You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@directory.apache.org by Mike Davis <md...@rez1.com> on 2017/06/08 18:32:03 UTC
RE: [ApacheDS | LDAP API] changing expired passwords
I know this is going back a few months, but was this issue ever addressed?
We've got some planned changes that involve a 3rd party tool that is going
to make this issue very difficult for us to address in code.
Last I heard from Emmanuel on this is likely a bug, and should be fixed
urgently. I'm not finding anything obvious in issues.apache.org that relates
to this.
-----Original Message-----
From: Mike Davis [mailto:mdavis@rez1.com]
Sent: Wednesday, November 02, 2016 9:51 AM
To: users@directory.apache.org
Subject: RE: [ApacheDS | LDAP API] changing expired passwords
Thanks. I was considering grace logins as a work around. Not my ideal
scenario, but should work.
Ideally, this work around should not be needed.
Get Outlook for Android
On Wed, Nov 2, 2016 at 9:46 AM -0400, "Accorsi, Carlo"
<Ca...@siemens.com> wrote:
Hi - We're using API M32 and a server version a few releases back.
We use the grace logins to raise errors (to change the password) before it's
actually expired & locked.
In the password policy we set the attribute ads-pwdgraceauthnlimit=4. The
user then gets 4 more attempts to login after the password is expired but
before it's locked out. You'll need to raise an error or warning so that
they do it but a valid password gives them a few more logins. The
PasswordPolicyResponse getGraceAuthNRemaining() method indicates how many
grace logins are left for the user. We were not able to get the safe
password function working, we just bind with the creds one last time before
resetting the password using an admin bind. (This isn't ideal however
because it uses one of the user's grace logins. So with the grace value set
to 4, we only allow 3 grace logins, saving the last one for the password
reset).
Here are some code snips and hope it helps.
/**Determine if user password is expired and all grace logins are used from
PasswordPolicyResponse code.
* @param ctrl The PasswordPolicyResponse object containing the response
code
* @return true when the password and grace logins are expired and the user
cannot login, false otherwise.
*/
public static boolean isPasswordExpiredLocked(PasswordPolicyResponse ctrl)
{
if (ctrl != null){
// two grace logins are needed. One to login, one to change the password.
// Account must lock if only one grace login remains because there are no
binds left to change it.
// Password is forced to change, but there are no expire warnings, ok.
if (PasswordPolicyErrorEnum.CHANGE_AFTER_RESET ==
ctrl.getPasswordPolicyError() &&
ctrl.getGraceAuthNRemaining() == -1 )
{
return false;
}
// Password is expired and there are no grace logins to clear it, fail.
if ((ctrl.getTimeBeforeExpiration() == -1 &&
ctrl.getGraceAuthNRemaining() <= 1)
|| PasswordPolicyErrorEnum.PASSWORD_EXPIRED ==
ctrl.getPasswordPolicyError()) // need to set expired flag.
{
return true;
}
}
return false;
}
/**Determine if user password must change from PasswordPolicyResponse code.
* @param ctrl The PasswordPolicyResponse object containing the response
code
* @return true when the password must change, false otherwise.
*/
public static boolean isPasswordMustChange(PasswordPolicyResponse ctrl)
{
if (ctrl != null){
if (ctrl.getTimeBeforeExpiration() == -1 ||
(ctrl.getGraceAuthNRemaining() <= 2 && ctrl.getGraceAuthNRemaining()
> -1)) // need to reset before LAST 2 logins
{
//System.out.println("Password must change. Expired in " +
ctrl.getTimeBeforeExpiration()+ " seconds, " +
ctrl.getGraceLoginsRemaining() + " logins remain . ");
return true;
}
if (PasswordPolicyErrorEnum.CHANGE_AFTER_RESET ==
ctrl.getPasswordPolicyError())
{
//System.out.println("Password was changed by admin and must change. ");
return true;
}
if (PasswordPolicyErrorEnum.PASSWORD_EXPIRED ==
ctrl.getPasswordPolicyError())
{
//System.out.println("Password has expired and must change. ");
return true;
}
}
return false;
}
//here's our relevant config
dn:
ads-pwdId=internal,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
objectClass: top
objectClass: ads-base
objectClass: ads-passwordPolicy
ads-pwdId: internal
ads-pwdSafeModify: FALSE // never got this to work. Password reset using
admin bind.
ads-pwdMaxAge: 5184000 // 60 days
ads-pwdFailureCountInterval: 30
ads-pwdAttribute: userPassword
ads-pwdMaxFailure: 5
ads-pwdLockout: TRUE
ads-pwdMustChange: FALSE
ads-pwdLockoutDuration: 0 // lock indefinitely.
ads-pwdMinLength: 6
ads-pwdInHistory: 5
ads-pwdExpireWarning: 345600 // 4 days
ads-pwdMinAge: 0
ads-pwdAllowUserChange: TRUE
ads-pwdGraceAuthNLimit: 4 // allow 4 logins after expired (raising an error
each time)
ads-pwdCheckQuality: 1
ads-pwdMaxLength: 0
ads-pwdGraceExpire: 0
ads-pwdMinDelay: 0
ads-pwdMaxDelay: 0
ads-pwdMaxIdle: 0
ads-enabled: FALSE
-----Original Message-----
From: Mike Davis [mailto:mdavis@rez1.com]
Sent: Wednesday, November 02, 2016 7:36 AM
To: users@directory.apache.org
Subject: Re: [ApacheDS | LDAP API] changing expired passwords
Thanks for the quick response.
I have not set any of the grace login parameters at this time.
Get Outlook for Android
From: Emmanuel Lécharny
Sent: Wednesday, November 2, 4:00 AM
Subject: Re: [ApacheDS | LDAP API] changing expired passwords
To: users@directory.apache.org
Hi ! Le 01/11/16 à 22:03, Mike Davis a écrit : > I've run into an issue with
either Apache DS or the Apache LDAP API, or > both. > > > > Here's the
scenario. > > > > I have a user whose password is expired. I want to force
the user to > change their password. However, I can't distinguish between a
case where > the user knows the password and where the user doesn't. I
always get a > PasswordException with >
passwordPolicyError=PasswordPolicyErrorEnum.PASSWORD_EXPIRED and >
resultCode = ResultCodeEnum.INVALID_CREDENTIALS. > > > > On top of that, the
LdapConnectionTemplate.modifyPassword() method that > takes old and new
password doesn't work, because the library is attempting > to bind with the
users old password, and we just get the same > PasswordException as above.
If I use the 'asAdmin' flag, then the old > password is never checked. > > >
> I don't want to change the password as admin, because I have no way to >
validate the user knows his old password. You should not be forced to use
the admin flag to change an expired password. There is a paramter
(pwdGraceUseTime) that let the user tries up a given delay to change an
expired password. What is the value you have set for this parameter ?
However, teh default should be infinite. I suspect there is a bug that
should be fixed urgently...
Hi !
Le 01/11/16 à 22:03, Mike Davis a écrit :
> I've run into an issue with either Apache DS or the Apache LDAP API,
> or both.
>
>
>
> Here's the scenario.
>
>
>
> I have a user whose password is expired. I want to force the user to
> change their password. However, I can't distinguish between a case
> where the user knows the password and where the user doesn't. I always
> get a PasswordException with
> passwordPolicyError=PasswordPolicyErrorEnum.PASSWORD_EXPIRED and
> resultCode = ResultCodeEnum.INVALID_CREDENTIALS.
>
>
>
> On top of that, the LdapConnectionTemplate.modifyPassword() method
> that takes old and new password doesn't work, because the library is
> attempting to bind with the users old password, and we just get the
> same PasswordException as above. If I use the 'asAdmin' flag, then the
> old password is never checked.
>
>
>
> I don't want to change the password as admin, because I have no way to
> validate the user knows his old password.
You should not be forced to use the admin flag to change an expired
password. There is a paramter (pwdGraceUseTime) that let the user tries up a
given delay to change an expired password. What is the value you have set
for this parameter ?
However, teh default should be infinite. I suspect there is a bug that
should be fixed urgently...
Re: [ApacheDS | LDAP API] changing expired passwords
Posted by Sambedi Fahted <sf...@gmail.com>.
Congrats, Emmanuel!
On Mon, Aug 7, 2017 at 5:48 PM, Emmanuel Lécharny <el...@gmail.com>
wrote:
> Hi Mike,
>
>
> sorry for having left this pb aside (was working on a more important
> release : a baby ;-)
>
>
> You should xreate a JIRA with a description of the problem (copy/paste
> the contet of your mail should be good enough).
>
>
> I can't guarantee a quick fix, being pretty busy atm, but I'll have a
> look. Please ping me if you don't see a response after a few days.
>
>
> Thanks !
>
>
> Le 08/06/2017 à 20:32, Mike Davis a écrit :
> > I know this is going back a few months, but was this issue ever
> addressed?
> > We've got some planned changes that involve a 3rd party tool that is
> going
> > to make this issue very difficult for us to address in code.
> >
> > Last I heard from Emmanuel on this is likely a bug, and should be fixed
> > urgently. I'm not finding anything obvious in issues.apache.org that
> relates
> > to this.
> >
> > -----Original Message-----
> > From: Mike Davis [mailto:mdavis@rez1.com]
> > Sent: Wednesday, November 02, 2016 9:51 AM
> > To: users@directory.apache.org
> > Subject: RE: [ApacheDS | LDAP API] changing expired passwords
> >
> >
> >
> > Thanks. I was considering grace logins as a work around. Not my ideal
> > scenario, but should work.
> >
> >
> > Ideally, this work around should not be needed.
> >
> >
> >
> >
> > Get Outlook for Android
> >
> >
> >
> >
> >
> >
> > On Wed, Nov 2, 2016 at 9:46 AM -0400, "Accorsi, Carlo"
> > <Ca...@siemens.com> wrote:
> >
> >
> >
> >
> >
> >
> > Hi - We're using API M32 and a server version a few releases back.
> >
> > We use the grace logins to raise errors (to change the password) before
> it's
> > actually expired & locked.
> >
> > In the password policy we set the attribute ads-pwdgraceauthnlimit=4.
> The
> > user then gets 4 more attempts to login after the password is expired but
> > before it's locked out. You'll need to raise an error or warning so that
> > they do it but a valid password gives them a few more logins. The
> > PasswordPolicyResponse getGraceAuthNRemaining() method indicates how
> many
> > grace logins are left for the user. We were not able to get the safe
> > password function working, we just bind with the creds one last time
> before
> > resetting the password using an admin bind. (This isn't ideal however
> > because it uses one of the user's grace logins. So with the grace value
> set
> > to 4, we only allow 3 grace logins, saving the last one for the password
> > reset).
> >
> > Here are some code snips and hope it helps.
> >
> > /**Determine if user password is expired and all grace logins are used
> from
> > PasswordPolicyResponse code.
> > * @param ctrl The PasswordPolicyResponse object containing the
> response
> > code
> > * @return true when the password and grace logins are expired and
> the user
> > cannot login, false otherwise.
> > */
> > public static boolean isPasswordExpiredLocked(PasswordPolicyResponse
> ctrl)
> > {
> > if (ctrl != null){
> > // two grace logins are needed. One to login, one
> to change the password.
> > // Account must lock if only one grace login
> remains because there are no
> > binds left to change it.
> >
> > // Password is forced to change, but there are no
> expire warnings, ok.
> > if (PasswordPolicyErrorEnum.CHANGE_AFTER_RESET ==
> > ctrl.getPasswordPolicyError() &&
> > ctrl.getGraceAuthNRemaining() ==
> -1 )
> > {
> > return false;
> > }
> >
> > // Password is expired and there are no grace
> logins to clear it, fail.
> > if ((ctrl.getTimeBeforeExpiration() == -1 &&
> > ctrl.getGraceAuthNRemaining() <= 1)
> > || PasswordPolicyErrorEnum.PASSWORD_EXPIRED
> ==
> > ctrl.getPasswordPolicyError()) // need to set expired flag.
> > {
> > return true;
> > }
> > }
> > return false;
> > }
> >
> >
> > /**Determine if user password must change from
> PasswordPolicyResponse code.
> > * @param ctrl The PasswordPolicyResponse object containing the
> response
> > code
> > * @return true when the password must change, false otherwise.
> > */
> > public static boolean isPasswordMustChange(PasswordPolicyResponse
> ctrl)
> > {
> > if (ctrl != null){
> > if (ctrl.getTimeBeforeExpiration() == -1 ||
> > (ctrl.getGraceAuthNRemaining() <=
> 2 && ctrl.getGraceAuthNRemaining()
> > > -1)) // need to reset before LAST 2 logins
> > {
> > //System.out.println("Password must
> change. Expired in " +
> > ctrl.getTimeBeforeExpiration()+ " seconds, " +
> > ctrl.getGraceLoginsRemaining() + " logins remain . ");
> > return true;
> > }
> > if (PasswordPolicyErrorEnum.CHANGE_AFTER_RESET ==
> > ctrl.getPasswordPolicyError())
> > {
> > //System.out.println("Password was changed
> by admin and must change. ");
> > return true;
> > }
> > if (PasswordPolicyErrorEnum.PASSWORD_EXPIRED ==
> > ctrl.getPasswordPolicyError())
> > {
> > //System.out.println("Password has expired
> and must change. ");
> > return true;
> > }
> > }
> > return false;
> > }
> >
> > //here's our relevant config
> >
> > dn:
> > ads-pwdId=internal,ou=passwordPolicies,ads-interceptorId=
> authenticationInterceptor,ou=interceptors,ads-
> directoryServiceId=default,ou=config
> > objectClass: top
> > objectClass: ads-base
> > objectClass: ads-passwordPolicy
> > ads-pwdId: internal
> > ads-pwdSafeModify: FALSE // never got this to work. Password reset using
> > admin bind.
> > ads-pwdMaxAge: 5184000 // 60 days
> > ads-pwdFailureCountInterval: 30
> > ads-pwdAttribute: userPassword
> > ads-pwdMaxFailure: 5
> > ads-pwdLockout: TRUE
> > ads-pwdMustChange: FALSE
> > ads-pwdLockoutDuration: 0 // lock indefinitely.
> > ads-pwdMinLength: 6
> > ads-pwdInHistory: 5
> > ads-pwdExpireWarning: 345600 // 4 days
> > ads-pwdMinAge: 0
> > ads-pwdAllowUserChange: TRUE
> > ads-pwdGraceAuthNLimit: 4 // allow 4 logins after expired (raising an
> error
> > each time)
> > ads-pwdCheckQuality: 1
> > ads-pwdMaxLength: 0
> > ads-pwdGraceExpire: 0
> > ads-pwdMinDelay: 0
> > ads-pwdMaxDelay: 0
> > ads-pwdMaxIdle: 0
> > ads-enabled: FALSE
> >
> >
> >
> > -----Original Message-----
> > From: Mike Davis [mailto:mdavis@rez1.com]
> > Sent: Wednesday, November 02, 2016 7:36 AM
> > To: users@directory.apache.org
> > Subject: Re: [ApacheDS | LDAP API] changing expired passwords
> >
> >
> >
> > Thanks for the quick response.
> >
> >
> > I have not set any of the grace login parameters at this time.
> >
> >
> >
> >
> > Get Outlook for Android
> >
> >
> >
> > From: Emmanuel Lécharny
> >
> > Sent: Wednesday, November 2, 4:00 AM
> >
> > Subject: Re: [ApacheDS | LDAP API] changing expired passwords
> >
> > To: users@directory.apache.org
> >
> >
> >
> > Hi ! Le 01/11/16 à 22:03, Mike Davis a écrit : > I've run into an issue
> with
> > either Apache DS or the Apache LDAP API, or > both. > > > > Here's the
> > scenario. > > > > I have a user whose password is expired. I want to
> force
> > the user to > change their password. However, I can't distinguish
> between a
> > case where > the user knows the password and where the user doesn't. I
> > always get a > PasswordException with >
> > passwordPolicyError=PasswordPolicyErrorEnum.PASSWORD_EXPIRED and >
> > resultCode = ResultCodeEnum.INVALID_CREDENTIALS. > > > > On top of
> that, the
> > LdapConnectionTemplate.modifyPassword() method that > takes old and new
> > password doesn't work, because the library is attempting > to bind with
> the
> > users old password, and we just get the same > PasswordException as
> above.
> > If I use the 'asAdmin' flag, then the old > password is never checked. >
> > >
> > > I don't want to change the password as admin, because I have no way
> to >
> > validate the user knows his old password. You should not be forced to use
> > the admin flag to change an expired password. There is a paramter
> > (pwdGraceUseTime) that let the user tries up a given delay to change an
> > expired password. What is the value you have set for this parameter ?
> > However, teh default should be infinite. I suspect there is a bug that
> > should be fixed urgently...
> > Hi !
> >
> >
> > Le 01/11/16 à 22:03, Mike Davis a écrit :
> >> I've run into an issue with either Apache DS or the Apache LDAP API,
> >> or both.
> >>
> >>
> >>
> >> Here's the scenario.
> >>
> >>
> >>
> >> I have a user whose password is expired. I want to force the user to
> >> change their password. However, I can't distinguish between a case
> >> where the user knows the password and where the user doesn't. I always
> >> get a PasswordException with
> >> passwordPolicyError=PasswordPolicyErrorEnum.PASSWORD_EXPIRED and
> >> resultCode = ResultCodeEnum.INVALID_CREDENTIALS.
> >>
> >>
> >>
> >> On top of that, the LdapConnectionTemplate.modifyPassword() method
> >> that takes old and new password doesn't work, because the library is
> >> attempting to bind with the users old password, and we just get the
> >> same PasswordException as above. If I use the 'asAdmin' flag, then the
> >> old password is never checked.
> >>
> >>
> >>
> >> I don't want to change the password as admin, because I have no way to
> >> validate the user knows his old password.
> > You should not be forced to use the admin flag to change an expired
> > password. There is a paramter (pwdGraceUseTime) that let the user tries
> up a
> > given delay to change an expired password. What is the value you have set
> > for this parameter ?
> >
> > However, teh default should be infinite. I suspect there is a bug that
> > should be fixed urgently...
> >
>
> --
> Emmanuel Lecharny
>
> Symas.com
> directory.apache.org
>
>
--
Cheers
-Sam
RE: [ApacheDS | LDAP API] changing expired passwords
Posted by Mike Davis <md...@rez1.com>.
Ah, right. Congratulations!
I created DIRAPI-299.
Thanks for all your help with this.
-----Original Message-----
From: Emmanuel Lécharny [mailto:elecharny@gmail.com]
Sent: Monday, August 07, 2017 5:48 PM
To: users@directory.apache.org
Subject: Re: [ApacheDS | LDAP API] changing expired passwords
Hi Mike,
sorry for having left this pb aside (was working on a more important release
: a baby ;-)
You should xreate a JIRA with a description of the problem (copy/paste the
contet of your mail should be good enough).
I can't guarantee a quick fix, being pretty busy atm, but I'll have a look.
Please ping me if you don't see a response after a few days.
Thanks !
Le 08/06/2017 à 20:32, Mike Davis a écrit :
> I know this is going back a few months, but was this issue ever addressed?
> We've got some planned changes that involve a 3rd party tool that is
> going to make this issue very difficult for us to address in code.
>
> Last I heard from Emmanuel on this is likely a bug, and should be
> fixed urgently. I'm not finding anything obvious in issues.apache.org
> that relates to this.
>
> -----Original Message-----
> From: Mike Davis [mailto:mdavis@rez1.com]
> Sent: Wednesday, November 02, 2016 9:51 AM
> To: users@directory.apache.org
> Subject: RE: [ApacheDS | LDAP API] changing expired passwords
>
>
>
> Thanks. I was considering grace logins as a work around. Not my ideal
> scenario, but should work.
>
>
> Ideally, this work around should not be needed.
>
>
>
>
> Get Outlook for Android
>
>
>
>
>
>
> On Wed, Nov 2, 2016 at 9:46 AM -0400, "Accorsi, Carlo"
> <Ca...@siemens.com> wrote:
>
>
>
>
>
>
> Hi - We're using API M32 and a server version a few releases back.
>
> We use the grace logins to raise errors (to change the password)
> before it's actually expired & locked.
>
> In the password policy we set the attribute ads-pwdgraceauthnlimit=4.
> The user then gets 4 more attempts to login after the password is
> expired but before it's locked out. You'll need to raise an error or
> warning so that they do it but a valid password gives them a few more
> logins. The PasswordPolicyResponse getGraceAuthNRemaining() method
> indicates how many grace logins are left for the user. We were not
> able to get the safe password function working, we just bind with the
> creds one last time before resetting the password using an admin bind.
> (This isn't ideal however because it uses one of the user's grace
> logins. So with the grace value set to 4, we only allow 3 grace
> logins, saving the last one for the password reset).
>
> Here are some code snips and hope it helps.
>
> /**Determine if user password is expired and all grace logins are used
> from PasswordPolicyResponse code.
> * @param ctrl The PasswordPolicyResponse object containing the
> response code
> * @return true when the password and grace logins are expired and
> the user cannot login, false otherwise.
> */
> public static boolean isPasswordExpiredLocked(PasswordPolicyResponse
> ctrl)
> {
> if (ctrl != null){
> // two grace logins are needed. One to login, one to change the
> password.
> // Account must lock if only one grace login remains because there
> are no binds left to change it.
>
> // Password is forced to change, but there are no expire warnings, ok.
> if (PasswordPolicyErrorEnum.CHANGE_AFTER_RESET ==
> ctrl.getPasswordPolicyError() &&
> ctrl.getGraceAuthNRemaining() == -1 )
> {
> return false;
> }
>
> // Password is expired and there are no grace logins to clear it, fail.
> if ((ctrl.getTimeBeforeExpiration() == -1 &&
> ctrl.getGraceAuthNRemaining() <= 1)
> || PasswordPolicyErrorEnum.PASSWORD_EXPIRED ==
> ctrl.getPasswordPolicyError()) // need to set expired flag.
> {
> return true;
> }
> }
> return false;
> }
>
>
> /**Determine if user password must change from PasswordPolicyResponse
> code.
> * @param ctrl The PasswordPolicyResponse object containing the response
> code
> * @return true when the password must change, false otherwise.
> */
> public static boolean isPasswordMustChange(PasswordPolicyResponse ctrl)
> {
> if (ctrl != null){
> if (ctrl.getTimeBeforeExpiration() == -1 ||
> (ctrl.getGraceAuthNRemaining() <= 2 && ctrl.getGraceAuthNRemaining()
> > -1)) // need to reset before LAST 2 logins
> {
> //System.out.println("Password must change. Expired in " +
> ctrl.getTimeBeforeExpiration()+ " seconds, " +
> ctrl.getGraceLoginsRemaining() + " logins remain . ");
> return true;
> }
> if (PasswordPolicyErrorEnum.CHANGE_AFTER_RESET ==
> ctrl.getPasswordPolicyError())
> {
> //System.out.println("Password was changed by admin and must change.
> ");
> return true;
> }
> if (PasswordPolicyErrorEnum.PASSWORD_EXPIRED ==
> ctrl.getPasswordPolicyError())
> {
> //System.out.println("Password has expired and must change. ");
> return true;
> }
> }
> return false;
> }
>
> //here's our relevant config
>
> dn:
> ads-pwdId=internal,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> objectClass: top
> objectClass: ads-base
> objectClass: ads-passwordPolicy
> ads-pwdId: internal
> ads-pwdSafeModify: FALSE // never got this to work. Password reset using
> admin bind.
> ads-pwdMaxAge: 5184000 // 60 days
> ads-pwdFailureCountInterval: 30
> ads-pwdAttribute: userPassword
> ads-pwdMaxFailure: 5
> ads-pwdLockout: TRUE
> ads-pwdMustChange: FALSE
> ads-pwdLockoutDuration: 0 // lock indefinitely.
> ads-pwdMinLength: 6
> ads-pwdInHistory: 5
> ads-pwdExpireWarning: 345600 // 4 days
> ads-pwdMinAge: 0
> ads-pwdAllowUserChange: TRUE
> ads-pwdGraceAuthNLimit: 4 // allow 4 logins after expired (raising an
> error
> each time)
> ads-pwdCheckQuality: 1
> ads-pwdMaxLength: 0
> ads-pwdGraceExpire: 0
> ads-pwdMinDelay: 0
> ads-pwdMaxDelay: 0
> ads-pwdMaxIdle: 0
> ads-enabled: FALSE
>
>
>
> -----Original Message-----
> From: Mike Davis [mailto:mdavis@rez1.com]
> Sent: Wednesday, November 02, 2016 7:36 AM
> To: users@directory.apache.org
> Subject: Re: [ApacheDS | LDAP API] changing expired passwords
>
>
>
> Thanks for the quick response.
>
>
> I have not set any of the grace login parameters at this time.
>
>
>
>
> Get Outlook for Android
>
>
>
> From: Emmanuel Lécharny
>
> Sent: Wednesday, November 2, 4:00 AM
>
> Subject: Re: [ApacheDS | LDAP API] changing expired passwords
>
> To: users@directory.apache.org
>
>
>
> Hi ! Le 01/11/16 à 22:03, Mike Davis a écrit : > I've run into an issue
> with
> either Apache DS or the Apache LDAP API, or > both. > > > > Here's the
> scenario. > > > > I have a user whose password is expired. I want to force
> the user to > change their password. However, I can't distinguish between
> a
> case where > the user knows the password and where the user doesn't. I
> always get a > PasswordException with >
> passwordPolicyError=PasswordPolicyErrorEnum.PASSWORD_EXPIRED and >
> resultCode = ResultCodeEnum.INVALID_CREDENTIALS. > > > > On top of that,
> the
> LdapConnectionTemplate.modifyPassword() method that > takes old and new
> password doesn't work, because the library is attempting > to bind with
> the
> users old password, and we just get the same > PasswordException as above.
> If I use the 'asAdmin' flag, then the old > password is never checked. > >
> >
> > I don't want to change the password as admin, because I have no way to
> >
> validate the user knows his old password. You should not be forced to use
> the admin flag to change an expired password. There is a paramter
> (pwdGraceUseTime) that let the user tries up a given delay to change an
> expired password. What is the value you have set for this parameter ?
> However, teh default should be infinite. I suspect there is a bug that
> should be fixed urgently...
> Hi !
>
>
> Le 01/11/16 à 22:03, Mike Davis a écrit :
>> I've run into an issue with either Apache DS or the Apache LDAP API,
>> or both.
>>
>>
>>
>> Here's the scenario.
>>
>>
>>
>> I have a user whose password is expired. I want to force the user to
>> change their password. However, I can't distinguish between a case
>> where the user knows the password and where the user doesn't. I always
>> get a PasswordException with
>> passwordPolicyError=PasswordPolicyErrorEnum.PASSWORD_EXPIRED and
>> resultCode = ResultCodeEnum.INVALID_CREDENTIALS.
>>
>>
>>
>> On top of that, the LdapConnectionTemplate.modifyPassword() method
>> that takes old and new password doesn't work, because the library is
>> attempting to bind with the users old password, and we just get the
>> same PasswordException as above. If I use the 'asAdmin' flag, then the
>> old password is never checked.
>>
>>
>>
>> I don't want to change the password as admin, because I have no way to
>> validate the user knows his old password.
> You should not be forced to use the admin flag to change an expired
> password. There is a paramter (pwdGraceUseTime) that let the user tries up
> a
> given delay to change an expired password. What is the value you have set
> for this parameter ?
>
> However, teh default should be infinite. I suspect there is a bug that
> should be fixed urgently...
>
--
Emmanuel Lecharny
Symas.com
directory.apache.org
Re: [ApacheDS | LDAP API] changing expired passwords
Posted by Emmanuel Lécharny <el...@gmail.com>.
Hi Mike,
sorry for having left this pb aside (was working on a more important
release : a baby ;-)
You should xreate a JIRA with a description of the problem (copy/paste
the contet of your mail should be good enough).
I can't guarantee a quick fix, being pretty busy atm, but I'll have a
look. Please ping me if you don't see a response after a few days.
Thanks !
Le 08/06/2017 à 20:32, Mike Davis a écrit :
> I know this is going back a few months, but was this issue ever addressed?
> We've got some planned changes that involve a 3rd party tool that is going
> to make this issue very difficult for us to address in code.
>
> Last I heard from Emmanuel on this is likely a bug, and should be fixed
> urgently. I'm not finding anything obvious in issues.apache.org that relates
> to this.
>
> -----Original Message-----
> From: Mike Davis [mailto:mdavis@rez1.com]
> Sent: Wednesday, November 02, 2016 9:51 AM
> To: users@directory.apache.org
> Subject: RE: [ApacheDS | LDAP API] changing expired passwords
>
>
>
> Thanks. I was considering grace logins as a work around. Not my ideal
> scenario, but should work.
>
>
> Ideally, this work around should not be needed.
>
>
>
>
> Get Outlook for Android
>
>
>
>
>
>
> On Wed, Nov 2, 2016 at 9:46 AM -0400, "Accorsi, Carlo"
> <Ca...@siemens.com> wrote:
>
>
>
>
>
>
> Hi - We're using API M32 and a server version a few releases back.
>
> We use the grace logins to raise errors (to change the password) before it's
> actually expired & locked.
>
> In the password policy we set the attribute ads-pwdgraceauthnlimit=4. The
> user then gets 4 more attempts to login after the password is expired but
> before it's locked out. You'll need to raise an error or warning so that
> they do it but a valid password gives them a few more logins. The
> PasswordPolicyResponse getGraceAuthNRemaining() method indicates how many
> grace logins are left for the user. We were not able to get the safe
> password function working, we just bind with the creds one last time before
> resetting the password using an admin bind. (This isn't ideal however
> because it uses one of the user's grace logins. So with the grace value set
> to 4, we only allow 3 grace logins, saving the last one for the password
> reset).
>
> Here are some code snips and hope it helps.
>
> /**Determine if user password is expired and all grace logins are used from
> PasswordPolicyResponse code.
> * @param ctrl The PasswordPolicyResponse object containing the response
> code
> * @return true when the password and grace logins are expired and the user
> cannot login, false otherwise.
> */
> public static boolean isPasswordExpiredLocked(PasswordPolicyResponse ctrl)
> {
> if (ctrl != null){
> // two grace logins are needed. One to login, one to change the password.
> // Account must lock if only one grace login remains because there are no
> binds left to change it.
>
> // Password is forced to change, but there are no expire warnings, ok.
> if (PasswordPolicyErrorEnum.CHANGE_AFTER_RESET ==
> ctrl.getPasswordPolicyError() &&
> ctrl.getGraceAuthNRemaining() == -1 )
> {
> return false;
> }
>
> // Password is expired and there are no grace logins to clear it, fail.
> if ((ctrl.getTimeBeforeExpiration() == -1 &&
> ctrl.getGraceAuthNRemaining() <= 1)
> || PasswordPolicyErrorEnum.PASSWORD_EXPIRED ==
> ctrl.getPasswordPolicyError()) // need to set expired flag.
> {
> return true;
> }
> }
> return false;
> }
>
>
> /**Determine if user password must change from PasswordPolicyResponse code.
> * @param ctrl The PasswordPolicyResponse object containing the response
> code
> * @return true when the password must change, false otherwise.
> */
> public static boolean isPasswordMustChange(PasswordPolicyResponse ctrl)
> {
> if (ctrl != null){
> if (ctrl.getTimeBeforeExpiration() == -1 ||
> (ctrl.getGraceAuthNRemaining() <= 2 && ctrl.getGraceAuthNRemaining()
> > -1)) // need to reset before LAST 2 logins
> {
> //System.out.println("Password must change. Expired in " +
> ctrl.getTimeBeforeExpiration()+ " seconds, " +
> ctrl.getGraceLoginsRemaining() + " logins remain . ");
> return true;
> }
> if (PasswordPolicyErrorEnum.CHANGE_AFTER_RESET ==
> ctrl.getPasswordPolicyError())
> {
> //System.out.println("Password was changed by admin and must change. ");
> return true;
> }
> if (PasswordPolicyErrorEnum.PASSWORD_EXPIRED ==
> ctrl.getPasswordPolicyError())
> {
> //System.out.println("Password has expired and must change. ");
> return true;
> }
> }
> return false;
> }
>
> //here's our relevant config
>
> dn:
> ads-pwdId=internal,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> objectClass: top
> objectClass: ads-base
> objectClass: ads-passwordPolicy
> ads-pwdId: internal
> ads-pwdSafeModify: FALSE // never got this to work. Password reset using
> admin bind.
> ads-pwdMaxAge: 5184000 // 60 days
> ads-pwdFailureCountInterval: 30
> ads-pwdAttribute: userPassword
> ads-pwdMaxFailure: 5
> ads-pwdLockout: TRUE
> ads-pwdMustChange: FALSE
> ads-pwdLockoutDuration: 0 // lock indefinitely.
> ads-pwdMinLength: 6
> ads-pwdInHistory: 5
> ads-pwdExpireWarning: 345600 // 4 days
> ads-pwdMinAge: 0
> ads-pwdAllowUserChange: TRUE
> ads-pwdGraceAuthNLimit: 4 // allow 4 logins after expired (raising an error
> each time)
> ads-pwdCheckQuality: 1
> ads-pwdMaxLength: 0
> ads-pwdGraceExpire: 0
> ads-pwdMinDelay: 0
> ads-pwdMaxDelay: 0
> ads-pwdMaxIdle: 0
> ads-enabled: FALSE
>
>
>
> -----Original Message-----
> From: Mike Davis [mailto:mdavis@rez1.com]
> Sent: Wednesday, November 02, 2016 7:36 AM
> To: users@directory.apache.org
> Subject: Re: [ApacheDS | LDAP API] changing expired passwords
>
>
>
> Thanks for the quick response.
>
>
> I have not set any of the grace login parameters at this time.
>
>
>
>
> Get Outlook for Android
>
>
>
> From: Emmanuel Lécharny
>
> Sent: Wednesday, November 2, 4:00 AM
>
> Subject: Re: [ApacheDS | LDAP API] changing expired passwords
>
> To: users@directory.apache.org
>
>
>
> Hi ! Le 01/11/16 à 22:03, Mike Davis a écrit : > I've run into an issue with
> either Apache DS or the Apache LDAP API, or > both. > > > > Here's the
> scenario. > > > > I have a user whose password is expired. I want to force
> the user to > change their password. However, I can't distinguish between a
> case where > the user knows the password and where the user doesn't. I
> always get a > PasswordException with >
> passwordPolicyError=PasswordPolicyErrorEnum.PASSWORD_EXPIRED and >
> resultCode = ResultCodeEnum.INVALID_CREDENTIALS. > > > > On top of that, the
> LdapConnectionTemplate.modifyPassword() method that > takes old and new
> password doesn't work, because the library is attempting > to bind with the
> users old password, and we just get the same > PasswordException as above.
> If I use the 'asAdmin' flag, then the old > password is never checked. > > >
> > I don't want to change the password as admin, because I have no way to >
> validate the user knows his old password. You should not be forced to use
> the admin flag to change an expired password. There is a paramter
> (pwdGraceUseTime) that let the user tries up a given delay to change an
> expired password. What is the value you have set for this parameter ?
> However, teh default should be infinite. I suspect there is a bug that
> should be fixed urgently...
> Hi !
>
>
> Le 01/11/16 à 22:03, Mike Davis a écrit :
>> I've run into an issue with either Apache DS or the Apache LDAP API,
>> or both.
>>
>>
>>
>> Here's the scenario.
>>
>>
>>
>> I have a user whose password is expired. I want to force the user to
>> change their password. However, I can't distinguish between a case
>> where the user knows the password and where the user doesn't. I always
>> get a PasswordException with
>> passwordPolicyError=PasswordPolicyErrorEnum.PASSWORD_EXPIRED and
>> resultCode = ResultCodeEnum.INVALID_CREDENTIALS.
>>
>>
>>
>> On top of that, the LdapConnectionTemplate.modifyPassword() method
>> that takes old and new password doesn't work, because the library is
>> attempting to bind with the users old password, and we just get the
>> same PasswordException as above. If I use the 'asAdmin' flag, then the
>> old password is never checked.
>>
>>
>>
>> I don't want to change the password as admin, because I have no way to
>> validate the user knows his old password.
> You should not be forced to use the admin flag to change an expired
> password. There is a paramter (pwdGraceUseTime) that let the user tries up a
> given delay to change an expired password. What is the value you have set
> for this parameter ?
>
> However, teh default should be infinite. I suspect there is a bug that
> should be fixed urgently...
>
--
Emmanuel Lecharny
Symas.com
directory.apache.org