Posted to users@directory.apache.org by David Paulsen <da...@kewill.com> on 2015/01/15 21:16:48 UTC

Password Policy attribute pwdMinAge not working?

I set the pwdMinAge in my Password Policy to 86400 (1 day in seconds) but 
it doesn't seem to be working. I am able to change the password, and then
change it again immediately after that. My understanding is that I should 
have to wait a day before I can change it again. Is that correct?

I am using ApacheDS version 2.0.0-M19.

Thanks!


Re: Password Policy attribute pwdMinAge not working?

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 21/01/15 21:44, David Paulsen wrote:
>
>> Thank you for your help!
>>>
>>>
>>>
> Is there a way to formally request the enhancement to not require a 
> restart, or is it already on your radar and you'll get to it when you 
> can? We are very eager to get this capability added.


Check the JIRA (http://directory.apache.org/issue-tracking.html). I'm
not sure we have such a request, and if not, just create a new one.

The required modification should not be too complicated to set up.


Re: Password Policy attribute pwdMinAge not working?

Posted by David Paulsen <da...@kewill.com>.
> 
> We will most certainly try to cut an ApacheDS release soon anyway, so
> you won't have to wait too long for an official M20
> 
Any rough idea of when M20 will be released?





Re: Password Policy attribute pwdMinAge not working?

Posted by David Paulsen <da...@kewill.com>.
> > This is fantastic Kiran, thanks! I'm assuming this will be in the ApacheDS
> > 2.0.0-M20 release, correct? I'm also assuming that if I want it before then
> > I'll have to build my own version from the trunk, correct?
> 
> Correct and correct.
> 
> We will most certainly try to cut an ApacheDS release soon anyway, so
> you won't have to wait too long for an official M20
> 
Thanks Kiran, do you have a rough idea of when M20 will be released? If it's
within the next few weeks I won't worry about building the trunk.



Re: Password Policy attribute pwdMinAge not working?

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 26/01/15 20:17, David Paulsen wrote:
> Kiran Ayyagari <ka...@...> writes:
>
>>>>>> Is there a way to formally request the enhancement to not require a
>>>>>>
>>>>> there was one filed a while ago
>>>>> https://issues.apache.org/jira/browse/DIRSERVER-1809
>>>>>
>>>>>> restart, or is it already on your radar and you'll get to it when you
>>>>>> can? We are very eager to get this capability added.
>>>>>>
>>>> Thanks Kiran, is there anything I can do to expedite this? We really need
>>>> it. In the enhancement it suggests adding a method that would refresh the
>>>> running policies in memory could be an easier interim solution - could
>>>> that
>>>> be done sooner?
>>>>
>>> will see if I can get this done this weekend, let you know on this thread
>>> I have just added this feature in trunk (http://svn.apache.org/r1654657)
>>>
>>> --
>>> Kiran Ayyagari
>>> http://keydap.com
>>>
> This is fantastic Kiran, thanks! I'm assuming this will be in the ApacheDS 
> 2.0.0-M20 release, correct? I'm also assuming that if I want it before then 
> I'll have to build my own version from the trunk, correct?

Correct and correct.

We will most certainly try to cut an ApacheDS release soon anyway, so
you won't have to wait too long for an official M20

>


Re: Password Policy attribute pwdMinAge not working?

Posted by David Paulsen <da...@kewill.com>.
Kiran Ayyagari <ka...@...> writes:

> >> > > Is there a way to formally request the enhancement to not require a
> >> > >
> >> > there was one filed a while ago
> >> > https://issues.apache.org/jira/browse/DIRSERVER-1809
> >> >
> >> > > restart, or is it already on your radar and you'll get to it when you
> >> > > can? We are very eager to get this capability added.
> >> > >
> >> >
> >> Thanks Kiran, is there anything I can do to expedite this? We really need
> >> it. In the enhancement it suggests adding a method that would refresh the
> >> running policies in memory could be an easier interim solution - could
> >> that
> >> be done sooner?
> >>
> > will see if I can get this done this weekend, let you know on this thread
> >
> > I have just added this feature in trunk (http://svn.apache.org/r1654657)
> 
> >
> >
> > --
> > Kiran Ayyagari
> > http://keydap.com
> >
> 

This is fantastic Kiran, thanks! I'm assuming this will be in the ApacheDS 
2.0.0-M20 release, correct? I'm also assuming that if I want it before then 
I'll have to build my own version from the trunk, correct?


Re: Password Policy attribute pwdMinAge not working?

Posted by Kiran Ayyagari <ka...@apache.org>.
On Fri, Jan 23, 2015 at 6:13 AM, Kiran Ayyagari <ka...@apache.org>
wrote:

>
>
> On Thu, Jan 22, 2015 at 11:04 PM, David Paulsen <da...@kewill.com>
> wrote:
>
>> > > > > Is there any way around requiring a restart of the server to have
>> > > > > password policy settings take effect? This would be a major issue
>> > > for us.
>> > > > >
>> > > > not yet, I have been sitting on this idea for far too long, but the
>> > > effort stopped midway.
>> > > > >
>> > > Is there a way to formally request the enhancement to not require a
>> > >
>> > there was one filed a while ago
>> > https://issues.apache.org/jira/browse/DIRSERVER-1809
>> >
>> > > restart, or is it already on your radar and you'll get to it when you
>> > > can? We are very eager to get this capability added.
>> > >
>> >
>> Thanks Kiran, is there anything I can do to expedite this? We really need
>> it. In the enhancement it suggests adding a method that would refresh the
>> running policies in memory could be an easier interim solution - could
>> that
>> be done sooner?
>>
> will see if I can get this done this weekend, let you know on this thread
>
> I have just added this feature in trunk (http://svn.apache.org/r1654657)

>
>
> --
> Kiran Ayyagari
> http://keydap.com
>



-- 
Kiran Ayyagari
http://keydap.com

Re: Password Policy attribute pwdMinAge not working?

Posted by Kiran Ayyagari <ka...@apache.org>.
On Thu, Jan 22, 2015 at 11:04 PM, David Paulsen <da...@kewill.com>
wrote:

> > > > > Is there any way around requiring a restart of the server to have
> > > > > password policy settings take effect? This would be a major issue
> > > for us.
> > > > >
> > > > not yet, I have been sitting on this idea for far too long, but the
> > > effort stopped midway.
> > > > >
> > > Is there a way to formally request the enhancement to not require a
> > >
> > there was one filed a while ago
> > https://issues.apache.org/jira/browse/DIRSERVER-1809
> >
> > > restart, or is it already on your radar and you'll get to it when you
> > > can? We are very eager to get this capability added.
> > >
> >
> Thanks Kiran, is there anything I can do to expedite this? We really need
> it. In the enhancement it suggests adding a method that would refresh the
> running policies in memory could be an easier interim solution - could that
> be done sooner?
>
will see if I can get this done this weekend, let you know on this thread



-- 
Kiran Ayyagari
http://keydap.com

Re: Password Policy attribute pwdMinAge not working?

Posted by David Paulsen <da...@kewill.com>.
> > > > Is there any way around requiring a restart of the server to have
> > > > password policy settings take effect? This would be a major issue
> > for us.
> > > >
> > > not yet, I have been sitting on this idea for far too long, but the
> > effort stopped midway.
> > > >
> > Is there a way to formally request the enhancement to not require a
> >
> there was one filed a while ago
> https://issues.apache.org/jira/browse/DIRSERVER-1809
> 
> > restart, or is it already on your radar and you'll get to it when you
> > can? We are very eager to get this capability added.
> >
>
Thanks Kiran, is there anything I can do to expedite this? We really need 
it. In the enhancement it suggests adding a method that would refresh the 
running policies in memory could be an easier interim solution - could that 
be done sooner?



Re: Password Policy attribute pwdMinAge not working?

Posted by Kiran Ayyagari <ka...@apache.org>.
On Thu, Jan 22, 2015 at 4:44 AM, David Paulsen <da...@kewill.com>
wrote:

> > > Hi Kiran, it's working now. What happened is that in my password policy,
> > > I had changed ads-pwdallowuserchange=TRUE, but I hadn't restarted the
> > > LDAP server, and apparently password policy changes don't take effect
> > > until the server is restarted.
> > >
> > ah!
> >
> > >
> > > Once I restarted, I could change the password when connected as the user
> > > I'm changing the password for. And, if I attempt to change the password
> > > before the pwdMinAge expires, I get a code = 19 "password is too young
> > > to update" error as expected. All good.
> > >
> > > Is there any way around requiring a restart of the server to have
> > > password policy settings take effect? This would be a major issue for us
> > >
> > not yet, I have been sitting on this idea for far too long, but the effort
> > stopped midway
> >
> > > because we create/change password policy configurations often (we
> > > maintain password policies per customer).
> > >
> > >
> > Thank you for your help!
> > >
> > >
> > >
> > >
> >
> Is there a way to formally request the enhancement to not require a
>
there was one filed a while ago
https://issues.apache.org/jira/browse/DIRSERVER-1809

> restart, or is it already on your radar and you'll get to it when you
> can? We are very eager to get this capability added.
>




-- 
Kiran Ayyagari
http://keydap.com

Re: Password Policy attribute pwdMinAge not working?

Posted by David Paulsen <da...@kewill.com>.
> > Hi Kiran, it's working now. What happened is that in my password policy,
> > I had changed ads-pwdallowuserchange=TRUE, but I hadn't restarted the
> > LDAP server, and apparently password policy changes don't take effect
> > until the server is restarted.
> >
> ah!
> 
> >
> > Once I restarted, I could change the password when connected as the user
> > I'm changing the password for. And, if I attempt to change the password
> > before the pwdMinAge expires, I get a code = 19 "password is too young
> > to update" error as expected. All good.
> >
> > Is there any way around requiring a restart of the server to have
> > password policy settings take effect? This would be a major issue for us
> >
> not yet, I have been sitting on this idea for far too long, but the effort
> stopped midway
> 
> > because we create/change password policy configurations often (we
> > maintain password policies per customer).
> >
> >
> Thank you for your help!
> >
> >
> >
> >
> 
Is there a way to formally request the enhancement to not require a 
restart, or is it already on your radar and you'll get to it when you 
can? We are very eager to get this capability added.




Re: Password Policy attribute pwdMinAge not working?

Posted by Kiran Ayyagari <ka...@apache.org>.
On Wed, Jan 21, 2015 at 11:41 PM, David Paulsen <da...@kewill.com>
wrote:

> Kiran Ayyagari <ka...@...> writes:
>
> >
> > On Wed, Jan 21, 2015 at 8:26 AM, David Paulsen <da...@...>
> > wrote:
> >
> > > > > Thanks, Kiran. I was using the admin account to change the password.
> > > > > But, when I attempted to use the user account for which I'm changing the
> > > > > password (instead of the admin account), I get an
> > > > > INSUFFICIENT_ACCESS_RIGHTS error:
> > > > >
> > > > > LDAPException: Insufficient Access Rights (50) Insufficient Access
> > > > > Rights
> > > > >
> > > > are there any ACIs affecting the below mentioned entry?
> > > >
> > > > > LDAPException: Server Message: INSUFFICIENT_ACCESS_RIGHTS: failed for
> > > > > MessageType : MODIFY_REQUEST
> > > > > Message ID : 111
> > > > >     Modify Request
> > > > >         Object : 'uid=jguinn,ou=8300,ou=DVHead,dc=kewilltransport,dc=com
> > > > > '
> > > > >             Modification[0]
> > > > >                 Operation :  replace
> > > > >                 Modification
> > > > > userPassword: 0x48 0x69 0x54 0x68 0x65 0x72 0x65 0x32
> > > > > org.apache.directory.api.ldap.model.message.ModifyRequestImpl@8ede0d34:
> > > > > null
> > > > > LDAPException: Matched DN:
> > > > >
> > > > >
> > > > >
> > > > >
> > > >
> > > Not that I know of. I did not specifically configure any ACIs for
> > > uid=jguinn,ou=8300,ou=DVHead,dc=kewilltransport,dc=com. Is there a way I
> > > can check for that? I would think that by default a user logged in to
> > >
> > see if the parent/root entry has any ACI applied
> >
> > > LDAP as themselves would be able to change their password, correct?
> > >
> > >  yes
> >
> Hi Kiran, it's working now. What happened is that in my password policy,
> I had changed ads-pwdallowuserchange=TRUE, but I hadn't restarted the
> LDAP server, and apparently password policy changes don't take effect
> until the server is restarted.
>
ah!

>
> Once I restarted, I could change the password when connected as the user
> I'm changing the password for. And, if I attempt to change the password
> before the pwdMinAge expires, I get a code = 19 "password is too young
> to update" error as expected. All good.
>
> Is there any way around requiring a restart of the server to have
> password policy settings take effect? This would be a major issue for us
>
not yet, I have been sitting on this idea for far too long, but the effort
stopped midway

> because we create/change password policy configurations often (we
> maintain password policies per customer).
>
>
Thank you for your help!
>
>
>
>


-- 
Kiran Ayyagari
http://keydap.com

Re: Password Policy attribute pwdMinAge not working?

Posted by David Paulsen <da...@kewill.com>.
Kiran Ayyagari <ka...@...> writes:

> 
> On Wed, Jan 21, 2015 at 8:26 AM, David Paulsen <da...@...>
> wrote:
> 
> > > > Thanks, Kiran. I was using the admin account to change the password.
> > > > But, when I attempted to use the user account for which I'm changing the
> > > > password (instead of the admin account), I get an
> > > > INSUFFICIENT_ACCESS_RIGHTS error:
> > > >
> > > > LDAPException: Insufficient Access Rights (50) Insufficient Access
> > > > Rights
> > > >
> > > are there any ACIs affecting the below mentioned entry?
> > >
> > > > LDAPException: Server Message: INSUFFICIENT_ACCESS_RIGHTS: failed for
> > > > MessageType : MODIFY_REQUEST
> > > > Message ID : 111
> > > >     Modify Request
> > > >         Object : 'uid=jguinn,ou=8300,ou=DVHead,dc=kewilltransport,dc=com
> > > > '
> > > >             Modification[0]
> > > >                 Operation :  replace
> > > >                 Modification
> > > > userPassword: 0x48 0x69 0x54 0x68 0x65 0x72 0x65 0x32
> > > > org.apache.directory.api.ldap.model.message.ModifyRequestImpl@8ede0d34:
> > > > null
> > > > LDAPException: Matched DN:
> > > >
> > > >
> > > >
> > > >
> > >
> > Not that I know of. I did not specifically configure any ACIs for
> > uid=jguinn,ou=8300,ou=DVHead,dc=kewilltransport,dc=com. Is there a way I
> > can check for that? I would think that by default a user logged in to
> >
> see if the parent/root entry has any ACI applied
> 
> > LDAP as themselves would be able to change their password, correct?
> >
> >  yes
> 
Hi Kiran, it's working now. What happened is that in my password policy, 
I had changed ads-pwdallowuserchange=TRUE, but I hadn't restarted the 
LDAP server, and apparently password policy changes don't take effect 
until the server is restarted.

Once I restarted, I could change the password when connected as the user 
I'm changing the password for. And, if I attempt to change the password 
before the pwdMinAge expires, I get a code = 19 "password is too young 
to update" error as expected. All good.

Is there any way around requiring a restart of the server to have 
password policy settings take effect? This would be a major issue for us 
because we create/change password policy configurations often (we 
maintain password policies per customer).

Thank you for your help!
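
The behaviour worked out in this thread, as an added example that is not part of the original messages and is not ApacheDS code: a small Python model of which LDAP result code a password change returns. The class and function names, the sample DNs, and the choice to record the change time on admin updates are assumptions of the model.

```python
from dataclasses import dataclass, replace

SUCCESS = 0
CONSTRAINT_VIOLATION = 19        # reported as "password is too young to update"
INSUFFICIENT_ACCESS_RIGHTS = 50

ADMIN_DN = "uid=admin,ou=system"  # assumed admin DN for this model


@dataclass(frozen=True)
class PasswordPolicy:
    pwd_min_age: int = 0                  # seconds between allowed changes
    pwd_allow_user_change: bool = True


class ModelServer:
    """Toy model: the policy is read from configuration only at (re)start."""

    def __init__(self, policy):
        self.config_policy = policy       # what is stored in the configuration
        self.active_policy = policy       # what the running server enforces
        self.pwd_changed_time = {}        # DN -> time of last change (seconds)

    def edit_policy(self, **changes):
        # Only the stored configuration changes; the running copy stays stale.
        self.config_policy = replace(self.config_policy, **changes)

    def restart(self):
        self.active_policy = self.config_policy

    def change_password(self, bind_dn, target_dn, now):
        if bind_dn != ADMIN_DN:
            policy = self.active_policy
            # No ACIs are modelled: a non-admin may only change its own entry.
            if bind_dn != target_dn or not policy.pwd_allow_user_change:
                return INSUFFICIENT_ACCESS_RIGHTS
            last = self.pwd_changed_time.get(target_dn)
            if last is not None and now - last < policy.pwd_min_age:
                return CONSTRAINT_VIOLATION
        # Admin updates skip the policy checks entirely.
        # Assumption: every successful change records the change time.
        self.pwd_changed_time[target_dn] = now
        return SUCCESS


def demo():
    user = "uid=user1,dc=example,dc=com"  # constructed DN
    srv = ModelServer(PasswordPolicy(pwd_min_age=86400,
                                     pwd_allow_user_change=False))
    results = []
    # Admin changes twice in a row: pwdMinAge is not applied.
    results.append(srv.change_password(ADMIN_DN, user, now=0))
    results.append(srv.change_password(ADMIN_DN, user, now=1))
    # User changes own password while user change is disallowed.
    results.append(srv.change_password(user, user, now=100_000))
    # Policy edited but server not restarted: running copy is unchanged.
    srv.edit_policy(pwd_allow_user_change=True)
    results.append(srv.change_password(user, user, now=100_001))
    # After restart the edit takes effect and pwdMinAge is enforced.
    srv.restart()
    results.append(srv.change_password(user, user, now=100_002))
    results.append(srv.change_password(user, user, now=100_003))
    results.append(srv.change_password(user, user, now=100_002 + 86_400))
    return results


if __name__ == "__main__":
    print(demo())
```
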




Re: Password Policy attribute pwdMinAge not working?

Posted by Kiran Ayyagari <ka...@apache.org>.
On Wed, Jan 21, 2015 at 8:26 AM, David Paulsen <da...@kewill.com>
wrote:

> > > Thanks, Kiran. I was using the admin account to change the password.
> > > But, when I attempted to use the user account for which I'm changing the
> > > password (instead of the admin account), I get an
> > > INSUFFICIENT_ACCESS_RIGHTS error:
> > >
> > > LDAPException: Insufficient Access Rights (50) Insufficient Access
> > > Rights
> > >
> > are there any ACIs affecting the below mentioned entry?
> >
> > > LDAPException: Server Message: INSUFFICIENT_ACCESS_RIGHTS: failed for
> > > MessageType : MODIFY_REQUEST
> > > Message ID : 111
> > >     Modify Request
> > >         Object : 'uid=jguinn,ou=8300,ou=DVHead,dc=kewilltransport,dc=com
> > > '
> > >             Modification[0]
> > >                 Operation :  replace
> > >                 Modification
> > > userPassword: 0x48 0x69 0x54 0x68 0x65 0x72 0x65 0x32
> > > org.apache.directory.api.ldap.model.message.ModifyRequestImpl@8ede0d34:
> > > null
> > > LDAPException: Matched DN:
> > >
> > >
> > >
> > >
> >
> Not that I know of. I did not specifically configure any ACIs for
> uid=jguinn,ou=8300,ou=DVHead,dc=kewilltransport,dc=com. Is there a way I
> can check for that? I would think that by default a user logged in to
>
see if the parent/root entry has any ACI applied

> LDAP as themselves would be able to change their password, correct?
>
>  yes



-- 
Kiran Ayyagari
http://keydap.com

Re: Password Policy attribute pwdMinAge not working?

Posted by David Paulsen <da...@kewill.com>.
> > Thanks, Kiran. I was using the admin account to change the password.
> > But, when I attempted to use the user account for which I'm changing the
> > password (instead of the admin account), I get an
> > INSUFFICIENT_ACCESS_RIGHTS error:
> >
> > LDAPException: Insufficient Access Rights (50) Insufficient Access
> > Rights
> >
> are there any ACIs affecting the below mentioned entry?
> 
> > LDAPException: Server Message: INSUFFICIENT_ACCESS_RIGHTS: failed for
> > MessageType : MODIFY_REQUEST
> > Message ID : 111
> >     Modify Request
> >         Object : 'uid=jguinn,ou=8300,ou=DVHead,dc=kewilltransport,dc=com
> > '
> >             Modification[0]
> >                 Operation :  replace
> >                 Modification
> > userPassword: 0x48 0x69 0x54 0x68 0x65 0x72 0x65 0x32
> > org.apache.directory.api.ldap.model.message.ModifyRequestImpl@8ede0d34:
> > null
> > LDAPException: Matched DN:
> >
> >
> >
> >
> 
Not that I know of. I did not specifically configure any ACIs for 
uid=jguinn,ou=8300,ou=DVHead,dc=kewilltransport,dc=com. Is there a way I 
can check for that? I would think that by default a user logged in to 
LDAP as themselves would be able to change their password, correct?



Re: Password Policy attribute pwdMinAge not working?

Posted by Kiran Ayyagari <ka...@apache.org>.
On Wed, Jan 21, 2015 at 6:15 AM, David Paulsen <da...@kewill.com>
wrote:

> Kiran Ayyagari <ka...@...> writes:
>
> >
> > On Fri, Jan 16, 2015 at 4:16 AM, David Paulsen <da...@...>
> > wrote:
> >
> > > I set the pwdMinAge in my Password Policy to 86400 (1 day in seconds) but
> > > it doesn't seem to be working. I am able to change the password, and then
> > > change it again immediately after that. My understanding is that I should
> > > have to wait a day before I can change it again. Is that correct?
> > >
> > you must have tried to change as admin, password policies are not applied
> > when an admin user
> > updates passwords, make sure you are not changing as an admin.
> >
> > > I am using ApacheDS version 2.0.0-M19.
> > >
> > > Thanks!
> > >
> > >
> >
> Thanks, Kiran. I was using the admin account to change the password.
> But, when I attempted to use the user account for which I'm changing the
> password (instead of the admin account), I get an
> INSUFFICIENT_ACCESS_RIGHTS error:
>
> LDAPException: Insufficient Access Rights (50) Insufficient Access
> Rights
>
are there any ACIs affecting the below mentioned entry?

> LDAPException: Server Message: INSUFFICIENT_ACCESS_RIGHTS: failed for
> MessageType : MODIFY_REQUEST
> Message ID : 111
>     Modify Request
>         Object : 'uid=jguinn,ou=8300,ou=DVHead,dc=kewilltransport,dc=com
> '
>             Modification[0]
>                 Operation :  replace
>                 Modification
> userPassword: 0x48 0x69 0x54 0x68 0x65 0x72 0x65 0x32
> org.apache.directory.api.ldap.model.message.ModifyRequestImpl@8ede0d34:
> null
> LDAPException: Matched DN:
>
>
>
>


-- 
Kiran Ayyagari
http://keydap.com

Re: Password Policy attribute pwdMinAge not working?

Posted by David Paulsen <da...@kewill.com>.
Kiran Ayyagari <ka...@...> writes:

> 
> On Fri, Jan 16, 2015 at 4:16 AM, David Paulsen <da...@...>
> wrote:
> 
> > I set the pwdMinAge in my Password Policy to 86400 (1 day in seconds) but
> > it doesn't seem to be working. I am able to change the password, and then
> > change it again immediately after that. My understanding is that I should
> > have to wait a day before I can change it again. Is that correct?
> >
> you must have tried to change as admin, password policies are not applied
> when an admin user
> updates passwords, make sure you are not changing as an admin.
> 
> > I am using ApacheDS version 2.0.0-M19.
> >
> > Thanks!
> >
> >
> 
Thanks, Kiran. I was using the admin account to change the password. 
But, when I attempted to use the user account for which I'm changing the 
password (instead of the admin account), I get an 
INSUFFICIENT_ACCESS_RIGHTS error:

LDAPException: Insufficient Access Rights (50) Insufficient Access 
Rights
LDAPException: Server Message: INSUFFICIENT_ACCESS_RIGHTS: failed for 
MessageType : MODIFY_REQUEST
Message ID : 111
    Modify Request
        Object : 'uid=jguinn,ou=8300,ou=DVHead,dc=kewilltransport,dc=com 
'
            Modification[0]
                Operation :  replace
                Modification
userPassword: 0x48 0x69 0x54 0x68 0x65 0x72 0x65 0x32 
org.apache.directory.api.ldap.model.message.ModifyRequestImpl@8ede0d34: 
null
LDAPException: Matched DN: 




Re: Password Policy attribute pwdMinAge not working?

Posted by Kiran Ayyagari <ka...@apache.org>.
On Fri, Jan 16, 2015 at 4:16 AM, David Paulsen <da...@kewill.com>
wrote:

> I set the pwdMinAge in my Password Policy to 86400 (1 day in seconds) but
> it doesn't seem to be working. I am able to change the password, and then
> change it again immediately after that. My understanding is that I should
> have to wait a day before I can change it again. Is that correct?
>
you must have tried to change as admin, password policies are not applied
when an admin user
updates passwords, make sure you are not changing as an admin.


> I am using ApacheDS version 2.0.0-M19.
>
> Thanks!
>
>


-- 
Kiran Ayyagari
http://keydap.com