RE: 2 issues with Password policy response warnings / types
OK, Thank you very much for the clarification. I really thought I had it right.
Last question on this. In the case where the length after the 0x80 is 1. As
below, where the length is 2.
30, 9, a0, 4, 80, 2, 0, d0, 81, 1, 2,
Do you know how to decode the int value? I'm looking for 208, which is 0xd0
but not sure what to do with the other 0x00 byte?
We're trying to untwist these messages on our own. If there's a class in the
project that's already doing this please lead us to it.
Thank you.
Regards,
Carlo Accorsi
-Original Message-
From: Emmanuel Lécharny [mailto:elecha...@gmail.com]
Sent: Thursday, June 21, 2012 6:40 PM
To: users@directory.apache.org
Subject: Re: 2 issues with Password policy response warnings / types
Le 6/21/12 8:24 PM, carlo.acco...@ibs-ag.com a écrit :
Hi, we're deep into testing the password policy and we came across
this situation. Using DS built from the trunk version 1349996
Short description. In the ASN.1 response:
When the password is expiring in 60 seconds , the three bytes should
be -128, 0, 60 instead they are -128, 1, 60
No. The second byte is the length of the next field. Controls are encoded using
BER encoding, which means every PDU is encoded to containg a type, a length and
a value (TLV). Here, the type is 0x80 for timeBeforeExpiration and 0x81 for
graceLoginsRemaining. As soon as you have an integer type, then the L byte is
something between 1 and 4,
*never* 0.
So 0x80 0x01 0x3C is correct.
When 4 grace logins remain, the three bytes should be -128, 1, 4
instead they are -127, 1, 4
Again, graceLogin is encoded 0x81 (-127) per the specification :
SEQUENCE {
warning [0] CHOICE OPTIONAL {
timeBeforeExpiration [0] INTEGER (0 .. MaxInt), // 0x80- -128
graceLoginsRemaining [1] INTEGER (0 .. maxInt) } // 0x81- -127
so -127, 1, 4 is correct
We have a user that has the pwdReset = true Attribute AND their password
is about to expire.
This is the byte[] value returned after 3 consecutive logins, you can
see the password expiration working
[48, 8, -96, 3, -128, 1, 122, -127, 1, 2] // pw expires in 122
seconds [48, 8, -96, 3, -128, 1, 83, -127, 1, 2] // pw expires in 83
seconds [48, 8, -96, 3, -128, 1, 48, -127, 1, 2] // pw expires in 48
seconds
// here's the last case decoded.
48 (30) Skip
8 (8) Length = 8
-96 (160) Continue
This is 0xA0, the T for Warning[0] in the ASN/1 grammar
3 (3) Length = 3
-128 (128) Warning OK
this is 0x80, the T for timeBeforeExpiration [0] in the ASN/1 grammar
1 (1) Type 1-- ?? This should be error Type 0? Type 1 defines Grace
Logins
This is not a type, it's the integer length for the timeBeforeExpiration field
48 (48) 48 seconds remaining on password-- expected value but is
getting set in grace logins
Do you mean that the control is fed incorrectly ?
// loop again
-127 (129) Error OK
1 (1) length =1
2 (2) Error CHANGE_AFTER_RESET-- this is what we expect.
correct
Here's the same case, after the password expires. The Grace Login also
has an Error instead of a warning [48, 8, -96, 3, -127, 1, 4, -127, 1,
2]
-127 (129) Error-- This should be a Warning -128
1 (1) Type 1 = Grace Logins remaining-- this is the correct warning
type
4 (4) 4 logins remaining-- correct # of logins remaining
Not sure I get your point on this last sample.
If I decode the bytes, here is what I get :
0x30 0x08 // a SEQUENCE, 8 bytes long
0xA0 0x03 // Warning, 3 bytes
0x81 0x01 0x04 // graceLoginsRemaining, one byte, value = 4
0x81 0x01 0x02 // error, changeAfterReset
We may have some issues in the way we generate the response, but as far as I
can tell, the encoding is correct.
Do you mean that the resulting PasswordPolicy instance is not correctly set ?
This is not what I see in the decoder...
--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
Re: 2 issues with Password policy response warnings / types
take a look at the class
org.apache.directory.shared.asn1.ber.tlv.IntegerDecoder
On Sat, Jun 23, 2012 at 12:39 AM, carlo.acco...@ibs-ag.com wrote:
OK, Thank you very much for the clarification. I really thought I had it
right.
Last question on this. In the case where the length after the 0x80 is 1.
As below, where the length is 2.
30, 9, a0, 4, 80, 2, 0, d0, 81, 1, 2,
Do you know how to decode the int value? I'm looking for 208, which is
0xd0 but not sure what to do with the other 0x00 byte?
We're trying to untwist these messages on our own. If there's a class in the
project that's already doing this please lead us to it.
Thank you.
Regards,
Carlo Accorsi
-Original Message-
From: Emmanuel Lécharny [mailto:elecha...@gmail.com]
Sent: Thursday, June 21, 2012 6:40 PM
To: users@directory.apache.org
Subject: Re: 2 issues with Password policy response warnings / types
Le 6/21/12 8:24 PM, carlo.acco...@ibs-ag.com a écrit :
Hi, we're deep into testing the password policy and we came across
this situation. Using DS built from the trunk version 1349996
Short description. In the ASN.1 response:
When the password is expiring in 60 seconds , the three bytes should
be -128, 0, 60 instead they are -128, 1, 60
No. The second byte is the length of the next field. Controls are encoded
using BER encoding, which means every PDU is encoded to containg a type, a
length and a value (TLV). Here, the type is 0x80 for timeBeforeExpiration and
0x81 for graceLoginsRemaining. As soon as you have an integer type, then the
L byte is something between 1 and 4,
*never* 0.
So 0x80 0x01 0x3C is correct.
When 4 grace logins remain, the three bytes should be -128, 1, 4
instead they are -127, 1, 4
Again, graceLogin is encoded 0x81 (-127) per the specification :
SEQUENCE {
warning [0] CHOICE OPTIONAL {
timeBeforeExpiration [0] INTEGER (0 .. MaxInt), // 0x80- -128
graceLoginsRemaining [1] INTEGER (0 .. maxInt) } // 0x81- -127
so -127, 1, 4 is correct
We have a user that has the pwdReset = true Attribute AND their password
is about to expire.
This is the byte[] value returned after 3 consecutive logins, you can
see the password expiration working
[48, 8, -96, 3, -128, 1, 122, -127, 1, 2] // pw expires in 122
seconds [48, 8, -96, 3, -128, 1, 83, -127, 1, 2] // pw expires in 83
seconds [48, 8, -96, 3, -128, 1, 48, -127, 1, 2] // pw expires in 48
seconds
// here's the last case decoded.
48 (30) Skip
8 (8) Length = 8
-96 (160) Continue
This is 0xA0, the T for Warning[0] in the ASN/1 grammar
3 (3) Length = 3
-128 (128) Warning OK
this is 0x80, the T for timeBeforeExpiration [0] in the ASN/1 grammar
1 (1) Type 1-- ?? This should be error Type 0? Type 1 defines Grace
Logins
This is not a type, it's the integer length for the timeBeforeExpiration field
48 (48) 48 seconds remaining on password-- expected value but is
getting set in grace logins
Do you mean that the control is fed incorrectly ?
// loop again
-127 (129) Error OK
1 (1) length =1
2 (2) Error CHANGE_AFTER_RESET-- this is what we expect.
correct
Here's the same case, after the password expires. The Grace Login also
has an Error instead of a warning [48, 8, -96, 3, -127, 1, 4, -127, 1,
2]
-127 (129) Error-- This should be a Warning -128
1 (1) Type 1 = Grace Logins remaining-- this is the correct warning
type
4 (4) 4 logins remaining-- correct # of logins remaining
Not sure I get your point on this last sample.
If I decode the bytes, here is what I get :
0x30 0x08 // a SEQUENCE, 8 bytes long
0xA0 0x03 // Warning, 3 bytes
0x81 0x01 0x04 // graceLoginsRemaining, one byte, value = 4
0x81 0x01 0x02 // error, changeAfterReset
We may have some issues in the way we generate the response, but as far as I
can tell, the encoding is correct.
Do you mean that the resulting PasswordPolicy instance is not correctly set ?
This is not what I see in the decoder...
--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
--
Kiran Ayyagari
RE: 2 issues with Password policy response warnings / types
Thanks that's great!
Carlo Accorsi
-Original Message-
From: ayyagariki...@gmail.com [mailto:ayyagariki...@gmail.com] On Behalf Of
Kiran Ayyagari
Sent: Friday, June 22, 2012 3:15 PM
To: users@directory.apache.org
Subject: Re: 2 issues with Password policy response warnings / types
take a look at the class
org.apache.directory.shared.asn1.ber.tlv.IntegerDecoder
On Sat, Jun 23, 2012 at 12:39 AM, carlo.acco...@ibs-ag.com wrote:
OK, Thank you very much for the clarification. I really thought I had it
right.
Last question on this. In the case where the length after the 0x80 is 1.
As below, where the length is 2.
30, 9, a0, 4, 80, 2, 0, d0, 81, 1, 2,
Do you know how to decode the int value? I'm looking for 208, which is
0xd0 but not sure what to do with the other 0x00 byte?
We're trying to untwist these messages on our own. If there's a class in the
project that's already doing this please lead us to it.
Thank you.
Regards,
Carlo Accorsi
-Original Message-
From: Emmanuel Lécharny [mailto:elecha...@gmail.com]
Sent: Thursday, June 21, 2012 6:40 PM
To: users@directory.apache.org
Subject: Re: 2 issues with Password policy response warnings / types
Le 6/21/12 8:24 PM, carlo.acco...@ibs-ag.com a écrit :
Hi, we're deep into testing the password policy and we came across
this situation. Using DS built from the trunk version 1349996
Short description. In the ASN.1 response:
When the password is expiring in 60 seconds , the three bytes should
be -128, 0, 60 instead they are -128, 1, 60
No. The second byte is the length of the next field. Controls are
encoded using BER encoding, which means every PDU is encoded to
containg a type, a length and a value (TLV). Here, the type is 0x80
for timeBeforeExpiration and 0x81 for graceLoginsRemaining. As soon as
you have an integer type, then the L byte is something between 1 and
4,
*never* 0.
So 0x80 0x01 0x3C is correct.
When 4 grace logins remain, the three bytes should be -128, 1, 4
instead they are -127, 1, 4
Again, graceLogin is encoded 0x81 (-127) per the specification :
SEQUENCE {
warning [0] CHOICE OPTIONAL {
timeBeforeExpiration [0] INTEGER (0 .. MaxInt), // 0x80-
-128
graceLoginsRemaining [1] INTEGER (0 .. maxInt) } // 0x81-
-127
so -127, 1, 4 is correct
We have a user that has the pwdReset = true Attribute AND their password
is about to expire.
This is the byte[] value returned after 3 consecutive logins, you can
see the password expiration working
[48, 8, -96, 3, -128, 1, 122, -127, 1, 2] // pw expires in 122
seconds [48, 8, -96, 3, -128, 1, 83, -127, 1, 2] // pw expires in 83
seconds [48, 8, -96, 3, -128, 1, 48, -127, 1, 2] // pw expires in 48
seconds
// here's the last case decoded.
48 (30) Skip
8 (8) Length = 8
-96 (160) Continue
This is 0xA0, the T for Warning[0] in the ASN/1 grammar
3 (3) Length = 3
-128 (128) Warning OK
this is 0x80, the T for timeBeforeExpiration [0] in the ASN/1 grammar
1 (1) Type 1-- ?? This should be error Type 0? Type 1 defines Grace
Logins
This is not a type, it's the integer length for the
timeBeforeExpiration field
48 (48) 48 seconds remaining on password-- expected value but is
getting set in grace logins
Do you mean that the control is fed incorrectly ?
// loop again
-127 (129) Error OK
1 (1) length =1
2 (2) Error CHANGE_AFTER_RESET-- this is what we expect.
correct
Here's the same case, after the password expires. The Grace Login
also has an Error instead of a warning [48, 8, -96, 3, -127, 1, 4,
-127, 1, 2]
-127 (129) Error-- This should be a Warning -128
1 (1) Type 1 = Grace Logins remaining-- this is the correct warning
type
4 (4) 4 logins remaining-- correct # of logins remaining
Not sure I get your point on this last sample.
If I decode the bytes, here is what I get :
0x30 0x08 // a SEQUENCE, 8 bytes long
0xA0 0x03 // Warning, 3 bytes
0x81 0x01 0x04 // graceLoginsRemaining, one byte, value = 4
0x81 0x01 0x02 // error, changeAfterReset
We may have some issues in the way we generate the response, but as far as I
can tell, the encoding is correct.
Do you mean that the resulting PasswordPolicy instance is not correctly set ?
This is not what I see in the decoder...
--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
--
Kiran Ayyagari
Re: 2 issues with Password policy response warnings / types
Le 6/22/12 10:54 PM, carlo.acco...@ibs-ag.com a écrit :
Thanks that's great!
There is also a class that handle all the decoding and creates a plain
Java object with all the expected data :
DefaultLdapCodecService codec = new DefaultLdapCodecService();
PasswordPolicyDecorator control = new PasswordPolicyDecorator(
codec, true );
// bb contains the received bytes :
ByteBuffer bb = ByteBuffer.allocate( 0xA );
bb.put( new byte[]
{
0x30, 0x08,
( byte ) 0xA0, 0x03, // timeBeforeExpiration
( byte ) 0x80, 0x01, 0x01,
( byte ) 0x81, 0x01, 0x01 // ppolicyError
} );
bb.flip();
PasswordPolicy passwordPolicy = ( PasswordPolicy )
control.decode( bb.array() );
Here, you can no do :
if ( passwordPolicy.hasResponse() )
{
int expiration =
passwordPolicy.getResponse().getTimeBeforeExpiration();
int error =
passwordPolicy.getResponse().getPasswordPolicyError().getValue();
}
--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
Re: 2 issues with Password policy response warnings / types
Le 6/22/12 9:09 PM, carlo.acco...@ibs-ag.com a écrit : OK, Thank you very much for the clarification. I really thought I had it right. Last question on this. In the case where the length after the 0x80 is 1. As below, where the length is 2. 30, 9, a0, 4, 80, 2, 0, d0, 81, 1, 2, Do you know how to decode the int value? Just for the record, an integer above 0x7F and below7FFF will be encoded on 2 bytes. If the higher bit is 0, then the value is positive. I'm looking for 208, which is 0xd0 but not sure what to do with the other 0x00 byte? It's just there because you want a positive integer above 0x7F. Would you have 0x01 0xD0, it would be a negative value (-47). -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
