Re: Admin authorization for modifying passwords, did it change ? how to apply admin role to a user ?
On Tue, Jun 2, 2015 at 10:17 AM, Mark-nospam wrote:

> The last version I was using M17, I believe my scripts were able to bind
> with a private apps admin user and then create new users with passwords.
> I updated to M20, this operation now fails with : "Non-admin user cannot
> access another user's password to modify it"
> I thought there was recent discussion on this but I failed to find it in
> the mail archives and I don't see anything in changes between M17-M20
> related to this.
>
> Regardless, I would like to resolve in correct manner going forward.
>
> Is it possible to create user A in partition A that can acquire Admin role
> for changing passwords for other users in partition A or partition B etc.
>
> Can this group be used to associate other users as admins? DN:
> cn=Administrators,ou=groups,ou=system
>
> Or, is DN: uid=admin,ou=system the only user going forward which can make
> passwords changes when the requesting user doesn't match user-password.

currently this is the only way, (we have been discussing on how to grant other users admin privilege, but this is not there in the server yet)

> Thanks, Mark.

--
Kiran Ayyagari
http://keydap.com
Admin authorization for modifying passwords, did it change ? how to apply admin role to a user ?
The last version I was using M17, I believe my scripts were able to bind with a private apps admin user and then create new users with passwords. I updated to M20, this operation now fails with : "Non-admin user cannot access another user's password to modify it"

I thought there was recent discussion on this but I failed to find it in the mail archives and I don't see anything in changes between M17-M20 related to this.

Regardless, I would like to resolve in correct manner going forward.

Is it possible to create user A in partition A that can acquire Admin role for changing passwords for other users in partition A or partition B etc.

Can this group be used to associate other users as admins? DN: cn=Administrators,ou=groups,ou=system

Or, is DN: uid=admin,ou=system the only user going forward which can make passwords changes when the requesting user doesn't match user-password.

Thanks, Mark.
Re: Password Policy Enforced for admin user
> can you file a bug, I will take a look.
>
> thank you

Bug created: https://issues.apache.org/jira/browse/DIRSERVER-2067
Re: Unable to start ApacheDS 2.0.0-M20
Hi,

I ran into a similar issue last weekend and it turned out that it was requiring me to upgrade my JRE to at least 1.7.*. Please try upgrading your JRE to 1.7.*, it might resolve it.

Thanks,
Ike

From: Sunil Kalahasti
To: "users@directory.apache.org"
Date: 06/01/2015 12:45 AM
Subject: Unable to start ApacheDS 2.0.0-M20

We are unable to start ApacheDS 2.0.0-M20.

Following is the error log:

STATUS | wrapper | 2015/06/01 00:39:16 | --> Wrapper Started as Daemon
STATUS | wrapper | 2015/06/01 00:39:16 | Launching a JVM...
INFO | jvm 1| 2015/06/01 00:39:16 | Exception in thread "main" java.lang.UnsupportedClassVersionError: org/apache/directory/server/wrapper/ApacheDsTanukiWrapper : Unsupported major.minor version 51.0
INFO | jvm 1| 2015/06/01 00:39:16 | at java.lang.ClassLoader.defineClass1(Native Method)
INFO | jvm 1| 2015/06/01 00:39:16 | at java.lang.ClassLoader.defineClass(ClassLoader.java:643)
INFO | jvm 1| 2015/06/01 00:39:16 | at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
INFO | jvm 1| 2015/06/01 00:39:16 | at java.net.URLClassLoader.defineClass(URLClassLoader.java:277)
INFO | jvm 1| 2015/06/01 00:39:16 | at java.net.URLClassLoader.access$000(URLClassLoader.java:73)
INFO | jvm 1| 2015/06/01 00:39:16 | at java.net.URLClassLoader$1.run(URLClassLoader.java:212)
INFO | jvm 1| 2015/06/01 00:39:16 | at java.security.AccessController.doPrivileged(Native Method)
INFO | jvm 1| 2015/06/01 00:39:16 | at java.net.URLClassLoader.findClass(URLClassLoader.java:205)
INFO | jvm 1| 2015/06/01 00:39:16 | at java.lang.ClassLoader.loadClass(ClassLoader.java:323)
INFO | jvm 1| 2015/06/01 00:39:16 | at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:294)
INFO | jvm 1| 2015/06/01 00:39:16 | at java.lang.ClassLoader.loadClass(ClassLoader.java:268)
ERROR | wrapper | 2015/06/01 00:39:17 | JVM exited while loading the application.
INFO | jvm 1| 2015/06/01 00:39:17 | Could not find the main class: org.apache.directory.server.wrapper.ApacheDsTanukiWrapper. Program will exit.
FATAL | wrapper | 2015/06/01 00:39:17 | There were 1 failed launches in a row, each lasting less than 300 seconds. Giving up.
FATAL | wrapper | 2015/06/01 00:39:17 | There may be a configuration problem: please check the logs.
STATUS | wrapper | 2015/06/01 00:39:17 | <-- Wrapper Stopped

It seems it is due to the JDK version. We have JDK 1.6.x.

As per http://directory.apache.org/apacheds/basic-ug/1.3-installing-and-starting.html , it should work with JDK 6 as well.

I request you to please confirm which JDK version we require for ApacheDS 2.0.0-M20.

Thanks,
Sunil.
Re: Password Policy Enforced for admin user
David,

On Sat, May 30, 2015 at 3:12 AM, David Paulsen wrote:

> David Paulsen writes:
>
> > Kiran Ayyagari ...> writes:
> >
> > > On Fri, May 29, 2015 at 2:13 AM, David Paulsen ...> wrote:
> > >
> > > > I'm running in to a strange issue. I have two separate servers running the
> > > > official 2.0.0-M20 release. In one instance I can change the password to
> > > > anything I want (including the same password) when I bind to the
> > > > connection using the built in admin user (dn=uid=admin,ou=system). In
> > > > another instance running the same version of the 2.0.0-M20 release, that
> > > > exact same operation (again bound as admin user) results in the following
> > > > error: invalid reuse of password present in password history
> > >
> > > you sure that this is happening during bind? this check is performed only
> > > while updating the password of a user (excluding admin user)
> > >
> > > > It should never enforce the password policy for the admin user, correct?
> > > > Any idea what could be causing it to enforce the policy in one M20
> > > > instance and not the other?
> > > >
> > > > Thanks!
> >
> > Hi Kiran...
> >
> > Right. It didn't happen during bind, it happened when I tried to update
> > the password to the same value after binding as the
> > dn=uid=admin,ou=system user.
>
> I found a way to recreate this problem. I believe the issue is that when
> bound to a connection using the "uid=admin,ou=system" user, it enforces
> the ads-pwdInHistory in the password policy of the uid I'm changing the
> password for. For example, if I'm changing the password for
> uid=147547,ou=8300,ou=DVHead,dc=kewilltransport,dc=com, and that uid has a
> pwdPolicySubentry=ads-pwdId=DVHead8300,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config,
> it enforces the ads-pwdId=DVHead8300 policy's ads-pwdInHistory setting
> even with the admin user.
>
> My understanding is that since it's the admin user, it should not be
> enforcing any password policy rules.
>
> Steps:
> (1) Create a password policy where the ads-pwdInHistory is greater than
> 0 so it enforces not reusing passwords.
> (2) Create a uid and set its pwdPolicySubentry to the above password
> policy.
> (3) Create a connection and bind to it using the "uid=admin,ou=system"
> user, and then modify password for the above uid. You will get this
> error:
> error: invalid reuse of password present in password history

can you file a bug, I will take a look.

thank you

--
Kiran Ayyagari
http://keydap.com
Re: Unable to start ApacheDS 2.0.0-M20
On 01/06/15 07:44, Sunil Kalahasti wrote:

> We are unable to start ApacheDS 2.0.0-M20.
>
> Following is the error log:
>
> STATUS | wrapper | 2015/06/01 00:39:16 | --> Wrapper Started as Daemon
> STATUS | wrapper | 2015/06/01 00:39:16 | Launching a JVM...
> INFO | jvm 1| 2015/06/01 00:39:16 | Exception in thread "main" java.lang.UnsupportedClassVersionError: org/apache/directory/server/wrapper/ApacheDsTanukiWrapper : Unsupported major.minor version 51.0
> INFO | jvm 1| 2015/06/01 00:39:16 | at java.lang.ClassLoader.defineClass1(Native Method)
> INFO | jvm 1| 2015/06/01 00:39:16 | at java.lang.ClassLoader.defineClass(ClassLoader.java:643)
> INFO | jvm 1| 2015/06/01 00:39:16 | at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
> INFO | jvm 1| 2015/06/01 00:39:16 | at java.net.URLClassLoader.defineClass(URLClassLoader.java:277)
> INFO | jvm 1| 2015/06/01 00:39:16 | at java.net.URLClassLoader.access$000(URLClassLoader.java:73)
> INFO | jvm 1| 2015/06/01 00:39:16 | at java.net.URLClassLoader$1.run(URLClassLoader.java:212)
> INFO | jvm 1| 2015/06/01 00:39:16 | at java.security.AccessController.doPrivileged(Native Method)
> INFO | jvm 1| 2015/06/01 00:39:16 | at java.net.URLClassLoader.findClass(URLClassLoader.java:205)
> INFO | jvm 1| 2015/06/01 00:39:16 | at java.lang.ClassLoader.loadClass(ClassLoader.java:323)
> INFO | jvm 1| 2015/06/01 00:39:16 | at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:294)
> INFO | jvm 1| 2015/06/01 00:39:16 | at java.lang.ClassLoader.loadClass(ClassLoader.java:268)
> ERROR | wrapper | 2015/06/01 00:39:17 | JVM exited while loading the application.
> INFO | jvm 1| 2015/06/01 00:39:17 | Could not find the main class: org.apache.directory.server.wrapper.ApacheDsTanukiWrapper. Program will exit.
> FATAL | wrapper | 2015/06/01 00:39:17 | There were 1 failed launches in a row, each lasting less than 300 seconds. Giving up.
> FATAL | wrapper | 2015/06/01 00:39:17 | There may be a configuration problem: please check the logs.
> STATUS | wrapper | 2015/06/01 00:39:17 | <-- Wrapper Stopped
>
> It seems it is due to the JDK version. We have JDK 1.6.x.

Most certainly the pb. Switch to Java 8. Anyway, Java 6 has been EOL for more than 2 years and Java 7 has been EOL since last month.

> As per
> http://directory.apache.org/apacheds/basic-ug/1.3-installing-and-starting.html
> , it should work with JDK 6 as well.

I have updated the page. Thanks for pointing that out!
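
Added example, not part of the original messages or of ApacheDS: a small Python helper that reads the "Unsupported major.minor version" error from a wrapper log and reports the oldest Java release able to load the class, and that reads the same version number from a class file header. The function names are hypothetical; the log line is the one quoted in the thread, and the 8-byte header is constructed for the example.

```python
import re
import struct

# Error text in the format shown in the wrapper log quoted in this thread.
ERR = re.compile(
    r"UnsupportedClassVersionError:\s*(\S+)\s*:\s*"
    r"Unsupported major\.minor version (\d+)\.(\d+)"
)

# Class-file major versions used before Java 5 (JVM specification).
LEGACY = {45: "1.1", 46: "1.2", 47: "1.3", 48: "1.4"}

def required_java(major):
    """Oldest Java release whose JVM accepts this class-file major version."""
    if major in LEGACY:
        return LEGACY[major]
    if major >= 49:  # 49 -> Java 5, 50 -> 6, 51 -> 7, 52 -> 8, ...
        return str(major - 44)
    raise ValueError("not a valid class-file major version: %d" % major)

def class_file_version(data):
    """Return (major, minor) from the first 8 bytes of a .class file."""
    if len(data) < 8:
        raise ValueError("truncated class file")
    magic, minor, major = struct.unpack(">IHH", data[:8])
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    return major, minor

def diagnose(log_text):
    """List (class name, major version, required Java) for each error found."""
    return [
        (m.group(1), int(m.group(2)), required_java(int(m.group(2))))
        for m in ERR.finditer(log_text)
    ]

# Log line copied from the thread.
SAMPLE_LOG = (
    'INFO | jvm 1| 2015/06/01 00:39:16 | Exception in thread "main" '
    "java.lang.UnsupportedClassVersionError: "
    "org/apache/directory/server/wrapper/ApacheDsTanukiWrapper : "
    "Unsupported major.minor version 51.0\n"
)
# Constructed 8-byte class-file header: magic, minor 0, major 51.
SAMPLE_HEADER = bytes.fromhex("cafebabe00000033")
```

For the log in this thread, diagnose(SAMPLE_LOG) reports that the wrapper class needs Java 7 or later, which is why a 1.6 JRE fails to load it.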