Posted to dev@directory.apache.org by Maiorano Pasquale <pa...@leonardocompany.com> on 2017/04/03 08:03:43 UTC

R: Password policy retrieving problem

But the release of the LDAP API is 1.0, not 2.0. Is that correct?
Regards,
Pasquale


The contents of this email message and any attachments are intended solely for the addressee(s) and contain confidential and/or privileged information.
If you are not the intended recipient of this message, or if this message has been addressed to you in error, please immediately notify the sender and then delete this message and any attachments from your system. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited. Unauthorized disclosure and/or use of information contained in this email message may result in civil and criminal liability.
This e-mail has legal value according to the applicable laws only if it is digitally signed by the sender
-----Original Message-----
From: Emmanuel Lécharny [mailto:elecharny@gmail.com]
Sent: Friday, 31 March 2017 17:48
To: Apache Directory Developers List
Subject: Re: Password policy retrieving problem

On 31/03/2017 at 13:23, Maiorano Pasquale wrote:
> Dear Sirs,
>
> I am using the UnboundID library to connect to ApacheDS.

I suggest you switch to the Apache LDAP API (http://directory.apache.org/api/). It's the one we are developing, it comes with a full AL 2.0 license, and there is no such thing as a "commercial edition".

> I am trying to retrieve the password policy. Unfortunately I am able to retrieve neither the time remaining until the password expiration nor the grace attempts remaining after the password expiration.

Those pieces of information are operational attributes that need to be requested by name (or by using the meta '+' attribute in your search request).

Now, not having your code, it's hard to tell what's wrong with your request. We would also need to know about your configuration (and, no, sending an image will not work, as attachments are automatically removed from mails sent to Apache, to avoid being polluted by malware).



> I am able to catch both the alarm related to the account locked and the password expired.
> Have you got any ideas related to the flag that I have to set in the password policy?

Send us a copy of the passwordPolicy configuration in a LDIF format.

Thanks !

--

Emmanuel Lecharny

Symas.com
directory.apache.org


Re: R: Password policy retrieving problem

Posted by Emmanuel Lécharny <el...@gmail.com>.

On 03/04/2017 at 10:03, Maiorano Pasquale wrote:
> But the release of the LDAP API is 1.0, not 2.0. Is that correct?
Correct.
We have different versions :
LDAP API : 1.0.0-RC2
ApacheDS : 2.0.0-M23
Studio : 2.0.0-M12

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org


Re: R: R: Password policy retrieving problem

Posted by Emmanuel Lécharny <el...@gmail.com>.

On 03/04/2017 at 11:13, Maiorano Pasquale wrote:
> The environment that I am using is what you stated. Thanks very much. I'll keep you informed on my progress. I am going to switch to using LDAP API 1.0 on the client side. I am exploring the SW that you sent me as a link to test the psw policy, in order to re-use it.

Don't hesitate to ask if you face any issue !

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org


Re: R: R: R: Password policy retrieving problem

Posted by Emmanuel Lécharny <el...@gmail.com>.

On 03/04/2017 at 12:13, Maiorano Pasquale wrote:
> My needs are the following:
> I do not have to set the psw policy by code. I set them by means of the directory studio. The psw policy are overall, valid for any entry. If the client sw tries to connect a user with a psw, and if I have set the psw policy as stated in the annexed image, does the LDAP API raise an exception if, for instance, the psw is expired?

The thing is : users don't set PP, they are subject to it. What will
happen is that if an application is trying to bind on the LDAP server
with the user credentials, and if the user's password has expired, then
the bind will fail and a control will contain the cause of the failure.
It's now up to the application to deal with this failure and control.

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org
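
The control mentioned in the reply above carries the values asked about earlier in the thread (time before expiration, grace logins remaining) as well as the cause of a failed bind. The following is an added example, not code from the thread or from the Apache LDAP API: a stand-alone Java decoder for the password policy response control value as laid out in draft-behera-ldap-password-policy. The class name and sample bytes are constructed for illustration, and how the raw value is obtained depends on the client library.

```java
public class PpolicyResponseDecoder {
    // Error names for the response control (OID 1.3.6.1.4.1.42.2.27.8.5.1), in enum order.
    static final String[] ERRORS = {"passwordExpired", "accountLocked", "changeAfterReset",
        "passwordModNotAllowed", "mustSupplyOldPassword", "insufficientPasswordQuality",
        "passwordTooShort", "passwordTooYoung", "passwordInHistory"};

    /** Short-form BER length at pos; the value is a few bytes, so long form is rejected. */
    static int len(byte[] b, int pos) {
        int n = b[pos] & 0xFF;
        if (n >= 0x80) throw new IllegalArgumentException("unexpected long-form length");
        return n;
    }

    /** Big-endian two's-complement INTEGER/ENUMERATED of 1..4 bytes starting at pos. */
    static int integer(byte[] b, int pos, int n) {
        if (n < 1 || n > 4) throw new IllegalArgumentException("bad integer size");
        int v = b[pos]; // sign-extends the first byte
        for (int i = 1; i < n; i++) v = (v << 8) | (b[pos + i] & 0xFF);
        return v;
    }

    /** Decodes SEQUENCE { warning [0] CHOICE OPTIONAL, error [1] ENUMERATED OPTIONAL }. */
    static String decode(byte[] value) {
        if (value.length < 2 || value[0] != 0x30 || len(value, 1) != value.length - 2)
            throw new IllegalArgumentException("not a well-formed SEQUENCE");
        StringBuilder out = new StringBuilder();
        for (int pos = 2; pos < value.length; ) {
            if (pos + 2 > value.length) throw new IllegalArgumentException("truncated element");
            int tag = value[pos] & 0xFF, n = len(value, pos + 1), body = pos + 2;
            if (body + n > value.length) throw new IllegalArgumentException("truncated element");
            if (tag == 0xA0) { // warning: explicit tag wrapping the CHOICE
                if (n < 3 || len(value, body + 1) != n - 2) throw new IllegalArgumentException("bad warning");
                int choice = value[body] & 0xFF, v = integer(value, body + 2, n - 2);
                if (choice != 0x80 && choice != 0x81) throw new IllegalArgumentException("unknown warning");
                out.append(choice == 0x80 ? "timeBeforeExpiration=" : "graceAuthNsRemaining=").append(v).append(' ');
            } else if (tag == 0x81) { // error; any other tag is skipped
                int code = integer(value, body, n);
                out.append("error=").append(code >= 0 && code < ERRORS.length ? ERRORS[code] : "unknown");
            }
            pos = body + n;
        }
        return out.toString().trim();
    }

    public static void main(String[] args) {
        // Constructed sample values, not captured from a server.
        System.out.println(decode(new byte[] {0x30, 0x03, (byte) 0x81, 0x01, 0x00}));
        System.out.println(decode(new byte[] {0x30, 0x05, (byte) 0xA0, 0x03, (byte) 0x81, 0x01, 0x02}));
    }
}
```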


R: R: R: R: Password policy retrieving problem

Posted by Maiorano Pasquale <pa...@leonardocompany.com>.
I'm trying to install a TLS connection and I am finding the following exception:

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Below you can find the key installed in the cacerts keystore used by the JVM:

Nome alias: dem
Data di creazione: 3-apr-2017
Tipo di voce: trustedCertEntry

Proprietario: CN=localhost, OU=ApacheDS, O=ASF, C=US
Autorità emittente: CN=localhost, OU=ApacheDS, O=ASF, C=US
Numero di serie: 29e85549
Valido da: Mon Apr 03 16:59:52 CEST 2017 a: Wed Apr 03 16:59:52 CEST 2019
Impronte digitali certificato:
 MD5:  0D:56:E7:CF:68:6E:5D:5D:B2:CC:78:8C:E1:FA:DE:2A
 SHA1: 4E:BB:0D:3F:CC:EA:9F:89:70:79:A8:B9:8C:5A:98:E0:A9:8A:BB:E2
 SHA256: B0:45:C6:37:16:A4:79:7A:37:91:57:AE:DD:65:94:DE:BE:B0:05:AF:67:2F:DE:C6:60:00:73:34:7A:E5:58:A8
 Nome algoritmo firma: SHA256withRSA
 Versione: 3

Estensioni:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: E9 01 0A 4D 4C E6 2A B9   2D 27 14 5D 59 34 16 6B  ...ML.*.-'.]Y4.k
0010: A7 3A 0F 29                                        .:.)
]
]

Now you can find the key store used by ApacheDS from which I generated the previous key:

Tipo keystore: JKS
Provider keystore: SUN

Il keystore contiene 1 voce

Nome alias: dem
Data di creazione: 3-apr-2017
Tipo di voce: PrivateKeyEntry
Lunghezza catena certificati: 1
Certificato[1]:
Proprietario: CN=localhost, OU=ApacheDS, O=ASF, C=US
Autorità emittente: CN=localhost, OU=ApacheDS, O=ASF, C=US
Numero di serie: 29e85549
Valido da: Mon Apr 03 16:59:52 CEST 2017 a: Wed Apr 03 16:59:52 CEST 2019
Impronte digitali certificato:
 MD5:  0D:56:E7:CF:68:6E:5D:5D:B2:CC:78:8C:E1:FA:DE:2A
 SHA1: 4E:BB:0D:3F:CC:EA:9F:89:70:79:A8:B9:8C:5A:98:E0:A9:8A:BB:E2
 SHA256: B0:45:C6:37:16:A4:79:7A:37:91:57:AE:DD:65:94:DE:BE:B0:05:AF:67:2F:DE:C6:60:00:73:34:7A:E5:58:A8
 Nome algoritmo firma: SHA256withRSA
 Versione: 3

Estensioni:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: E9 01 0A 4D 4C E6 2A B9   2D 27 14 5D 59 34 16 6B  ...ML.*.-'.]Y4.k
0010: A7 3A 0F 29                                        .:.)
]
]

Can you help me to understand why my client application does not work?
It fails when it tries to negotiate.

In the following you can find the code where the SW fails:
tls = (StartTlsResponse) context.extendedOperation(new StartTlsRequest());
SSLSession sess = tls.negotiate();

Any advice will be appreciated.
Regards
Pasquale
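
An added example, not part of the original message: one way to make the trust decision explicit is to hand StartTLS a socket factory built from a dedicated trust store, so the result does not depend on which cacerts file the running JVM actually loads. The URL, trust store path and password below are assumptions to adapt; the trust store is expected to contain the ApacheDS certificate shown above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManagerFactory;

public class StartTlsWithExplicitTrust {
    public static void main(String[] args) throws Exception {
        // Assumed values: adjust to your deployment.
        String url = "ldap://localhost:10389";
        String trustStorePath = "apacheds-trust.jks";
        char[] trustStorePassword = "changeit".toCharArray();

        // Load only the certificates this client should accept.
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, tmf.getTrustManagers(), null);

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        LdapContext context = new InitialLdapContext(env, null);
        StartTlsResponse tls = null;
        try {
            tls = (StartTlsResponse) context.extendedOperation(new StartTlsRequest());
            // Certificate path and host name are still verified, against the store loaded above.
            SSLSession session = tls.negotiate(sslContext.getSocketFactory());
            System.out.println(session.getProtocol() + " peer=" + session.getPeerPrincipal());
        } finally {
            if (tls != null) tls.close();
            context.close();
        }
    }
}
```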




R: R: R: Password policy retrieving problem

Posted by Maiorano Pasquale <pa...@leonardocompany.com>.
My needs are the following:
I do not have to set the psw policy by code. I set them by means of the directory studio. The psw policy are overall, valid for any entry. If the client sw tries to connect a user with a psw, and if I have set the psw policy as stated in the annexed image, does the LDAP API raise an exception if, for instance, the psw is expired?




R: R: Password policy retrieving problem

Posted by Maiorano Pasquale <pa...@leonardocompany.com>.
The environment that I am using is what you stated. Thanks very much. I'll keep you informed on my progress. I am going to switch to using LDAP API 1.0 on the client side. I am exploring the SW that you sent me as a link to test the psw policy, in order to re-use it.
Regards,
Pasquale

