Posted to users@directory.apache.org by Sathya S <sa...@gmail.com> on 2014/05/17 15:48:39 UTC

Password expiry enforcement

I am continuing on my experiments with getting password policies
functioning on ApacheDS and I am trying to enable password expiry and a
warning before the expiry.

This is what I have configured on the server:

dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
ads-pwdminlength: 7
ads-pwdinhistory: 5
ads-pwdid: default
ads-pwdcheckquality: 1
ads-pwdlockout: TRUE
ads-pwdlockoutduration: 0

ads-pwdMaxAge: 300
ads-pwdExpireWarning: 180
...

My understanding of this is that a user's password is valid for 5 minutes
after which authentication would fail. After 3 minutes up to 5 minutes, he
would be able to login, but would receive a warning about impending expiry.
Is that correct?

I restarted the server after making the above change.

I have the below Java code to authenticate the user:

import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// Plain JNDI simple bind against the local ApacheDS instance;
// the bind request carries no controls.
Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://localhost:10389");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "uid=Sathya,ou=people,dc=example,dc=com");
env.put(Context.SECURITY_CREDENTIALS, "helloworld");

// Create the initial context; the bind happens here
DirContext ctx = new InitialDirContext(env);
ctx.close();

I created this user account almost an hour ago but the authentication still
goes through successfully. Anything I am missing here?

Thanks.
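
As an added example (not code from the original post or from the ApacheDS project), the same JNDI bind with the password policy request control (OID 1.3.6.1.4.1.42.2.27.8.5.1) attached as a connection control, plus a small BER decoder for the response control value as defined in draft-behera-ldap-password-policy, so the expiry warning asked about above can be observed from a plain JNDI client. The class and method names, the URL, DN and password are placeholders, and the two byte strings in main() are constructed samples, not captured server output. It assumes the server-side policy is configured as discussed further down the thread (ads-pwdGraceAuthNLimit > 0), since otherwise an expired bind is simply accepted and no warning or error is returned.

```java
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.BasicControl;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

/** Example only: JNDI bind that requests, and decodes, the password policy response control. */
public class JndiPpolicyBind {

    static final String PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1";

    // PasswordPolicyResponseValue.error values from draft-behera-ldap-password-policy
    static final String[] ERROR_NAMES = { "passwordExpired", "accountLocked", "changeAfterReset",
        "passwordModNotAllowed", "mustSupplyOldPassword", "insufficientPasswordQuality",
        "passwordTooShort", "passwordTooYoung", "passwordInHistory" };

    /** Decoded response value; -1 means the element was absent. */
    public static final class PpolicyResponse {
        public int timeBeforeExpiration = -1; // seconds left before pwdMaxAge is reached (warning [0])
        public int graceAuthNsRemaining = -1; // grace binds left after expiry (warning [1])
        public int error = -1;                // index into ERROR_NAMES (error [1])

        @Override public String toString() {
            return "timeBeforeExpiration=" + timeBeforeExpiration + " graceAuthNsRemaining="
                + graceAuthNsRemaining + " error=" + (error < 0 ? "none" : ERROR_NAMES[error]);
        }
    }

    /**
     * Minimal BER decoder for
     *   SEQUENCE { warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
     *                                    graceAuthNsRemaining [1] INTEGER } OPTIONAL,
     *              error   [1] ENUMERATED OPTIONAL }
     * Short-form lengths only, which is all this value ever needs.
     */
    public static PpolicyResponse decode(byte[] v) {
        if (v == null || v.length < 2 || (v[0] & 0xFF) != 0x30) {
            throw new IllegalArgumentException("not a BER SEQUENCE");
        }
        PpolicyResponse r = new PpolicyResponse();
        int end = Math.min(v.length, 2 + (v[1] & 0xFF));
        int i = 2;
        while (i + 1 < end) {
            int tag = v[i] & 0xFF, len = v[i + 1] & 0xFF, start = i + 2;
            if (start + len > end) break;                       // malformed: stop rather than overrun
            if (tag == 0xA0 && len >= 3) {                      // warning: constructed [0] around the CHOICE
                int inner = v[start] & 0xFF, innerLen = v[start + 1] & 0xFF;
                int n = readInt(v, start + 2, Math.min(innerLen, len - 2));
                if (inner == 0x80) r.timeBeforeExpiration = n;      // [0] timeBeforeExpiration
                else if (inner == 0x81) r.graceAuthNsRemaining = n; // [1] graceAuthNsRemaining
            } else if (tag == 0x81) {                           // error: primitive [1] ENUMERATED
                r.error = readInt(v, start, len);
            }                                                   // anything else is skipped
            i = start + len;
        }
        return r;
    }

    private static int readInt(byte[] b, int off, int len) {
        int n = 0;
        for (int k = 0; k < len; k++) n = (n << 8) | (b[off + k] & 0xFF);
        return n;
    }

    /**
     * Simple bind with the ppolicy request control attached as a connection control; JNDI sends
     * connection controls with the bind and exposes the bind's response controls via
     * getResponseControls(). Returns the decoded control, or null if the server sent none.
     * A rejected bind (expired with no grace left, locked out, wrong password) surfaces as a
     * NamingException from the constructor, and JNDI gives no access to the response controls on
     * that path, so the policy error itself is not recoverable here.
     */
    public static PpolicyResponse bind(String url, String userDn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);

        Control[] connCtls = { new BasicControl(PPOLICY_OID, Control.NONCRITICAL, null) };
        LdapContext ctx = new InitialLdapContext(env, connCtls);
        try {
            Control[] resp = ctx.getResponseControls();
            if (resp != null) {
                for (Control c : resp) {
                    if (PPOLICY_OID.equals(c.getID())) return decode(c.getEncodedValue());
                }
            }
            return null;
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values (not captured from a server):
        // warning timeBeforeExpiration = 120 seconds, then error passwordExpired.
        System.out.println(decode(new byte[] { 0x30, 0x05, (byte) 0xA0, 0x03, (byte) 0x80, 0x01, 0x78 }));
        System.out.println(decode(new byte[] { 0x30, 0x03, (byte) 0x81, 0x01, 0x00 }));

        if (args.length == 3) { // url userDn password, e.g. ldap://localhost:10389 ...
            System.out.println(bind(args[0], args[1], args[2]));
        }
    }
}
```

With ads-pwdMaxAge 300 and ads-pwdExpireWarning 180 as configured above, a successful bind during the last three minutes of the password's life should come back with timeBeforeExpiration set; after that, with ads-pwdGraceAuthNLimit > 0, the remaining grace binds are reported in graceAuthNsRemaining, and once they are used up the bind fails.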

Re: Password expiry enforcement

Posted by Sathya S <sa...@gmail.com>.
Thank you Carlo and Kiran. Setting the system property solves the problem.

But Kiran, I *am* using the ApacheDS directory client and still seem to
need to use the system setting.

I am using the api-all-1.0.0-M22.jar version package. My imports:

import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicy;
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyImpl;
import org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyDecorator;
import org.apache.directory.api.ldap.model.message.BindRequest;
import org.apache.directory.api.ldap.model.message.BindRequestImpl;
import org.apache.directory.api.ldap.model.message.BindResponse;
import org.apache.directory.api.ldap.model.message.Control;
import org.apache.directory.api.ldap.model.message.Response;
import org.apache.directory.api.ldap.model.message.ResultCodeEnum;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.ldap.client.api.LdapConnection;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;





On Tue, May 20, 2014 at 6:56 AM, Kiran Ayyagari <ka...@apache.org> wrote:

> On Tue, May 20, 2014 at 3:11 AM, <Ca...@ibs-ag.com> wrote:
>
> > Hi,
> > I had the same issue last year and Kiran suggested adding this line
> > somewhere in your code.
> >
> > System.setProperty("extra.controls",
> >
> "org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyFactory");
> >
> > yes, and this is not needed if you are using client API version >=
> 1.0.0-M21
>
> > I put it in the static initializer of the class that handles the pw
> policy
> > responses. Worked for me.
> >
> >
> >
> > -----Original Message-----
> > From: Sathya S [mailto:sathya.skr.75@gmail.com]
> > Sent: Monday, May 19, 2014 5:17 PM
> > To: users@directory.apache.org
> > Subject: Re: Password expiry enforcement
> >
> > Thanks,
> >
> > I am trying out code from :
> >
> >
> svn.apache.org/repos/asf/directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/ppolicy/PasswordPolicyIT.java
> >
> > I am facing an issue when trying to access the PasswordPolicy -
> >            PasswordPolicy PP_REQ_CTRL = new PasswordPolicyImpl();
> >
> >             BindRequest bindReq = new BindRequestImpl();
> >             bindReq.setDn(new
> > Dn("uid=SathyaSkr,ou=people,dc=example,dc=com"));
> >             bindReq.setCredentials("helloworld");
> >             bindReq.addControl(PP_REQ_CTRL);
> >
> >             LdapConnection userCon = new
> LdapNetworkConnection("localhost",
> >                     10389);
> >             BindResponse bindResp = userCon.bind(bindReq);
> >
> >            Control control = bindResp
> > .getControls().get("1.3.6.1.4.1.42.2.27.8.5.1");
> >           PasswordPolicy policy = ((PasswordPolicyDecorator)
> > control).getDecorated();
> >
> > The last line throws me this exception:
> > java.lang.ClassCastException:
> > org.apache.directory.api.ldap.codec.BasicControlDecorator cannot be cast
> > to
> >
> org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyDecorator
> >
> > This is the config on my server:
> >
> > dn:
> >
> >
> ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterc
> >  eptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> > ads-pwdminlength: 7
> > ads-pwdinhistory: 5
> > ads-pwdid: default
> > ads-pwdcheckquality: 1
> > ads-pwdlockout: TRUE
> > ads-pwdlockoutduration: 0
> > ads-pwdMaxAge: 120
> > ads-pwdvalidator: com.sathya.MyPasswordPolicy
> > ads-pwdmaxfailure: 5
> > ads-pwdattribute: userPassword
> > ads-pwdfailurecountinterval: 30
> > entryParentId: 9d1262c2-6583-4dca-9abb-7b470cfd6b25
> > ads-enabled: TRUE
> > objectclass: top
> > objectclass: ads-base
> > objectclass: ads-passwordPolicy
> > entryuuid: 7706635b-3da4-4c9b-aefd-bf059d38868d
> > ads-pwdgraceauthnlimit: 1
> > entryCSN: 20140519205014.514000Z#000000#001#000000
> > modifyTimestamp: 20140519205014.514Z
> > ads-pwdExpireWarning: 60
> >
> > Any input?
> >
> >
> >
> > On Mon, May 19, 2014 at 8:31 PM, Kiran Ayyagari <kayyagari@apache.org
> > >wrote:
> >
> > > On Mon, May 19, 2014 at 5:31 PM, Sathya Skr 75
> > > <sathya.skr.75@gmail.com
> > > >wrote:
> > >
> > > > Brilliant!! Thanks so much Kiran. That worked.
> > > >
> > > > But still don't get a warning before expiry. Some of my friends said
> > > > that this is something that needs to be built into the calling code
> > > > and not something that apacheds provides out of the box. Is that
> right?
> > > >
> > >  you need to send password policy request control (OID is
> > > 1.3.6.1.4.1.42.2.27.8.5.1) to get the warning back, note that the
> > > error/warning will be present in the password policy response control
> > > present in the bind response
> > >
> > > >
> > > > —
> > > > Sent from Mailbox
> > > >
> > > > On Sun, May 18, 2014 at 6:33 PM, Kiran Ayyagari
> > > > <ka...@apache.org>
> > > > wrote:
> > > >
> > > > > On Sat, May 17, 2014 at 7:18 PM, Sathya S
> > > > > <sa...@gmail.com>
> > > > wrote:
> > > > >> I am continuing on my experiments with getting password policies
> > > > >> functioning on ApacheDS and I am trying to enable password expiry
> > > > >> and
> > > a
> > > > >> warning before the expiry.
> > > > >>
> > > > >> This is what I have configured on the server:
> > > > >>
> > > > >> dn:
> > > > >>
> > > > >>
> > > >
> > > ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authentication
> > > Interc
> > > > >>  eptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> > > > >> ads-pwdminlength: 7
> > > > >> ads-pwdinhistory: 5
> > > > >> ads-pwdid: default
> > > > >> ads-pwdcheckquality: 1
> > > > >> ads-pwdlockout: TRUE
> > > > >> ads-pwdlockoutduration: 0
> > > > >>
> > > > >> ads-pwdMaxAge: 300
> > > > >> ads-pwdExpireWarning: 180
> > > > >> ...
> > > > >>
> > > > >> My understanding of this is that a user's password is valid for 5
> > > > minutes
> > > > >> after which authentication would fail. After 3 minutes up to 5
> > > minutes,
> > > > he
> > > > >> would be able to login, but would receive a warning about
> > > > >> impending
> > > > expiry.
> > > > >> Is that correct?
> > > > >>
> > > > >> yes, but you need to configure ads-pwdgraceauthnlimit (to >0) as
> > > > >> well,
> > > > > otherwise bind operation
> > > > > always accepts the expired password
> > > > >> I restarted the server after making the above change.
> > > > >>
> > > > >> I have the below Java code to authenticate the user:
> > > > >>
> > > > >>             Hashtable<String, String> env = new Hashtable<String,
> > > > >> String>();
> > > > >>             env.put(Context.INITIAL_CONTEXT_FACTORY,
> > > > >> "com.sun.jndi.ldap.LdapCtxFactory");
> > > > >>             env.put(Context.PROVIDER_URL,
> "ldap://localhost:10389");
> > > > >>             //
> > > > >>             env.put(Context.SECURITY_AUTHENTICATION, "simple");
> > > > >>             env.put(Context.SECURITY_PRINCIPAL,
> > > > >> "uid=Sathya,ou=people,dc=example,dc=com");
> > > > >>             env.put(Context.SECURITY_CREDENTIALS, "helloworld");
> > > > >>
> > > > >>             // Create the initial context
> > > > >>
> > > > >>             DirContext ctx = new InitialDirContext(env);
> > > > >>
> > > > >> I created this user account almost an hour ago but the
> > > > >> authentication
> > > > still
> > > > >> goes through successfully. Anything I am missing here?
> > > > >>
> > > > >> Thanks.
> > > > >>
> > > > > --
> > > > > Kiran Ayyagari
> > > > > http://keydap.com
> > > >
> > >
> > >
> > >
> > > --
> > > Kiran Ayyagari
> > > http://keydap.com
> > >
> >
>
>
>
> --
> Kiran Ayyagari
> http://keydap.com
>

Re: Password expiry enforcement

Posted by Kiran Ayyagari <ka...@apache.org>.
On Tue, May 20, 2014 at 3:11 AM, <Ca...@ibs-ag.com> wrote:

> Hi,
> I had the same issue last year and Kiran suggested adding this line
> somewhere in your code.
>
> System.setProperty("extra.controls",
> "org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyFactory");
>
Yes, and this is not needed if you are using client API version >= 1.0.0-M21.

> I put it in the static initializer of the class that handles the pw policy
> responses. Worked for me.
>
>
>
> -----Original Message-----
> From: Sathya S [mailto:sathya.skr.75@gmail.com]
> Sent: Monday, May 19, 2014 5:17 PM
> To: users@directory.apache.org
> Subject: Re: Password expiry enforcement
>
> Thanks,
>
> I am trying out code from :
>
> svn.apache.org/repos/asf/directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/ppolicy/PasswordPolicyIT.java
>
> I am facing an issue when trying to access the PasswordPolicy -
>            PasswordPolicy PP_REQ_CTRL = new PasswordPolicyImpl();
>
>             BindRequest bindReq = new BindRequestImpl();
>             bindReq.setDn(new
> Dn("uid=SathyaSkr,ou=people,dc=example,dc=com"));
>             bindReq.setCredentials("helloworld");
>             bindReq.addControl(PP_REQ_CTRL);
>
>             LdapConnection userCon = new LdapNetworkConnection("localhost",
>                     10389);
>             BindResponse bindResp = userCon.bind(bindReq);
>
>            Control control = bindResp
> .getControls().get("1.3.6.1.4.1.42.2.27.8.5.1");
>           PasswordPolicy policy = ((PasswordPolicyDecorator)
> control).getDecorated();
>
> The last line throws me this exception:
> java.lang.ClassCastException:
> org.apache.directory.api.ldap.codec.BasicControlDecorator cannot be cast
> to
> org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyDecorator
>
> This is the config on my server:
>
> dn:
>
> ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterc
>  eptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> ads-pwdminlength: 7
> ads-pwdinhistory: 5
> ads-pwdid: default
> ads-pwdcheckquality: 1
> ads-pwdlockout: TRUE
> ads-pwdlockoutduration: 0
> ads-pwdMaxAge: 120
> ads-pwdvalidator: com.sathya.MyPasswordPolicy
> ads-pwdmaxfailure: 5
> ads-pwdattribute: userPassword
> ads-pwdfailurecountinterval: 30
> entryParentId: 9d1262c2-6583-4dca-9abb-7b470cfd6b25
> ads-enabled: TRUE
> objectclass: top
> objectclass: ads-base
> objectclass: ads-passwordPolicy
> entryuuid: 7706635b-3da4-4c9b-aefd-bf059d38868d
> ads-pwdgraceauthnlimit: 1
> entryCSN: 20140519205014.514000Z#000000#001#000000
> modifyTimestamp: 20140519205014.514Z
> ads-pwdExpireWarning: 60
>
> Any input?
>
>
>
> On Mon, May 19, 2014 at 8:31 PM, Kiran Ayyagari <kayyagari@apache.org
> >wrote:
>
> > On Mon, May 19, 2014 at 5:31 PM, Sathya Skr 75
> > <sathya.skr.75@gmail.com
> > >wrote:
> >
> > > Brilliant!! Thanks so much Kiran. That worked.
> > >
> > > But still don't get a warning before expiry. Some of my friends said
> > > that this is something that needs to be built into the calling code
> > > and not something that apacheds provides out of the box. Is that right?
> > >
> >  you need to send password policy request control (OID is
> > 1.3.6.1.4.1.42.2.27.8.5.1) to get the warning back, note that the
> > error/warning will be present in the password policy response control
> > present in the bind response
> >
> > >
> > > —
> > > Sent from Mailbox
> > >
> > > On Sun, May 18, 2014 at 6:33 PM, Kiran Ayyagari
> > > <ka...@apache.org>
> > > wrote:
> > >
> > > > On Sat, May 17, 2014 at 7:18 PM, Sathya S
> > > > <sa...@gmail.com>
> > > wrote:
> > > >> I am continuing on my experiments with getting password policies
> > > >> functioning on ApacheDS and I am trying to enable password expiry
> > > >> and
> > a
> > > >> warning before the expiry.
> > > >>
> > > >> This is what I have configured on the server:
> > > >>
> > > >> dn:
> > > >>
> > > >>
> > >
> > ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authentication
> > Interc
> > > >>  eptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> > > >> ads-pwdminlength: 7
> > > >> ads-pwdinhistory: 5
> > > >> ads-pwdid: default
> > > >> ads-pwdcheckquality: 1
> > > >> ads-pwdlockout: TRUE
> > > >> ads-pwdlockoutduration: 0
> > > >>
> > > >> ads-pwdMaxAge: 300
> > > >> ads-pwdExpireWarning: 180
> > > >> ...
> > > >>
> > > >> My understanding of this is that a user's password is valid for 5
> > > minutes
> > > >> after which authentication would fail. After 3 minutes up to 5
> > minutes,
> > > he
> > > >> would be able to login, but would receive a warning about
> > > >> impending
> > > expiry.
> > > >> Is that correct?
> > > >>
> > > >> yes, but you need to configure ads-pwdgraceauthnlimit (to >0) as
> > > >> well,
> > > > otherwise bind operation
> > > > always accepts the expired password
> > > >> I restarted the server after making the above change.
> > > >>
> > > >> I have the below Java code to authenticate the user:
> > > >>
> > > >>             Hashtable<String, String> env = new Hashtable<String,
> > > >> String>();
> > > >>             env.put(Context.INITIAL_CONTEXT_FACTORY,
> > > >> "com.sun.jndi.ldap.LdapCtxFactory");
> > > >>             env.put(Context.PROVIDER_URL, "ldap://localhost:10389");
> > > >>             //
> > > >>             env.put(Context.SECURITY_AUTHENTICATION, "simple");
> > > >>             env.put(Context.SECURITY_PRINCIPAL,
> > > >> "uid=Sathya,ou=people,dc=example,dc=com");
> > > >>             env.put(Context.SECURITY_CREDENTIALS, "helloworld");
> > > >>
> > > >>             // Create the initial context
> > > >>
> > > >>             DirContext ctx = new InitialDirContext(env);
> > > >>
> > > >> I created this user account almost an hour ago but the
> > > >> authentication
> > > still
> > > >> goes through successfully. Anything I am missing here?
> > > >>
> > > >> Thanks.
> > > >>
> > > > --
> > > > Kiran Ayyagari
> > > > http://keydap.com
> > >
> >
> >
> >
> > --
> > Kiran Ayyagari
> > http://keydap.com
> >
>



-- 
Kiran Ayyagari
http://keydap.com

RE: Password expiry enforcement

Posted by Ca...@ibs-ag.com.
Hi,
I had the same issue last year and Kiran suggested adding this line somewhere in your code. 

System.setProperty("extra.controls", "org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyFactory");

I put it in the static initializer of the class that handles the pw policy responses. Worked for me. 



-----Original Message-----
From: Sathya S [mailto:sathya.skr.75@gmail.com] 
Sent: Monday, May 19, 2014 5:17 PM
To: users@directory.apache.org
Subject: Re: Password expiry enforcement

Thanks,

I am trying out code from :
svn.apache.org/repos/asf/directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/ppolicy/PasswordPolicyIT.java

I am facing an issue when trying to access the PasswordPolicy -
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicy;
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyImpl;
import org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyDecorator;
import org.apache.directory.api.ldap.model.message.BindRequest;
import org.apache.directory.api.ldap.model.message.BindRequestImpl;
import org.apache.directory.api.ldap.model.message.BindResponse;
import org.apache.directory.api.ldap.model.message.Control;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.ldap.client.api.LdapConnection;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

// Password policy request control (OID 1.3.6.1.4.1.42.2.27.8.5.1)
PasswordPolicy PP_REQ_CTRL = new PasswordPolicyImpl();

BindRequest bindReq = new BindRequestImpl();
bindReq.setDn(new Dn("uid=SathyaSkr,ou=people,dc=example,dc=com"));
bindReq.setCredentials("helloworld");
bindReq.addControl(PP_REQ_CTRL);

LdapConnection userCon = new LdapNetworkConnection("localhost", 10389);
BindResponse bindResp = userCon.bind(bindReq);

// Look up the response control by OID ...
Control control = bindResp.getControls().get("1.3.6.1.4.1.42.2.27.8.5.1");
// ... and unwrap it; this is the line that throws the exception below
PasswordPolicy policy = ((PasswordPolicyDecorator) control).getDecorated();

The last line throws me this exception:
java.lang.ClassCastException:
org.apache.directory.api.ldap.codec.BasicControlDecorator cannot be cast to org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyDecorator

This is the config on my server:

dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
ads-pwdminlength: 7
ads-pwdinhistory: 5
ads-pwdid: default
ads-pwdcheckquality: 1
ads-pwdlockout: TRUE
ads-pwdlockoutduration: 0
ads-pwdMaxAge: 120
ads-pwdvalidator: com.sathya.MyPasswordPolicy
ads-pwdmaxfailure: 5
ads-pwdattribute: userPassword
ads-pwdfailurecountinterval: 30
entryParentId: 9d1262c2-6583-4dca-9abb-7b470cfd6b25
ads-enabled: TRUE
objectclass: top
objectclass: ads-base
objectclass: ads-passwordPolicy
entryuuid: 7706635b-3da4-4c9b-aefd-bf059d38868d
ads-pwdgraceauthnlimit: 1
entryCSN: 20140519205014.514000Z#000000#001#000000
modifyTimestamp: 20140519205014.514Z
ads-pwdExpireWarning: 60

Any input?



On Mon, May 19, 2014 at 8:31 PM, Kiran Ayyagari <ka...@apache.org> wrote:

> On Mon, May 19, 2014 at 5:31 PM, Sathya Skr 75 
> <sathya.skr.75@gmail.com
> >wrote:
>
> > Brilliant!! Thanks so much Kiran. That worked.
> >
> > But still don't get a warning before expiry. Some of my friends said 
> > that this is something that needs to be built into the calling code 
> > and not something that apacheds provides out of the box. Is that right?
> >
>  you need to send password policy request control (OID is
> 1.3.6.1.4.1.42.2.27.8.5.1) to get the warning back, note that the 
> error/warning will be present in the password policy response control 
> present in the bind response
>
> >
> > —
> > Sent from Mailbox
> >
> > On Sun, May 18, 2014 at 6:33 PM, Kiran Ayyagari 
> > <ka...@apache.org>
> > wrote:
> >
> > > On Sat, May 17, 2014 at 7:18 PM, Sathya S 
> > > <sa...@gmail.com>
> > wrote:
> > >> I am continuing on my experiments with getting password policies 
> > >> functioning on ApacheDS and I am trying to enable password expiry 
> > >> and
> a
> > >> warning before the expiry.
> > >>
> > >> This is what I have configured on the server:
> > >>
> > >> dn:
> > >>
> > >>
> >
> ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authentication
> Interc
> > >>  eptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> > >> ads-pwdminlength: 7
> > >> ads-pwdinhistory: 5
> > >> ads-pwdid: default
> > >> ads-pwdcheckquality: 1
> > >> ads-pwdlockout: TRUE
> > >> ads-pwdlockoutduration: 0
> > >>
> > >> ads-pwdMaxAge: 300
> > >> ads-pwdExpireWarning: 180
> > >> ...
> > >>
> > >> My understanding of this is that a user's password is valid for 5
> > minutes
> > >> after which authentication would fail. After 3 minutes up to 5
> minutes,
> > he
> > >> would be able to login, but would receive a warning about 
> > >> impending
> > expiry.
> > >> Is that correct?
> > >>
> > >> yes, but you need to configure ads-pwdgraceauthnlimit (to >0) as 
> > >> well,
> > > otherwise bind operation
> > > always accepts the expired password
> > >> I restarted the server after making the above change.
> > >>
> > >> I have the below Java code to authenticate the user:
> > >>
> > >>             Hashtable<String, String> env = new Hashtable<String,
> > >> String>();
> > >>             env.put(Context.INITIAL_CONTEXT_FACTORY,
> > >> "com.sun.jndi.ldap.LdapCtxFactory");
> > >>             env.put(Context.PROVIDER_URL, "ldap://localhost:10389");
> > >>             //
> > >>             env.put(Context.SECURITY_AUTHENTICATION, "simple");
> > >>             env.put(Context.SECURITY_PRINCIPAL,
> > >> "uid=Sathya,ou=people,dc=example,dc=com");
> > >>             env.put(Context.SECURITY_CREDENTIALS, "helloworld");
> > >>
> > >>             // Create the initial context
> > >>
> > >>             DirContext ctx = new InitialDirContext(env);
> > >>
> > >> I created this user account almost an hour ago but the 
> > >> authentication
> > still
> > >> goes through successfully. Anything I am missing here?
> > >>
> > >> Thanks.
> > >>
> > > --
> > > Kiran Ayyagari
> > > http://keydap.com
> >
>
>
>
> --
> Kiran Ayyagari
> http://keydap.com
>

Re: Password expiry enforcement

Posted by Sathya S <sa...@gmail.com>.
Thanks,

I am trying out code from :
svn.apache.org/repos/asf/directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/ppolicy/PasswordPolicyIT.java

I am facing an issue when trying to access the PasswordPolicy -
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicy;
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyImpl;
import org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyDecorator;
import org.apache.directory.api.ldap.model.message.BindRequest;
import org.apache.directory.api.ldap.model.message.BindRequestImpl;
import org.apache.directory.api.ldap.model.message.BindResponse;
import org.apache.directory.api.ldap.model.message.Control;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.ldap.client.api.LdapConnection;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

// Password policy request control (OID 1.3.6.1.4.1.42.2.27.8.5.1)
PasswordPolicy PP_REQ_CTRL = new PasswordPolicyImpl();

BindRequest bindReq = new BindRequestImpl();
bindReq.setDn(new Dn("uid=SathyaSkr,ou=people,dc=example,dc=com"));
bindReq.setCredentials("helloworld");
bindReq.addControl(PP_REQ_CTRL);

LdapConnection userCon = new LdapNetworkConnection("localhost", 10389);
BindResponse bindResp = userCon.bind(bindReq);

// Look up the response control by OID ...
Control control = bindResp.getControls().get("1.3.6.1.4.1.42.2.27.8.5.1");
// ... and unwrap it; this is the line that throws the exception below
PasswordPolicy policy = ((PasswordPolicyDecorator) control).getDecorated();

The last line throws me this exception:
java.lang.ClassCastException:
org.apache.directory.api.ldap.codec.BasicControlDecorator cannot be cast to
org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyDecorator

This is the config on my server:

dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
ads-pwdminlength: 7
ads-pwdinhistory: 5
ads-pwdid: default
ads-pwdcheckquality: 1
ads-pwdlockout: TRUE
ads-pwdlockoutduration: 0
ads-pwdMaxAge: 120
ads-pwdvalidator: com.sathya.MyPasswordPolicy
ads-pwdmaxfailure: 5
ads-pwdattribute: userPassword
ads-pwdfailurecountinterval: 30
entryParentId: 9d1262c2-6583-4dca-9abb-7b470cfd6b25
ads-enabled: TRUE
objectclass: top
objectclass: ads-base
objectclass: ads-passwordPolicy
entryuuid: 7706635b-3da4-4c9b-aefd-bf059d38868d
ads-pwdgraceauthnlimit: 1
entryCSN: 20140519205014.514000Z#000000#001#000000
modifyTimestamp: 20140519205014.514Z
ads-pwdExpireWarning: 60

Any input?



On Mon, May 19, 2014 at 8:31 PM, Kiran Ayyagari <ka...@apache.org> wrote:

> On Mon, May 19, 2014 at 5:31 PM, Sathya Skr 75 <sathya.skr.75@gmail.com
> >wrote:
>
> > Brilliant!! Thanks so much Kiran. That worked.
> >
> > But still don't get a warning before expiry. Some of my friends said that
> > this is something that needs to be built into the calling code and not
> > something that apacheds provides out of the box. Is that right?
> >
>  you need to send password policy request control (OID is
> 1.3.6.1.4.1.42.2.27.8.5.1) to get the warning
> back, note that the error/warning will be present in the password policy
> response control present in the
> bind response
>
> >
> > —
> > Sent from Mailbox
> >
> > On Sun, May 18, 2014 at 6:33 PM, Kiran Ayyagari <ka...@apache.org>
> > wrote:
> >
> > > On Sat, May 17, 2014 at 7:18 PM, Sathya S <sa...@gmail.com>
> > wrote:
> > >> I am continuing on my experiments with getting password policies
> > >> functioning on ApacheDS and I am trying to enable password expiry and
> a
> > >> warning before the expiry.
> > >>
> > >> This is what I have configured on the server:
> > >>
> > >> dn:
> > >>
> > >>
> >
> ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterc
> > >>  eptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> > >> ads-pwdminlength: 7
> > >> ads-pwdinhistory: 5
> > >> ads-pwdid: default
> > >> ads-pwdcheckquality: 1
> > >> ads-pwdlockout: TRUE
> > >> ads-pwdlockoutduration: 0
> > >>
> > >> ads-pwdMaxAge: 300
> > >> ads-pwdExpireWarning: 180
> > >> ...
> > >>
> > >> My understanding of this is that a user's password is valid for 5
> > minutes
> > >> after which authentication would fail. After 3 minutes up to 5
> minutes,
> > he
> > >> would be able to login, but would receive a warning about impending
> > expiry.
> > >> Is that correct?
> > >>
> > >> yes, but you need to configure ads-pwdgraceauthnlimit (to >0) as well,
> > > otherwise bind operation
> > > always accepts the expired password
> > >> I restarted the server after making the above change.
> > >>
> > >> I have the below Java code to authenticate the user:
> > >>
> > >>             Hashtable<String, String> env = new Hashtable<String,
> > >> String>();
> > >>             env.put(Context.INITIAL_CONTEXT_FACTORY,
> > >> "com.sun.jndi.ldap.LdapCtxFactory");
> > >>             env.put(Context.PROVIDER_URL, "ldap://localhost:10389");
> > >>             //
> > >>             env.put(Context.SECURITY_AUTHENTICATION, "simple");
> > >>             env.put(Context.SECURITY_PRINCIPAL,
> > >> "uid=Sathya,ou=people,dc=example,dc=com");
> > >>             env.put(Context.SECURITY_CREDENTIALS, "helloworld");
> > >>
> > >>             // Create the initial context
> > >>
> > >>             DirContext ctx = new InitialDirContext(env);
> > >>
> > >> I created this user account almost an hour ago but the authentication
> > still
> > >> goes through successfully. Anything I am missing here?
> > >>
> > >> Thanks.
> > >>
> > > --
> > > Kiran Ayyagari
> > > http://keydap.com
> >
>
>
>
> --
> Kiran Ayyagari
> http://keydap.com
>

Re: Password expiry enforcement

Posted by Kiran Ayyagari <ka...@apache.org>.
On Mon, May 19, 2014 at 5:31 PM, Sathya Skr 75 <sa...@gmail.com> wrote:

> Brilliant!! Thanks so much Kiran. That worked.
>
> But still don't get a warning before expiry. Some of my friends said that
> this is something that needs to be built into the calling code and not
> something that apacheds provides out of the box. Is that right?
>
You need to send the password policy request control (OID
1.3.6.1.4.1.42.2.27.8.5.1) to get the warning back. Note that the
error/warning will be present in the password policy response control in
the bind response.

>
> —
> Sent from Mailbox
>
> On Sun, May 18, 2014 at 6:33 PM, Kiran Ayyagari <ka...@apache.org>
> wrote:
>
> > On Sat, May 17, 2014 at 7:18 PM, Sathya S <sa...@gmail.com>
> wrote:
> >> I am continuing on my experiments with getting password policies
> >> functioning on ApacheDS and I am trying to enable password expiry and a
> >> warning before the expiry.
> >>
> >> This is what I have configured on the server:
> >>
> >> dn:
> >>
> >>
> ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterc
> >>  eptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> >> ads-pwdminlength: 7
> >> ads-pwdinhistory: 5
> >> ads-pwdid: default
> >> ads-pwdcheckquality: 1
> >> ads-pwdlockout: TRUE
> >> ads-pwdlockoutduration: 0
> >>
> >> ads-pwdMaxAge: 300
> >> ads-pwdExpireWarning: 180
> >> ...
> >>
> >> My understanding of this is that a user's password is valid for 5
> minutes
> >> after which authentication would fail. After 3 minutes up to 5 minutes,
> he
> >> would be able to login, but would receive a warning about impending
> expiry.
> >> Is that correct?
> >>
> >> yes, but you need to configure ads-pwdgraceauthnlimit (to >0) as well,
> > otherwise bind operation
> > always accepts the expired password
> >> I restarted the server after making the above change.
> >>
> >> I have the below Java code to authenticate the user:
> >>
> >>             Hashtable<String, String> env = new Hashtable<String,
> >> String>();
> >>             env.put(Context.INITIAL_CONTEXT_FACTORY,
> >> "com.sun.jndi.ldap.LdapCtxFactory");
> >>             env.put(Context.PROVIDER_URL, "ldap://localhost:10389");
> >>             //
> >>             env.put(Context.SECURITY_AUTHENTICATION, "simple");
> >>             env.put(Context.SECURITY_PRINCIPAL,
> >> "uid=Sathya,ou=people,dc=example,dc=com");
> >>             env.put(Context.SECURITY_CREDENTIALS, "helloworld");
> >>
> >>             // Create the initial context
> >>
> >>             DirContext ctx = new InitialDirContext(env);
> >>
> >> I created this user account almost an hour ago but the authentication
> still
> >> goes through successfully. Anything I am missing here?
> >>
> >> Thanks.
> >>
> > --
> > Kiran Ayyagari
> > http://keydap.com
>



-- 
Kiran Ayyagari
http://keydap.com

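The following is an added example, not code from the thread or from the ApacheDS project, showing the bind Kiran describes end to end with the 1.0.0-M22 client API: the request control is attached, the response control is looked up by its OID, an instanceof check turns the ClassCastException discussed elsewhere in the thread into a clear error, and the decoded warning or error is classified. The extra.controls property is set in a static initializer, which is where Carlo reports putting it. Host, port, DN, password and the class, method and enum names are placeholders; the server-side policy is assumed to have ads-pwdGraceAuthNLimit > 0 as Kiran's first reply requires, since without it an expired password is accepted silently and no warning or error is returned.

```java
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicy;
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyImpl;
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyResponse;
import org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyDecorator;
import org.apache.directory.api.ldap.model.message.BindRequest;
import org.apache.directory.api.ldap.model.message.BindRequestImpl;
import org.apache.directory.api.ldap.model.message.BindResponse;
import org.apache.directory.api.ldap.model.message.Control;
import org.apache.directory.api.ldap.model.message.ResultCodeEnum;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.ldap.client.api.LdapConnection;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

/** Example only: bind with the ppolicy request control using the ApacheDS LDAP API (1.0.0-M22). */
public class PpolicyBindCheck {

    // Register the ppolicy control factory with the codec before any connection is opened.
    // Kiran notes this should be unnecessary from 1.0.0-M21 on, but the poster still needed it
    // with M22; without it the response control arrives as a BasicControlDecorator and the cast
    // to PasswordPolicyDecorator fails with the ClassCastException seen in the thread.
    static {
        System.setProperty("extra.controls",
            "org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyFactory");
    }

    public enum Outcome {
        OK,                  // bind succeeded, no policy warning
        EXPIRING_SOON,       // bind succeeded, password expires within pwdExpireWarning seconds
        GRACE_LOGIN,         // password already expired, server allowed one of pwdGraceAuthNLimit binds
        REJECTED_BY_POLICY,  // bind refused with a ppolicy error (expired, locked, ...)
        INVALID_CREDENTIALS, // bind refused without a policy error (wrong password)
        NO_POLICY_RESPONSE   // bind succeeded but the server returned no ppolicy control
    }

    public static Outcome bindAndCheck(String host, int port, String userDn, String password) throws Exception {
        PasswordPolicy ppReq = new PasswordPolicyImpl(); // request control, OID 1.3.6.1.4.1.42.2.27.8.5.1

        BindRequest bindReq = new BindRequestImpl();
        bindReq.setDn(new Dn(userDn));
        bindReq.setCredentials(password);
        bindReq.addControl(ppReq);

        LdapConnection conn = new LdapNetworkConnection(host, port);
        try {
            // bind(BindRequest) returns the response instead of throwing on INVALID_CREDENTIALS,
            // so the ppolicy error on a refused bind is still available.
            BindResponse bindResp = conn.bind(bindReq);
            boolean success = bindResp.getLdapResult().getResultCode() == ResultCodeEnum.SUCCESS;

            Control ctl = bindResp.getControls().get(ppReq.getOid());
            if (ctl == null) {
                return success ? Outcome.NO_POLICY_RESPONSE : Outcome.INVALID_CREDENTIALS;
            }
            if (!(ctl instanceof PasswordPolicyDecorator)) {
                throw new IllegalStateException("ppolicy control not decoded (" + ctl.getClass().getName()
                    + "); register PasswordPolicyFactory via the extra.controls property");
            }
            PasswordPolicy pp = ((PasswordPolicyDecorator) ctl).getDecorated();
            if (!pp.hasResponse()) {
                return success ? Outcome.OK : Outcome.INVALID_CREDENTIALS;
            }

            // Absent fields are reported as -1; check the error first, since an expired password
            // with no grace binds left comes back as INVALID_CREDENTIALS plus a PASSWORD_EXPIRED error.
            PasswordPolicyResponse r = pp.getResponse();
            if (r.getPasswordPolicyError() != null) return Outcome.REJECTED_BY_POLICY;
            if (!success) return Outcome.INVALID_CREDENTIALS;
            if (r.getGraceAuthNRemaining() >= 0) return Outcome.GRACE_LOGIN;
            if (r.getTimeBeforeExpiration() >= 0) return Outcome.EXPIRING_SOON;
            return Outcome.OK;
        } finally {
            conn.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder server and user entry; match them to your own setup.
        System.out.println(bindAndCheck("localhost", 10389, "uid=Sathya,ou=people,dc=example,dc=com", "helloworld"));
    }
}
```

Run it repeatedly against a test account as the password ages past pwdMaxAge minus pwdExpireWarning and then past pwdMaxAge: the outcome should move from OK to EXPIRING_SOON, then to GRACE_LOGIN for as many binds as ads-pwdGraceAuthNLimit allows, and finally to REJECTED_BY_POLICY. If it stays at OK after expiry, the grace limit is 0 and the server is accepting the expired password, which is the situation the original post describes.
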
Re: Password expiry enforcement

Posted by Sathya Skr 75 <sa...@gmail.com>.
Brilliant!! Thanks so much Kiran. That worked. 

But still don't get a warning before expiry. Some of my friends said that this is something that needs to be built into the calling code and not something that apacheds provides out of the box. Is that right?

—
Sent from Mailbox

On Sun, May 18, 2014 at 6:33 PM, Kiran Ayyagari <ka...@apache.org>
wrote:

> On Sat, May 17, 2014 at 7:18 PM, Sathya S <sa...@gmail.com> wrote:
>> I am continuing on my experiments with getting password policies
>> functioning on ApacheDS and I am trying to enable password expiry and a
>> warning before the expiry.
>>
>> This is what I have configured on the server:
>>
>> dn:
>>
>> ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterc
>>  eptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>> ads-pwdminlength: 7
>> ads-pwdinhistory: 5
>> ads-pwdid: default
>> ads-pwdcheckquality: 1
>> ads-pwdlockout: TRUE
>> ads-pwdlockoutduration: 0
>>
>> ads-pwdMaxAge: 300
>> ads-pwdExpireWarning: 180
>> ...
>>
>> My understanding of this is that a user's password is valid for 5 minutes
>> after which authentication would fail. After 3 minutes up to 5 minutes, he
>> would be able to login, but would receive a warning about impending expiry.
>> Is that correct?
>>
>> yes, but you need to configure ads-pwdgraceauthnlimit (to >0) as well,
> otherwise bind operation
> always accepts the expired password
>> I restarted the server after making the above change.
>>
>> I have the below Java code to authenticate the user:
>>
>>             Hashtable<String, String> env = new Hashtable<String,
>> String>();
>>             env.put(Context.INITIAL_CONTEXT_FACTORY,
>> "com.sun.jndi.ldap.LdapCtxFactory");
>>             env.put(Context.PROVIDER_URL, "ldap://localhost:10389");
>>             //
>>             env.put(Context.SECURITY_AUTHENTICATION, "simple");
>>             env.put(Context.SECURITY_PRINCIPAL,
>> "uid=Sathya,ou=people,dc=example,dc=com");
>>             env.put(Context.SECURITY_CREDENTIALS, "helloworld");
>>
>>             // Create the initial context
>>
>>             DirContext ctx = new InitialDirContext(env);
>>
>> I created this user account almost an hour ago but the authentication still
>> goes through successfully. Anything I am missing here?
>>
>> Thanks.
>>
> -- 
> Kiran Ayyagari
> http://keydap.com

Re: Password expiry enforcement

Posted by Kiran Ayyagari <ka...@apache.org>.
On Sat, May 17, 2014 at 7:18 PM, Sathya S <sa...@gmail.com> wrote:

> I am continuing on my experiments with getting password policies
> functioning on ApacheDS and I am trying to enable password expiry and a
> warning before the expiry.
>
> This is what I have configured on the server:
>
> dn:
>
> ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterc
>  eptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> ads-pwdminlength: 7
> ads-pwdinhistory: 5
> ads-pwdid: default
> ads-pwdcheckquality: 1
> ads-pwdlockout: TRUE
> ads-pwdlockoutduration: 0
>
> ads-pwdMaxAge: 300
> ads-pwdExpireWarning: 180
> ...
>

> My understanding of this is that a user's password is valid for 5 minutes
> after which authentication would fail. After 3 minutes up to 5 minutes, he
> would be able to login, but would receive a warning about impending expiry.
> Is that correct?
>
Yes, but you need to configure ads-pwdgraceauthnlimit (to >0) as well,
otherwise the bind operation always accepts the expired password.

> I restarted the server after making the above change.
>
> I have the below Java code to authenticate the user:
>
>             Hashtable<String, String> env = new Hashtable<String,
> String>();
>             env.put(Context.INITIAL_CONTEXT_FACTORY,
> "com.sun.jndi.ldap.LdapCtxFactory");
>             env.put(Context.PROVIDER_URL, "ldap://localhost:10389");
>             //
>             env.put(Context.SECURITY_AUTHENTICATION, "simple");
>             env.put(Context.SECURITY_PRINCIPAL,
> "uid=Sathya,ou=people,dc=example,dc=com");
>             env.put(Context.SECURITY_CREDENTIALS, "helloworld");
>
>             // Create the initial context
>
>             DirContext ctx = new InitialDirContext(env);
>
> I created this user account almost an hour ago but the authentication still
> goes through successfully. Anything I am missing here?
>
> Thanks.
>



-- 
Kiran Ayyagari
http://keydap.com