Hi Shawn, Dave and I work together. He's on vacation for a couple days.

> Can you export that corresponding user entry into ldif and post it here?

Below is the dave user's entry exported to ldif (I omitted the jpegPhoto, userPassword, and the 5 pwdHistory attributes). I don't see the policy attribute even though fortress-commander seems to successfully commit the password policy assignment. For example, I just tried to change another user's password policy and tomcat recorded an HTTP 200 in its access log. I don't see any obvious errors in the tomcat stdout/stderr/catalina logs.

10.1.122.55 - test [02/Jun/2017:16:26:34 -0400] "POST /fortress-web/wicket/bookmarkable/org.apache.directory.fortress.web.UserPage?2-1.IBehaviorListener.0-layout-userdetailpanel-editFields-commit&wicket-ajax=true&wicket-ajax-baseurl=wicket%2Fbookmarkable%2Forg.apache.directory.fortress.web.UserPage%3F2 HTTP/1.1" 200 261634

dn: uid=dave,ou=People,dc=example,dc=com
objectClass: extensibleObject
objectClass: ftMods
objectClass: ftProperties
objectClass: ftUserAttrs
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
cn: dave
ftId: 8f35b947-6db5-4e4f-a73a-98b448b15874
sn: dave
displayName: dave
ftCstr: dave$0$$$$$$$
ftModCode: AdminMgrImpl.resetPassword
ftModId: e351aa19-aded-4a92-ab3b-725c5c75ec9b
ftModifier: 70e12de5-cbf5-4152-b98a-89d185667bda
ftProps: initAttrArrays:
ftRA: fortress-rest-super-user
ftRC: fortress-rest-super-user$0$$$$$$$
ftSystem: FALSE
ou: dev0
uid: dave
createTimestamp: 20170531211627.651Z
creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
entryCSN: 20170601195338.392000Z#000000#001#000000
entryDN: uid=dave,ou=People,dc=example,dc=com
entryParentId: a59bdb1e-b9eb-40c1-acbc-6be60ee64b42
entryUUID:: M2MyNzc0YTctNWQzMy00ODdlLTk1ZWItMjZhNWNmMTJiYTkz
modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
modifyTimestamp: 20170601195338.057Z
nbChildren: 0
nbSubordinates: 0
pwdAccountLockedTime: 000001010000Z
pwdReset: TRUE
subschemaSubentry: cn=schema

Brian Brooks
Sr Software Engineer
[email protected]
Office: +1 678 252 4498
2205 Northmont Pkwy, STE 100
Duluth, GA 30096

-----Original Message-----
From: Shawn McKinney [mailto:[email protected]]
Sent: Thursday, June 01, 2017 6:12 PM
To: [email protected]
Subject: Re: Using REST API to get user's locked and reset states

Welcome Dave,

Can you export that corresponding user entry into ldif and post it here? We’ll need to see the operational attributes before trying to figure out where the problem is.

For example, here’s an export I did of test user ‘foo1’. You can see that I’ve put that user’s account into both a locked and reset state (in openldap). You can also see this user’s password policy is ‘test1’.

dn: uid=foo1,ou=People,dc=example,dc=com
objectClass: extensibleObject
objectClass: ftMods
objectClass: ftProperties
objectClass: ftUserAttrs
objectClass: inetOrgPerson
objectClass: top
cn: foo1
ftId: fdc4a7f3-62f7-47d4-aac4-bac4b7cdb551
sn: fighter
description: foo fighter
displayName: foo1
ftCstr: foo1$0$$$$$$$
ftProps: initAttrArrays:
ou: dev1
uid: foo1
userPassword:: e1NTSEF9UVQ0K21NdE5lYTBwckFRTC96QlQ2akZrK1ZESTIxd3E=
createTimestamp: 20170601212713Z
creatorsName: cn=Manager,dc=example,dc=com
entryCSN: 20170601213012.870902Z#000000#000#000000
entryDN: uid=foo1,ou=People,dc=example,dc=com
entryUUID:: ZDJlMDE3YjItZGI1Yy0xMDM2LThlMzMtNTkzZmZmYzA1ODU4
hasSubordinates: FALSE
modifiersName: cn=Manager,dc=example,dc=com
modifyTimestamp: 20170601213012Z
pwdAccountLockedTime: 000001010000Z
pwdChangedTime: 20170601212844Z
pwdHistory:: MjAxNzA2MDEyMTI4NDRaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzM
 4I3tTU0hBfXlSVm5jMjVUUThZN2libnVuVEpUR2VVY1pYeFBCdjFR
pwdPolicySubentry: cn=test1,ou=Policies,dc=example,dc=com
pwdReset: TRUE
structuralObjectClass: inetOrgPerson
subschemaSubentry: cn=Subschema

thanks
Shawn

> On Jun 1, 2017, at 10:57 AM, David Erie (US) <[email protected]> wrote:
>
> Hello,
> We're evaluating Fortress with ApacheDS, and I'm trying to get a user's
> account status (locked and reset, specifically) via the REST API for a user
> whose account is locked and whose password has been reset.
>
> What I get back is this:
>
> <entity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="user">
> ..
> <userId>dave</userId>
> <locked>false</locked>
> <reset>false</reset>
> ..
> </entity>
>
> How can I tell that a user's account has been locked or reset when these
> Boolean properties don't seem to contain the correct information?
>
> Thank you,
> Dave
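
Added example, not part of the thread and not Fortress code: a small Python parser that reads an LDIF export like the two above and derives the locked and reset states from the password-policy operational attributes (pwdAccountLockedTime, pwdReset, pwdPolicySubentry). The sample entries and the names `parse_ldif` and `account_state` are constructed for illustration, and `lockout_duration` is an assumed stand-in for the policy's pwdLockoutDuration, which the thread does not show.

```python
import base64
from datetime import datetime, timedelta, timezone

PERMANENT_LOCK = "000001010000Z"  # pwdAccountLockedTime value seen in the thread
# Constructed sample export (hypothetical users), with one folded line.
SAMPLE = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
pwdAccountLockedTime: 000001010000Z
pwdReset: TRUE

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
pwdAccountLockedTime: 20170601212844Z
pwdPolicySubentry: cn=test1,ou=Poli
 cies,dc=example,dc=com
"""

def parse_ldif(text):
    """Return one {lowercased attribute: [values]} dict per LDIF entry."""
    # Unfold continuation lines (newline + single space), then drop comments.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "").split("\n")
    entries, current = [], {}
    for line in [l for l in unfolded if not l.startswith("#")] + [""]:
        if not line.strip():  # a blank line ends the current entry
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, rest = line.partition(":")
        value = (base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
                 if rest.startswith(":") else rest.strip())  # "::" means base64
        current.setdefault(name.lower(), []).append(value)
    return entries

def account_state(entry, now, lockout_duration=0):
    """Derive locked/reset from operational attributes.
    lockout_duration (seconds) is an assumed stand-in for pwdLockoutDuration."""
    locked_at = entry.get("pwdaccountlockedtime", [None])[0]
    if locked_at is None:
        locked = False
    elif locked_at == PERMANENT_LOCK or lockout_duration == 0:
        locked = True  # only an administrator can unlock
    else:
        start = datetime.strptime(locked_at[:14], "%Y%m%d%H%M%S")
        locked = now < start.replace(tzinfo=timezone.utc) + timedelta(seconds=lockout_duration)
    return {"uid": entry.get("uid", [""])[0], "locked": locked,
            "reset": entry.get("pwdreset", ["FALSE"])[0].upper() == "TRUE",
            "policy": entry.get("pwdpolicysubentry", [None])[0]}
```

An entry that comes back with `policy` set to `None`, as in the dave export, has no per-user pwdPolicySubentry in the exported attributes.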
