Need to change core to support pw policies in apacheds formally. Ticket open: https://issues.apache.org/jira/browse/FC-211
Shawn

> On Jun 8, 2017, at 11:25 AM, Shawn McKinney <[email protected]> wrote:
>
> I finally got around to trying this myself. Changing the ldap.server.type prop as described means fortress will process the pw policy ops. I was able to verify on a test against apacheds, new response pasted below. I noticed before that you don’t have the pwpolicy attribute set on your user which means the default policy for the server will be enforced.
>
> Let me know if you have any more questions.
>
>
> <FortResponse>
> <errorCode>0</errorCode>
> <entity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="user">
> <modId>18e5955f-90cf-420a-8580-fc47be245f0a</modId>
> <sequenceId>0</sequenceId>
> <userId>foo1</userId>
> <description>foo fighters 1</description>
> <name>foo1 fighters</name>
> <internalId>d301b72a-916f-4419-94a4-df24fc8ac7ad</internalId>
> <ou>dev1</ou>
> <pwPolicy>cn=test1</pwPolicy>
> <sn>fighters</sn>
> <cn>foo1 fighters</cn>
> <dn>uid=foo1,ou=People,dc=example,dc=com</dn>
> <address/>
> <props>
> <modId>8e4f30a3-d452-4fc0-9ac6-fd73b298990f</modId>
> <sequenceId>0</sequenceId>
> <entry>
> <key>initAttrArrays</key>
> <value/>
> </entry>
> </props>
> <locked>true</locked>
> <reset>true</reset>
> <timeout>0</timeout>
> </entity>
> </FortResponse>
>
> Shawn
>
>> On Jun 5, 2017, at 9:56 PM, Shawn McKinney <[email protected]> wrote:
>>
>> Hey Brian,
>>
>> can you add/replace with this fortress.properties:
>>
>> ldap.server.type=openldap
>>
>> and tell me what happens. Normally I'd try it myself first but am sort of busy right now. Will have more time in a couple of days.
>>
>> Thanks,
>> Shawn
>>
>>> On Jun 5, 2017, at 8:41 AM, Brian Brooks (US) <[email protected]> wrote:
>>>
>>> Good Morning Shawn,
>>>
>>>> How did you enable pw policies in apacheds, can you point me to the setup instructions you used?
>>>
>>> We just set up a vanilla install of ApacheDS on a Windows 10 virtual machine using apacheds-2.0.0-M23.exe downloaded from
>>>
>>> http://directory.apache.org/apacheds/download/download-windows.html
>>>
>>> The ApacheDS instance is configured with default settings which includes enabling a default password policy.
>>>
>>> http://directory.apache.org/apacheds/advanced-ug/4.3-password-policy.html
>>>
>>> Dave set up the ApacheDS, when he gets back in the office I can confirm whether he customized anything.
>>>
>>> Here's an LDIF export of
>>>
>>> * ou=config
>>> * ads-directoryServiceId=<default>
>>> * ou=interceptors
>>> * ads-interceptorId=authenticationInterceptor
>>> * ou=passwordPolicies
>>>
>>> from our ApacheDS installation of
>>>
>>>
>>> dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>>> objectclass: ads-passwordPolicy
>>> objectclass: ads-base
>>> objectclass: top
>>> ads-pwdattribute: userPassword
>>> ads-pwdid: default
>>> ads-enabled: TRUE
>>> ads-pwdallowuserchange: TRUE
>>> ads-pwdcheckquality: 1
>>> ads-pwdexpirewarning: 600
>>> ads-pwdfailurecountinterval: 30
>>> ads-pwdgraceauthnlimit: 5
>>> ads-pwdgraceexpire: 0
>>> ads-pwdinhistory: 5
>>> ads-pwdlockout: TRUE
>>> ads-pwdlockoutduration: 0
>>> ads-pwdmaxage: 0
>>> ads-pwdmaxdelay: 0
>>> ads-pwdmaxfailure: 5
>>> ads-pwdmaxidle: 0
>>> ads-pwdmaxlength: 0
>>> ads-pwdminage: 0
>>> ads-pwdmindelay: 0
>>> ads-pwdminlength: 5
>>> ads-pwdmustchange: FALSE
>>> ads-pwdsafemodify: FALSE
>>> ads-pwdvalidator: org.apache.directory.server.core.api.authn.ppolicy.DefaultPasswordValidator
>>> createtimestamp: 20170523201006.896Z
>>> creatorsname: uid=admin,ou=system
>>> entrycsn: 20170523201006.896000Z#000000#000#000000
>>> entryDN: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>>> entryParentId: 81135817-120c-4b89-81be-33f759cd5319
>>> entryuuid:: ZGYyYjI2OTctNzQ4OC00NzUzLWFiOGEtZWJhMmRhOTE1NmQ1
>>> nbChildren: 0
>>> nbSubordinates: 0
>>> subschemaSubentry: cn=schema
>>>
>>> Brian Brooks
>>> Sr Software Engineer
>>> [email protected]
>>> Office: +1 678 252 4498
>>> 2205 Northmont Pkwy, STE 100
>>> Duluth, GA 30096
>>>
>>> -----Original Message-----
>>> From: Shawn McKinney [mailto:[email protected]]
>>> Sent: Monday, June 05, 2017 8:23 AM
>>> To: [email protected]
>>> Subject: Re: Using REST API to get user's locked and reset states
>>>
>>> Hi Brian,
>>>
>>> I’ll need to set up an apacheds instance locally that matches your config.
>>>
>>>
>>> How did you enable pw policies in apacheds, can you point me to the setup instructions you used?
>>>
>>> In the meantime, here is a response via enmasse of a user whose account is both locked and reset.
>>>
>>> The policy attributes are being populated. But again I’m using openldap, and need to run the exact same test with ads.
>>>
>>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>>> <FortResponse>
>>> <errorCode>0</errorCode>
>>> <entity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="user">
>>> <modId>cb792bd1-c8fe-424f-a629-aad6c5572aa9</modId>
>>> <sequenceId>0</sequenceId>
>>> <userId>foo1</userId>
>>> <description>foo fighter</description>
>>> <name>foo1</name>
>>> <internalId>fdc4a7f3-62f7-47d4-aac4-bac4b7cdb551</internalId>
>>> <ou>dev1</ou>
>>> <pwPolicy>cn=test1</pwPolicy>
>>> <sn>fighter</sn>
>>> <cn>foo1</cn>
>>> <dn>uid=foo1,ou=People,dc=example,dc=com</dn>
>>> <address/>
>>> <props>
>>> <modId>fc416338-69bd-46df-8b00-e1fd6be7ed9c</modId>
>>> <sequenceId>0</sequenceId>
>>> <entry>
>>> <key>initAttrArrays</key>
>>> <value/>
>>> </entry>
>>> </props>
>>> <locked>true</locked>
>>> <reset>true</reset>
>>> <timeout>0</timeout>
>>> </entity>
>>> </FortResponse>
>>>
>>>
>>> Shawn
>>>
>>>
>>>> On Jun 2, 2017, at 3:39 PM, Brian Brooks (US) <[email protected]> wrote:
>>>>
>>>> Hi Shawn,
>>>>
>>>> Dave and I work together. He's on vacation for a couple days.
>>>>
>>>>> Can you export that corresponding user entry into ldif and post it here?
>>>>
>>>> Below is the dave user's entry exported to ldif (I omitted the jpegPhoto, userPassword, and the 5 pwdHistory attributes).
>>>>
>>>> I don't see the policy attribute even though fortress-commander seems to successfully commit the password policy assignment. For example, I just tried to change another user's password policy and tomcat recorded an HTTP 200 in its access log. I don't see any obvious errors in the tomcat stdout/stderr/catalina logs.
>>>>
>>>> 10.1.122.55 - test [02/Jun/2017:16:26:34 -0400] "POST /fortress-web/wicket/bookmarkable/org.apache.directory.fortress.web.UserPage?2-1.IBehaviorListener.0-layout-userdetailpanel-editFields-commit&wicket-ajax=true&wicket-ajax-baseurl=wicket%2Fbookmarkable%2Forg.apache.directory.fortress.web.UserPage%3F2 HTTP/1.1" 200 261634
>>>>
>>>> dn: uid=dave,ou=People,dc=example,dc=com
>>>> objectClass: extensibleObject
>>>> objectClass: ftMods
>>>> objectClass: ftProperties
>>>> objectClass: ftUserAttrs
>>>> objectClass: organizationalPerson
>>>> objectClass: person
>>>> objectClass: inetOrgPerson
>>>> objectClass: top
>>>> cn: dave
>>>> ftId: 8f35b947-6db5-4e4f-a73a-98b448b15874
>>>> sn: dave
>>>> displayName: dave
>>>> ftCstr: dave$0$$$$$$$
>>>> ftModCode: AdminMgrImpl.resetPassword
>>>> ftModId: e351aa19-aded-4a92-ab3b-725c5c75ec9b
>>>> ftModifier: 70e12de5-cbf5-4152-b98a-89d185667bda
>>>> ftProps: initAttrArrays:
>>>> ftRA: fortress-rest-super-user
>>>> ftRC: fortress-rest-super-user$0$$$$$$$
>>>> ftSystem: FALSE
>>>> ou: dev0
>>>> uid: dave
>>>> createTimestamp: 20170531211627.651Z
>>>> creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
>>>> entryCSN: 20170601195338.392000Z#000000#001#000000
>>>> entryDN: uid=dave,ou=People,dc=example,dc=com
>>>> entryParentId: a59bdb1e-b9eb-40c1-acbc-6be60ee64b42
>>>> entryUUID:: M2MyNzc0YTctNWQzMy00ODdlLTk1ZWItMjZhNWNmMTJiYTkz
>>>> modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
>>>> modifyTimestamp: 20170601195338.057Z
>>>> nbChildren: 0
>>>> nbSubordinates: 0
>>>> pwdAccountLockedTime: 000001010000Z
>>>> pwdReset: TRUE
>>>> subschemaSubentry: cn=schema
>>>>
>>>>
>>>> Brian Brooks
>>>> Sr Software Engineer
>>>> [email protected]
>>>> Office: +1 678 252 4498
>>>> 2205 Northmont Pkwy, STE 100
>>>> Duluth, GA 30096
>>>>
>>>> -----Original Message-----
>>>> From: Shawn McKinney [mailto:[email protected]]
>>>> Sent: Thursday, June 01, 2017 6:12 PM
>>>> To: [email protected]
>>>> Subject: Re: Using REST API to get user's locked and reset states
>>>>
>>>> Welcome Dave,
>>>>
>>>> Can you export that corresponding user entry into ldif and post it here? We’ll need to see the operational attributes before trying to figure out where the problem is.
>>>>
>>>> For example, here’s an export I did of test user ‘foo1’. You can see that I’ve put that user’s account into both a locked and reset state (in openldap).
>>>>
>>>> You can also see this user’s password policy is ‘test1’.
>>>>
>>>> dn: uid=foo1,ou=People,dc=example,dc=com
>>>> objectClass: extensibleObject
>>>> objectClass: ftMods
>>>> objectClass: ftProperties
>>>> objectClass: ftUserAttrs
>>>> objectClass: inetOrgPerson
>>>> objectClass: top
>>>> cn: foo1
>>>> ftId: fdc4a7f3-62f7-47d4-aac4-bac4b7cdb551
>>>> sn: fighter
>>>> description: foo fighter
>>>> displayName: foo1
>>>> ftCstr: foo1$0$$$$$$$
>>>> ftProps: initAttrArrays:
>>>> ou: dev1
>>>> uid: foo1
>>>> userPassword:: e1NTSEF9UVQ0K21NdE5lYTBwckFRTC96QlQ2akZrK1ZESTIxd3E=
>>>> createTimestamp: 20170601212713Z
>>>> creatorsName: cn=Manager,dc=example,dc=com
>>>> entryCSN: 20170601213012.870902Z#000000#000#000000
>>>> entryDN: uid=foo1,ou=People,dc=example,dc=com
>>>> entryUUID:: ZDJlMDE3YjItZGI1Yy0xMDM2LThlMzMtNTkzZmZmYzA1ODU4
>>>> hasSubordinates: FALSE
>>>> modifiersName: cn=Manager,dc=example,dc=com
>>>> modifyTimestamp: 20170601213012Z
>>>> pwdAccountLockedTime: 000001010000Z
>>>> pwdChangedTime: 20170601212844Z
>>>> pwdHistory:: MjAxNzA2MDEyMTI4NDRaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzM4I3tTU0hBfXlSVm5jMjVUUThZN2libnVuVEpUR2VVY1pYeFBCdjFR
>>>> pwdPolicySubentry: cn=test1,ou=Policies,dc=example,dc=com
>>>> pwdReset: TRUE
>>>> structuralObjectClass: inetOrgPerson
>>>> subschemaSubentry: cn=Subschema
>>>>
>>>>
>>>>
>>>> thanks
>>>> Shawn
>>>>
>>>>
>>>>> On Jun 1, 2017, at 10:57 AM, David Erie (US) <[email protected]> wrote:
>>>>>
>>>>> Hello,
>>>>> We're evaluating Fortress with ApacheDS, and I'm trying to get a user's account status (locked and reset, specifically) via the REST API for a user whose account is locked and whose password has been reset.
>>>>>
>>>>> What I get back is this:
>>>>>
>>>>> <entity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="user">
>>>>> ..
>>>>> <userId>dave</userId>
>>>>> <locked>false</locked>
>>>>> <reset>false</reset>
>>>>> ..
>>>>> </entity>
>>>>>
>>>>> How can I tell that a user's account has been locked or reset when these Boolean properties don't seem to contain the correct information?
>>>>>
>>>>> Thank you,
>>>>> Dave
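Deriving the locked and reset booleans from the operational attributes in the LDIF exports above, as an added Python example rather than Fortress's own code: it unfolds LDIF continuation lines, decodes '::' base64 values, and applies the LDAP password-policy draft's rules, under which a pwdAccountLockedTime of 000001010000Z, or a pwdLockoutDuration of 0 (the ads-pwdlockoutduration: 0 in the posted default policy), means the account stays locked until an administrator clears it. The sample entries are constructed, trimmed copies of the ones in the thread.

```python
import base64
from datetime import datetime, timedelta, timezone

# pwdAccountLockedTime value the password-policy draft reserves for "locked permanently"
ADMIN_LOCK = "000001010000Z"

# Constructed samples: trimmed copies of the entries posted in the thread.
POLICY_LDIF = """dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationIn
 terceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
ads-pwdlockoutduration: 0
"""
DAVE_LDIF = """dn: uid=dave,ou=People,dc=example,dc=com
entryUUID:: M2MyNzc0YTctNWQzMy00ODdlLTk1ZWItMjZhNWNmMTJiYTkz
pwdAccountLockedTime: 000001010000Z
pwdReset: TRUE
"""

def parse_ldif_entry(text):
    """{attr.lower(): [values]} from one LDIF entry; unfolds lines, decodes '::' base64."""
    lines = []
    for raw in text.strip("\n").splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # folded line: append to the previous one
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        if ":: " in line:
            name, value = line.split(":: ", 1)
            value = base64.b64decode(value).decode("utf-8", "replace")
        else:
            name, value = line.split(": ", 1)
        entry.setdefault(name.lower(), []).append(value.strip())
    return entry

def lockout_duration(policy_ldif):
    """pwdLockoutDuration in seconds from an ApacheDS ads-passwordPolicy entry."""
    return int(parse_ldif_entry(policy_ldif)["ads-pwdlockoutduration"][0])

def account_state(entry, lockout_secs, now=None):
    """(locked, reset) from operational attrs; lockout_secs == 0 means locked until admin unlock."""
    now = now or datetime.now(timezone.utc)
    reset = entry.get("pwdreset", ["FALSE"])[0].upper() == "TRUE"
    locked_at = entry.get("pwdaccountlockedtime", [None])[0]
    if locked_at is None:
        return False, reset
    if locked_at == ADMIN_LOCK or lockout_secs == 0:
        return True, reset
    since = datetime.strptime(locked_at, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return now < since + timedelta(seconds=lockout_secs), reset
```

Running it against the posted dave entry with the posted default policy yields (True, True), which is what the REST response should report once Fortress is told to process the ppolicy attributes.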
