Posted to users@directory.apache.org by Patricio Demitrio <pd...@scoop-gmbh.de> on 2013/01/30 12:19:59 UTC

[ApacheDS] Error 56

Hi, while trying to change the password of a user from openam (sso server)
I'm getting this error.

Message ID : 3
    Modify Request
        Object : 'uid=user1,ou=people,dc=example,dc=com'
            Modification[0]
                Operation :  delete
                Modification
    userpassword: '0x70 0x61 0x73 0x73 0x77 0x6F 0x72 0x64 '
            Modification[1]
                Operation :  add
                Modification
    userpassword: '0x61 0x63 0x63 0x65 0x73 0x73 0x43 0x6F 0x6E 0x74 0x72
0x6F 0x6C 0x53 0x70 0x65 ...'
org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@99795eb8org.apache.directory.shared.ldap.extras.controls.ppolicy.PasswordPolicyImpl@2cd5276a:
ERR_56 Cannot remove an absent value from attribute : ATTRIBUTE_TYPE (
2.5.4.35
 NAME 'userPassword'
 DESC RFC2256/2307: password of user
 EQUALITY octetStringMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
 USAGE userApplications
 )
-----
Strange, since attribute "userPassword" is there.
Does the difference between "userpassword" and "userPassword" have anything
to do with it?

Thanks in advance
Patricio

Re: [ApacheDS] Error 56

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 1/30/13 12:19 PM, Patricio Demitrio wrote:
> Hi, while trying to change the password of a user from openam (sso server)
> I'm getting this error.
>
> Message ID : 3
>     Modify Request
>         Object : 'uid=user1,ou=people,dc=example,dc=com'
>             Modification[0]
>                 Operation :  delete
>                 Modification
>     userpassword: '0x70 0x61 0x73 0x73 0x77 0x6F 0x72 0x64 '
>             Modification[1]
>                 Operation :  add
>                 Modification
>     userpassword: '0x61 0x63 0x63 0x65 0x73 0x73 0x43 0x6F 0x6E 0x74 0x72
> 0x6F 0x6C 0x53 0x70 0x65 ...'
> org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@99795eb8org.apache.directory.shared.ldap.extras.controls.ppolicy.PasswordPolicyImpl@2cd5276a:
> ERR_56 Cannot remove an absent value from attribute : ATTRIBUTE_TYPE (
> 2.5.4.35
>  NAME 'userPassword'
>  DESC RFC2256/2307: password of user
>  EQUALITY octetStringMatch
>  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
>  USAGE userApplications
>  )
> -----
> Strange, since attribute "userPassword" is there.
> Does the difference between "userpassword" and "userPassword" have anything
> to do with it?

Can you tell us a bit more about your env? (versions etc.)
Thanks!

-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 


Re: [ApacheDS] Error 56

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 2/4/13 11:10 AM, Patricio Demitrio wrote:
> Hi Kiran /everyone.
>
> I'm trying to isolate the error here. Openam is trying the following:
> ----
> Modify Request
>         Object : 'uid=user8,ou=people,dc=example,dc=com'
>             Modification[0]
>                 Operation :  delete
>                 Modification
>     userpassword: '0x70 0x61 0x73 0x73 0x77 0x6F 0x72 0x64 0x31 '
>             Modification[1]
>                 Operation :  add
>                 Modification
>     userpassword: '0x70 0x61 0x73 0x73 0x77 0x6F 0x72 0x64 0x32 '
> -------
> So openam apparently is trying to remove the attribute userpassword and
> create a new one with a new value, right?

Not quite. It removes one value from the userPassword AT and adds a new
one. This is the only way to modify a value in a multi-valued AT.

>
> Well, from apacheStudio, I'm trying to delete the attribute userpassword
> and it's not letting me. Here's the error in apacheStudio:

I'm looking at the error. Will come back later with some answer.


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 


Re: [ApacheDS] Error 56

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 2/4/13 11:10 AM, Patricio Demitrio wrote:
> Hi Kiran /everyone.
>
> Well, from apacheStudio, I'm trying to delete the attribute userpassword
> and it's not letting me. Here's the error in apacheStudio:
> ------
> Error while executing LDIF
>  - [LDAP: error code 80 - OTHER: failed for MessageType : MODIFY_REQUES
>   java.lang.Exception: [LDAP: error code 80 - OTHER: failed for MessageType : MODIFY_REQUEST
> Message ID : 25
>     Modify Request
>         Object : 'uid=user8,ou=people,dc=eiger,dc=com'
>             Modification[0]
>                 Operation :  delete
>                 Modification
>     userpassword: (null)
> org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@aec4e630:
> null]

This is a clear bug in Studio: when we create the modify request, we
create a ModifyRequest containing this modification:


dn: uid=user8,ou=people,dc=eiger,dc=com
changetype: modify
delete: userPassword
-

which gets translated to an internal data structure (ModifyRequestImpl)
where the deletion is applied on the userPassword AttributeType but with
the null value being added (yes, we can have null values associated with
an Attribute, but this is not frequent).

The consequence being that we are trying to delete the null value from
the userPassword attribute, which obviously can't be found.

We will fix this issue.

> Maybe the problem has been always here
Yes.

You should try switching to JNDI in the connection you are using in
Studio:
connection (right click)
 -> properties
    -> Provider : select JNDI

disconnect, reconnect.



-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 
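To make the Modify semantics in the two replies above concrete (a self-service change is "delete the old value, add the new one" in a single request, a delete of a value that is not present fails, and a delete with no values removes the whole attribute, which is what Studio's LDIF meant and what the null value broke), here is a small added model of how a server applies a ModifyRequest. It is illustration only, not ApacheDS or Studio code; `Entry`, `apply_modify`, the exception class and the sample DN and values are constructed for this example. Value comparison is byte-exact, as octetStringMatch is; password hashing is deliberately left out.

```python
"""Toy model of the LDAP Modify operation (RFC 4511 section 4.6) applied to a
multi-valued attribute such as userPassword.  Added example, not server code."""

from dataclasses import dataclass, field


class NoSuchAttribute(Exception):
    """Stands in for LDAP resultCode noSuchAttribute (16)."""


@dataclass
class Entry:
    dn: str
    # attribute name (lower-cased) -> list of values; every attribute may hold several
    attrs: dict[str, list[bytes]] = field(default_factory=dict)

    def values(self, name: str) -> list[bytes]:
        # attribute descriptions are case-insensitive: userpassword == userPassword
        return list(self.attrs.get(name.lower(), []))


def apply_modify(entry: Entry, changes: list[tuple[str, str, list[bytes]]]) -> Entry:
    """Apply (operation, attribute, values) triples in order, all-or-nothing.

    A Modify either succeeds as a whole or leaves the entry untouched, so the
    work happens on a copy that becomes the new entry only at the end."""
    work = {k: list(v) for k, v in entry.attrs.items()}
    for op, name, vals in changes:
        key = name.lower()
        current = work.get(key, [])
        if op == "delete":
            if not vals:                      # no values: remove the attribute entirely
                if key not in work:
                    raise NoSuchAttribute(f"{name}: attribute not present")
                del work[key]
                continue
            for v in vals:                    # with values: each one must be present
                if v not in current:
                    raise NoSuchAttribute(f"{name}: cannot remove an absent value")
                current.remove(v)
            if current:
                work[key] = current
            else:
                del work[key]
        elif op == "add":
            work[key] = current + [v for v in vals if v not in current]
        elif op == "replace":
            if vals:
                work[key] = list(vals)
            else:
                work.pop(key, None)           # replace with no values also removes it
        else:
            raise ValueError(f"unknown modification {op}")
    return Entry(entry.dn, work)


def self_service_change(entry: Entry, old: bytes, new: bytes) -> Entry:
    """The pattern the thread shows the client sending: delete old, add new, in
    one request, so it only succeeds when the caller supplied the current value."""
    return apply_modify(entry, [("delete", "userpassword", [old]),
                                ("add", "userpassword", [new])])


def admin_reset(entry: Entry, new: bytes) -> Entry:
    """The privileged alternative: replace, which needs no knowledge of the old value."""
    return apply_modify(entry, [("replace", "userPassword", [new])])


if __name__ == "__main__":
    # constructed sample entry, not data from the thread
    user = Entry("uid=user8,ou=people,dc=example,dc=com",
                 {"userpassword": [b"password1"]})
    print(self_service_change(user, b"password1", b"password2").values("userPassword"))
    try:
        self_service_change(user, b"wrong", b"password2")
    except NoSuchAttribute as exc:
        print("rejected:", exc)
```

The rejection path is the interesting one for a defender: a delete/add pair is the server's way of proving the caller knew the current value, so a client that sends a value the server cannot match (the wrong case of the name is not the problem; the bytes are) gets noSuchAttribute rather than a silently reset password.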


Re: [ApacheDS] Error 56

Posted by Patricio Demitrio <pd...@scoop-gmbh.de>.
Hi Kiran /everyone.

I'm trying to isolate the error here. Openam is trying the following:
----
Modify Request
        Object : 'uid=user8,ou=people,dc=example,dc=com'
            Modification[0]
                Operation :  delete
                Modification
    userpassword: '0x70 0x61 0x73 0x73 0x77 0x6F 0x72 0x64 0x31 '
            Modification[1]
                Operation :  add
                Modification
    userpassword: '0x70 0x61 0x73 0x73 0x77 0x6F 0x72 0x64 0x32 '
-------
So openam apparently is trying to remove the attribute userpassword and
create a new one with a new value, right?

Well, from apacheStudio, I'm trying to delete the attribute userpassword
and it's not letting me. Here's the error in apacheStudio:
------
Error while executing LDIF
 - [LDAP: error code 80 - OTHER: failed for MessageType : MODIFY_REQUES
  java.lang.Exception: [LDAP: error code 80 - OTHER: failed for MessageType : MODIFY_REQUEST
Message ID : 25
    Modify Request
        Object : 'uid=user8,ou=people,dc=eiger,dc=com'
            Modification[0]
                Operation :  delete
                Modification
    userpassword: (null)
org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@aec4e630:
null]
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.checkResponse(DirectoryApiConnectionWrapper.java:1271)
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.access$600(DirectoryApiConnectionWrapper.java:110)
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$4.run(DirectoryApiConnectionWrapper.java:726)
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1173)
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.checkConnectionAndRunAndMonitor(DirectoryApiConnectionWrapper.java:1107)
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.modifyEntry(DirectoryApiConnectionWrapper.java:748)
at org.apache.directory.studio.ldapbrowser.core.jobs.ImportLdifRunnable.importLdifRecord(ImportLdifRunnable.java:514)
at org.apache.directory.studio.ldapbrowser.core.jobs.ImportLdifRunnable.importLdif(ImportLdifRunnable.java:272)
at org.apache.directory.studio.ldapbrowser.core.jobs.ExecuteLdifRunnable.executeLdif(ExecuteLdifRunnable.java:157)
at org.apache.directory.studio.ldapbrowser.core.jobs.ExecuteLdifRunnable.run(ExecuteLdifRunnable.java:123)
at org.apache.directory.studio.ldapbrowser.core.jobs.UpdateEntryRunnable.run(UpdateEntryRunnable.java:59)
at org.apache.directory.studio.connection.ui.RunnableContextRunner$1.run(RunnableContextRunner.java:113)
at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:121)

  [LDAP: error code 80 - OTHER: failed for MessageType : MODIFY_REQUEST
Message ID : 25
    Modify Request
        Object : 'uid=user8,ou=people,dc=eiger,dc=com'
            Modification[0]
                Operation :  delete
                Modification
    userpassword: (null)
org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@aec4e630:
null]
-----------




Maybe the problem has been always here


On Sun, Feb 3, 2013 at 5:12 PM, Kiran Ayyagari <ka...@apache.org> wrote:

> forwarding to the correct ML
>
> ---------- Forwarded message ----------
> From: Emmanuel Lécharny <el...@gmail.com>
> Date: Fri, Feb 1, 2013 at 10:53 PM
> Subject: Re: [ApacheDS] Error 56
> To: "users@mina.apache.org" <us...@mina.apache.org>
>
>
> On 2/1/13 6:00 PM, Patricio Demitrio wrote:
> > Hi Again,
> >
> > ads-pwdcheckquality is set to 0
> > current password for user8 is "password", and in the database is
> > {SSHA}x+TL0mJ+9p5VfxmwEgsKRZuh5Z3H+8wExAe2bw==
> > and when I open it showing the ldif perspective, it shows this:
> > e1NTSEF9eCtUTDBtSis5cDVWZnhtd0Vnc0tSWnVoNVozSCs4d0V4QWUyYnc9PQ==
>
> which is {SSHA}x+TL0mJ+9p5VfxmwEgsKRZuh5Z3H+8wExAe2bw==
>
> The pb is that 'password' once hashed does not resolve to
> {SSHA}x+TL0mJ+9p5VfxmwEgsKRZuh5Z3H+8wExAe2bw== but to
> {SSHA}Dqnp0N8cy7nj0Sn+OCZA6L0yq5ewFrPf/YvmBA==, and this is why the
> server does not find it.
>
> Now, the question is: why is the hashed value different? Can you
> change SSHA to SMD5, and see if it's any better ?
>
>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>
>
>
>
> --
> Kiran Ayyagari
> http://keydap.com
>

Fwd: [ApacheDS] Error 56

Posted by Kiran Ayyagari <ka...@apache.org>.
forwarding to the correct ML

---------- Forwarded message ----------
From: Emmanuel Lécharny <el...@gmail.com>
Date: Fri, Feb 1, 2013 at 10:53 PM
Subject: Re: [ApacheDS] Error 56
To: "users@mina.apache.org" <us...@mina.apache.org>


On 2/1/13 6:00 PM, Patricio Demitrio wrote:
> Hi Again,
>
> ads-pwdcheckquality is set to 0
> current password for user8 is "password", and in the database is
> {SSHA}x+TL0mJ+9p5VfxmwEgsKRZuh5Z3H+8wExAe2bw==
> and when I open it showing the ldif perspective, it shows this:
> e1NTSEF9eCtUTDBtSis5cDVWZnhtd0Vnc0tSWnVoNVozSCs4d0V4QWUyYnc9PQ==

which is {SSHA}x+TL0mJ+9p5VfxmwEgsKRZuh5Z3H+8wExAe2bw==

The pb is that 'password' once hashed does not resolve to
{SSHA}x+TL0mJ+9p5VfxmwEgsKRZuh5Z3H+8wExAe2bw== but to
{SSHA}Dqnp0N8cy7nj0Sn+OCZA6L0yq5ewFrPf/YvmBA==, and this is why the
server does not find it.

Now, the question is: why is the hashed value different? Can you
change SSHA to SMD5, and see if it's any better ?


--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com




-- 
Kiran Ayyagari
http://keydap.com

Re: [ApacheDS] Error 56

Posted by Julien Vermillard <jv...@gmail.com>.
wrong ML ?


On Fri, Feb 1, 2013 at 6:23 PM, Emmanuel Lécharny <el...@gmail.com> wrote:

> On 2/1/13 6:00 PM, Patricio Demitrio wrote:
> > Hi Again,
> >
> > ads-pwdcheckquality is set to 0
> > current password for user8 is "password", and in the database is
> > {SSHA}x+TL0mJ+9p5VfxmwEgsKRZuh5Z3H+8wExAe2bw==
> > and when I open it showing the ldif perspective, it shows this:
> > e1NTSEF9eCtUTDBtSis5cDVWZnhtd0Vnc0tSWnVoNVozSCs4d0V4QWUyYnc9PQ==
>
> which is {SSHA}x+TL0mJ+9p5VfxmwEgsKRZuh5Z3H+8wExAe2bw==
>
> The pb is that 'password' once hashed does not resolve to
> {SSHA}x+TL0mJ+9p5VfxmwEgsKRZuh5Z3H+8wExAe2bw== but to
> {SSHA}Dqnp0N8cy7nj0Sn+OCZA6L0yq5ewFrPf/YvmBA==, and this is why the
> server does not find it.
>
> Now, the question is: why is the hashed value different? Can you
> change SSHA to SMD5, and see if it's any better ?
>
>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>
>

Re: [ApacheDS] Error 56

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 2/1/13 6:00 PM, Patricio Demitrio wrote:
> Hi Again,
>
> ads-pwdcheckquality is set to 0
> current password for user8 is "password", and in the database is
> {SSHA}x+TL0mJ+9p5VfxmwEgsKRZuh5Z3H+8wExAe2bw==
> and when I open it showing the ldif perspective, it shows this:
> e1NTSEF9eCtUTDBtSis5cDVWZnhtd0Vnc0tSWnVoNVozSCs4d0V4QWUyYnc9PQ==

which is {SSHA}x+TL0mJ+9p5VfxmwEgsKRZuh5Z3H+8wExAe2bw==

The pb is that 'password' once hashed does not resolve to
{SSHA}x+TL0mJ+9p5VfxmwEgsKRZuh5Z3H+8wExAe2bw== but to
{SSHA}Dqnp0N8cy7nj0Sn+OCZA6L0yq5ewFrPf/YvmBA==, and this is why the
server does not find it.

Now, the question is: why is the hashed value different? Can you
change SSHA to SMD5, and see if it's any better ?


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 


Re: [ApacheDS] Error 56

Posted by Patricio Demitrio <pd...@scoop-gmbh.de>.
Hi Again,

ads-pwdcheckquality is set to 0
current password for user8 is "password", and in the database is
{SSHA}x+TL0mJ+9p5VfxmwEgsKRZuh5Z3H+8wExAe2bw==
and when I open it showing the ldif perspective, it shows this:
e1NTSEF9eCtUTDBtSis5cDVWZnhtd0Vnc0tSWnVoNVozSCs4d0V4QWUyYnc9PQ==


On Fri, Feb 1, 2013 at 5:44 PM, Emmanuel Lécharny <el...@gmail.com> wrote:

> On 2/1/13 4:52 PM, Patricio Demitrio wrote:
> > Ok, I captured the operation using wireshark, I have no idea if this is
> > useful or not. I'm attaching two files (wireshark format and plain text,
> > both have same content).
> Ok, forget about my last mail, it makes no sense at all.
>
> So here is what's happening :
>
> - a BindRequest is issued, with 'uid=user8,ou=people,dc=eiger,dc=com',
> and password in plain text ('password')
>
> - a BindResponse is received (success)
>
> - a ModifyRequest is issued (changing 'password' to 'Password!'):
>
> 'uid=user8,ou=people,dc=eiger,dc=com'
> delete userpassword, password
> add userpassword, Password!
> with the PasswordPolicy control set
>
> - And we get a ModifyResponse which is a NO_SUCH_ATTRIBUTE error.
>
> A few things :
> - The password is a PlainText password, it might not be accepted when
> the PasswordPolicy control is set.
> - The SSHA encoding for password is
> {SSHA}Dqnp0N8cy7nj0Sn+OCZA6L0yq5ewFrPf/YvmBA==
> - The SSHA encoding for Password! is
> {SSHA}fmhrau3bfE84FIy/jiXdyrwOUOpy2qI58JIWZA==
>
> Can you check the ads-pwdcheckquality value in
>
> ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> ?
>
> Can you also check that the current uid=user8,ou=people,dc=eiger,dc=com
> entry's userPassword contains one of the two SSHA hash values I exposed
> above ?
>
> Thanks !
>
>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>
>

Re: [ApacheDS] Error 56

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 2/1/13 4:52 PM, Patricio Demitrio wrote:
> Ok, I captured the operation using wireshark, I have no idea if this is
> useful or not. I'm attaching two files (wireshark format and plain text,
> both have same content).
Ok, forget about my last mail, it makes no sense at all.

So here is what's happening :

- a BindRequest is issued, with 'uid=user8,ou=people,dc=eiger,dc=com',
and password in plain text ('password')

- a BindResponse is received (success)

- a ModifyRequest is issued (changing 'password' to 'Password!'):

'uid=user8,ou=people,dc=eiger,dc=com'
delete userpassword, password
add userpassword, Password!
with the PasswordPolicy control set

- And we get a ModifyResponse which is a NO_SUCH_ATTRIBUTE error.

A few things :
- The password is a PlainText password, it might not be accepted when
the PasswordPolicy control is set.
- The SSHA encoding for password is
{SSHA}Dqnp0N8cy7nj0Sn+OCZA6L0yq5ewFrPf/YvmBA==
- The SSHA encoding for Password! is
{SSHA}fmhrau3bfE84FIy/jiXdyrwOUOpy2qI58JIWZA==

Can you check the ads-pwdcheckquality value in
ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
?

Can you also check that the current uid=user8,ou=people,dc=eiger,dc=com
entry's userPassword contains one of the two SSHA hash values I exposed
above ?

Thanks !


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 
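Two points from Emmanuel's analysis above, and from his earlier reply about the base64-wrapped value, are worth checking by hand: the LDIF view wraps the stored userPassword in one more layer of base64, and an {SSHA} value is salted, so re-hashing "password" can never reproduce the stored string; the only valid check is to pull the salt out of the stored value and recompute. The following Python is an added example, not ApacheDS or OpenAM code. The stored hash, its LDIF rendering and the hex-dumped delete value are the strings quoted in this thread; the helper names and the sample passwords used for verification are my own.

```python
"""Added helpers for the userPassword values seen in this thread.

1. unwrap_ldif_base64: strips the base64 layer LDIF puts around the value.
2. ssha_hash / ssha_split / ssha_verify: {SSHA} is base64(SHA-1(pw || salt) || salt);
   the salt is random per value, so verification must reuse the stored salt.
3. decode_api_hexdump: turns the API's "'0x70 0x61 ...'" rendering back into bytes."""

import base64
import hashlib
import hmac
import os
from typing import Optional

SHA1_LEN = 20  # SHA-1 digest is 20 bytes; whatever follows it in an {SSHA} value is the salt


def unwrap_ldif_base64(value: str) -> str:
    """Decode the base64 layer the LDIF view adds around a userPassword value."""
    return base64.b64decode(value).decode("ascii")


def ssha_hash(password: bytes, salt: Optional[bytes] = None) -> str:
    """Produce an {SSHA} value, drawing a fresh 8-byte salt unless one is given."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored: str) -> tuple:
    """Return (digest, salt) from an {SSHA} value, rejecting malformed input."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("value too short to hold a digest and a salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_verify(password: bytes, stored: str) -> bool:
    """Recompute SHA-1(password || stored salt) and compare in constant time."""
    digest, salt = ssha_split(stored)
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


def decode_api_hexdump(dump: str) -> bytes:
    """Parse the LDAP API's "'0x70 0x61 ...'" rendering of a binary value."""
    tokens = dump.strip().strip("'").split()
    return bytes(int(t, 16) for t in tokens)


# Values quoted in the thread: the LDIF rendering, the stored hash, and the
# hex dump of the value the client tried to delete.
LDIF_VALUE = "e1NTSEF9eCtUTDBtSis5cDVWZnhtd0Vnc0tSWnVoNVozSCs4d0V4QWUyYnc9PQ=="
STORED = "{SSHA}x+TL0mJ+9p5VfxmwEgsKRZuh5Z3H+8wExAe2bw=="
DUMP_DELETE = "'0x70 0x61 0x73 0x73 0x77 0x6F 0x72 0x64 0x31 '"

if __name__ == "__main__":
    print(unwrap_ldif_base64(LDIF_VALUE) == STORED)          # the LDIF view is just base64
    print(decode_api_hexdump(DUMP_DELETE))                    # the client sent plaintext
    # constructed sample password: two hashes differ, both verify
    h1, h2 = ssha_hash(b"password"), ssha_hash(b"password")
    print(h1 != h2, ssha_verify(b"password", h1), ssha_verify(b"password", h2))
```

The decoded dump shows the client deleting the plaintext old password while the server stores only a salted hash, which is exactly why a byte-exact delete cannot match; whether a given server compares the supplied plaintext against the stored hash for userPassword is server behaviour, not something this snippet decides.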


Re: [ApacheDS] Error 56

Posted by Patricio Demitrio <pd...@scoop-gmbh.de>.
Ok, I captured the operation using wireshark, I have no idea if this is
useful or not. I'm attaching two files (wireshark format and plain text,
both have same content).

And here is an answer from a developer of openam, I'm copying it since
maybe it helps.

-----------
 This error message is now coming
out of LDAP authentication module, and not from the UMUserChangePassword
page..
The LDAP authentication module grabs the existing password and creates a
MODIFY request:
remove userpassword: currentvalue
add userpassword: newvvalue
Looks like this is not really handled by Apache DS for some reason,
which is quite strange. The other way is to simply run one operation of:
replace userpassword: newvalue
but this could be only done by a privileged user (who can reset
passwords for arbitrary users).


On Fri, Feb 1, 2013 at 3:51 PM, Emmanuel Lécharny <el...@gmail.com> wrote:

> There is something *extremely* weird...
>
> The userPassword value you are trying to modify is :
>
> e1NTSEF9NGx1QXphMkw...tM2F3SHFZN0E9PQ==
>
> which once decoded gives :
>
> {SSHA}4luAza2L+0Xyut...VVm3awHqY7A==
>
> and now, the password value is a base64 value, which makes no sense...
>
> Something in OpenAM should encode the real SSHA salted password in
> base64, then add {SSHA} into the value, and try to remove this value
> from the server.
>
> I would expect the real value to be :
>
> {SSHA}â[€Í­‹ûE...VmÚÀz˜ì
>
> instead...
>
> Is it possible that you capture the PDU being exchanged between OpenAM
> and ApacheDS using wireshark ?
>
>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>
>

Re: [ApacheDS] Error 56

Posted by Emmanuel Lécharny <el...@gmail.com>.
There is something *extremely* weird...

The userPassword value you are trying to modify is :

e1NTSEF9NGx1QXphMkw...tM2F3SHFZN0E9PQ==

which once decoded gives :

{SSHA}4luAza2L+0Xyut...VVm3awHqY7A==

and now, the password value is a base64 value, which makes no sense...

Something in OpenAM should encode the real SSHA salted password in
base64, then add {SSHA} into the value, and try to remove this value
from the server.

I would expect the real value to be :

{SSHA}â[€Í­‹ûE...VmÚÀz˜ì

instead...

Is it possible that you capture the PDU being exchanged between OpenAM
and ApacheDS using wireshark ?


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 


RE: [ApacheDS] Error 56

Posted by Ca...@ibs-ag.com.
Hi,

Can you change the password on the user, from the Apache Directory Studio?  This would be helpful to know.

There could potentially be two problems. First, your stack trace shows two modifications for the password: a delete, then an add.
If this is how openam is 'updating' the password, I'm not sure this will work with the password policy functionality.
I'm pretty sure the operation needs to 'modify' the attribute, not delete it then put a new one back.

Then regarding this  exception ..
org.forgerock.opendj.ldap.ErrorResultException: No Such Attribute:

I would take a good look at the user[Pp]assword case differences. 
openam may be forcing your attribute definition to lowercase and this could be causing some grief. 


-----Original Message-----
From: Patricio Demitrio [mailto:pdemitrio@scoop-gmbh.de] 
Sent: Friday, February 01, 2013 9:23 AM
To: users@directory.apache.org; elecharny@apache.org
Subject: Re: [ApacheDS] Error 56

Just a quick heads up. I was able to force openam to use the ldapv3 protocol. And I changed the attribute "userPassword" to "userpassword" in the schema to match it to openam's.

Maybe this is progress:
Now, apacheds is telling me:
----------------
[15:13:40] ERROR
[org.apache.directory.server.core.schema.SchemaInterceptor] - ERR_56 Cannot remove an absent value from attribute : ATTRIBUTE_TYPE ( 2.5.4.35  NAME 'userpassword'
 DESC RFC2256/2307: password of user
 EQUALITY octetStringMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
 USAGE userApplications
 )
------------------

and openam is telling me:
-------------------------
amLoginModule:02/01/2013 03:13:40:530 PM CET:
Thread[http-bio-8443-exec-8,5,main]
Validating password...
amAuthLDAP:02/01/2013 03:13:40:541 PM CET:
Thread[http-bio-8443-exec-8,5,main]
WARNING: Cannot update :
org.forgerock.opendj.ldap.ErrorResultException: No Such Attribute:
NO_SUCH_ATTRIBUTE: failed for MessageType : MODIFY_REQUEST Message ID : 6
    Modify Request
        Object : 'uid=user8,ou=people,dc=example,dc=com'
            Modification[0]
                Operation :  delete
                Modification
    userpassword: '0x70 0x61 0x73 0x73 0x77 0x6F 0x72 0x64 0x31 '
            Modification[1]
                Operation :  add
                Modification
    userpassword: '0x70 0x61 0x73 0x73 0x77 0x6F 0x72 0x64 0x32 '
org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@6e2352a9org.apache.directory.shared.ldap.extras.controls.ppolicy.PasswordPolicyImpl@5c71949b:
ERR_56 Cannot remove an absent value from attribute : ATTRIBUTE_TYPE (
2.5.4.35
 NAME 'userpassword'
 DESC RFC2256/2307: password of user
 EQUALITY octetStringMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
 USAGE userApplications
 )

at org.forgerock.opendj.ldap.ErrorResultException.newErrorResult(ErrorResultException.java:235)
at com.forgerock.opendj.ldap.AbstractLDAPFutureResultImpl.setResultOrError(AbstractLDAPFutureResultImpl.java:160)
at com.forgerock.opendj.ldap.LDAPClientFilter$1.modifyResult(LDAPClientFilter.java:378)
at com.forgerock.opendj.ldap.LDAPClientFilter$1.modifyResult(LDAPClientFilter.java:73)
at com.forgerock.opendj.ldap.LDAPReader.decodeModifyResult(LDAPReader.java:1297)
at com.forgerock.opendj.ldap.LDAPReader.decodeProtocolOp(LDAPReader.java:1393)
at com.forgerock.opendj.ldap.LDAPReader.decode(LDAPReader.java:172)
at com.forgerock.opendj.ldap.LDAPClientFilter.handleRead(LDAPClientFilter.java:614)
at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:286)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:223)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:155)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:134)
at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:78)
at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:829)
at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:103)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:111)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:55)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:131)
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:508)
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:488)
at java.lang.Thread.run(Unknown Source)
---------------------


On Fri, Feb 1, 2013 at 11:09 AM, Emmanuel Lécharny <el...@gmail.com> wrote:

> On 2/1/13 10:45 AM, Patricio Demitrio wrote:
> > Hi Carlo, I got an answer from the openam team.
> > Apparently openam is using ldapv2 to change the password, and that is where
> > the problem probably resides.
> >
> > So I'm guessing I'm reaching a dead end here, unless I configure
> > apacheds to work with ldapv2, but I don't know if that's an option.
> ApacheDS should work with LDAPV2, but there might be some specific
> part that might need some tweaking, and I have no idea what kind of
> tweaks need to be done atm...
>
>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>
>

Re: [ApacheDS] Error 56

Posted by Patricio Demitrio <pd...@scoop-gmbh.de>.
Just a quick heads up. I was able to force openam to use the ldapv3
protocol. And I changed the attribute "userPassword" to "userpassword" in
the schema to match it to openam's.

Maybe this is progress:
Now, apacheds is telling me:
----------------
[15:13:40] ERROR
[org.apache.directory.server.core.schema.SchemaInterceptor] - ERR_56 Cannot
remove an absent value from attribute : ATTRIBUTE_TYPE ( 2.5.4.35
 NAME 'userpassword'
 DESC RFC2256/2307: password of user
 EQUALITY octetStringMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
 USAGE userApplications
 )
------------------

and openam is telling me:
-------------------------
amLoginModule:02/01/2013 03:13:40:530 PM CET:
Thread[http-bio-8443-exec-8,5,main]
Validating password...
amAuthLDAP:02/01/2013 03:13:40:541 PM CET:
Thread[http-bio-8443-exec-8,5,main]
WARNING: Cannot update :
org.forgerock.opendj.ldap.ErrorResultException: No Such Attribute:
NO_SUCH_ATTRIBUTE: failed for MessageType : MODIFY_REQUEST
Message ID : 6
    Modify Request
        Object : 'uid=user8,ou=people,dc=example,dc=com'
            Modification[0]
                Operation :  delete
                Modification
    userpassword: '0x70 0x61 0x73 0x73 0x77 0x6F 0x72 0x64 0x31 '
            Modification[1]
                Operation :  add
                Modification
    userpassword: '0x70 0x61 0x73 0x73 0x77 0x6F 0x72 0x64 0x32 '
org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@6e2352a9org.apache.directory.shared.ldap.extras.controls.ppolicy.PasswordPolicyImpl@5c71949b:
ERR_56 Cannot remove an absent value from attribute : ATTRIBUTE_TYPE (
2.5.4.35
 NAME 'userpassword'
 DESC RFC2256/2307: password of user
 EQUALITY octetStringMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
 USAGE userApplications
 )

at org.forgerock.opendj.ldap.ErrorResultException.newErrorResult(ErrorResultException.java:235)
at com.forgerock.opendj.ldap.AbstractLDAPFutureResultImpl.setResultOrError(AbstractLDAPFutureResultImpl.java:160)
at com.forgerock.opendj.ldap.LDAPClientFilter$1.modifyResult(LDAPClientFilter.java:378)
at com.forgerock.opendj.ldap.LDAPClientFilter$1.modifyResult(LDAPClientFilter.java:73)
at com.forgerock.opendj.ldap.LDAPReader.decodeModifyResult(LDAPReader.java:1297)
at com.forgerock.opendj.ldap.LDAPReader.decodeProtocolOp(LDAPReader.java:1393)
at com.forgerock.opendj.ldap.LDAPReader.decode(LDAPReader.java:172)
at com.forgerock.opendj.ldap.LDAPClientFilter.handleRead(LDAPClientFilter.java:614)
at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:286)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:223)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:155)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:134)
at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:78)
at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:829)
at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:103)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:111)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:55)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:131)
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:508)
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:488)
at java.lang.Thread.run(Unknown Source)
---------------------


On Fri, Feb 1, 2013 at 11:09 AM, Emmanuel Lécharny <el...@gmail.com> wrote:

> On 2/1/13 10:45 AM, Patricio Demitrio wrote:
> > Hi Carlo, I got an answer from the openam team.
> > Apparently openam is using ldapv2 to change the password, and that is
> > where the problem probably resides.
> >
> > So I'm guessing I'm reaching a dead end here, unless I configure apacheds
> > to work with ldapv2, but I don't know if that's an option.
> ApacheDS should work with LDAPV2, but there might be some specific
> part that might need some tweaking, and I have no idea what kind of
> tweaks need to be done atm...
>
>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>
>

Re: [ApacheDS] Error 56

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 2/1/13 10:45 AM, Patricio Demitrio wrote:
> Hi Carlo, I got an answer from the openam team.
> Apparently openam is using ldapv2 to change the password, and that is where
> the problem probably resides.
>
> So I'm guessing I'm reaching a dead end here, unless I configure apacheds
> to work with ldapv2, but I don't know if that's an option.
ApacheDS should work with LDAPV2, but there might be some specific
part that might need some tweaking, and I have no idea what kind of
tweaks need to be done atm...


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 


Re: [ApacheDS] Error 56

Posted by Patricio Demitrio <pd...@scoop-gmbh.de>.
Hi Carlo, I got an answer from the openam team.
Apparently openam is using ldapv2 to change the password, and that is where
the problem probably resides.

So I'm guessing I'm reaching a dead end here, unless I configure apacheds
to work with ldapv2, but I don't know if that's an option.

Is it?

Thanks
Patricio


On Thu, Jan 31, 2013 at 11:11 PM, <Ca...@ibs-ag.com> wrote:

> Not sure.. I would verify that using Apache Studio, and connecting with
> the user's credentials (not an admin) you can change his own password.
> If you can't, you've got a server config or password policy issue.
> If you can, your ldap client may be configured incorrectly or is
> connecting with LDAP v2.
>
>
> -----Original Message-----
> From: Patricio Demitrio [mailto:pdemitrio@scoop-gmbh.de]
> Sent: Thursday, January 31, 2013 11:12 AM
> To: users@directory.apache.org
> Subject: Re: [ApacheDS] Error 56
>
> Hi Carlo,
> unfortunately, after restarting the server the user was not even able to
> log in.
>
> I'm almost sure this has something to do with how openam handles the user,
> and here's why:
>
> - I created a clean user, only with cn, sn and userpassword. The user is
> able to log in.
> - If the user wants to change his password, it fails as described before.
> - If the admin logs in, and performs a forced password change (just typing
> the new password, without entering the previous one), the modify is
> successful.
>
> So in the end, the error is related to the validation of the password
> while trying to change it. This problem goes beyond pwdPolicy or
> ads-passwordPolicy
>
> I'll try my best to solve this and let you know
>
> thanks to everyone
>
>
> On Thu, Jan 31, 2013 at 4:36 PM, <Ca...@ibs-ag.com> wrote:
>
> > One last thing. I've found that adding a password policy entry, or
> > making changes to an existing policy requires a restart of the server.
> > This was my experience in pre M9 builds but that may be different now.
> > There's probably some interval in which changes to policy settings
> > occur without restarting but for testing purposes I restart the server
> > after password policy changes of any kind.
> >
> >
> > -----Original Message-----
> > From: Patricio Demitrio [mailto:pdemitrio@scoop-gmbh.de]
> > Sent: Thursday, January 31, 2013 10:15 AM
> > To: users@directory.apache.org
> > Subject: Re: [ApacheDS] Error 56
> >
> > Thank you all for your big help.
> >
> > Kiran: I am using openam
> >
> > I did exactly as told in the previous mail.
> >
> > The error now is much different.
> > First, although I set ads-pwdmustchange: TRUE, I was able to log in, I
> > don't know if that's normal.
> > Then, when I tried to update the password, I got the following error:
> > ------------
> > [16:04:44] ERROR
> > [org.apache.directory.server.ldap.handlers.BindHandler] -
> > ERR_162 Bind error : Only LDAP v3 is supported.
> > [16:04:44] ERROR
> > [org.apache.directory.server.ldap.handlers.UnbindHandler]
> > - ERR_169 failed to unbind session properly
> >
> > ERROR [org.apache.directory.server.ldap.handlers.UnbindHandler] -
> > ERR_169 failed to unbind session properly
> >
> org.apache.directory.shared.ldap.model.exception.LdapNoSuchObjectException:
> > ERR_268 Cannot find a partition for
> > at
> >
> > org.apache.directory.server.core.shared.partition.DefaultPartitionNexu
> > s.getPartition(DefaultPartitionNexus.java:979)
> > at
> >
> > org.apache.directory.server.core.shared.partition.DefaultPartitionNexu
> > s.unbind(DefaultPartitionNexus.java:847)
> > at
> >
> > org.apache.directory.server.core.api.interceptor.BaseInterceptor$1.unb
> > ind(BaseInterceptor.java:267)
> > at
> >
> > org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(
> > BaseInterceptor.java:712)
> > at
> >
> > org.apache.directory.server.core.authn.AuthenticationInterceptor.unbin
> > d(AuthenticationInterceptor.java:1129)
> > at
> >
> > org.apache.directory.server.core.DefaultOperationManager.unbind(Defaul
> > tOperationManager.java:1050)
> > at
> >
> > org.apache.directory.server.core.shared.DefaultCoreSession.unbind(Defa
> > ultCoreSession.java:1107)
> > at
> >
> > org.apache.directory.server.ldap.handlers.UnbindHandler.handle(UnbindH
> > andler.java:48)
> > at
> >
> > org.apache.directory.server.ldap.handlers.UnbindHandler.handle(UnbindH
> > andler.java:37)
> > at
> >
> > org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMes
> > sage(LdapRequestHandler.java:221)
> > at
> >
> > org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMes
> > sage(LdapRequestHandler.java:56)
> > at
> >
> > org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(Demuxi
> > ngIoHandler.java:232)
> > at
> >
> > org.apache.directory.server.ldap.LdapProtocolHandler.messageReceived(L
> > dapProtocolHandler.java:209)
> > at
> >
> > org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messa
> > geReceived(DefaultIoFilterChain.java:716)
> > at
> >
> > org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageR
> > eceived(DefaultIoFilterChain.java:434)
> > at
> >
> > org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(Defa
> > ultIoFilterChain.java:46)
> > at
> >
> > org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.mess
> > ageReceived(DefaultIoFilterChain.java:796)
> > at
> > org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java
> > :75) at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63)
> > at
> >
> > org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run
> > Task(UnorderedThreadPoolExecutor.java:480)
> > at
> >
> > org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run
> > (UnorderedThreadPoolExecutor.java:434)
> > at java.lang.Thread.run(Thread.java:662)
> > ---------------------
> >
> > I don't know if this helps, but if I try the same thing with OpenDJ,
> > it works, the password is updated, so maybe there is some clue on how
> > openam deals with the password field.
> >
> >
> > Thanks again to everyone
> >
> >
> > On Thu, Jan 31, 2013 at 3:29 PM, <Ca...@ibs-ag.com> wrote:
> >
> > > To Karin's point, you need a password policy entry, then the user
> > > references the policy via the pwdPolicySubEntry attribute
> > >
> > > Here's an example policy that expires the password after two minutes.
> > >
> > > dn:
> > > ads-pwdId=test,ou=passwordPolicies,ads-interceptorId=authenticationI
> > > nt erceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> > > objectclass: top
> > > objectclass: ads-base
> > > objectclass: ads-passwordPolicy
> > > ads-pwdattribute: userPassword
> > > ads-pwdid: test
> > > ads-enabled: TRUE
> > > ads-pwdallowuserchange: TRUE
> > > ads-pwdcheckquality: 1
> > > ads-pwdexpirewarning: 60
> > > ads-pwdfailurecountinterval: 30
> > > ads-pwdgraceauthnlimit: 3
> > > ads-pwdgraceexpire: 0
> > > ads-pwdinhistory: 5
> > > ads-pwdlockout: TRUE
> > > ads-pwdlockoutduration: 0
> > > ads-pwdmaxage: 120
> > > ads-pwdmaxdelay: 0
> > > ads-pwdmaxfailure: 5
> > > ads-pwdmaxidle: 0
> > > ads-pwdmaxlength: 0
> > > ads-pwdminage: 0
> > > ads-pwdmindelay: 0
> > > ads-pwdminlength: 5
> > > ads-pwdmustchange: TRUE
> > > ads-pwdsafemodify: FALSE
> > >
> > >
> > > You user would then look like this, referencing the policy:
> > >
> > > dn: uid=user1,ou=people,dc=example,dc=com
> > >  objectClass: organizationalPerson
> > >  objectClass: person
> > >  objectClass: inetOrgPerson
> > >  objectClass: top
> > >  cn: user1
> > >  sn: user1
> > >  uid: user1
> > >  userPassword::
> > > e1NTSEF9NGx1QXphMkwrMFh5dXQvSWxlNllLZmxnR09LVlZtM2F3SHFZN0E9PQ==
> > >  pwdPolicySubEntry:
> > > ads-pwdId=test,ou=passwordPolicies,ads-interceptorId=authenticationI
> > > nt erceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Patricio Demitrio [mailto:pdemitrio@scoop-gmbh.de]
> > > Sent: Thursday, January 31, 2013 8:36 AM
> > > To: users@directory.apache.org
> > > Cc: elecharny@apache.org
> > > Subject: Re: [ApacheDS] Error 56
> > >
> > > Hi Carlo, I changed the value and it continues to fail.
> > >
> > > Please remember that the login process works, but the change
> > > password process fail. Maybe the sso server encrypts the entered
> > > password in a different way, but when logging in, it uses the same
> process as apacheds.
> > >
> > > I'm trying to read and understand a little bit what's going on in
> > > the backend...
> > >
> > > Thanks again
> > >
> > >
> > > On Thu, Jan 31, 2013 at 1:19 PM, <Ca...@ibs-ag.com> wrote:
> > >
> > > > Hi, the case differences between your policy definition of the
> > > > password attribute and the actual name 'userpassword' might be
> > > > causing a
> > > problem.
> > > >
> > > > pwdAttribute: userPassword
> > > >
> > > > attribute name 'userpassword'
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Patricio Demitrio [mailto:pdemitrio@scoop-gmbh.de]
> > > > Sent: Thursday, January 31, 2013 5:14 AM
> > > > To: users@directory.apache.org; elecharny@apache.org
> > > > Subject: Re: [ApacheDS] Error 56
> > > >
> > > > Hi Emmanuel,
> > > >
> > > > Here's the user full profile, according to apache directory studio:
> > > > ----
> > > > dn: uid=user1,ou=people,dc=example,dc=com
> > > > objectClass: organizationalPerson
> > > > objectClass: person
> > > > objectClass: pwdPolicy
> > > > objectClass: inetOrgPerson
> > > > objectClass: top
> > > > cn: user1
> > > > pwdAttribute: userPassword
> > > > sn: user1
> > > > pwdAllowUserChange: true
> > > > pwdMustChange: true
> > > > uid: user1
> > > > userpassword::
> > > > e1NTSEF9NGx1QXphMkwrMFh5dXQvSWxlNllLZmxnR09LVlZtM2F3SHFZN0E9P
> > > >  Q==
> > > > createTimestamp: 20130129134743Z
> > > > creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
> > > > entryCSN: 20130130121851.729000Z#000000#000#000000
> > > > entryParentId: 4
> > > > entryUUID:: MzUyZGZhZmQtNDQ3My00M2Q4LWJkZDQtYTUxNzBiODFiNjZi
> > > > modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
> > > > modifyTimestamp: 20130130121851Z
> > > > pwdHistory::
> > > > MjAxMzAxMjkxMzQ3NDNaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
> > > >  yI2NHRnpjM2R2Y21RPQ==
> > > > pwdHistory::
> > > > MjAxMzAxMzAxMTE4MjJaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
> > > >  yI2NHRnpjM2R2Y21ReA==
> > > > pwdHistory::
> > > > MjAxMzAxMzAxMTI2MjNaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
> > > >  yI2NHRnpjM2R2Y21Reg==
> > > > pwdHistory::
> > > > MjAxMzAxMzAxMTI5MzdaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
> > > >  yI2NHRnpjM2R2Y21RMA==
> > > > pwdHistory::
> > > > MjAxMzAxMzAxMjE4NTFaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
> > > >  yI2NHRnpjM2R2Y21RMQ==
> > > > pwdReset: true
> > > > ----------
> > > >
> > > > the user password is: password5.
> > > > I'm trying to change it to: password6 (not used before)
> > > >
> > > >
> > > > If I disable the pwdReset flag, the user logs properly to the
> > > > system, so the password is the correct one.
> > > > Thanks
> > > >
> > > >
> > > > On Thu, Jan 31, 2013 at 10:44 AM, Emmanuel Lécharny
> > > > <elecharny@gmail.com
> > > > >wrote:
> > > >
> > > > > Le 1/31/13 10:27 AM, Patricio Demitrio a écrit :
> > > > > > Hi Emanuel, thanks for your answer.
> > > > > >
> > > > > > I'm using apacheds-2.0.0-M9.
> > > > > >
> > > > > > The modify request comes from openam 10.0.1, a sso server that
> > > > > > gives you the option to reset the user password when pwdReset
> > > > > > in pwdPolicy
> > > > is true.
> > > > > >
> > > > > > Is there some specific clue that I can give you here?
> > > > >
> > > > > AFAICT, the only reason to get this reason is that the value you
> > > > > are trying to remove is not present in the atribute. Like, say,
> > > > > you want to remove 'secret' when the password is 'magic' or
> > > > > anything but
> > > 'secret'.
> > > > >
> > > > > What would help is to provide the entry with all its attributes,
> > > > > so that we can compare with the modification you want to apply
> > > > > (of course, be careful to 'anonymize' the passwords :)
> > > > >
> > > > > Another possibility - but unlikely - is that we have a bug in
> > > > > teh way we check for the presence of a value in a binary
> AttributeType.
> > > > >
> > > > > --
> > > > > Regards,
> > > > > Cordialement,
> > > > > Emmanuel Lécharny
> > > > > www.iktek.com
> > > > >
> > > > >
> > > >
> > >
> >
>

RE: [ApacheDS] Error 56

Posted by Ca...@ibs-ag.com.
Not sure. I would verify that using Apache Studio, and connecting with the user's credentials (not an admin) you can change his own password.
If you can't, you've got a server config or password policy issue.
If you can, your ldap client may be configured incorrectly or is connecting with LDAP v2.


-----Original Message-----
From: Patricio Demitrio [mailto:pdemitrio@scoop-gmbh.de] 
Sent: Thursday, January 31, 2013 11:12 AM
To: users@directory.apache.org
Subject: Re: [ApacheDS] Error 56

Hi Carlo,
unfortunately, after restarting the server the user was not even able to log in.

I'm almost sure this has something to do with how openam handles the user, and here's why:

- I created a clean user, only with cn, sn and userpassword. The user is able to log in.
- If the user wants to change his password, it fails as described before.
- If the admin logs in, and performs a forced password change (just typing the new password, without entering the previous one), the modify is successful.

So in the end, the error is related to the validation of the password while trying to change it. This problem goes beyond pwdPolicy or ads-passwordPolicy

I'll try my best to solve this and let you know

thanks to everyone



Re: [ApacheDS] Error 56

Posted by Patricio Demitrio <pd...@scoop-gmbh.de>.
Hi Carlo,
unfortunately, after restarting the server the user was not even able to
log in.

I'm almost sure this has something to do with how openam handles the user,
and here's why:

- I created a clean user, only with cn, sn and userpassword. The user is
able to log in.
- If the user wants to change his password, it fails as described before.
- If the admin logs in, and performs a forced password change (just typing
the new password, without entering the previous one), the modify is
successful.

So in the end, the error is related to the validation of the password while
trying to change it. This problem goes beyond pwdPolicy or
ads-passwordPolicy

I'll try my best to solve this and let you know

thanks to everyone


On Thu, Jan 31, 2013 at 4:36 PM, <Ca...@ibs-ag.com> wrote:

> One last thing. I've found that adding a password policy entry, or making
> changes to an existing policy require a restart of the server. This was my
> experience in pre M9 builds but that may be different now.
> There's probably some interval in which changes to policy settings occur
> without restarting but for testing purposes I restart the server after
> password policy changes of any kind.
>

RE: [ApacheDS] Error 56

Posted by Ca...@ibs-ag.com.
One last thing. I've found that adding a password policy entry, or making changes to an existing policy, requires a restart of the server. This was my experience in pre-M9 builds but that may be different now.
There's probably some interval in which changes to policy settings take effect without restarting, but for testing purposes I restart the server after password policy changes of any kind.


-----Original Message-----
From: Patricio Demitrio [mailto:pdemitrio@scoop-gmbh.de] 
Sent: Thursday, January 31, 2013 10:15 AM
To: users@directory.apache.org
Subject: Re: [ApacheDS] Error 56

Thank you all for your big help.

Kiran: I am using openam

I did exactly as told in the previous mail.

The error now is much different.
First, although I set ads-pwdmustchange: TRUE, I was able to log in, I don't know if that's normal.
Then, when I tried to update the password, I got the following error:
------------
[16:04:44] ERROR [org.apache.directory.server.ldap.handlers.BindHandler] -
ERR_162 Bind error : Only LDAP v3 is supported.
[16:04:44] ERROR [org.apache.directory.server.ldap.handlers.UnbindHandler]
- ERR_169 failed to unbind session properly

ERROR [org.apache.directory.server.ldap.handlers.UnbindHandler] - ERR_169 failed to unbind session properly
org.apache.directory.shared.ldap.model.exception.LdapNoSuchObjectException:
ERR_268 Cannot find a partition for
at
org.apache.directory.server.core.shared.partition.DefaultPartitionNexus.getPartition(DefaultPartitionNexus.java:979)
at
org.apache.directory.server.core.shared.partition.DefaultPartitionNexus.unbind(DefaultPartitionNexus.java:847)
at
org.apache.directory.server.core.api.interceptor.BaseInterceptor$1.unbind(BaseInterceptor.java:267)
at
org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:712)
at
org.apache.directory.server.core.authn.AuthenticationInterceptor.unbind(AuthenticationInterceptor.java:1129)
at
org.apache.directory.server.core.DefaultOperationManager.unbind(DefaultOperationManager.java:1050)
at
org.apache.directory.server.core.shared.DefaultCoreSession.unbind(DefaultCoreSession.java:1107)
at
org.apache.directory.server.ldap.handlers.UnbindHandler.handle(UnbindHandler.java:48)
at
org.apache.directory.server.ldap.handlers.UnbindHandler.handle(UnbindHandler.java:37)
at
org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:221)
at
org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)
at
org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:232)
at
org.apache.directory.server.ldap.LdapProtocolHandler.messageReceived(LdapProtocolHandler.java:209)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:716)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
at
org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:75)
at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63)
at
org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.runTask(UnorderedThreadPoolExecutor.java:480)
at
org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run(UnorderedThreadPoolExecutor.java:434)
at java.lang.Thread.run(Thread.java:662)
---------------------

I don't know if this helps, but if I try the same thing with OpenDJ, it works, the password is updated, so maybe there is some clue on how openam deals with the password field.


Thanks again to everyone


On Thu, Jan 31, 2013 at 3:29 PM, <Ca...@ibs-ag.com> wrote:

> To Karin's point, you need a password policy entry, then the user 
> references the policy via the pwdPolicySubEntry attribute
>
> Here's an example policy that expires the password after two minutes.
>
> dn:
> ads-pwdId=test,ou=passwordPolicies,ads-interceptorId=authenticationInt
> erceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> objectclass: top
> objectclass: ads-base
> objectclass: ads-passwordPolicy
> ads-pwdattribute: userPassword
> ads-pwdid: test
> ads-enabled: TRUE
> ads-pwdallowuserchange: TRUE
> ads-pwdcheckquality: 1
> ads-pwdexpirewarning: 60
> ads-pwdfailurecountinterval: 30
> ads-pwdgraceauthnlimit: 3
> ads-pwdgraceexpire: 0
> ads-pwdinhistory: 5
> ads-pwdlockout: TRUE
> ads-pwdlockoutduration: 0
> ads-pwdmaxage: 120
> ads-pwdmaxdelay: 0
> ads-pwdmaxfailure: 5
> ads-pwdmaxidle: 0
> ads-pwdmaxlength: 0
> ads-pwdminage: 0
> ads-pwdmindelay: 0
> ads-pwdminlength: 5
> ads-pwdmustchange: TRUE
> ads-pwdsafemodify: FALSE
>
>
> Your user would then look like this, referencing the policy:
>
> dn: uid=user1,ou=people,dc=example,dc=com
>  objectClass: organizationalPerson
>  objectClass: person
>  objectClass: inetOrgPerson
>  objectClass: top
>  cn: user1
>  sn: user1
>  uid: user1
>  userPassword::
> e1NTSEF9NGx1QXphMkwrMFh5dXQvSWxlNllLZmxnR09LVlZtM2F3SHFZN0E9PQ==
>  pwdPolicySubEntry:
> ads-pwdId=test,ou=passwordPolicies,ads-interceptorId=authenticationInt
> erceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>
>
>
> -----Original Message-----
> From: Patricio Demitrio [mailto:pdemitrio@scoop-gmbh.de]
> Sent: Thursday, January 31, 2013 8:36 AM
> To: users@directory.apache.org
> Cc: elecharny@apache.org
> Subject: Re: [ApacheDS] Error 56
>
> Hi Carlo, I changed the value and it continues to fail.
>
> Please remember that the login process works, but the change password 
> process fails. Maybe the SSO server encrypts the entered password in a 
> different way, but when logging in, it uses the same process as apacheds.
>
> I'm trying to read and understand a little bit what's going on in the 
> backend...
>
> Thanks again
>
>
> On Thu, Jan 31, 2013 at 1:19 PM, <Ca...@ibs-ag.com> wrote:
>
> > Hi, the case differences between your policy definition of the 
> > password attribute and the actual name 'userpassword' might be 
> > causing a
> problem.
> >
> > pwdAttribute: userPassword
> >
> > attribute name 'userpassword'
> >
> >
> > -----Original Message-----
> > From: Patricio Demitrio [mailto:pdemitrio@scoop-gmbh.de]
> > Sent: Thursday, January 31, 2013 5:14 AM
> > To: users@directory.apache.org; elecharny@apache.org
> > Subject: Re: [ApacheDS] Error 56
> >
> > Hi Emmanuel,
> >
> > Here's the user full profile, according to apache directory studio:
> > ----
> > dn: uid=user1,ou=people,dc=example,dc=com
> > objectClass: organizationalPerson
> > objectClass: person
> > objectClass: pwdPolicy
> > objectClass: inetOrgPerson
> > objectClass: top
> > cn: user1
> > pwdAttribute: userPassword
> > sn: user1
> > pwdAllowUserChange: true
> > pwdMustChange: true
> > uid: user1
> > userpassword::
> > e1NTSEF9NGx1QXphMkwrMFh5dXQvSWxlNllLZmxnR09LVlZtM2F3SHFZN0E9P
> >  Q==
> > createTimestamp: 20130129134743Z
> > creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
> > entryCSN: 20130130121851.729000Z#000000#000#000000
> > entryParentId: 4
> > entryUUID:: MzUyZGZhZmQtNDQ3My00M2Q4LWJkZDQtYTUxNzBiODFiNjZi
> > modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
> > modifyTimestamp: 20130130121851Z
> > pwdHistory::
> > MjAxMzAxMjkxMzQ3NDNaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
> >  yI2NHRnpjM2R2Y21RPQ==
> > pwdHistory::
> > MjAxMzAxMzAxMTE4MjJaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
> >  yI2NHRnpjM2R2Y21ReA==
> > pwdHistory::
> > MjAxMzAxMzAxMTI2MjNaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
> >  yI2NHRnpjM2R2Y21Reg==
> > pwdHistory::
> > MjAxMzAxMzAxMTI5MzdaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
> >  yI2NHRnpjM2R2Y21RMA==
> > pwdHistory::
> > MjAxMzAxMzAxMjE4NTFaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
> >  yI2NHRnpjM2R2Y21RMQ==
> > pwdReset: true
> > ----------
> >
> > the user password is: password5.
> > I'm trying to change it to: password6 (not used before)
> >
> >
> > If I disable the pwdReset flag, the user logs properly to the 
> > system, so the password is the correct one.
> > Thanks
> >
> >
> > On Thu, Jan 31, 2013 at 10:44 AM, Emmanuel Lécharny 
> > <elecharny@gmail.com
> > >wrote:
> >
> > > Le 1/31/13 10:27 AM, Patricio Demitrio a écrit :
> > > > Hi Emmanuel, thanks for your answer.
> > > >
> > > > I'm using apacheds-2.0.0-M9.
> > > >
> > > > The modify request comes from openam 10.0.1, an SSO server that 
> > > > gives you the option to reset the user password when pwdReset in 
> > > > pwdPolicy
> > is true.
> > > >
> > > > Is there some specific clue that I can give you here?
> > >
> > > AFAICT, the only reason to get this reason is that the value you 
> > > are trying to remove is not present in the attribute. Like, say, 
> > > you want to remove 'secret' when the password is 'magic' or 
> > > anything but
> 'secret'.
> > >
> > > What would help is to provide the entry with all its attributes, 
> > > so that we can compare with the modification you want to apply (of 
> > > course, be careful to 'anonymize' the passwords :)
> > >
> > > Another possibility - but unlikely - is that we have a bug in the 
> > > way we check for the presence of a value in a binary AttributeType.
> > >
> > > --
> > > Regards,
> > > Cordialement,
> > > Emmanuel Lécharny
> > > www.iktek.com
> > >
> > >
> >
>

Re: [ApacheDS] Error 56

Posted by Patricio Demitrio <pd...@scoop-gmbh.de>.
Thank you all for your big help.

Kiran: I am using openam

I did exactly as told in the previous mail.

The error now is much different.
First, although I set ads-pwdmustchange: TRUE, I was able to log in, I
don't know if that's normal.
Then, when I tried to update the password, I got the following error:
------------
[16:04:44] ERROR [org.apache.directory.server.ldap.handlers.BindHandler] -
ERR_162 Bind error : Only LDAP v3 is supported.
[16:04:44] ERROR [org.apache.directory.server.ldap.handlers.UnbindHandler]
- ERR_169 failed to unbind session properly

ERROR [org.apache.directory.server.ldap.handlers.UnbindHandler] - ERR_169
failed to unbind session properly
org.apache.directory.shared.ldap.model.exception.LdapNoSuchObjectException:
ERR_268 Cannot find a partition for
at
org.apache.directory.server.core.shared.partition.DefaultPartitionNexus.getPartition(DefaultPartitionNexus.java:979)
at
org.apache.directory.server.core.shared.partition.DefaultPartitionNexus.unbind(DefaultPartitionNexus.java:847)
at
org.apache.directory.server.core.api.interceptor.BaseInterceptor$1.unbind(BaseInterceptor.java:267)
at
org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:712)
at
org.apache.directory.server.core.authn.AuthenticationInterceptor.unbind(AuthenticationInterceptor.java:1129)
at
org.apache.directory.server.core.DefaultOperationManager.unbind(DefaultOperationManager.java:1050)
at
org.apache.directory.server.core.shared.DefaultCoreSession.unbind(DefaultCoreSession.java:1107)
at
org.apache.directory.server.ldap.handlers.UnbindHandler.handle(UnbindHandler.java:48)
at
org.apache.directory.server.ldap.handlers.UnbindHandler.handle(UnbindHandler.java:37)
at
org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:221)
at
org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)
at
org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:232)
at
org.apache.directory.server.ldap.LdapProtocolHandler.messageReceived(LdapProtocolHandler.java:209)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:716)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
at
org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:75)
at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63)
at
org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.runTask(UnorderedThreadPoolExecutor.java:480)
at
org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run(UnorderedThreadPoolExecutor.java:434)
at java.lang.Thread.run(Thread.java:662)
---------------------

I don't know if this helps, but if I try the same thing with OpenDJ, it
works, the password is updated, so maybe there is some clue on how openam
deals with the password field.


Thanks again to everyone


On Thu, Jan 31, 2013 at 3:29 PM, <Ca...@ibs-ag.com> wrote:

> To Karin's point, you need a password policy entry, then the user
> references the policy via the pwdPolicySubEntry attribute
>
> Here's an example policy that expires the password after two minutes.
>
> dn:
> ads-pwdId=test,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> objectclass: top
> objectclass: ads-base
> objectclass: ads-passwordPolicy
> ads-pwdattribute: userPassword
> ads-pwdid: test
> ads-enabled: TRUE
> ads-pwdallowuserchange: TRUE
> ads-pwdcheckquality: 1
> ads-pwdexpirewarning: 60
> ads-pwdfailurecountinterval: 30
> ads-pwdgraceauthnlimit: 3
> ads-pwdgraceexpire: 0
> ads-pwdinhistory: 5
> ads-pwdlockout: TRUE
> ads-pwdlockoutduration: 0
> ads-pwdmaxage: 120
> ads-pwdmaxdelay: 0
> ads-pwdmaxfailure: 5
> ads-pwdmaxidle: 0
> ads-pwdmaxlength: 0
> ads-pwdminage: 0
> ads-pwdmindelay: 0
> ads-pwdminlength: 5
> ads-pwdmustchange: TRUE
> ads-pwdsafemodify: FALSE
>
>
> Your user would then look like this, referencing the policy:
>
> dn: uid=user1,ou=people,dc=example,dc=com
>  objectClass: organizationalPerson
>  objectClass: person
>  objectClass: inetOrgPerson
>  objectClass: top
>  cn: user1
>  sn: user1
>  uid: user1
>  userPassword::
> e1NTSEF9NGx1QXphMkwrMFh5dXQvSWxlNllLZmxnR09LVlZtM2F3SHFZN0E9PQ==
>  pwdPolicySubEntry:
> ads-pwdId=test,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>
>
>
> -----Original Message-----
> From: Patricio Demitrio [mailto:pdemitrio@scoop-gmbh.de]
> Sent: Thursday, January 31, 2013 8:36 AM
> To: users@directory.apache.org
> Cc: elecharny@apache.org
> Subject: Re: [ApacheDS] Error 56
>
> Hi Carlo, I changed the value and it continues to fail.
>
> Please remember that the login process works, but the change password
> process fails. Maybe the SSO server encrypts the entered password in a
> different way, but when logging in, it uses the same process as apacheds.
>
> I'm trying to read and understand a little bit what's going on in the
> backend...
>
> Thanks again
>
>
> On Thu, Jan 31, 2013 at 1:19 PM, <Ca...@ibs-ag.com> wrote:
>
> > Hi, the case differences between your policy definition of the
> > password attribute and the actual name 'userpassword' might be causing a
> problem.
> >
> > pwdAttribute: userPassword
> >
> > attribute name 'userpassword'
> >
> >
> > -----Original Message-----
> > From: Patricio Demitrio [mailto:pdemitrio@scoop-gmbh.de]
> > Sent: Thursday, January 31, 2013 5:14 AM
> > To: users@directory.apache.org; elecharny@apache.org
> > Subject: Re: [ApacheDS] Error 56
> >
> > Hi Emmanuel,
> >
> > Here's the user full profile, according to apache directory studio:
> > ----
> > dn: uid=user1,ou=people,dc=example,dc=com
> > objectClass: organizationalPerson
> > objectClass: person
> > objectClass: pwdPolicy
> > objectClass: inetOrgPerson
> > objectClass: top
> > cn: user1
> > pwdAttribute: userPassword
> > sn: user1
> > pwdAllowUserChange: true
> > pwdMustChange: true
> > uid: user1
> > userpassword::
> > e1NTSEF9NGx1QXphMkwrMFh5dXQvSWxlNllLZmxnR09LVlZtM2F3SHFZN0E9P
> >  Q==
> > createTimestamp: 20130129134743Z
> > creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
> > entryCSN: 20130130121851.729000Z#000000#000#000000
> > entryParentId: 4
> > entryUUID:: MzUyZGZhZmQtNDQ3My00M2Q4LWJkZDQtYTUxNzBiODFiNjZi
> > modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
> > modifyTimestamp: 20130130121851Z
> > pwdHistory::
> > MjAxMzAxMjkxMzQ3NDNaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
> >  yI2NHRnpjM2R2Y21RPQ==
> > pwdHistory::
> > MjAxMzAxMzAxMTE4MjJaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
> >  yI2NHRnpjM2R2Y21ReA==
> > pwdHistory::
> > MjAxMzAxMzAxMTI2MjNaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
> >  yI2NHRnpjM2R2Y21Reg==
> > pwdHistory::
> > MjAxMzAxMzAxMTI5MzdaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
> >  yI2NHRnpjM2R2Y21RMA==
> > pwdHistory::
> > MjAxMzAxMzAxMjE4NTFaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
> >  yI2NHRnpjM2R2Y21RMQ==
> > pwdReset: true
> > ----------
> >
> > the user password is: password5.
> > I'm trying to change it to: password6 (not used before)
> >
> >
> > If I disable the pwdReset flag, the user logs properly to the system,
> > so the password is the correct one.
> > Thanks
> >
> >
> > On Thu, Jan 31, 2013 at 10:44 AM, Emmanuel Lécharny
> > <elecharny@gmail.com
> > >wrote:
> >
> > > Le 1/31/13 10:27 AM, Patricio Demitrio a écrit :
> > > > Hi Emmanuel, thanks for your answer.
> > > >
> > > > I'm using apacheds-2.0.0-M9.
> > > >
> > > > The modify request comes from openam 10.0.1, an SSO server that
> > > > gives you the option to reset the user password when pwdReset in
> > > > pwdPolicy
> > is true.
> > > >
> > > > Is there some specific clue that I can give you here?
> > >
> > > AFAICT, the only reason to get this reason is that the value you are
> > > trying to remove is not present in the attribute. Like, say, you want
> > > to remove 'secret' when the password is 'magic' or anything but
> 'secret'.
> > >
> > > What would help is to provide the entry with all its attributes, so
> > > that we can compare with the modification you want to apply (of
> > > course, be careful to 'anonymize' the passwords :)
> > >
> > > Another possibility - but unlikely - is that we have a bug in the
> > > way we check for the presence of a value in a binary AttributeType.
> > >
> > > --
> > > Regards,
> > > Cordialement,
> > > Emmanuel Lécharny
> > > www.iktek.com
> > >
> > >
> >
>

RE: [ApacheDS] Error 56

Posted by Ca...@ibs-ag.com.
To Karin's point, you need a password policy entry, then the user references the policy via the pwdPolicySubEntry attribute

Here's an example policy that expires the password after two minutes. 

dn: ads-pwdId=test,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
objectclass: top
objectclass: ads-base
objectclass: ads-passwordPolicy
ads-pwdattribute: userPassword
ads-pwdid: test
ads-enabled: TRUE
ads-pwdallowuserchange: TRUE
ads-pwdcheckquality: 1
ads-pwdexpirewarning: 60
ads-pwdfailurecountinterval: 30
ads-pwdgraceauthnlimit: 3
ads-pwdgraceexpire: 0
ads-pwdinhistory: 5
ads-pwdlockout: TRUE
ads-pwdlockoutduration: 0
ads-pwdmaxage: 120
ads-pwdmaxdelay: 0
ads-pwdmaxfailure: 5
ads-pwdmaxidle: 0
ads-pwdmaxlength: 0
ads-pwdminage: 0
ads-pwdmindelay: 0
ads-pwdminlength: 5
ads-pwdmustchange: TRUE
ads-pwdsafemodify: FALSE


Your user would then look like this, referencing the policy:

dn: uid=user1,ou=people,dc=example,dc=com
 objectClass: organizationalPerson
 objectClass: person
 objectClass: inetOrgPerson
 objectClass: top
 cn: user1
 sn: user1
 uid: user1
 userPassword:: e1NTSEF9NGx1QXphMkwrMFh5dXQvSWxlNllLZmxnR09LVlZtM2F3SHFZN0E9PQ==
 pwdPolicySubEntry: ads-pwdId=test,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config



-----Original Message-----
From: Patricio Demitrio [mailto:pdemitrio@scoop-gmbh.de] 
Sent: Thursday, January 31, 2013 8:36 AM
To: users@directory.apache.org
Cc: elecharny@apache.org
Subject: Re: [ApacheDS] Error 56

Hi Carlo, I changed the value and it continues to fail.

Please remember that the login process works, but the change password process fails. Maybe the SSO server encrypts the entered password in a different way, but when logging in, it uses the same process as apacheds.

I'm trying to read and understand a little bit what's going on in the backend...

Thanks again


On Thu, Jan 31, 2013 at 1:19 PM, <Ca...@ibs-ag.com> wrote:

> Hi, the case differences between your policy definition of the 
> password attribute and the actual name 'userpassword' might be causing a problem.
>
> pwdAttribute: userPassword
>
> attribute name 'userpassword'
>
>
> -----Original Message-----
> From: Patricio Demitrio [mailto:pdemitrio@scoop-gmbh.de]
> Sent: Thursday, January 31, 2013 5:14 AM
> To: users@directory.apache.org; elecharny@apache.org
> Subject: Re: [ApacheDS] Error 56
>
> Hi Emmanuel,
>
> Here's the user full profile, according to apache directory studio:
> ----
> dn: uid=user1,ou=people,dc=example,dc=com
> objectClass: organizationalPerson
> objectClass: person
> objectClass: pwdPolicy
> objectClass: inetOrgPerson
> objectClass: top
> cn: user1
> pwdAttribute: userPassword
> sn: user1
> pwdAllowUserChange: true
> pwdMustChange: true
> uid: user1
> userpassword::
> e1NTSEF9NGx1QXphMkwrMFh5dXQvSWxlNllLZmxnR09LVlZtM2F3SHFZN0E9P
>  Q==
> createTimestamp: 20130129134743Z
> creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
> entryCSN: 20130130121851.729000Z#000000#000#000000
> entryParentId: 4
> entryUUID:: MzUyZGZhZmQtNDQ3My00M2Q4LWJkZDQtYTUxNzBiODFiNjZi
> modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
> modifyTimestamp: 20130130121851Z
> pwdHistory::
> MjAxMzAxMjkxMzQ3NDNaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
>  yI2NHRnpjM2R2Y21RPQ==
> pwdHistory::
> MjAxMzAxMzAxMTE4MjJaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
>  yI2NHRnpjM2R2Y21ReA==
> pwdHistory::
> MjAxMzAxMzAxMTI2MjNaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
>  yI2NHRnpjM2R2Y21Reg==
> pwdHistory::
> MjAxMzAxMzAxMTI5MzdaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
>  yI2NHRnpjM2R2Y21RMA==
> pwdHistory::
> MjAxMzAxMzAxMjE4NTFaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
>  yI2NHRnpjM2R2Y21RMQ==
> pwdReset: true
> ----------
>
> the user password is: password5.
> I'm trying to change it to: password6 (not used before)
>
>
> If I disable the pwdReset flag, the user logs properly to the system, 
> so the password is the correct one.
> Thanks
>
>
> On Thu, Jan 31, 2013 at 10:44 AM, Emmanuel Lécharny 
> <elecharny@gmail.com
> >wrote:
>
> > Le 1/31/13 10:27 AM, Patricio Demitrio a écrit :
> > > Hi Emmanuel, thanks for your answer.
> > >
> > > I'm using apacheds-2.0.0-M9.
> > >
> > > The modify request comes from openam 10.0.1, an SSO server that 
> > > gives you the option to reset the user password when pwdReset in 
> > > pwdPolicy
> is true.
> > >
> > > Is there some specific clue that I can give you here?
> >
> > AFAICT, the only reason to get this reason is that the value you are 
> > trying to remove is not present in the attribute. Like, say, you want 
> > to remove 'secret' when the password is 'magic' or anything but 'secret'.
> >
> > What would help is to provide the entry with all its attributes, so 
> > that we can compare with the modification you want to apply (of 
> > course, be careful to 'anonymize' the passwords :)
> >
> > Another possibility - but unlikely - is that we have a bug in the 
> > way we check for the presence of a value in a binary AttributeType.
> >
> > --
> > Regards,
> > Cordialement,
> > Emmanuel Lécharny
> > www.iktek.com
> >
> >
>

Re: [ApacheDS] Error 56

Posted by Patricio Demitrio <pd...@scoop-gmbh.de>.
Hi Carlo, I changed the value and it continues to fail.

Please remember that the login process works, but the change password
process fails. Maybe the SSO server encrypts the entered password in a
different way, but when logging in, it uses the same process as apacheds.

I'm trying to read and understand a little bit what's going on in the
backend...

Thanks again


On Thu, Jan 31, 2013 at 1:19 PM, <Ca...@ibs-ag.com> wrote:

> Hi, the case differences between your policy definition of the password
> attribute and the actual name 'userpassword' might be causing a problem.
>
> pwdAttribute: userPassword
>
> attribute name 'userpassword'
>
>
> -----Original Message-----
> From: Patricio Demitrio [mailto:pdemitrio@scoop-gmbh.de]
> Sent: Thursday, January 31, 2013 5:14 AM
> To: users@directory.apache.org; elecharny@apache.org
> Subject: Re: [ApacheDS] Error 56
>
> Hi Emmanuel,
>
> Here's the user full profile, according to apache directory studio:
> ----
> dn: uid=user1,ou=people,dc=example,dc=com
> objectClass: organizationalPerson
> objectClass: person
> objectClass: pwdPolicy
> objectClass: inetOrgPerson
> objectClass: top
> cn: user1
> pwdAttribute: userPassword
> sn: user1
> pwdAllowUserChange: true
> pwdMustChange: true
> uid: user1
> userpassword::
> e1NTSEF9NGx1QXphMkwrMFh5dXQvSWxlNllLZmxnR09LVlZtM2F3SHFZN0E9P
>  Q==
> createTimestamp: 20130129134743Z
> creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
> entryCSN: 20130130121851.729000Z#000000#000#000000
> entryParentId: 4
> entryUUID:: MzUyZGZhZmQtNDQ3My00M2Q4LWJkZDQtYTUxNzBiODFiNjZi
> modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
> modifyTimestamp: 20130130121851Z
> pwdHistory::
> MjAxMzAxMjkxMzQ3NDNaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
>  yI2NHRnpjM2R2Y21RPQ==
> pwdHistory::
> MjAxMzAxMzAxMTE4MjJaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
>  yI2NHRnpjM2R2Y21ReA==
> pwdHistory::
> MjAxMzAxMzAxMTI2MjNaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
>  yI2NHRnpjM2R2Y21Reg==
> pwdHistory::
> MjAxMzAxMzAxMTI5MzdaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
>  yI2NHRnpjM2R2Y21RMA==
> pwdHistory::
> MjAxMzAxMzAxMjE4NTFaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
>  yI2NHRnpjM2R2Y21RMQ==
> pwdReset: true
> ----------
>
> the user password is: password5.
> I'm trying to change it to: password6 (not used before)
>
>
> If I disable the pwdReset flag, the user logs properly to the system, so
> the password is the correct one.
> Thanks
>
>
> On Thu, Jan 31, 2013 at 10:44 AM, Emmanuel Lécharny <elecharny@gmail.com
> >wrote:
>
> > Le 1/31/13 10:27 AM, Patricio Demitrio a écrit :
> > > Hi Emmanuel, thanks for your answer.
> > >
> > > I'm using apacheds-2.0.0-M9.
> > >
> > > The modify request comes from openam 10.0.1, an SSO server that gives
> > > you the option to reset the user password when pwdReset in pwdPolicy
> is true.
> > >
> > > Is there some specific clue that I can give you here?
> >
> > AFAICT, the only reason to get this reason is that the value you are
> > trying to remove is not present in the attribute. Like, say, you want
> > to remove 'secret' when the password is 'magic' or anything but 'secret'.
> >
> > What would help is to provide the entry with all its attributes, so
> > that we can compare with the modification you want to apply (of
> > course, be careful to 'anonymize' the passwords :)
> >
> > Another possibility - but unlikely - is that we have a bug in the way
> > we check for the presence of a value in a binary AttributeType.
> >
> > --
> > Regards,
> > Cordialement,
> > Emmanuel Lécharny
> > www.iktek.com
> >
> >
>

RE: [ApacheDS] Error 56

Posted by Ca...@ibs-ag.com.
Hi, the case differences between your policy definition of the password attribute and the actual name 'userpassword' might be causing a problem.

pwdAttribute: userPassword  

attribute name 'userpassword' 


-----Original Message-----
From: Patricio Demitrio [mailto:pdemitrio@scoop-gmbh.de] 
Sent: Thursday, January 31, 2013 5:14 AM
To: users@directory.apache.org; elecharny@apache.org
Subject: Re: [ApacheDS] Error 56

Hi Emmanuel,

Here's the user full profile, according to apache directory studio:
----
dn: uid=user1,ou=people,dc=example,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: pwdPolicy
objectClass: inetOrgPerson
objectClass: top
cn: user1
pwdAttribute: userPassword
sn: user1
pwdAllowUserChange: true
pwdMustChange: true
uid: user1
userpassword:: e1NTSEF9NGx1QXphMkwrMFh5dXQvSWxlNllLZmxnR09LVlZtM2F3SHFZN0E9P
 Q==
createTimestamp: 20130129134743Z
creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
entryCSN: 20130130121851.729000Z#000000#000#000000
entryParentId: 4
entryUUID:: MzUyZGZhZmQtNDQ3My00M2Q4LWJkZDQtYTUxNzBiODFiNjZi
modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
modifyTimestamp: 20130130121851Z
pwdHistory:: MjAxMzAxMjkxMzQ3NDNaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
 yI2NHRnpjM2R2Y21RPQ==
pwdHistory:: MjAxMzAxMzAxMTE4MjJaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
 yI2NHRnpjM2R2Y21ReA==
pwdHistory:: MjAxMzAxMzAxMTI2MjNaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
 yI2NHRnpjM2R2Y21Reg==
pwdHistory:: MjAxMzAxMzAxMTI5MzdaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
 yI2NHRnpjM2R2Y21RMA==
pwdHistory:: MjAxMzAxMzAxMjE4NTFaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
 yI2NHRnpjM2R2Y21RMQ==
pwdReset: true
----------

the user password is: password5.
I'm trying to change it to: password6 (not used before)


If I disable the pwdReset flag, the user logs properly to the system, so the password is the correct one.
Thanks


On Thu, Jan 31, 2013 at 10:44 AM, Emmanuel Lécharny <el...@gmail.com>wrote:

> Le 1/31/13 10:27 AM, Patricio Demitrio a écrit :
> > Hi Emmanuel, thanks for your answer.
> >
> > I'm using apacheds-2.0.0-M9.
> >
> > The modify request comes from openam 10.0.1, an SSO server that gives 
> > you the option to reset the user password when pwdReset in pwdPolicy is true.
> >
> > Is there some specific clue that I can give you here?
>
> AFAICT, the only reason to get this reason is that the value you are 
> trying to remove is not present in the attribute. Like, say, you want 
> to remove 'secret' when the password is 'magic' or anything but 'secret'.
>
> What would help is to provide the entry with all its attributes, so 
> that we can compare with the modification you want to apply (of 
> course, be careful to 'anonymize' the passwords :)
>
> Another possibility - but unlikely - is that we have a bug in the way 
> we check for the presence of a value in a binary AttributeType.
>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>
>

Re: [ApacheDS] Error 56

Posted by Kiran Ayyagari <ka...@apache.org>.
Patricio,

Are your users maintained by openam (or whichever software is connecting to
ApacheDS)?

If yes, then this might be an issue[1] with the way openam is modifying
the userPassword attribute (attribute names are case-insensitive in LDAP).

[1] your user entry has the 'pwdPolicy' object class (objectClass: pwdPolicy),
which is not generally used as part of a user entry; rather, injecting the
pwdPolicySubentry attribute is the correct way to enforce a password policy

On Thu, Jan 31, 2013 at 3:44 PM, Patricio Demitrio
<pd...@scoop-gmbh.de>wrote:

> Hi Emmanuel,
>
> Here's the user full profile, according to apache directory studio:
> ----
> dn: uid=user1,ou=people,dc=example,dc=com
> objectClass: organizationalPerson
> objectClass: person
> objectClass: pwdPolicy
> objectClass: inetOrgPerson
> objectClass: top
> cn: user1
> pwdAttribute: userPassword
> sn: user1
> pwdAllowUserChange: true
> pwdMustChange: true
> uid: user1
> userpassword:: e1NTSEF9NGx1QXphMkwrMFh5dXQvSWxlNllLZmxnR09LVlZtM2F3SHFZN0E9P
>  Q==
> createTimestamp: 20130129134743Z
> creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
> entryCSN: 20130130121851.729000Z#000000#000#000000
> entryParentId: 4
> entryUUID:: MzUyZGZhZmQtNDQ3My00M2Q4LWJkZDQtYTUxNzBiODFiNjZi
> modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
> modifyTimestamp: 20130130121851Z
> pwdHistory:: MjAxMzAxMjkxMzQ3NDNaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
>  yI2NHRnpjM2R2Y21RPQ==
> pwdHistory:: MjAxMzAxMzAxMTE4MjJaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
>  yI2NHRnpjM2R2Y21ReA==
> pwdHistory:: MjAxMzAxMzAxMTI2MjNaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
>  yI2NHRnpjM2R2Y21Reg==
> pwdHistory:: MjAxMzAxMzAxMTI5MzdaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
>  yI2NHRnpjM2R2Y21RMA==
> pwdHistory:: MjAxMzAxMzAxMjE4NTFaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
>  yI2NHRnpjM2R2Y21RMQ==
> pwdReset: true
> ----------
>
> the user password is: password5.
> I'm trying to change it to: password6 (not used before)
>
>
> If I disable the pwdReset flag, the user logs in properly to the system, so
> the password is the correct one.
> Thanks
>
>
> On Thu, Jan 31, 2013 at 10:44 AM, Emmanuel Lécharny <elecharny@gmail.com> wrote:
>
> > Le 1/31/13 10:27 AM, Patricio Demitrio a écrit :
> > > Hi Emmanuel, thanks for your answer.
> > >
> > > I'm using apacheds-2.0.0-M9.
> > >
> > > The modify request comes from openam 10.0.1, an SSO server that gives you
> > > the option to reset the user password when pwdReset in pwdPolicy is true.
> > >
> > > Is there some specific clue that I can give you here?
> >
> > AFAICT, the only reason to get this reason is that the value you are
> > trying to remove is not present in the attribute. Like, say, you want to
> > remove 'secret' when the password is 'magic' or anything but 'secret'.
> >
> > What would help is to provide the entry with all its attributes, so that
> > we can compare with the modification you want to apply (of course, be
> > careful to 'anonymize' the passwords :)
> >
> > Another possibility - but unlikely - is that we have a bug in the way we
> > check for the presence of a value in a binary AttributeType.
> >
> > --
> > Regards,
> > Cordialement,
> > Emmanuel Lécharny
> > www.iktek.com
> >
> >
>



-- 
Kiran Ayyagari
http://keydap.com

Re: [ApacheDS] Error 56

Posted by Patricio Demitrio <pd...@scoop-gmbh.de>.
Hi Emmanuel,

Here's the user full profile, according to apache directory studio:
----
dn: uid=user1,ou=people,dc=example,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: pwdPolicy
objectClass: inetOrgPerson
objectClass: top
cn: user1
pwdAttribute: userPassword
sn: user1
pwdAllowUserChange: true
pwdMustChange: true
uid: user1
userpassword:: e1NTSEF9NGx1QXphMkwrMFh5dXQvSWxlNllLZmxnR09LVlZtM2F3SHFZN0E9P
 Q==
createTimestamp: 20130129134743Z
creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
entryCSN: 20130130121851.729000Z#000000#000#000000
entryParentId: 4
entryUUID:: MzUyZGZhZmQtNDQ3My00M2Q4LWJkZDQtYTUxNzBiODFiNjZi
modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
modifyTimestamp: 20130130121851Z
pwdHistory:: MjAxMzAxMjkxMzQ3NDNaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
 yI2NHRnpjM2R2Y21RPQ==
pwdHistory:: MjAxMzAxMzAxMTE4MjJaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
 yI2NHRnpjM2R2Y21ReA==
pwdHistory:: MjAxMzAxMzAxMTI2MjNaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
 yI2NHRnpjM2R2Y21Reg==
pwdHistory:: MjAxMzAxMzAxMTI5MzdaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
 yI2NHRnpjM2R2Y21RMA==
pwdHistory:: MjAxMzAxMzAxMjE4NTFaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
 yI2NHRnpjM2R2Y21RMQ==
pwdReset: true
----------

the user password is: password5.
I'm trying to change it to: password6 (not used before)


If I disable the pwdReset flag, the user logs in properly to the system, so
the password is the correct one.
Thanks


On Thu, Jan 31, 2013 at 10:44 AM, Emmanuel Lécharny <el...@gmail.com> wrote:

> Le 1/31/13 10:27 AM, Patricio Demitrio a écrit :
> > Hi Emmanuel, thanks for your answer.
> >
> > I'm using apacheds-2.0.0-M9.
> >
> > The modify request comes from openam 10.0.1, an SSO server that gives you
> > the option to reset the user password when pwdReset in pwdPolicy is true.
> >
> > Is there some specific clue that I can give you here?
>
> AFAICT, the only reason to get this reason is that the value you are
> trying to remove is not present in the attribute. Like, say, you want to
> remove 'secret' when the password is 'magic' or anything but 'secret'.
>
> What would help is to provide the entry with all its attributes, so that
> we can compare with the modification you want to apply (of course, be
> careful to 'anonymize' the passwords :)
>
> Another possibility - but unlikely - is that we have a bug in the way we
> check for the presence of a value in a binary AttributeType.
>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>
>

Re: [ApacheDS] Error 56

Posted by Emmanuel Lécharny <el...@gmail.com>.
Le 1/31/13 10:27 AM, Patricio Demitrio a écrit :
> Hi Emmanuel, thanks for your answer.
>
> I'm using apacheds-2.0.0-M9.
>
> The modify request comes from openam 10.0.1, an SSO server that gives you
> the option to reset the user password when pwdReset in pwdPolicy is true.
>
> Is there some specific clue that I can give you here?

AFAICT, the only reason to get this reason is that the value you are
trying to remove is not present in the attribute. Like, say, you want to
remove 'secret' when the password is 'magic' or anything but 'secret'.

What would help is to provide the entry with all its attributes, so that
we can compare with the modification you want to apply (of course, be
careful to 'anonymize' the passwords :)

Another possibility - but unlikely - is that we have a bug in the way we
check for the presence of a value in a binary AttributeType.

-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 

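Emmanuel's diagnosis above (the value named in a delete modification has to be present, byte for byte, in the attribute) can be checked against the entry Patricio posted earlier in the thread. The Python below is an added example, not code from ApacheDS, OpenAM or anyone on the list: it parses the posted entry as LDIF (unfolding the wrapped lines and decoding the `::` base64 values), converts the delete value from the request dump back to bytes, and applies the exact-byte comparison that octetStringMatch specifies. An {SSHA} check is included only to contrast what a bind does with what a delete-by-value does; whether the plaintext in the dump verifies against the posted hash is not asserted. The attribute values are copied from the thread; the function names and the trimmed entry are my own.

```python
import base64
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed input: the entry Patricio posted, trimmed to the attributes this
# example needs (values copied verbatim from the thread). LDIF rules (RFC 2849):
# "::" marks a base64 value, and a line starting with one space continues the
# previous line.
ENTRY_LDIF = """\
dn: uid=user1,ou=people,dc=example,dc=com
objectClass: pwdPolicy
objectClass: inetOrgPerson
uid: user1
pwdAttribute: userPassword
userpassword:: e1NTSEF9NGx1QXphMkwrMFh5dXQvSWxlNllLZmxnR09LVlZtM2F3SHFZN0E9P
 Q==
pwdHistory:: MjAxMzAxMjkxMzQ3NDNaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
 yI2NHRnpjM2R2Y21RPQ==
pwdHistory:: MjAxMzAxMzAxMjE4NTFaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzE
 yI2NHRnpjM2R2Y21RMQ==
pwdReset: true
"""

# The 'delete' value from the ModifyRequest dump in the first message.
DELETE_VALUE_DUMP = "0x70 0x61 0x73 0x73 0x77 0x6F 0x72 0x64 "

_LDIF_LINE = re.compile(r"([^:]+)(::?) ?(.*)")


def parse_ldif(text: str) -> Dict[str, List[bytes]]:
    """Unfold continuation lines, decode '::' values, and key the result by
    lower-cased attribute name: LDAP attribute names are case-insensitive, so
    'userpassword' and 'userPassword' are the same attribute."""
    entry: Dict[str, List[bytes]] = {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():
            continue
        name, sep, value = _LDIF_LINE.match(line).groups()
        raw = base64.b64decode(value) if sep == "::" else value.encode()
        entry.setdefault(name.lower(), []).append(raw)
    return entry


def hex_dump_to_bytes(dump: str) -> bytes:
    """Turn the '0x70 0x61 ...' form of the ApacheDS request dump into bytes."""
    return bytes(int(tok, 16) for tok in dump.split())


def octet_string_match(entry: Dict[str, List[bytes]], attr: str, value: bytes) -> bool:
    """octetStringMatch, as the schema declares for userPassword: exact byte
    equality against each stored value, no hashing or normalisation. A delete
    that names a value is checked this way; a miss is what ERR_56 reports."""
    return any(value == stored for stored in entry.get(attr.lower(), []))


def parse_ssha(stored: bytes) -> Tuple[bytes, bytes]:
    """Split an RFC 2307 '{SSHA}' value into (sha1_digest, salt)."""
    if not stored.startswith(b"{SSHA}"):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(stored[len(b"{SSHA}"):])
    return blob[:20], blob[20:]  # SHA-1 digest is 20 bytes; the rest is the salt


def check_ssha(stored: bytes, candidate: bytes) -> bool:
    """How a bind verifies a plaintext: SHA1(candidate || salt) == digest.
    This hashing step is exactly what a value-level delete does not perform."""
    digest, salt = parse_ssha(stored)
    return hashlib.sha1(candidate + salt).digest() == digest


def parse_pwd_history(value: bytes) -> dict:
    """pwdHistory layout from the LDAP password-policy draft:
    time#syntaxOID#length#data. In the posted entry the data field is itself
    base64 text, so it is decoded here."""
    time, syntax, length, data = value.decode().split("#", 3)
    return {"time": time, "syntax": syntax, "length": int(length),
            "data": base64.b64decode(data)}


def diagnose() -> dict:
    """Collect the facts relevant to the ERR_56 in the thread."""
    entry = parse_ldif(ENTRY_LDIF)
    stored = entry["userpassword"][0]
    delete_value = hex_dump_to_bytes(DELETE_VALUE_DUMP)
    _digest, salt = parse_ssha(stored)
    return {
        "stored_is_hashed": stored.startswith(b"{SSHA}"),
        "delete_value": delete_value,
        "delete_would_match": octet_string_match(entry, "userPassword", delete_value),
        "salt_len": len(salt),
        "history": [parse_pwd_history(v)["data"] for v in entry["pwdhistory"]],
    }


if __name__ == "__main__":
    for key, val in diagnose().items():
        print(f"{key}: {val!r}")
```

Run stand-alone it prints the decoded pieces. Two things stand out: the stored userPassword is an {SSHA} value while the delete names the eight plaintext bytes of `password`, so the byte comparison cannot succeed whichever password is the right one; and the pwdHistory data fields decode to the plaintext values (`password` first, `password5` last), so an export like the one posted is not anonymized by blanking userPassword alone.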

Re: [ApacheDS] Error 56

Posted by Patricio Demitrio <pd...@scoop-gmbh.de>.
Hi Emmanuel, thanks for your answer.

I'm using apacheds-2.0.0-M9.

The modify request comes from openam 10.0.1, an SSO server that gives you
the option to reset the user password when pwdReset in pwdPolicy is true.

Is there some specific clue that I can give you here?

Thanks
Patricio


On Wed, Jan 30, 2013 at 12:19 PM, Patricio Demitrio <pdemitrio@scoop-gmbh.de> wrote:

> Hi, while trying to change the password of a user from openam (sso server)
> I'm getting this error.
>
> Message ID : 3
>     Modify Request
>         Object : 'uid=user1,ou=people,dc=example,dc=com'
>             Modification[0]
>                 Operation :  delete
>                 Modification
>     userpassword: '0x70 0x61 0x73 0x73 0x77 0x6F 0x72 0x64 '
>             Modification[1]
>                 Operation :  add
>                 Modification
>     userpassword: '0x61 0x63 0x63 0x65 0x73 0x73 0x43 0x6F 0x6E 0x74 0x72
> 0x6F 0x6C 0x53 0x70 0x65 ...'
>
> org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@99795eb8org.apache.directory.shared.ldap.extras.controls.ppolicy.PasswordPolicyImpl@2cd5276a:
> ERR_56 Cannot remove an absent value from attribute : ATTRIBUTE_TYPE (
> 2.5.4.35
>  NAME 'userPassword'
>  DESC RFC2256/2307: password of user
>  EQUALITY octetStringMatch
>  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
>  USAGE userApplications
>  )
> -----
> Strange, since attribute "userPassword" is there.
> Does the difference between "userpassword" and "userPassword" have
> anything to do with it?
>
> Thanks in advance
> Patricio
>