Posted to users@directory.apache.org by Ca...@ibs-ag.com on 2011/12/21 21:08:17 UTC

FW: ApacheDS differentiating Authentication Exceptions

Hi Everyone. We're still stuck on this one. Does anyone have a suggestion of how to handle this?  We've tried coding around this but we keep coming back to it. 

In summary, when we're changing a user's password and it's in the history, an InvalidAttributeValueException is thrown but the response controls in the LdapContext are null when we make the request with our PasswordRequestControl class (OID = "1.3.6.1.4.1.42.2.27.8.5.1").

Are we going about this the wrong way? I was hoping to catch the InvalidAttributeValueException but then determine from the response control that the Password was in the history and raise the appropriate error in our user interface. Thanks

-----Original Message-----
From: Accorsi, Carlo 
Sent: Wednesday, November 30, 2011 2:45 PM
To: 'users@directory.apache.org'
Subject: FW: ApacheDS differentiating Authentication Exceptions
<message removed>

-----Original Message-----
From: Accorsi, Carlo 
Sent: Friday, November 18, 2011 11:09 AM
To: users@directory.apache.org
Subject: RE: ApacheDS differentiating Authentication Exceptions

Say for example "123" is in your password history. 
Create an admin LdapContext with a PasswordRequestControl.  (ctx)

    import javax.naming.directory.BasicAttribute;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InvalidAttributeValueException;
    import javax.naming.directory.ModificationItem;

    // ctx: admin LdapContext created with the PasswordRequestControl; strDn: the user's DN
    ModificationItem[] mods = new ModificationItem[1];
    // try to set the password to a value that is already in the password history
    mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
            new BasicAttribute("userPassword", "123"));
    try {
        // response controls are set in ctx here when the modify succeeds
        ctx.modifyAttributes(strDn, mods);
    } catch (InvalidAttributeValueException e) {
        // ctx.getResponseControls() is null here
        e.printStackTrace(); // stack trace below
    }


Caused by: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - CONSTRAINT_VIOLATION: failed for MessageType : MODIFY_REQUEST Message ID : 4
    Modify Request
        Object : 'uid=1320878789594,ou=users,ou=ext,o=cpro'
            Modification[0]
                Operation :  replace
                Modification
    userPassword: '0x32 0x32 0x32 0x32 0x32 0x32 '
org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@f757cf46    ManageDsaITImpl Control
        Type OID    : '2.16.840.1.113730.3.4.2'
        Criticality : 'false'
'
: invalid reuse of password present in password history]; remaining name 'uid=1320878789594,ou=users,ou=ext,o=cpro'



Regards,
Carlo Accorsi

-----Original Message-----
From: ayyagarikiran@gmail.com [mailto:ayyagarikiran@gmail.com] On Behalf Of Kiran Ayyagari
Sent: Friday, November 18, 2011 9:59 AM
To: users@directory.apache.org
Subject: Re: ApacheDS differentiating Authentication Exceptions

have checked the code but didn't find any obvious issue, do you have a test case that I can use to reproduce?

On Fri, Nov 18, 2011 at 9:02 AM, Kiran Ayyagari <ka...@apache.org> wrote:
> most likely it could be a bug, will check that
>
> On Fri, Nov 18, 2011 at 6:09 AM,  <Ca...@ibs-ag.com> wrote:
>> Hi again. I'm getting and handling the ASN.1 messages for when a password is about to expire, and grace logins left and cases where there's no exception.
>> However, if there's an exception, the response controls are null. In 
>> the debugger, I see my response control present in the LdapContext 
>> but the moment, I step over ctx.modifyAttributes(strDn, mods);
>>
>> and for example an  javax.naming.directory.InvalidAttributeValueException is thrown for:
>>
>> : Password should have a minmum of 6 characters Or
>> : invalid reuse of password present in password history]
>>
>> The LdapContext is still valid but the response controls are set null? I've observed this by stepping through the code.
>> I was hoping to catch the reason in the ASN message and handle the failure appropriately from there.
>>
>>
>> Thank you,
>> Carlo Accorsi
>>
>>
>> -----Original Message-----
>> From: ayyagarikiran@gmail.com [mailto:ayyagarikiran@gmail.com] On 
>> Behalf Of Kiran Ayyagari
>> Sent: Tuesday, November 15, 2011 1:57 PM
>> To: users@directory.apache.org
>> Subject: Re: ApacheDS differentiating Authentication Exceptions
>>
>> On Tue, Nov 15, 2011 at 1:47 PM, Emmanuel Lecharny <el...@gmail.com> wrote:
>>> On 11/15/11 7:11 PM, Carlo.Accorsi@ibs-ag.com wrote:
>>>>
>>>> Ok, when I try and bind with an expired password and all grace 
>>>> logins are spent, this exception is thrown:
>>>>
>>>> Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: paasword expired and max grace logins were used]
>>>>
>>>>
>>>> And in the LdapContext.getResponseControls() encodedValue there is this small byte array:
>>>>
>>>>  [48, 3, -127, 1, 0]
>>>>
>>>> Does anyone know how to interpret or decode this?
>>>
>>> This stands for
>>> 0x30 0x03
>>>  0x81 0x01 0x00
>>>
>>> which means, when correlated with the ASN.1 grammar :
>>>
>>>      PasswordPolicyResponseValue ::= SEQUENCE {
>>>         warning [0] CHOICE {
>>>            timeBeforeExpiration [0] INTEGER (0 .. maxInt),
>>>            graceAuthNsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL,
>>>         error   [1] ENUMERATED {
>>>            passwordExpired             (0),
>>>            accountLocked               (1),
>>>            changeAfterReset            (2),
>>>            passwordModNotAllowed       (3),
>>>            mustSupplyOldPassword       (4),
>>>            insufficientPasswordQuality (5),
>>>            passwordTooShort            (6),
>>>            passwordTooYoung            (7),
>>>            passwordInHistory           (8) } OPTIONAL }
>>>
>>> 0x30 0x03 : SEQUENCE, 3 bytes length
>>> 0x81 : error [1] (would have been 0x80 for a warning)
>>> 0x01 : one byte length
>>> 0x00 : passwordExpired.
>>>
>>> ASN1 can be fun, but only for people who like this part of Pulp Fiction :
>>> http://www.youtube.com/watch?v=wN2-I31Imis&feature=player_detailpage
>>>
>> there goes the Christopher Nolan of ASN1 :) thanks for putting in many more details than the one I was about to send.
>>
>> OTOH, Carlo -
>> take a look at the control's source present here [1], you need
>> not (and might not) use all of it, but some parts can be reused
>>
>> [1] http://svn.apache.org/repos/asf/directory/shared/trunk/ldap/extras/codec-api/src/main/java/org/apache/directory/shared/ldap/extras/controls/ppolicy
>>>
>>> --
>>> Regards,
>>> Cordialement,
>>> Emmanuel Lécharny
>>> www.iktek.com
>>>
>>>
>>
>>
>>
>> --
>> Kiran Ayyagari
>>
>
>
>
> --
> Kiran Ayyagari
>



--
Kiran Ayyagari
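A decoder for the PasswordPolicyResponseValue walked through above, added here as a worked example; it is not code from the thread or from ApacheDS. It assumes the draft-behera encoding: the warning CHOICE sits inside a constructed [0] tag (0xA0) with the inner timeBeforeExpiration/graceAuthNsRemaining tagged 0x80/0x81, and error is the primitive [1] tag (0x81); it also accepts the signed Java byte[] values as printed in the thread.

```python
# Added example: decode the value of the 1.3.6.1.4.1.42.2.27.8.5.1 response control.
# Tag assignments (0xA0 / 0x80 / 0x81 / 0x81) follow draft-behera-ldap-password-policy.

PPOLICY_ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}

def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the BER TLV at pos (short-form length only)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not expected in a ppolicy response value")
    start, end = pos + 2, pos + 2 + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[start:end], end

def _uint(value):
    return int.from_bytes(value, "big", signed=False)

def decode_ppolicy_response(raw):
    """Decode a PasswordPolicyResponseValue.

    raw: bytes, or a list of signed ints as Java prints a byte[] (e.g. [48, 3, -127, 1, 0]).
    Returns a dict with any of 'timeBeforeExpiration', 'graceAuthNsRemaining', 'error'.
    """
    buf = bytes(b & 0xFF for b in raw)          # -127 -> 0x81, etc.
    tag, body, end = _read_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("expected exactly one SEQUENCE")
    result, pos = {}, 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0xA0:                          # warning [0]: constructed, wraps the CHOICE
            inner_tag, inner, _ = _read_tlv(value, 0)
            if inner_tag == 0x80:
                result["timeBeforeExpiration"] = _uint(inner)
            elif inner_tag == 0x81:
                result["graceAuthNsRemaining"] = _uint(inner)
            else:
                raise ValueError("unknown warning choice tag 0x%02x" % inner_tag)
        elif tag == 0x81:                        # error [1]: primitive ENUMERATED
            code = _uint(value)
            result["error"] = PPOLICY_ERRORS.get(code, "unknown(%d)" % code)
        else:
            raise ValueError("unexpected tag 0x%02x in PasswordPolicyResponseValue" % tag)
    return result
```

The value from the thread, [48, 3, -127, 1, 0], decodes to error passwordExpired; a constructed sample with both a warning and an error (e.g. 60 seconds before expiration plus passwordInHistory) exercises the other branches.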