Good Morning Shawn,

> How did you enable pw policies in apacheds, can you point me to the setup 
> instructions you used?

We just set up a vanilla install of ApacheDS on a Windows 10 virtual machine 
using apacheds-2.0.0-M23.exe downloaded from

http://directory.apache.org/apacheds/download/download-windows.html

The ApacheDS instance is configured with default settings, which include 
enabling a default password policy.

http://directory.apache.org/apacheds/advanced-ug/4.3-password-policy.html

Dave set up ApacheDS; when he gets back in the office I can confirm whether 
he customized anything.

Here's an LDIF export of 

* ou=config
    * ads-directoryServiceId=<default>
        * ou=interceptors
            * ads-interceptorId=authenticationInterceptor
                * ou=passwordPolicies

from our ApacheDS installation:

dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationIn
 terceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
objectclass: ads-passwordPolicy
objectclass: ads-base
objectclass: top
ads-pwdattribute: userPassword
ads-pwdid: default
ads-enabled: TRUE
ads-pwdallowuserchange: TRUE
ads-pwdcheckquality: 1
ads-pwdexpirewarning: 600
ads-pwdfailurecountinterval: 30
ads-pwdgraceauthnlimit: 5
ads-pwdgraceexpire: 0
ads-pwdinhistory: 5
ads-pwdlockout: TRUE
ads-pwdlockoutduration: 0
ads-pwdmaxage: 0
ads-pwdmaxdelay: 0
ads-pwdmaxfailure: 5
ads-pwdmaxidle: 0
ads-pwdmaxlength: 0
ads-pwdminage: 0
ads-pwdmindelay: 0
ads-pwdminlength: 5
ads-pwdmustchange: FALSE
ads-pwdsafemodify: FALSE
ads-pwdvalidator: org.apache.directory.server.core.api.authn.ppolicy.Default
 PasswordValidator
createtimestamp: 20170523201006.896Z
creatorsname: uid=admin,ou=system
entrycsn: 20170523201006.896000Z#000000#000#000000
entryDN: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticat
 ionInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
entryParentId: 81135817-120c-4b89-81be-33f759cd5319
entryuuid:: ZGYyYjI2OTctNzQ4OC00NzUzLWFiOGEtZWJhMmRhOTE1NmQ1
nbChildren: 0
nbSubordinates: 0
subschemaSubentry: cn=schema

Brian Brooks
Sr Software Engineer
[email protected]
Office: +1 678 252 4498
2205 Northmont Pkwy, STE 100
Duluth, GA 30096

-----Original Message-----
From: Shawn McKinney [mailto:[email protected]] 
Sent: Monday, June 05, 2017 8:23 AM
To: [email protected]
Subject: Re: Using REST API to get user's locked and reset states

Hi Brian,

I’ll need to set up an apacheds instance locally that matches your config.

How did you enable pw policies in apacheds, can you point me to the setup 
instructions you used?

In the meantime, here is a response via enmasse of a user whose account is both 
locked and reset.

The policy attributes are being populated.  But again I’m using openldap, and 
need to run the exact same test with ads.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FortResponse>
 <errorCode>0</errorCode>
 <entity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="user">
   <modId>cb792bd1-c8fe-424f-a629-aad6c5572aa9</modId>
   <sequenceId>0</sequenceId>
   <userId>foo1</userId>
   <description>foo fighter</description>
   <name>foo1</name>
   <internalId>fdc4a7f3-62f7-47d4-aac4-bac4b7cdb551</internalId>
   <ou>dev1</ou>
   <pwPolicy>cn=test1</pwPolicy>
   <sn>fighter</sn>
   <cn>foo1</cn>
   <dn>uid=foo1,ou=People,dc=example,dc=com</dn>
   <address/>
   <props>
     <modId>fc416338-69bd-46df-8b00-e1fd6be7ed9c</modId>
     <sequenceId>0</sequenceId>
     <entry>
       <key>initAttrArrays</key>
       <value/>
     </entry>
   </props>
   <locked>true</locked>
   <reset>true</reset>
   <timeout>0</timeout>
 </entity>
</FortResponse>


Shawn





> On Jun 2, 2017, at 3:39 PM, Brian Brooks (US) <[email protected]> 
> wrote:
> 
> Hi Shawn,
> 
> Dave and I work together.  He's on vacation for a couple days.
> 
>> Can you export that corresponding user entry into ldif and post it here?
> 
> Below is the dave user's entry exported to ldif (I omitted the jpegPhoto, 
> userPassword, and the 5 pwdHistory attributes). 
> 
> I don't see the policy attribute even though fortress-commander seems to 
> successfully commit the password policy assignment.  For example, I just 
> tried to change another user's password policy and tomcat recorded an HTTP 
> 200 in its access log.  I don't see any obvious errors in the tomcat 
> stdout/stderr/catalina logs.
> 
> 10.1.122.55 - test [02/Jun/2017:16:26:34 -0400] "POST 
> /fortress-web/wicket/bookmarkable/org.apache.directory.fortress.web.Us
> erPage?2-1.IBehaviorListener.0-layout-userdetailpanel-editFields-commi
> t&wicket-ajax=true&wicket-ajax-baseurl=wicket%2Fbookmarkable%2Forg.apa
> che.directory.fortress.web.UserPage%3F2 HTTP/1.1" 200 261634
> 
> dn: uid=dave,ou=People,dc=example,dc=com
> objectClass: extensibleObject
> objectClass: ftMods
> objectClass: ftProperties
> objectClass: ftUserAttrs
> objectClass: organizationalPerson
> objectClass: person
> objectClass: inetOrgPerson
> objectClass: top
> cn: dave
> ftId: 8f35b947-6db5-4e4f-a73a-98b448b15874
> sn: dave
> displayName: dave
> ftCstr: dave$0$$$$$$$
> ftModCode: AdminMgrImpl.resetPassword
> ftModId: e351aa19-aded-4a92-ab3b-725c5c75ec9b
> ftModifier: 70e12de5-cbf5-4152-b98a-89d185667bda
> ftProps: initAttrArrays:
> ftRA: fortress-rest-super-user
> ftRC: fortress-rest-super-user$0$$$$$$$
> ftSystem: FALSE
> ou: dev0
> uid: dave
> createTimestamp: 20170531211627.651Z
> creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
> entryCSN: 20170601195338.392000Z#000000#001#000000
> entryDN: uid=dave,ou=People,dc=example,dc=com
> entryParentId: a59bdb1e-b9eb-40c1-acbc-6be60ee64b42
> entryUUID:: M2MyNzc0YTctNWQzMy00ODdlLTk1ZWItMjZhNWNmMTJiYTkz
> modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
> modifyTimestamp: 20170601195338.057Z
> nbChildren: 0
> nbSubordinates: 0
> pwdAccountLockedTime: 000001010000Z
> pwdReset: TRUE
> subschemaSubentry: cn=schema
> 
> 
> Brian Brooks
> Sr Software Engineer
> [email protected]
> Office: +1 678 252 4498
> 2205 Northmont Pkwy, STE 100
> Duluth, GA 30096
> 
> -----Original Message-----
> From: Shawn McKinney [mailto:[email protected]]
> Sent: Thursday, June 01, 2017 6:12 PM
> To: [email protected]
> Subject: Re: Using REST API to get user's locked and reset states
> 
> Welcome Dave,
> 
> Can you export that corresponding user entry into ldif and post it here?   
> We’ll need to see the operational attributes before trying to figure out 
> where the problem is.  
> 
> For example, here’s an export I did of test user ‘foo1’.  You can see that 
> I’ve put that user’s account into both a locked and reset state (in openldap).
> 
> You can also see this user’s password policy is ‘test1’.
> 
> dn: uid=foo1,ou=People,dc=example,dc=com
> objectClass: extensibleObject
> objectClass: ftMods
> objectClass: ftProperties
> objectClass: ftUserAttrs
> objectClass: inetOrgPerson
> objectClass: top
> cn: foo1
> ftId: fdc4a7f3-62f7-47d4-aac4-bac4b7cdb551
> sn: fighter
> description: foo fighter
> displayName: foo1
> ftCstr: foo1$0$$$$$$$
> ftProps: initAttrArrays:
> ou: dev1
> uid: foo1
> userPassword:: e1NTSEF9UVQ0K21NdE5lYTBwckFRTC96QlQ2akZrK1ZESTIxd3E=
> createTimestamp: 20170601212713Z
> creatorsName: cn=Manager,dc=example,dc=com
> entryCSN: 20170601213012.870902Z#000000#000#000000
> entryDN: uid=foo1,ou=People,dc=example,dc=com
> entryUUID:: ZDJlMDE3YjItZGI1Yy0xMDM2LThlMzMtNTkzZmZmYzA1ODU4
> hasSubordinates: FALSE
> modifiersName: cn=Manager,dc=example,dc=com
> modifyTimestamp: 20170601213012Z
> pwdAccountLockedTime: 000001010000Z
> pwdChangedTime: 20170601212844Z
> pwdHistory:: 
> MjAxNzA2MDEyMTI4NDRaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzM
> 4I3tTU0hBfXlSVm5jMjVUUThZN2libnVuVEpUR2VVY1pYeFBCdjFR
> pwdPolicySubentry: cn=test1,ou=Policies,dc=example,dc=com
> pwdReset: TRUE
> structuralObjectClass: inetOrgPerson
> subschemaSubentry: cn=Subschema
> 
> 
> 
> thanks
> Shawn
> 
> 
> 
> 
> 
>> On Jun 1, 2017, at 10:57 AM, David Erie (US) <[email protected]> wrote:
>> 
>> Hello,
>> We're evaluating Fortress with ApacheDS, and I'm trying to get a user's 
>> account status (locked and reset, specifically) via the REST API for a user 
>> whose account is locked and whose password has been reset.
>> 
>> What I get back is this:
>> 
>> <entity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
>> xsi:type="user"> ..
>>              <userId>dave</userId>
>>              <locked>false</locked>
>>              <reset>false</reset>
>> ..
>> </entity>
>> 
>> How can I tell that a user's account has been locked or reset when these 
>> Boolean properties don't seem to contain the correct information?
>> 
>> Thank you,
>> Dave
> 

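The thread turns on the pwd* operational attributes (pwdAccountLockedTime, pwdReset, pwdPolicySubentry) in the user exports quoted above and on the lockout settings in the ApacheDS policy entry at the top. The script below is an added example, not code from the thread, from Fortress or from ApacheDS: it parses LDIF exports of that shape (folded lines and base64 `::` values included), reduces the ApacheDS policy entry to its lockout settings, and derives what a lock/reset query should report for each user. It goes one step beyond the thread by applying the policy's lockout duration, so a timed lock is reported as expired once the duration has passed. The sample LDIF is constructed from the entries posted here and trimmed; all function names are the example's own.

```python
"""Parse LDIF and derive lock/reset state from pwd* operational attributes.
Added example, not code from the thread, Fortress or ApacheDS; the sample LDIF
is constructed from the entries posted in the thread, trimmed to what matters."""
import base64
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# Sentinel from the LDAP password-policy draft: locked until an admin unlocks it.
PERMANENT_LOCK = "000001010000Z"

SAMPLE_LDIF = """\
dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationIn
 terceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
objectclass: ads-passwordPolicy
ads-pwdid: default
ads-enabled: TRUE
ads-pwdlockout: TRUE
ads-pwdlockoutduration: 0
ads-pwdmaxfailure: 5
ads-pwdminlength: 5

dn: uid=dave,ou=People,dc=example,dc=com
entryUUID:: M2MyNzc0YTctNWQzMy00ODdlLTk1ZWItMjZhNWNmMTJiYTkz
pwdAccountLockedTime: 000001010000Z
pwdReset: TRUE

dn: uid=foo1,ou=People,dc=example,dc=com
entryUUID:: ZDJlMDE3YjItZGI1Yy0xMDM2LThlMzMtNTkzZmZmYzA1ODU4
pwdAccountLockedTime: 000001010000Z
pwdPolicySubentry: cn=test1,ou=Policies,dc=example,dc=com
pwdReset: TRUE
"""

def parse_ldif(text: str) -> List[Entry]:
    """Entries as {lower-cased attr: [values]}: folded lines are joined,
    'attr:: base64' values decoded, a blank line ends an entry."""
    text = re.sub(r"\n ", "", text)  # LDIF folding: newline + one space
    entries: List[Entry] = []
    current: Entry = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):  # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries

def first(entry: Entry, name: str) -> Optional[str]:
    """First value of an attribute, looked up case-insensitively."""
    values = entry.get(name.lower())
    return values[0] if values else None

def policy_summary(entry: Entry) -> Dict[str, object]:
    """Lockout-relevant settings of an ApacheDS ads-passwordPolicy entry."""
    if "ads-passwordpolicy" not in [c.lower() for c in entry.get("objectclass", [])]:
        raise ValueError("not an ads-passwordPolicy entry")
    return {
        "enabled": first(entry, "ads-enabled") == "TRUE",
        "lockout": first(entry, "ads-pwdLockout") == "TRUE",
        "max_failure": int(first(entry, "ads-pwdMaxFailure") or 0),
        "lockout_duration": int(first(entry, "ads-pwdLockoutDuration") or 0),
        "min_length": int(first(entry, "ads-pwdMinLength") or 0),
    }

def is_locked(locked_time: Optional[str], lockout_duration: int, now: datetime) -> bool:
    """Absent: unlocked. Sentinel or duration 0: locked until an admin clears it.
    Otherwise the lock expires lockout_duration seconds after it was set."""
    if locked_time is None:
        return False
    if locked_time == PERMANENT_LOCK or lockout_duration == 0:
        return True
    started = datetime.strptime(locked_time[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return now < started + timedelta(seconds=lockout_duration)

def account_status(entry: Entry, policy: Optional[Dict[str, object]] = None,
                   now: Optional[datetime] = None) -> Dict[str, object]:
    """What a lock/reset query should report for one user entry."""
    duration = int(policy["lockout_duration"]) if policy else 0
    locked_time = first(entry, "pwdAccountLockedTime")
    return {
        "dn": first(entry, "dn"),
        "locked": is_locked(locked_time, duration, now or datetime.now(timezone.utc)),
        "reset": (first(entry, "pwdReset") or "").upper() == "TRUE",
        "policy": first(entry, "pwdPolicySubentry"),  # absent on the ApacheDS export
    }
```

Two points the script makes explicit: pwdAccountLockedTime, pwdReset and pwdPolicySubentry are operational attributes, which an LDAP search only returns when they are requested by name or with `+`, so any layer that reads them must ask for them; and with ads-pwdLockoutDuration 0, as in the default ApacheDS policy at the top of this message, a lock never expires on its own and stays in place until an administrator clears it.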