You are viewing a plain text version of this content. The canonical link for it is here.
Posted to fortress@directory.apache.org by "David Erie (US)" <Da...@datapath.com> on 2017/06/01 15:57:53 UTC
Using REST API to get user's locked and reset states
Hello,
We're evaluating Fortress with ApacheDS, and I'm trying to get a user's account status (locked and reset, specifically) via the REST API for a user whose account is locked and whose password has been reset.
What I get back is this:
<entity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="user">
...
<userId>dave</userId>
<locked>false</locked>
<reset>false</reset>
...
</entity>
How can I tell that a user's account has been locked or reset when these Boolean properties don't seem to contain the correct information?
Thank you,
Dave
Re: Using REST API to get user's locked and reset states
Posted by Shawn McKinney <sm...@apache.org>.
Need to change core to support pw policies in apacheds formally. Ticket open:
https://issues.apache.org/jira/browse/FC-211
Shawn
> On Jun 8, 2017, at 11:25 AM, Shawn McKinney <sm...@apache.org> wrote:
>
> I finally got around to trying this myself. Changing the ldap.server.type prop as described means fortress will process the pw policy ops. I was able to verify on a test against apacheds, new response pasted below. I noticed before that you don’t have the pwpolicy attribute set on your user which means the default policy for the server will be enforced.
>
> Let me know if you have any more questions.
>
>
> <FortResponse>
> <errorCode>0</errorCode>
> <entity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="user">
> <modId>18e5955f-90cf-420a-8580-fc47be245f0a</modId>
> <sequenceId>0</sequenceId>
> <userId>foo1</userId>
> <description>foo fighters 1</description>
> <name>foo1 fighters</name>
> <internalId>d301b72a-916f-4419-94a4-df24fc8ac7ad</internalId>
> <ou>dev1</ou>
> <pwPolicy>cn=test1</pwPolicy>
> <sn>fighters</sn>
> <cn>foo1 fighters</cn>
> <dn>uid=foo1,ou=People,dc=example,dc=com</dn>
> <address/>
> <props>
> <modId>8e4f30a3-d452-4fc0-9ac6-fd73b298990f</modId>
> <sequenceId>0</sequenceId>
> <entry>
> <key>initAttrArrays</key>
> <value/>
> </entry>
> </props>
> <locked>true</locked>
> <reset>true</reset>
> <timeout>0</timeout>
> </entity>
> </FortResponse>
>
> Shawn
>
>> On Jun 5, 2017, at 9:56 PM, Shawn McKinney <sm...@apache.org> wrote:
>>
>> Hey Brian,
>>
>> can you add/replace with this fortress.properties:
>>
>> ldap.server.type=openldap
>>
>> and tell me what happens. Normally I'd try it myself first but am sort of busy right now. Will have more time in a couple of days.
>>
>> Thanks,
>> Shawn
>>
>>> On Jun 5, 2017, at 8:41 AM, Brian Brooks (US) <Br...@datapath.com> wrote:
>>>
>>> Good Morning Shawn,
>>>
>>>> How did you enable pw policies in apacheds, can you point me to the setup instructions you used?
>>>
>>> We just setup a vanilla install of ApacheDS on a Windows 10 virtual machine using apacheds-2.0.0-M23.exe downloaded from
>>>
>>> http://directory.apache.org/apacheds/download/download-windows.html
>>>
>>> The ApacheDS instances is configured with default settings which includes enabling a default password policy.
>>>
>>> http://directory.apache.org/apacheds/advanced-ug/4.3-password-policy.html
>>>
>>> Dave setup the ApacheDS, when he gets back in the office I can confirm whether he customized anything.
>>>
>>> Here's an LDIF export of
>>>
>>> * ou=config
>>> * ads-directoryServiceId=<default>
>>> * ou=interceptors
>>> * ads-interceptorId=authenticationInterceptor
>>> * ou=passwordPolicies
>>>
>>> from our ApacheDS installation of
>>>
>>>
>>> dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationIn
>>> terceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>>> objectclass: ads-passwordPolicy
>>> objectclass: ads-base
>>> objectclass: top
>>> ads-pwdattribute: userPassword
>>> ads-pwdid: default
>>> ads-enabled: TRUE
>>> ads-pwdallowuserchange: TRUE
>>> ads-pwdcheckquality: 1
>>> ads-pwdexpirewarning: 600
>>> ads-pwdfailurecountinterval: 30
>>> ads-pwdgraceauthnlimit: 5
>>> ads-pwdgraceexpire: 0
>>> ads-pwdinhistory: 5
>>> ads-pwdlockout: TRUE
>>> ads-pwdlockoutduration: 0
>>> ads-pwdmaxage: 0
>>> ads-pwdmaxdelay: 0
>>> ads-pwdmaxfailure: 5
>>> ads-pwdmaxidle: 0
>>> ads-pwdmaxlength: 0
>>> ads-pwdminage: 0
>>> ads-pwdmindelay: 0
>>> ads-pwdminlength: 5
>>> ads-pwdmustchange: FALSE
>>> ads-pwdsafemodify: FALSE
>>> ads-pwdvalidator: org.apache.directory.server.core.api.authn.ppolicy.Default
>>> PasswordValidator
>>> createtimestamp: 20170523201006.896Z
>>> creatorsname: uid=admin,ou=system
>>> entrycsn: 20170523201006.896000Z#000000#000#000000
>>> entryDN: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticat
>>> ionInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>>> entryParentId: 81135817-120c-4b89-81be-33f759cd5319
>>> entryuuid:: ZGYyYjI2OTctNzQ4OC00NzUzLWFiOGEtZWJhMmRhOTE1NmQ1
>>> nbChildren: 0
>>> nbSubordinates: 0
>>> subschemaSubentry: cn=schema
>>>
>>> Brian Brooks
>>> Sr Software Engineer
>>> brian.brooks@datapath.com
>>> Office: +1 678 252 4498
>>> 2205 Northmont Pkwy, STE 100
>>> Duluth, GA 30096
>>>
>>> -----Original Message-----
>>> From: Shawn McKinney [mailto:smckinney@apache.org]
>>> Sent: Monday, June 05, 2017 8:23 AM
>>> To: fortress@directory.apache.org
>>> Subject: Re: Using REST API to get user's locked and reset states
>>>
>>> Hi Brian,
>>>
>>> I’ll need to setup an apacheds instance locally that matches your config.
>>>
>>> How did you enable pw policies in apacheds, can you point me to the setup instructions you used?
>>>
>>> In the meantime, here is a response via enmasse of user who’s account is both locked and reset.
>>>
>>> The policy attributes are being populated. But again I’m using openldap, and need to run the exact same test with ads.
>>>
>>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <FortResponse> <errorCode>0</errorCode> <entity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="user">
>>> <modId>cb792bd1-c8fe-424f-a629-aad6c5572aa9</modId>
>>> <sequenceId>0</sequenceId>
>>> <userId>foo1</userId>
>>> <description>foo fighter</description>
>>> <name>foo1</name>
>>> <internalId>fdc4a7f3-62f7-47d4-aac4-bac4b7cdb551</internalId>
>>> <ou>dev1</ou>
>>> <pwPolicy>cn=test1</pwPolicy>
>>> <sn>fighter</sn>
>>> <cn>foo1</cn>
>>> <dn>uid=foo1,ou=People,dc=example,dc=com</dn>
>>> <address/>
>>> <props>
>>> <modId>fc416338-69bd-46df-8b00-e1fd6be7ed9c</modId>
>>> <sequenceId>0</sequenceId>
>>> <entry>
>>> <key>initAttrArrays</key>
>>> <value/>
>>> </entry>
>>> </props>
>>> <locked>true</locked>
>>> <reset>true</reset>
>>> <timeout>0</timeout>
>>> </entity>
>>> </FortResponse>
>>>
>>>
>>> Shawn
>>>
>>>
>>>
>>>
>>>
>>>> On Jun 2, 2017, at 3:39 PM, Brian Brooks (US) <Br...@datapath.com> wrote:
>>>>
>>>> Hi Shawn,
>>>>
>>>> Dave and I work together. He's on vacation for a couple days.
>>>>
>>>>> Can you export that corresponding user entry into ldif and post it here?
>>>>
>>>> Below is the dave user's entry exported to ldif (I omitted the jpegPhoto, userPassword, and the 5 pwdHistory attributes).
>>>>
>>>> I don't see the policy attribute even though fotress-commander seems to successfully commit the password policy assignment. For example, I just tried to change another user's password policy and tomcat recorded an HTTP 200 in it's access log. I don't see any obvious errors in the tomcat stdout/stderr/catalina logs.
>>>>
>>>> 10.1.122.55 - test [02/Jun/2017:16:26:34 -0400] "POST
>>>> /fortress-web/wicket/bookmarkable/org.apache.directory.fortress.web.Us
>>>> erPage?2-1.IBehaviorListener.0-layout-userdetailpanel-editFields-commi
>>>> t&wicket-ajax=true&wicket-ajax-baseurl=wicket%2Fbookmarkable%2Forg.apa
>>>> che.directory.fortress.web.UserPage%3F2 HTTP/1.1" 200 261634
>>>>
>>>> dn: uid=dave,ou=People,dc=example,dc=com
>>>> objectClass: extensibleObject
>>>> objectClass: ftMods
>>>> objectClass: ftProperties
>>>> objectClass: ftUserAttrs
>>>> objectClass: organizationalPerson
>>>> objectClass: person
>>>> objectClass: inetOrgPerson
>>>> objectClass: top
>>>> cn: dave
>>>> ftId: 8f35b947-6db5-4e4f-a73a-98b448b15874
>>>> sn: dave
>>>> displayName: dave
>>>> ftCstr: dave$0$$$$$$$
>>>> ftModCode: AdminMgrImpl.resetPassword
>>>> ftModId: e351aa19-aded-4a92-ab3b-725c5c75ec9b
>>>> ftModifier: 70e12de5-cbf5-4152-b98a-89d185667bda
>>>> ftProps: initAttrArrays:
>>>> ftRA: fortress-rest-super-user
>>>> ftRC: fortress-rest-super-user$0$$$$$$$
>>>> ftSystem: FALSE
>>>> ou: dev0
>>>> uid: dave
>>>> createTimestamp: 20170531211627.651Z
>>>> creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
>>>> entryCSN: 20170601195338.392000Z#000000#001#000000
>>>> entryDN: uid=dave,ou=People,dc=example,dc=com
>>>> entryParentId: a59bdb1e-b9eb-40c1-acbc-6be60ee64b42
>>>> entryUUID:: M2MyNzc0YTctNWQzMy00ODdlLTk1ZWItMjZhNWNmMTJiYTkz
>>>> modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
>>>> modifyTimestamp: 20170601195338.057Z
>>>> nbChildren: 0
>>>> nbSubordinates: 0
>>>> pwdAccountLockedTime: 000001010000Z
>>>> pwdReset: TRUE
>>>> subschemaSubentry: cn=schema
>>>>
>>>>
>>>> Brian Brooks
>>>> Sr Software Engineer
>>>> brian.brooks@datapath.com
>>>> Office: +1 678 252 4498
>>>> 2205 Northmont Pkwy, STE 100
>>>> Duluth, GA 30096
>>>>
>>>> -----Original Message-----
>>>> From: Shawn McKinney [mailto:smckinney@apache.org]
>>>> Sent: Thursday, June 01, 2017 6:12 PM
>>>> To: fortress@directory.apache.org
>>>> Subject: Re: Using REST API to get user's locked and reset states
>>>>
>>>> Welcome Dave,
>>>>
>>>> Can you export that corresponding user entry into ldif and post it here? We’ll need to see the operational attributes before trying to figure out where the problem is.
>>>>
>>>> For example, here’s an export I did of test user ‘foo1’. You can see that I’ve put that user’s account into both a locked and reset state (in openldap).
>>>>
>>>> You can also see this user’s password policy is ‘test1’.
>>>>
>>>> dn: uid=foo1,ou=People,dc=example,dc=com
>>>> objectClass: extensibleObject
>>>> objectClass: ftMods
>>>> objectClass: ftProperties
>>>> objectClass: ftUserAttrs
>>>> objectClass: inetOrgPerson
>>>> objectClass: top
>>>> cn: foo1
>>>> ftId: fdc4a7f3-62f7-47d4-aac4-bac4b7cdb551
>>>> sn: fighter
>>>> description: foo fighter
>>>> displayName: foo1
>>>> ftCstr: foo1$0$$$$$$$
>>>> ftProps: initAttrArrays:
>>>> ou: dev1
>>>> uid: foo1
>>>> userPassword:: e1NTSEF9UVQ0K21NdE5lYTBwckFRTC96QlQ2akZrK1ZESTIxd3E=
>>>> createTimestamp: 20170601212713Z
>>>> creatorsName: cn=Manager,dc=example,dc=com
>>>> entryCSN: 20170601213012.870902Z#000000#000#000000
>>>> entryDN: uid=foo1,ou=People,dc=example,dc=com
>>>> entryUUID:: ZDJlMDE3YjItZGI1Yy0xMDM2LThlMzMtNTkzZmZmYzA1ODU4
>>>> hasSubordinates: FALSE
>>>> modifiersName: cn=Manager,dc=example,dc=com
>>>> modifyTimestamp: 20170601213012Z
>>>> pwdAccountLockedTime: 000001010000Z
>>>> pwdChangedTime: 20170601212844Z
>>>> pwdHistory::
>>>> MjAxNzA2MDEyMTI4NDRaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzM
>>>> 4I3tTU0hBfXlSVm5jMjVUUThZN2libnVuVEpUR2VVY1pYeFBCdjFR
>>>> pwdPolicySubentry: cn=test1,ou=Policies,dc=example,dc=com
>>>> pwdReset: TRUE
>>>> structuralObjectClass: inetOrgPerson
>>>> subschemaSubentry: cn=Subschema
>>>>
>>>>
>>>>
>>>> thanks
>>>> Shawn
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>> On Jun 1, 2017, at 10:57 AM, David Erie (US) <Da...@datapath.com> wrote:
>>>>>
>>>>> Hello,
>>>>> We're evaluating Fortress with ApacheDS, and I'm trying to get a user's account status (locked and reset, specifically) via the REST API for a user whose account is locked and whose password has been reset.
>>>>>
>>>>> What I get back is this:
>>>>>
>>>>> <entity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>>> xsi:type="user"> ..
>>>>> <userId>dave</userId>
>>>>> <locked>false</locked>
>>>>> <reset>false</reset>
>>>>> ..
>>>>> </entity>
>>>>>
>>>>> How can I tell that a user's account has been locked or reset when these Boolean properties don't seem to contain the correct information?
>>>>>
>>>>> Thank you,
>>>>> Dave
>>>>
>>>
>>
>
Re: Using REST API to get user's locked and reset states
Posted by Shawn McKinney <sm...@apache.org>.
I finally got around to trying this myself. Changing the ldap.server.type prop as described means fortress will process the pw policy ops. I was able to verify on a test against apacheds, new response pasted below. I noticed before that you don’t have the pwpolicy attribute set on your user which means the default policy for the server will be enforced.
Let me know if you have any more questions.
<FortResponse>
<errorCode>0</errorCode>
<entity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="user">
<modId>18e5955f-90cf-420a-8580-fc47be245f0a</modId>
<sequenceId>0</sequenceId>
<userId>foo1</userId>
<description>foo fighters 1</description>
<name>foo1 fighters</name>
<internalId>d301b72a-916f-4419-94a4-df24fc8ac7ad</internalId>
<ou>dev1</ou>
<pwPolicy>cn=test1</pwPolicy>
<sn>fighters</sn>
<cn>foo1 fighters</cn>
<dn>uid=foo1,ou=People,dc=example,dc=com</dn>
<address/>
<props>
<modId>8e4f30a3-d452-4fc0-9ac6-fd73b298990f</modId>
<sequenceId>0</sequenceId>
<entry>
<key>initAttrArrays</key>
<value/>
</entry>
</props>
<locked>true</locked>
<reset>true</reset>
<timeout>0</timeout>
</entity>
</FortResponse>
Shawn
> On Jun 5, 2017, at 9:56 PM, Shawn McKinney <sm...@apache.org> wrote:
>
> Hey Brian,
>
> can you add/replace with this fortress.properties:
>
> ldap.server.type=openldap
>
> and tell me what happens. Normally I'd try it myself first but am sort of busy right now. Will have more time in a couple of days.
>
> Thanks,
> Shawn
>
>> On Jun 5, 2017, at 8:41 AM, Brian Brooks (US) <Br...@datapath.com> wrote:
>>
>> Good Morning Shawn,
>>
>>> How did you enable pw policies in apacheds, can you point me to the setup instructions you used?
>>
>> We just setup a vanilla install of ApacheDS on a Windows 10 virtual machine using apacheds-2.0.0-M23.exe downloaded from
>>
>> http://directory.apache.org/apacheds/download/download-windows.html
>>
>> The ApacheDS instances is configured with default settings which includes enabling a default password policy.
>>
>> http://directory.apache.org/apacheds/advanced-ug/4.3-password-policy.html
>>
>> Dave setup the ApacheDS, when he gets back in the office I can confirm whether he customized anything.
>>
>> Here's an LDIF export of
>>
>> * ou=config
>> * ads-directoryServiceId=<default>
>> * ou=interceptors
>> * ads-interceptorId=authenticationInterceptor
>> * ou=passwordPolicies
>>
>> from our ApacheDS installation of
>>
>>
>> dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationIn
>> terceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>> objectclass: ads-passwordPolicy
>> objectclass: ads-base
>> objectclass: top
>> ads-pwdattribute: userPassword
>> ads-pwdid: default
>> ads-enabled: TRUE
>> ads-pwdallowuserchange: TRUE
>> ads-pwdcheckquality: 1
>> ads-pwdexpirewarning: 600
>> ads-pwdfailurecountinterval: 30
>> ads-pwdgraceauthnlimit: 5
>> ads-pwdgraceexpire: 0
>> ads-pwdinhistory: 5
>> ads-pwdlockout: TRUE
>> ads-pwdlockoutduration: 0
>> ads-pwdmaxage: 0
>> ads-pwdmaxdelay: 0
>> ads-pwdmaxfailure: 5
>> ads-pwdmaxidle: 0
>> ads-pwdmaxlength: 0
>> ads-pwdminage: 0
>> ads-pwdmindelay: 0
>> ads-pwdminlength: 5
>> ads-pwdmustchange: FALSE
>> ads-pwdsafemodify: FALSE
>> ads-pwdvalidator: org.apache.directory.server.core.api.authn.ppolicy.Default
>> PasswordValidator
>> createtimestamp: 20170523201006.896Z
>> creatorsname: uid=admin,ou=system
>> entrycsn: 20170523201006.896000Z#000000#000#000000
>> entryDN: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticat
>> ionInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>> entryParentId: 81135817-120c-4b89-81be-33f759cd5319
>> entryuuid:: ZGYyYjI2OTctNzQ4OC00NzUzLWFiOGEtZWJhMmRhOTE1NmQ1
>> nbChildren: 0
>> nbSubordinates: 0
>> subschemaSubentry: cn=schema
>>
>> Brian Brooks
>> Sr Software Engineer
>> brian.brooks@datapath.com
>> Office: +1 678 252 4498
>> 2205 Northmont Pkwy, STE 100
>> Duluth, GA 30096
>>
>> -----Original Message-----
>> From: Shawn McKinney [mailto:smckinney@apache.org]
>> Sent: Monday, June 05, 2017 8:23 AM
>> To: fortress@directory.apache.org
>> Subject: Re: Using REST API to get user's locked and reset states
>>
>> Hi Brian,
>>
>> I’ll need to setup an apacheds instance locally that matches your config.
>>
>> How did you enable pw policies in apacheds, can you point me to the setup instructions you used?
>>
>> In the meantime, here is a response via enmasse of user who’s account is both locked and reset.
>>
>> The policy attributes are being populated. But again I’m using openldap, and need to run the exact same test with ads.
>>
>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <FortResponse> <errorCode>0</errorCode> <entity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="user">
>> <modId>cb792bd1-c8fe-424f-a629-aad6c5572aa9</modId>
>> <sequenceId>0</sequenceId>
>> <userId>foo1</userId>
>> <description>foo fighter</description>
>> <name>foo1</name>
>> <internalId>fdc4a7f3-62f7-47d4-aac4-bac4b7cdb551</internalId>
>> <ou>dev1</ou>
>> <pwPolicy>cn=test1</pwPolicy>
>> <sn>fighter</sn>
>> <cn>foo1</cn>
>> <dn>uid=foo1,ou=People,dc=example,dc=com</dn>
>> <address/>
>> <props>
>> <modId>fc416338-69bd-46df-8b00-e1fd6be7ed9c</modId>
>> <sequenceId>0</sequenceId>
>> <entry>
>> <key>initAttrArrays</key>
>> <value/>
>> </entry>
>> </props>
>> <locked>true</locked>
>> <reset>true</reset>
>> <timeout>0</timeout>
>> </entity>
>> </FortResponse>
>>
>>
>> Shawn
>>
>>
>>
>>
>>
>>> On Jun 2, 2017, at 3:39 PM, Brian Brooks (US) <Br...@datapath.com> wrote:
>>>
>>> Hi Shawn,
>>>
>>> Dave and I work together. He's on vacation for a couple days.
>>>
>>>> Can you export that corresponding user entry into ldif and post it here?
>>>
>>> Below is the dave user's entry exported to ldif (I omitted the jpegPhoto, userPassword, and the 5 pwdHistory attributes).
>>>
>>> I don't see the policy attribute even though fotress-commander seems to successfully commit the password policy assignment. For example, I just tried to change another user's password policy and tomcat recorded an HTTP 200 in it's access log. I don't see any obvious errors in the tomcat stdout/stderr/catalina logs.
>>>
>>> 10.1.122.55 - test [02/Jun/2017:16:26:34 -0400] "POST
>>> /fortress-web/wicket/bookmarkable/org.apache.directory.fortress.web.Us
>>> erPage?2-1.IBehaviorListener.0-layout-userdetailpanel-editFields-commi
>>> t&wicket-ajax=true&wicket-ajax-baseurl=wicket%2Fbookmarkable%2Forg.apa
>>> che.directory.fortress.web.UserPage%3F2 HTTP/1.1" 200 261634
>>>
>>> dn: uid=dave,ou=People,dc=example,dc=com
>>> objectClass: extensibleObject
>>> objectClass: ftMods
>>> objectClass: ftProperties
>>> objectClass: ftUserAttrs
>>> objectClass: organizationalPerson
>>> objectClass: person
>>> objectClass: inetOrgPerson
>>> objectClass: top
>>> cn: dave
>>> ftId: 8f35b947-6db5-4e4f-a73a-98b448b15874
>>> sn: dave
>>> displayName: dave
>>> ftCstr: dave$0$$$$$$$
>>> ftModCode: AdminMgrImpl.resetPassword
>>> ftModId: e351aa19-aded-4a92-ab3b-725c5c75ec9b
>>> ftModifier: 70e12de5-cbf5-4152-b98a-89d185667bda
>>> ftProps: initAttrArrays:
>>> ftRA: fortress-rest-super-user
>>> ftRC: fortress-rest-super-user$0$$$$$$$
>>> ftSystem: FALSE
>>> ou: dev0
>>> uid: dave
>>> createTimestamp: 20170531211627.651Z
>>> creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
>>> entryCSN: 20170601195338.392000Z#000000#001#000000
>>> entryDN: uid=dave,ou=People,dc=example,dc=com
>>> entryParentId: a59bdb1e-b9eb-40c1-acbc-6be60ee64b42
>>> entryUUID:: M2MyNzc0YTctNWQzMy00ODdlLTk1ZWItMjZhNWNmMTJiYTkz
>>> modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
>>> modifyTimestamp: 20170601195338.057Z
>>> nbChildren: 0
>>> nbSubordinates: 0
>>> pwdAccountLockedTime: 000001010000Z
>>> pwdReset: TRUE
>>> subschemaSubentry: cn=schema
>>>
>>>
>>> Brian Brooks
>>> Sr Software Engineer
>>> brian.brooks@datapath.com
>>> Office: +1 678 252 4498
>>> 2205 Northmont Pkwy, STE 100
>>> Duluth, GA 30096
>>>
>>> -----Original Message-----
>>> From: Shawn McKinney [mailto:smckinney@apache.org]
>>> Sent: Thursday, June 01, 2017 6:12 PM
>>> To: fortress@directory.apache.org
>>> Subject: Re: Using REST API to get user's locked and reset states
>>>
>>> Welcome Dave,
>>>
>>> Can you export that corresponding user entry into ldif and post it here? We’ll need to see the operational attributes before trying to figure out where the problem is.
>>>
>>> For example, here’s an export I did of test user ‘foo1’. You can see that I’ve put that user’s account into both a locked and reset state (in openldap).
>>>
>>> You can also see this user’s password policy is ‘test1’.
>>>
>>> dn: uid=foo1,ou=People,dc=example,dc=com
>>> objectClass: extensibleObject
>>> objectClass: ftMods
>>> objectClass: ftProperties
>>> objectClass: ftUserAttrs
>>> objectClass: inetOrgPerson
>>> objectClass: top
>>> cn: foo1
>>> ftId: fdc4a7f3-62f7-47d4-aac4-bac4b7cdb551
>>> sn: fighter
>>> description: foo fighter
>>> displayName: foo1
>>> ftCstr: foo1$0$$$$$$$
>>> ftProps: initAttrArrays:
>>> ou: dev1
>>> uid: foo1
>>> userPassword:: e1NTSEF9UVQ0K21NdE5lYTBwckFRTC96QlQ2akZrK1ZESTIxd3E=
>>> createTimestamp: 20170601212713Z
>>> creatorsName: cn=Manager,dc=example,dc=com
>>> entryCSN: 20170601213012.870902Z#000000#000#000000
>>> entryDN: uid=foo1,ou=People,dc=example,dc=com
>>> entryUUID:: ZDJlMDE3YjItZGI1Yy0xMDM2LThlMzMtNTkzZmZmYzA1ODU4
>>> hasSubordinates: FALSE
>>> modifiersName: cn=Manager,dc=example,dc=com
>>> modifyTimestamp: 20170601213012Z
>>> pwdAccountLockedTime: 000001010000Z
>>> pwdChangedTime: 20170601212844Z
>>> pwdHistory::
>>> MjAxNzA2MDEyMTI4NDRaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzM
>>> 4I3tTU0hBfXlSVm5jMjVUUThZN2libnVuVEpUR2VVY1pYeFBCdjFR
>>> pwdPolicySubentry: cn=test1,ou=Policies,dc=example,dc=com
>>> pwdReset: TRUE
>>> structuralObjectClass: inetOrgPerson
>>> subschemaSubentry: cn=Subschema
>>>
>>>
>>>
>>> thanks
>>> Shawn
>>>
>>>
>>>
>>>
>>>
>>>> On Jun 1, 2017, at 10:57 AM, David Erie (US) <Da...@datapath.com> wrote:
>>>>
>>>> Hello,
>>>> We're evaluating Fortress with ApacheDS, and I'm trying to get a user's account status (locked and reset, specifically) via the REST API for a user whose account is locked and whose password has been reset.
>>>>
>>>> What I get back is this:
>>>>
>>>> <entity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>> xsi:type="user"> ..
>>>> <userId>dave</userId>
>>>> <locked>false</locked>
>>>> <reset>false</reset>
>>>> ..
>>>> </entity>
>>>>
>>>> How can I tell that a user's account has been locked or reset when these Boolean properties don't seem to contain the correct information?
>>>>
>>>> Thank you,
>>>> Dave
>>>
>>
>
Re: Using REST API to get user's locked and reset states
Posted by Shawn McKinney <sm...@apache.org>.
Hey Brian,
can you add/replace with this fortress.properties:
ldap.server.type=openldap
and tell me what happens. Normally I'd try it myself first but am sort of busy right now. Will have more time in a couple of days.
Thanks,
Shawn
> On Jun 5, 2017, at 8:41 AM, Brian Brooks (US) <Br...@datapath.com> wrote:
>
> Good Morning Shawn,
>
>> How did you enable pw policies in apacheds, can you point me to the setup instructions you used?
>
> We just setup a vanilla install of ApacheDS on a Windows 10 virtual machine using apacheds-2.0.0-M23.exe downloaded from
>
> http://directory.apache.org/apacheds/download/download-windows.html
>
> The ApacheDS instances is configured with default settings which includes enabling a default password policy.
>
> http://directory.apache.org/apacheds/advanced-ug/4.3-password-policy.html
>
> Dave setup the ApacheDS, when he gets back in the office I can confirm whether he customized anything.
>
> Here's an LDIF export of
>
> * ou=config
> * ads-directoryServiceId=<default>
> * ou=interceptors
> * ads-interceptorId=authenticationInterceptor
> * ou=passwordPolicies
>
> from our ApacheDS installation of
>
>
> dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationIn
> terceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> objectclass: ads-passwordPolicy
> objectclass: ads-base
> objectclass: top
> ads-pwdattribute: userPassword
> ads-pwdid: default
> ads-enabled: TRUE
> ads-pwdallowuserchange: TRUE
> ads-pwdcheckquality: 1
> ads-pwdexpirewarning: 600
> ads-pwdfailurecountinterval: 30
> ads-pwdgraceauthnlimit: 5
> ads-pwdgraceexpire: 0
> ads-pwdinhistory: 5
> ads-pwdlockout: TRUE
> ads-pwdlockoutduration: 0
> ads-pwdmaxage: 0
> ads-pwdmaxdelay: 0
> ads-pwdmaxfailure: 5
> ads-pwdmaxidle: 0
> ads-pwdmaxlength: 0
> ads-pwdminage: 0
> ads-pwdmindelay: 0
> ads-pwdminlength: 5
> ads-pwdmustchange: FALSE
> ads-pwdsafemodify: FALSE
> ads-pwdvalidator: org.apache.directory.server.core.api.authn.ppolicy.Default
> PasswordValidator
> createtimestamp: 20170523201006.896Z
> creatorsname: uid=admin,ou=system
> entrycsn: 20170523201006.896000Z#000000#000#000000
> entryDN: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticat
> ionInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> entryParentId: 81135817-120c-4b89-81be-33f759cd5319
> entryuuid:: ZGYyYjI2OTctNzQ4OC00NzUzLWFiOGEtZWJhMmRhOTE1NmQ1
> nbChildren: 0
> nbSubordinates: 0
> subschemaSubentry: cn=schema
>
> Brian Brooks
> Sr Software Engineer
> brian.brooks@datapath.com
> Office: +1 678 252 4498
> 2205 Northmont Pkwy, STE 100
> Duluth, GA 30096
>
> -----Original Message-----
> From: Shawn McKinney [mailto:smckinney@apache.org]
> Sent: Monday, June 05, 2017 8:23 AM
> To: fortress@directory.apache.org
> Subject: Re: Using REST API to get user's locked and reset states
>
> Hi Brian,
>
> I’ll need to setup an apacheds instance locally that matches your config.
>
> How did you enable pw policies in apacheds, can you point me to the setup instructions you used?
>
> In the meantime, here is a response via enmasse of user who’s account is both locked and reset.
>
> The policy attributes are being populated. But again I’m using openldap, and need to run the exact same test with ads.
>
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <FortResponse> <errorCode>0</errorCode> <entity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="user">
> <modId>cb792bd1-c8fe-424f-a629-aad6c5572aa9</modId>
> <sequenceId>0</sequenceId>
> <userId>foo1</userId>
> <description>foo fighter</description>
> <name>foo1</name>
> <internalId>fdc4a7f3-62f7-47d4-aac4-bac4b7cdb551</internalId>
> <ou>dev1</ou>
> <pwPolicy>cn=test1</pwPolicy>
> <sn>fighter</sn>
> <cn>foo1</cn>
> <dn>uid=foo1,ou=People,dc=example,dc=com</dn>
> <address/>
> <props>
> <modId>fc416338-69bd-46df-8b00-e1fd6be7ed9c</modId>
> <sequenceId>0</sequenceId>
> <entry>
> <key>initAttrArrays</key>
> <value/>
> </entry>
> </props>
> <locked>true</locked>
> <reset>true</reset>
> <timeout>0</timeout>
> </entity>
> </FortResponse>
>
>
> Shawn
>
>
>
>
>
>> On Jun 2, 2017, at 3:39 PM, Brian Brooks (US) <Br...@datapath.com> wrote:
>>
>> Hi Shawn,
>>
>> Dave and I work together. He's on vacation for a couple days.
>>
>>> Can you export that corresponding user entry into ldif and post it here?
>>
>> Below is the dave user's entry exported to ldif (I omitted the jpegPhoto, userPassword, and the 5 pwdHistory attributes).
>>
>> I don't see the policy attribute even though fotress-commander seems to successfully commit the password policy assignment. For example, I just tried to change another user's password policy and tomcat recorded an HTTP 200 in it's access log. I don't see any obvious errors in the tomcat stdout/stderr/catalina logs.
>>
>> 10.1.122.55 - test [02/Jun/2017:16:26:34 -0400] "POST
>> /fortress-web/wicket/bookmarkable/org.apache.directory.fortress.web.Us
>> erPage?2-1.IBehaviorListener.0-layout-userdetailpanel-editFields-commi
>> t&wicket-ajax=true&wicket-ajax-baseurl=wicket%2Fbookmarkable%2Forg.apa
>> che.directory.fortress.web.UserPage%3F2 HTTP/1.1" 200 261634
>>
>> dn: uid=dave,ou=People,dc=example,dc=com
>> objectClass: extensibleObject
>> objectClass: ftMods
>> objectClass: ftProperties
>> objectClass: ftUserAttrs
>> objectClass: organizationalPerson
>> objectClass: person
>> objectClass: inetOrgPerson
>> objectClass: top
>> cn: dave
>> ftId: 8f35b947-6db5-4e4f-a73a-98b448b15874
>> sn: dave
>> displayName: dave
>> ftCstr: dave$0$$$$$$$
>> ftModCode: AdminMgrImpl.resetPassword
>> ftModId: e351aa19-aded-4a92-ab3b-725c5c75ec9b
>> ftModifier: 70e12de5-cbf5-4152-b98a-89d185667bda
>> ftProps: initAttrArrays:
>> ftRA: fortress-rest-super-user
>> ftRC: fortress-rest-super-user$0$$$$$$$
>> ftSystem: FALSE
>> ou: dev0
>> uid: dave
>> createTimestamp: 20170531211627.651Z
>> creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
>> entryCSN: 20170601195338.392000Z#000000#001#000000
>> entryDN: uid=dave,ou=People,dc=example,dc=com
>> entryParentId: a59bdb1e-b9eb-40c1-acbc-6be60ee64b42
>> entryUUID:: M2MyNzc0YTctNWQzMy00ODdlLTk1ZWItMjZhNWNmMTJiYTkz
>> modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
>> modifyTimestamp: 20170601195338.057Z
>> nbChildren: 0
>> nbSubordinates: 0
>> pwdAccountLockedTime: 000001010000Z
>> pwdReset: TRUE
>> subschemaSubentry: cn=schema
>>
>>
>> Brian Brooks
>> Sr Software Engineer
>> brian.brooks@datapath.com
>> Office: +1 678 252 4498
>> 2205 Northmont Pkwy, STE 100
>> Duluth, GA 30096
>>
>> -----Original Message-----
>> From: Shawn McKinney [mailto:smckinney@apache.org]
>> Sent: Thursday, June 01, 2017 6:12 PM
>> To: fortress@directory.apache.org
>> Subject: Re: Using REST API to get user's locked and reset states
>>
>> Welcome Dave,
>>
>> Can you export that corresponding user entry into ldif and post it here? We’ll need to see the operational attributes before trying to figure out where the problem is.
>>
>> For example, here’s an export I did of test user ‘foo1’. You can see that I’ve put that user’s account into both a locked and reset state (in openldap).
>>
>> You can also see this user’s password policy is ‘test1’.
>>
>> dn: uid=foo1,ou=People,dc=example,dc=com
>> objectClass: extensibleObject
>> objectClass: ftMods
>> objectClass: ftProperties
>> objectClass: ftUserAttrs
>> objectClass: inetOrgPerson
>> objectClass: top
>> cn: foo1
>> ftId: fdc4a7f3-62f7-47d4-aac4-bac4b7cdb551
>> sn: fighter
>> description: foo fighter
>> displayName: foo1
>> ftCstr: foo1$0$$$$$$$
>> ftProps: initAttrArrays:
>> ou: dev1
>> uid: foo1
>> userPassword:: e1NTSEF9UVQ0K21NdE5lYTBwckFRTC96QlQ2akZrK1ZESTIxd3E=
>> createTimestamp: 20170601212713Z
>> creatorsName: cn=Manager,dc=example,dc=com
>> entryCSN: 20170601213012.870902Z#000000#000#000000
>> entryDN: uid=foo1,ou=People,dc=example,dc=com
>> entryUUID:: ZDJlMDE3YjItZGI1Yy0xMDM2LThlMzMtNTkzZmZmYzA1ODU4
>> hasSubordinates: FALSE
>> modifiersName: cn=Manager,dc=example,dc=com
>> modifyTimestamp: 20170601213012Z
>> pwdAccountLockedTime: 000001010000Z
>> pwdChangedTime: 20170601212844Z
>> pwdHistory::
>> MjAxNzA2MDEyMTI4NDRaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzM
>> 4I3tTU0hBfXlSVm5jMjVUUThZN2libnVuVEpUR2VVY1pYeFBCdjFR
>> pwdPolicySubentry: cn=test1,ou=Policies,dc=example,dc=com
>> pwdReset: TRUE
>> structuralObjectClass: inetOrgPerson
>> subschemaSubentry: cn=Subschema
>>
>>
>>
>> thanks
>> Shawn
>>
>>
>>
>>
>>
>>> On Jun 1, 2017, at 10:57 AM, David Erie (US) <Da...@datapath.com> wrote:
>>>
>>> Hello,
>>> We're evaluating Fortress with ApacheDS, and I'm trying to get a user's account status (locked and reset, specifically) via the REST API for a user whose account is locked and whose password has been reset.
>>>
>>> What I get back is this:
>>>
>>> <entity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>> xsi:type="user"> ..
>>> <userId>dave</userId>
>>> <locked>false</locked>
>>> <reset>false</reset>
>>> ..
>>> </entity>
>>>
>>> How can I tell that a user's account has been locked or reset when these Boolean properties don't seem to contain the correct information?
>>>
>>> Thank you,
>>> Dave
>>
>
RE: Using REST API to get user's locked and reset states
Posted by "Brian Brooks (US)" <Br...@datapath.com>.
Good Morning Shawn,
> How did you enable pw policies in apacheds, can you point me to the setup instructions you used?
We just setup a vanilla install of ApacheDS on a Windows 10 virtual machine using apacheds-2.0.0-M23.exe downloaded from
http://directory.apache.org/apacheds/download/download-windows.html
The ApacheDS instances is configured with default settings which includes enabling a default password policy.
http://directory.apache.org/apacheds/advanced-ug/4.3-password-policy.html
Dave setup the ApacheDS, when he gets back in the office I can confirm whether he customized anything.
Here's an LDIF export of
* ou=config
* ads-directoryServiceId=<default>
* ou=interceptors
* ads-interceptorId=authenticationInterceptor
* ou=passwordPolicies
from our ApacheDS installation of
dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationIn
terceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
objectclass: ads-passwordPolicy
objectclass: ads-base
objectclass: top
ads-pwdattribute: userPassword
ads-pwdid: default
ads-enabled: TRUE
ads-pwdallowuserchange: TRUE
ads-pwdcheckquality: 1
ads-pwdexpirewarning: 600
ads-pwdfailurecountinterval: 30
ads-pwdgraceauthnlimit: 5
ads-pwdgraceexpire: 0
ads-pwdinhistory: 5
ads-pwdlockout: TRUE
ads-pwdlockoutduration: 0
ads-pwdmaxage: 0
ads-pwdmaxdelay: 0
ads-pwdmaxfailure: 5
ads-pwdmaxidle: 0
ads-pwdmaxlength: 0
ads-pwdminage: 0
ads-pwdmindelay: 0
ads-pwdminlength: 5
ads-pwdmustchange: FALSE
ads-pwdsafemodify: FALSE
ads-pwdvalidator: org.apache.directory.server.core.api.authn.ppolicy.Default
PasswordValidator
createtimestamp: 20170523201006.896Z
creatorsname: uid=admin,ou=system
entrycsn: 20170523201006.896000Z#000000#000#000000
entryDN: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticat
ionInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
entryParentId: 81135817-120c-4b89-81be-33f759cd5319
entryuuid:: ZGYyYjI2OTctNzQ4OC00NzUzLWFiOGEtZWJhMmRhOTE1NmQ1
nbChildren: 0
nbSubordinates: 0
subschemaSubentry: cn=schema
Brian Brooks
Sr Software Engineer
brian.brooks@datapath.com
Office: +1 678 252 4498
2205 Northmont Pkwy, STE 100
Duluth, GA 30096
-----Original Message-----
From: Shawn McKinney [mailto:smckinney@apache.org]
Sent: Monday, June 05, 2017 8:23 AM
To: fortress@directory.apache.org
Subject: Re: Using REST API to get user's locked and reset states
Hi Brian,
I’ll need to setup an apacheds instance locally that matches your config.
How did you enable pw policies in apacheds, can you point me to the setup instructions you used?
In the meantime, here is a response via enmasse of user who’s account is both locked and reset.
The policy attributes are being populated. But again I’m using openldap, and need to run the exact same test with ads.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <FortResponse> <errorCode>0</errorCode> <entity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="user">
<modId>cb792bd1-c8fe-424f-a629-aad6c5572aa9</modId>
<sequenceId>0</sequenceId>
<userId>foo1</userId>
<description>foo fighter</description>
<name>foo1</name>
<internalId>fdc4a7f3-62f7-47d4-aac4-bac4b7cdb551</internalId>
<ou>dev1</ou>
<pwPolicy>cn=test1</pwPolicy>
<sn>fighter</sn>
<cn>foo1</cn>
<dn>uid=foo1,ou=People,dc=example,dc=com</dn>
<address/>
<props>
<modId>fc416338-69bd-46df-8b00-e1fd6be7ed9c</modId>
<sequenceId>0</sequenceId>
<entry>
<key>initAttrArrays</key>
<value/>
</entry>
</props>
<locked>true</locked>
<reset>true</reset>
<timeout>0</timeout>
</entity>
</FortResponse>
Shawn
> On Jun 2, 2017, at 3:39 PM, Brian Brooks (US) <Br...@datapath.com> wrote:
>
> Hi Shawn,
>
> Dave and I work together. He's on vacation for a couple days.
>
>> Can you export that corresponding user entry into ldif and post it here?
>
> Below is the dave user's entry exported to ldif (I omitted the jpegPhoto, userPassword, and the 5 pwdHistory attributes).
>
> I don't see the policy attribute even though fotress-commander seems to successfully commit the password policy assignment. For example, I just tried to change another user's password policy and tomcat recorded an HTTP 200 in it's access log. I don't see any obvious errors in the tomcat stdout/stderr/catalina logs.
>
> 10.1.122.55 - test [02/Jun/2017:16:26:34 -0400] "POST
> /fortress-web/wicket/bookmarkable/org.apache.directory.fortress.web.Us
> erPage?2-1.IBehaviorListener.0-layout-userdetailpanel-editFields-commi
> t&wicket-ajax=true&wicket-ajax-baseurl=wicket%2Fbookmarkable%2Forg.apa
> che.directory.fortress.web.UserPage%3F2 HTTP/1.1" 200 261634
>
> dn: uid=dave,ou=People,dc=example,dc=com
> objectClass: extensibleObject
> objectClass: ftMods
> objectClass: ftProperties
> objectClass: ftUserAttrs
> objectClass: organizationalPerson
> objectClass: person
> objectClass: inetOrgPerson
> objectClass: top
> cn: dave
> ftId: 8f35b947-6db5-4e4f-a73a-98b448b15874
> sn: dave
> displayName: dave
> ftCstr: dave$0$$$$$$$
> ftModCode: AdminMgrImpl.resetPassword
> ftModId: e351aa19-aded-4a92-ab3b-725c5c75ec9b
> ftModifier: 70e12de5-cbf5-4152-b98a-89d185667bda
> ftProps: initAttrArrays:
> ftRA: fortress-rest-super-user
> ftRC: fortress-rest-super-user$0$$$$$$$
> ftSystem: FALSE
> ou: dev0
> uid: dave
> createTimestamp: 20170531211627.651Z
> creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
> entryCSN: 20170601195338.392000Z#000000#001#000000
> entryDN: uid=dave,ou=People,dc=example,dc=com
> entryParentId: a59bdb1e-b9eb-40c1-acbc-6be60ee64b42
> entryUUID:: M2MyNzc0YTctNWQzMy00ODdlLTk1ZWItMjZhNWNmMTJiYTkz
> modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
> modifyTimestamp: 20170601195338.057Z
> nbChildren: 0
> nbSubordinates: 0
> pwdAccountLockedTime: 000001010000Z
> pwdReset: TRUE
> subschemaSubentry: cn=schema
>
>
> Brian Brooks
> Sr Software Engineer
> brian.brooks@datapath.com
> Office: +1 678 252 4498
> 2205 Northmont Pkwy, STE 100
> Duluth, GA 30096
>
> -----Original Message-----
> From: Shawn McKinney [mailto:smckinney@apache.org]
> Sent: Thursday, June 01, 2017 6:12 PM
> To: fortress@directory.apache.org
> Subject: Re: Using REST API to get user's locked and reset states
>
> Welcome Dave,
>
> Can you export that corresponding user entry into ldif and post it here? We’ll need to see the operational attributes before trying to figure out where the problem is.
>
> For example, here’s an export I did of test user ‘foo1’. You can see that I’ve put that user’s account into both a locked and reset state (in openldap).
>
> You can also see this user’s password policy is ‘test1’.
>
> dn: uid=foo1,ou=People,dc=example,dc=com
> objectClass: extensibleObject
> objectClass: ftMods
> objectClass: ftProperties
> objectClass: ftUserAttrs
> objectClass: inetOrgPerson
> objectClass: top
> cn: foo1
> ftId: fdc4a7f3-62f7-47d4-aac4-bac4b7cdb551
> sn: fighter
> description: foo fighter
> displayName: foo1
> ftCstr: foo1$0$$$$$$$
> ftProps: initAttrArrays:
> ou: dev1
> uid: foo1
> userPassword:: e1NTSEF9UVQ0K21NdE5lYTBwckFRTC96QlQ2akZrK1ZESTIxd3E=
> createTimestamp: 20170601212713Z
> creatorsName: cn=Manager,dc=example,dc=com
> entryCSN: 20170601213012.870902Z#000000#000#000000
> entryDN: uid=foo1,ou=People,dc=example,dc=com
> entryUUID:: ZDJlMDE3YjItZGI1Yy0xMDM2LThlMzMtNTkzZmZmYzA1ODU4
> hasSubordinates: FALSE
> modifiersName: cn=Manager,dc=example,dc=com
> modifyTimestamp: 20170601213012Z
> pwdAccountLockedTime: 000001010000Z
> pwdChangedTime: 20170601212844Z
> pwdHistory::
> MjAxNzA2MDEyMTI4NDRaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzM
> 4I3tTU0hBfXlSVm5jMjVUUThZN2libnVuVEpUR2VVY1pYeFBCdjFR
> pwdPolicySubentry: cn=test1,ou=Policies,dc=example,dc=com
> pwdReset: TRUE
> structuralObjectClass: inetOrgPerson
> subschemaSubentry: cn=Subschema
>
>
>
> thanks
> Shawn
>
>
>
>
>
>> On Jun 1, 2017, at 10:57 AM, David Erie (US) <Da...@datapath.com> wrote:
>>
>> Hello,
>> We're evaluating Fortress with ApacheDS, and I'm trying to get a user's account status (locked and reset, specifically) via the REST API for a user whose account is locked and whose password has been reset.
>>
>> What I get back is this:
>>
>> <entity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> xsi:type="user"> ..
>> <userId>dave</userId>
>> <locked>false</locked>
>> <reset>false</reset>
>> ..
>> </entity>
>>
>> How can I tell that a user's account has been locked or reset when these Boolean properties don't seem to contain the correct information?
>>
>> Thank you,
>> Dave
>
Re: Using REST API to get user's locked and reset states
Posted by Shawn McKinney <sm...@apache.org>.
Hi Brian,
I’ll need to setup an apacheds instance locally that matches your config.
How did you enable pw policies in apacheds, can you point me to the setup instructions you used?
In the meantime, here is a response via enmasse of user who’s account is both locked and reset.
The policy attributes are being populated. But again I’m using openldap, and need to run the exact same test with ads.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FortResponse>
<errorCode>0</errorCode>
<entity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="user">
<modId>cb792bd1-c8fe-424f-a629-aad6c5572aa9</modId>
<sequenceId>0</sequenceId>
<userId>foo1</userId>
<description>foo fighter</description>
<name>foo1</name>
<internalId>fdc4a7f3-62f7-47d4-aac4-bac4b7cdb551</internalId>
<ou>dev1</ou>
<pwPolicy>cn=test1</pwPolicy>
<sn>fighter</sn>
<cn>foo1</cn>
<dn>uid=foo1,ou=People,dc=example,dc=com</dn>
<address/>
<props>
<modId>fc416338-69bd-46df-8b00-e1fd6be7ed9c</modId>
<sequenceId>0</sequenceId>
<entry>
<key>initAttrArrays</key>
<value/>
</entry>
</props>
<locked>true</locked>
<reset>true</reset>
<timeout>0</timeout>
</entity>
</FortResponse>
Shawn
> On Jun 2, 2017, at 3:39 PM, Brian Brooks (US) <Br...@datapath.com> wrote:
>
> Hi Shawn,
>
> Dave and I work together. He's on vacation for a couple days.
>
>> Can you export that corresponding user entry into ldif and post it here?
>
> Below is the dave user's entry exported to ldif (I omitted the jpegPhoto, userPassword, and the 5 pwdHistory attributes).
>
> I don't see the policy attribute even though fotress-commander seems to successfully commit the password policy assignment. For example, I just tried to change another user's password policy and tomcat recorded an HTTP 200 in it's access log. I don't see any obvious errors in the tomcat stdout/stderr/catalina logs.
>
> 10.1.122.55 - test [02/Jun/2017:16:26:34 -0400] "POST /fortress-web/wicket/bookmarkable/org.apache.directory.fortress.web.UserPage?2-1.IBehaviorListener.0-layout-userdetailpanel-editFields-commit&wicket-ajax=true&wicket-ajax-baseurl=wicket%2Fbookmarkable%2Forg.apache.directory.fortress.web.UserPage%3F2 HTTP/1.1" 200 261634
>
> dn: uid=dave,ou=People,dc=example,dc=com
> objectClass: extensibleObject
> objectClass: ftMods
> objectClass: ftProperties
> objectClass: ftUserAttrs
> objectClass: organizationalPerson
> objectClass: person
> objectClass: inetOrgPerson
> objectClass: top
> cn: dave
> ftId: 8f35b947-6db5-4e4f-a73a-98b448b15874
> sn: dave
> displayName: dave
> ftCstr: dave$0$$$$$$$
> ftModCode: AdminMgrImpl.resetPassword
> ftModId: e351aa19-aded-4a92-ab3b-725c5c75ec9b
> ftModifier: 70e12de5-cbf5-4152-b98a-89d185667bda
> ftProps: initAttrArrays:
> ftRA: fortress-rest-super-user
> ftRC: fortress-rest-super-user$0$$$$$$$
> ftSystem: FALSE
> ou: dev0
> uid: dave
> createTimestamp: 20170531211627.651Z
> creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
> entryCSN: 20170601195338.392000Z#000000#001#000000
> entryDN: uid=dave,ou=People,dc=example,dc=com
> entryParentId: a59bdb1e-b9eb-40c1-acbc-6be60ee64b42
> entryUUID:: M2MyNzc0YTctNWQzMy00ODdlLTk1ZWItMjZhNWNmMTJiYTkz
> modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
> modifyTimestamp: 20170601195338.057Z
> nbChildren: 0
> nbSubordinates: 0
> pwdAccountLockedTime: 000001010000Z
> pwdReset: TRUE
> subschemaSubentry: cn=schema
>
>
> Brian Brooks
> Sr Software Engineer
> brian.brooks@datapath.com
> Office: +1 678 252 4498
> 2205 Northmont Pkwy, STE 100
> Duluth, GA 30096
>
> -----Original Message-----
> From: Shawn McKinney [mailto:smckinney@apache.org]
> Sent: Thursday, June 01, 2017 6:12 PM
> To: fortress@directory.apache.org
> Subject: Re: Using REST API to get user's locked and reset states
>
> Welcome Dave,
>
> Can you export that corresponding user entry into ldif and post it here? We’ll need to see the operational attributes before trying to figure out where the problem is.
>
> For example, here’s an export I did of test user ‘foo1’. You can see that I’ve put that user’s account into both a locked and reset state (in openldap).
>
> You can also see this user’s password policy is ‘test1’.
>
> dn: uid=foo1,ou=People,dc=example,dc=com
> objectClass: extensibleObject
> objectClass: ftMods
> objectClass: ftProperties
> objectClass: ftUserAttrs
> objectClass: inetOrgPerson
> objectClass: top
> cn: foo1
> ftId: fdc4a7f3-62f7-47d4-aac4-bac4b7cdb551
> sn: fighter
> description: foo fighter
> displayName: foo1
> ftCstr: foo1$0$$$$$$$
> ftProps: initAttrArrays:
> ou: dev1
> uid: foo1
> userPassword:: e1NTSEF9UVQ0K21NdE5lYTBwckFRTC96QlQ2akZrK1ZESTIxd3E=
> createTimestamp: 20170601212713Z
> creatorsName: cn=Manager,dc=example,dc=com
> entryCSN: 20170601213012.870902Z#000000#000#000000
> entryDN: uid=foo1,ou=People,dc=example,dc=com
> entryUUID:: ZDJlMDE3YjItZGI1Yy0xMDM2LThlMzMtNTkzZmZmYzA1ODU4
> hasSubordinates: FALSE
> modifiersName: cn=Manager,dc=example,dc=com
> modifyTimestamp: 20170601213012Z
> pwdAccountLockedTime: 000001010000Z
> pwdChangedTime: 20170601212844Z
> pwdHistory:: MjAxNzA2MDEyMTI4NDRaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzM
> 4I3tTU0hBfXlSVm5jMjVUUThZN2libnVuVEpUR2VVY1pYeFBCdjFR
> pwdPolicySubentry: cn=test1,ou=Policies,dc=example,dc=com
> pwdReset: TRUE
> structuralObjectClass: inetOrgPerson
> subschemaSubentry: cn=Subschema
>
>
>
> thanks
> Shawn
>
>
>
>
>
>> On Jun 1, 2017, at 10:57 AM, David Erie (US) <Da...@datapath.com> wrote:
>>
>> Hello,
>> We're evaluating Fortress with ApacheDS, and I'm trying to get a user's account status (locked and reset, specifically) via the REST API for a user whose account is locked and whose password has been reset.
>>
>> What I get back is this:
>>
>> <entity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> xsi:type="user"> ..
>> <userId>dave</userId>
>> <locked>false</locked>
>> <reset>false</reset>
>> ..
>> </entity>
>>
>> How can I tell that a user's account has been locked or reset when these Boolean properties don't seem to contain the correct information?
>>
>> Thank you,
>> Dave
>
RE: Using REST API to get user's locked and reset states
Posted by "Brian Brooks (US)" <Br...@datapath.com>.
Hi Shawn,
Dave and I work together. He's on vacation for a couple days.
> Can you export that corresponding user entry into ldif and post it here?
Below is the dave user's entry exported to ldif (I omitted the jpegPhoto, userPassword, and the 5 pwdHistory attributes).
I don't see the policy attribute even though fotress-commander seems to successfully commit the password policy assignment. For example, I just tried to change another user's password policy and tomcat recorded an HTTP 200 in it's access log. I don't see any obvious errors in the tomcat stdout/stderr/catalina logs.
10.1.122.55 - test [02/Jun/2017:16:26:34 -0400] "POST /fortress-web/wicket/bookmarkable/org.apache.directory.fortress.web.UserPage?2-1.IBehaviorListener.0-layout-userdetailpanel-editFields-commit&wicket-ajax=true&wicket-ajax-baseurl=wicket%2Fbookmarkable%2Forg.apache.directory.fortress.web.UserPage%3F2 HTTP/1.1" 200 261634
dn: uid=dave,ou=People,dc=example,dc=com
objectClass: extensibleObject
objectClass: ftMods
objectClass: ftProperties
objectClass: ftUserAttrs
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
cn: dave
ftId: 8f35b947-6db5-4e4f-a73a-98b448b15874
sn: dave
displayName: dave
ftCstr: dave$0$$$$$$$
ftModCode: AdminMgrImpl.resetPassword
ftModId: e351aa19-aded-4a92-ab3b-725c5c75ec9b
ftModifier: 70e12de5-cbf5-4152-b98a-89d185667bda
ftProps: initAttrArrays:
ftRA: fortress-rest-super-user
ftRC: fortress-rest-super-user$0$$$$$$$
ftSystem: FALSE
ou: dev0
uid: dave
createTimestamp: 20170531211627.651Z
creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
entryCSN: 20170601195338.392000Z#000000#001#000000
entryDN: uid=dave,ou=People,dc=example,dc=com
entryParentId: a59bdb1e-b9eb-40c1-acbc-6be60ee64b42
entryUUID:: M2MyNzc0YTctNWQzMy00ODdlLTk1ZWItMjZhNWNmMTJiYTkz
modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
modifyTimestamp: 20170601195338.057Z
nbChildren: 0
nbSubordinates: 0
pwdAccountLockedTime: 000001010000Z
pwdReset: TRUE
subschemaSubentry: cn=schema
Brian Brooks
Sr Software Engineer
brian.brooks@datapath.com
Office: +1 678 252 4498
2205 Northmont Pkwy, STE 100
Duluth, GA 30096
-----Original Message-----
From: Shawn McKinney [mailto:smckinney@apache.org]
Sent: Thursday, June 01, 2017 6:12 PM
To: fortress@directory.apache.org
Subject: Re: Using REST API to get user's locked and reset states
Welcome Dave,
Can you export that corresponding user entry into ldif and post it here? We’ll need to see the operational attributes before trying to figure out where the problem is.
For example, here’s an export I did of test user ‘foo1’. You can see that I’ve put that user’s account into both a locked and reset state (in openldap).
You can also see this user’s password policy is ‘test1’.
dn: uid=foo1,ou=People,dc=example,dc=com
objectClass: extensibleObject
objectClass: ftMods
objectClass: ftProperties
objectClass: ftUserAttrs
objectClass: inetOrgPerson
objectClass: top
cn: foo1
ftId: fdc4a7f3-62f7-47d4-aac4-bac4b7cdb551
sn: fighter
description: foo fighter
displayName: foo1
ftCstr: foo1$0$$$$$$$
ftProps: initAttrArrays:
ou: dev1
uid: foo1
userPassword:: e1NTSEF9UVQ0K21NdE5lYTBwckFRTC96QlQ2akZrK1ZESTIxd3E=
createTimestamp: 20170601212713Z
creatorsName: cn=Manager,dc=example,dc=com
entryCSN: 20170601213012.870902Z#000000#000#000000
entryDN: uid=foo1,ou=People,dc=example,dc=com
entryUUID:: ZDJlMDE3YjItZGI1Yy0xMDM2LThlMzMtNTkzZmZmYzA1ODU4
hasSubordinates: FALSE
modifiersName: cn=Manager,dc=example,dc=com
modifyTimestamp: 20170601213012Z
pwdAccountLockedTime: 000001010000Z
pwdChangedTime: 20170601212844Z
pwdHistory:: MjAxNzA2MDEyMTI4NDRaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzM
4I3tTU0hBfXlSVm5jMjVUUThZN2libnVuVEpUR2VVY1pYeFBCdjFR
pwdPolicySubentry: cn=test1,ou=Policies,dc=example,dc=com
pwdReset: TRUE
structuralObjectClass: inetOrgPerson
subschemaSubentry: cn=Subschema
thanks
Shawn
> On Jun 1, 2017, at 10:57 AM, David Erie (US) <Da...@datapath.com> wrote:
>
> Hello,
> We're evaluating Fortress with ApacheDS, and I'm trying to get a user's account status (locked and reset, specifically) via the REST API for a user whose account is locked and whose password has been reset.
>
> What I get back is this:
>
> <entity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="user"> ..
> <userId>dave</userId>
> <locked>false</locked>
> <reset>false</reset>
> ..
> </entity>
>
> How can I tell that a user's account has been locked or reset when these Boolean properties don't seem to contain the correct information?
>
> Thank you,
> Dave
Re: Using REST API to get user's locked and reset states
Posted by Shawn McKinney <sm...@apache.org>.
Welcome Dave,
Can you export that corresponding user entry into ldif and post it here? We’ll need to see the operational attributes before trying to figure out where the problem is.
For example, here’s an export I did of test user ‘foo1’. You can see that I’ve put that user’s account into both a locked and reset state (in openldap).
You can also see this user’s password policy is ‘test1’.
dn: uid=foo1,ou=People,dc=example,dc=com
objectClass: extensibleObject
objectClass: ftMods
objectClass: ftProperties
objectClass: ftUserAttrs
objectClass: inetOrgPerson
objectClass: top
cn: foo1
ftId: fdc4a7f3-62f7-47d4-aac4-bac4b7cdb551
sn: fighter
description: foo fighter
displayName: foo1
ftCstr: foo1$0$$$$$$$
ftProps: initAttrArrays:
ou: dev1
uid: foo1
userPassword:: e1NTSEF9UVQ0K21NdE5lYTBwckFRTC96QlQ2akZrK1ZESTIxd3E=
createTimestamp: 20170601212713Z
creatorsName: cn=Manager,dc=example,dc=com
entryCSN: 20170601213012.870902Z#000000#000#000000
entryDN: uid=foo1,ou=People,dc=example,dc=com
entryUUID:: ZDJlMDE3YjItZGI1Yy0xMDM2LThlMzMtNTkzZmZmYzA1ODU4
hasSubordinates: FALSE
modifiersName: cn=Manager,dc=example,dc=com
modifyTimestamp: 20170601213012Z
pwdAccountLockedTime: 000001010000Z
pwdChangedTime: 20170601212844Z
pwdHistory:: MjAxNzA2MDEyMTI4NDRaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzM
4I3tTU0hBfXlSVm5jMjVUUThZN2libnVuVEpUR2VVY1pYeFBCdjFR
pwdPolicySubentry: cn=test1,ou=Policies,dc=example,dc=com
pwdReset: TRUE
structuralObjectClass: inetOrgPerson
subschemaSubentry: cn=Subschema
thanks
Shawn
> On Jun 1, 2017, at 10:57 AM, David Erie (US) <Da...@datapath.com> wrote:
>
> Hello,
> We're evaluating Fortress with ApacheDS, and I'm trying to get a user's account status (locked and reset, specifically) via the REST API for a user whose account is locked and whose password has been reset.
>
> What I get back is this:
>
> <entity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="user">
> ..
> <userId>dave</userId>
> <locked>false</locked>
> <reset>false</reset>
> ..
> </entity>
>
> How can I tell that a user's account has been locked or reset when these Boolean properties don't seem to contain the correct information?
>
> Thank you,
> Dave