Re: Getting Password Expired Instead of Invalid Credentials
https://issues.apache.org/jira/browse/DIRSERVER-2051

Many thanks!

No problem. Any chance of this getting in 2.0.0-M20?
Re: Generating new certificate
On 09/03/15 15:24, Kevin Hamilton wrote:

> Hello,
>
> When you configure ApacheDS to be ldaps enabled, it automatically generates a certificate that will work in the meantime. Is there a strategy for regenerating the certificate if it has expired?

The idea was just to make it easy to set up, but the key here is that you set your own certificate instead.
Generating new certificate
Hello,

When you configure ApacheDS to be ldaps enabled, it automatically generates a certificate that will work in the meantime. Is there a strategy for regenerating the certificate if it has expired?

Thanks,
Kevin
Re: pwdMustChange not working
On Tue, Mar 10, 2015 at 5:11 AM, Emmanuel Lécharny elecha...@gmail.com wrote:

> On 08/03/15 05:33, brock samson wrote:
>
> > Carlo, you are correct. pwdSafeModify value was TRUE. So after resetting it back to FALSE and restarting, everything is working as you described in your last post, thank you!
> >
> > However, the question remains to everyone else about the pwdSafeModify attribute's value being TRUE and an admin changing some user's password via Apache Studio. As I stated in my previous post, such an action results in an error where Apache Studio asks for the user's original password. My question is how to disclose this original password in Apache Studio?
>
> I strongly suspect that the implemented logic is that it's seen as a Modify, thus it expects to have the old value (to delete it) and the new one (to replace it). The thing is that a user may have more than one password, and on a modify operation, changing only one of the passwords will require knowing which of the passwords has to be removed (the old one).
>
> Now, considering the passwordPolicy implementation, this makes no sense: we should only have one single password for a user for the PP to be able to manage the password correctly, thus requiring the old password is nonsensical. This is something that needs to be fixed.
>
> There is also one other thing that I don't like in the way the PP is handled: one should never have to enter the pwdPolicySubEntry attribute in an entry. This attribute is not needed at all unless there is a custom policy to be applied on a user entry. But this is another problem that requires a full redesign of the PP implementation.
>
> Something we must discuss, it's not a simple task...

--
Kiran Ayyagari
http://keydap.com
RE: pwdMustChange not working
Great, and it sounds like you found a bug. Thanks.

-----Original Message-----
From: brock samson [mailto:brock.sams...@hotmail.com]
Sent: Saturday, March 07, 2015 11:33 PM
To: users@directory.apache.org
Subject: RE: pwdMustChange not working

Carlo, you are correct. pwdSafeModify value was TRUE. So after resetting it back to FALSE and restarting, everything is working as you described in your last post, thank you!

However, the question remains to everyone else about the pwdSafeModify attribute's value being TRUE and an admin changing some user's password via Apache Studio. As I stated in my previous post, such an action results in an error where Apache Studio asks for the user's original password. My question is how to disclose this original password in Apache Studio?

From: carlo.acco...@ibs-ag.com
To: users@directory.apache.org
Subject: RE: pwdMustChange not working
Date: Fri, 6 Mar 2015 13:29:51 +

Brock,

Not sure about that. The only thing I can think of is you may have the ads-pwdsafemodify set TRUE. We looked at this feature a couple of years ago and I don't think it was implemented then, but it may be now in M19. If that's the case, you could try setting it FALSE (and restarting). The Studio's UI might not have the ability to provide the existing password while changing. I don't know. If you post the full stack trace of the exception it may offer better clues.

Thanks

-----Original Message-----
From: brock samson [mailto:brock.sams...@hotmail.com]
Sent: Friday, March 06, 2015 12:19 AM
To: users@directory.apache.org
Subject: RE: pwdMustChange not working

Carlo, thank you for such a detailed description. I never mentioned in my initial post that I already had pwdPolicySubentry placed as a user's attribute, though its value is pointing to ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config, which is the OOTB password policy.

The part that I did not perform was having the admin change that user's password, which results in the pwdReset attribute being set. Yet when I signed in as an admin (uid=admin,ou=system) to Apache Studio and then proceeded to change a user's (uid=bob,ou=users,o=mycompany) password, I got the following error: LdapNoPermissionException: trying to update password attribute without the supplying the old password.

Do you know what I am doing wrong? Should an admin be forced to enter an old password? If that is the case, how do I make Apache Studio do that?

Thanks.

From: carlo.acco...@ibs-ag.com
To: users@directory.apache.org
Subject: RE: pwdMustChange not working
Date: Thu, 5 Mar 2015 19:04:58 +

Hi, we've been using that feature for quite some time to force a user to change their password after it's been reset by an admin. Make sure the user(s) you want this to affect have the pwdPolicySubEntry attribute set on their entry with the DN of the password policy entry. For example:

dn: uid=jsmith,ou=users,ou=int,o=company
uid: jsmith
cn: jsmith
...
pwdPolicySubEntry: ads-pwdId=internalUsers,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config

Then on the policy entry itself, the attribute ads-pwdmustchange must be set TRUE. And the policy must be enabled, ads-enabled=TRUE. If you've made changes to the policy, restart the server.

Then if an admin, using the bind credentials (uid=admin,ou=system), sets the password for jsmith, the pwdReset attribute is added to their user entry. The next time jsmith binds with their credentials, you get a signal that the password must change in the bind response.
Here's some pseudo code:

```java
// Bind with the password policy request control attached
BindRequest bindRequest = new BindRequestImpl();
bindRequest.setDn(dn);
bindRequest.setCredentials(strPassword);

LdapApiService codec = LdapApiServiceFactory.getSingleton();
PasswordPolicyDecorator pwCtrl = new PasswordPolicyDecorator(codec, new PasswordPolicyImpl());
bindRequest.addControl(pwCtrl);

BindResponse bindResponse = connection.bind(bindRequest);

// The server's answer comes back as a control on the bind response, looked up by the ppolicy OID
PasswordPolicyDecorator ctrl = (PasswordPolicyDecorator) bindResponse.getControl(PasswordPolicy.OID);
if (ctrl != null) {
    PasswordPolicy pwPolicy = ctrl.getDecorated();
    if (pwPolicy.hasResponse()) {
        PasswordPolicyResponse pw = pwPolicy.getResponse();
        // process password response
        if (PasswordPolicyErrorEnum.CHANGE_AFTER_RESET == pw.getPasswordPolicyError()) {
            // this will be true when the pwdReset attr is present on the user
            // call your change password code here
        }
    }
}
```
RE: pwdMustChange not working
Thanks for your responses. Our logic assigns the pwdPolicySubEntry attribute value for a user from one of many policies. Please don't take away the ability to write to it :)

-----Original Message-----
From: Kiran Ayyagari [mailto:kayyag...@apache.org]
Sent: Monday, March 09, 2015 6:06 PM
To: users@directory.apache.org
Subject: Re: pwdMustChange not working

On Tue, Mar 10, 2015 at 5:11 AM, Emmanuel Lécharny elecha...@gmail.com wrote:

> On 08/03/15 05:33, brock samson wrote:
>
> > Carlo, you are correct. pwdSafeModify value was TRUE. So after resetting it back to FALSE and restarting, everything is working as you described in your last post, thank you!
> >
> > However, the question remains to everyone else about the pwdSafeModify attribute's value being TRUE and an admin changing some user's password via Apache Studio. As I stated in my previous post, such an action results in an error where Apache Studio asks for the user's original password. My question is how to disclose this original password in Apache Studio?
>
> I strongly suspect that the implemented logic is that it's seen as a Modify, thus it expects to have the old value (to delete it) and the new one (to replace it). The thing is that a user may have more than one password, and on a modify operation, changing only one of the passwords will require knowing which of the passwords has to be removed (the old one).
>
> Now, considering the passwordPolicy implementation, this makes no sense: we should only have one single password for a user for the PP to be able to manage the password correctly, thus requiring the old password is nonsensical. This is something that needs to be fixed.
>
> There is also one other thing that I don't like in the way the PP is handled: one should never have to enter the pwdPolicySubEntry attribute in an entry. This attribute is not needed at all unless there is a custom policy to be applied on a user entry. But this is another problem that requires a full redesign of the PP implementation.
>
> Something we must discuss, it's not a simple task...

--
Kiran Ayyagari
http://keydap.com
Re: Kerberos issue - reg
Zheng, Kai kai.zheng@... writes:

> Did you run kinit on Linux with the MIT Kerberos client package installed? Or are you running the Java-provided kinit command?
>
> The issue might be related to this issue: http://bugs.java.com/bugdatabase/view_bug.do?bug_id=7067974
>
> This is possible because ApacheDS currently relies on the JRE for encryption support. Similar issues have been complained about quite a lot, if you'd like to google for them. Unfortunately no plain solution is clear to me. One stupid way to work around this would be to disable preauth, if the ApacheDS server allows that via configuration.
>
> By the way, we will check compatibility between Kerby and MIT Kerberos/MS AD and keep such issues in mind. With such aspects resolved we would enhance ApacheDS by leveraging the Kerby library if the server still desires to embed a KDC server. But this won't happen so soon, so it may not help you at this time.
>
> Regards,
> Kai
>
> From: kumar r [mailto:rajkumar9880 at gmail.com]
> Sent: Friday, March 06, 2015 7:02 PM
> To: dev at directory.apache.org; users at directory.apache.org
> Subject: Kerberos issue - reg
>
> Hi,
>
> I have installed ApacheDS 2.0.0-M19; I could successfully create users and groups using LDAP. When I enable Kerberos, it couldn't authenticate from Apache Studio or the kinit command. When trying to get a ticket using the kinit command, I am getting an "Integrity check on decrypted field failed" exception. When I use an invalid principal, it shows "client not found". It seems that it could contact the KDC server in ApacheDS, but it might be an encryption problem. Checked these on Windows 8 OS. Referred to many links but unable to find the solution.
>
> Found two JIRA tasks related to this problem:
> https://issues.apache.org/jira/browse/DIRSERVER-1821
> https://issues.apache.org/jira/browse/DIRSTUDIO-992
>
> I have created the krbtgt and ldap service as referred to in https://directory.apache.org/apacheds/kerberos-ug/4.2-authenticate-studio.html.
>
> Can you please tell me how to solve this problem?
>
> Thanks,
> R.Kumar

Thanks Kai.

I run the kinit command provided by Java on a Windows 8 machine. But I could successfully get a ticket and authenticate with Kerberos when using Windows Server Active Directory. Is there any way to use ApacheDS as KDC on Windows successfully instead of Active Directory?

Thanks,
R.Kumar