Hi,

1.) Installed clean Apache DS 2.0.0-M3 with default instance - OK
2.) Import LDIF of my own JDBM partition. - OK
3.) Import LDIF root DSE for my new partition - OK
4.) Import LDIF for my own password policy - OK
5.) Import LDIF user in my new partition with pwdPolicySubEntry set for policy in step 4. - OK
6.) Try and modify any attribute of user imported in step 5 and the exception below is thrown.

Any ideas?

// step 5 result
#!RESULT OK
#!CONNECTION ldap://localhost:10389
#!DATE 2011-10-04T09:30:33.945
dn: uid=1286309809117,ou=users,ou=int,o=cpro
changetype: add
employeeNumber: jsmith
initials: w
sn: Smith
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
mail: null@locahost
givenName: John
uid: 1286309809117
pwdPolicySubEntry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
cn: Smith, John
displayName: Smith, John
userPassword:: e1NIQX1RTDBBRldNSVg4TlJaVEtlb2Y6Y1hzdmJ2dTg9

// step 6, change givenName
#!RESULT ERROR
#!CONNECTION ldap://localhost:10389
#!DATE 2011-10-04T09:30:47.177
#!ERROR [LDAP: error code 54 - LOOP_DETECT: failed for MessageType : MODIFY_REQUEST Message ID : 14 Modify Request Object : 'uid=1286309809117,ou=users,ou=int,o=cpro' Modification[0] Operation : replace Modification givenName: John2 org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@86392ad2: ERR_333 Unexpected exception.]
dn: uid=1286309809117,ou=users,ou=int,o=cpro
changetype: modify
replace: givenName
givenName: John2

// ldif of my password policy
dn: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
objectclass: top
objectclass: ads-base
objectclass: ads-passwordPolicy
ads-pwdattribute: userPassword
ads-pwdid: cproext
ads-enabled: TRUE
ads-pwdallowuserchange: TRUE
ads-pwdcheckquality: 1
ads-pwdexpirewarning: 600
ads-pwdfailurecountinterval: 30
ads-pwdgraceauthnlimit: 5
ads-pwdgraceexpire: 0
ads-pwdinhistory: 5
ads-pwdlockout: TRUE
ads-pwdlockoutduration: 0
ads-pwdmaxage: 0
ads-pwdmaxdelay: 0
ads-pwdmaxfailure: 5
ads-pwdmaxidle: 0
ads-pwdmaxlength: 0
ads-pwdminage: 0
ads-pwdmindelay: 0
ads-pwdminlength: 5
ads-pwdmustchange: FALSE
ads-pwdsafemodify: FALSE

Thank you!!
-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Friday, September 30, 2011 5:05 PM
To: [email protected]
Subject: RE: [ApacheDS] looking for simple config for password policy enforcement.

Hi, and thank you for your response.

I've been able to create a second policy all along, however I kept running into the same problem when trying to add the 'pwdPolicySubentry' to an existing user.
Is it possible to modify the pwdPolicySubentry attribute on an existing user? The schema browser shows that the attribute has a read-only flag (NO-USER-MODIFICATION).

#!RESULT ERROR
#!CONNECTION ldap://localhost:10389
#!DATE 2011-09-30T16:16:01.784
#!ERROR [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for MessageType : MODIFY_REQUEST Message ID : 31 Modify Request Object : 'uid=1286309809116,ou=users,ou=int,o=cpro' Modification[0] Operation : add Modification pwdPolicySubentry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@4b131069: ERR_52 Cannot modify the attribute : ATTRIBUTE_TYPE ( 1.3.6.1.4.1.42.2.27.8.1.23 NAME 'pwdPolicySubentry' DESC The pwdPolicy subentry in effect for this object EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation ) ]
dn: uid=1286309809116,ou=users,ou=int,o=cpro
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config

Anyway, I then tried a NEW user and set pwdPolicySubentry and this worked, however,

#!RESULT OK
#!CONNECTION ldap://localhost:10389
#!DATE 2011-09-30T16:31:17.973
dn: uid=1286309809117,ou=users,ou=int,o=cpro
changetype: add
sn: Accorsi
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
mail: null
givenName: Carlo
uid: 1286309809117
cn: Accorsi, Carlo
displayName: Accorsi, Carlo
pwdPolicySubentry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
userPassword:: e1NIQX1ackowRjlOK0FreEdVbXd2YlRXS2RVL0XVdk09

Now when any type of modification is made to the entry a LOOP_DETECT exception is thrown.

#!RESULT ERROR
#!CONNECTION ldap://localhost:10389
#!DATE 2011-09-30T16:45:33.245
#!ERROR [LDAP: error code 54 - LOOP_DETECT: failed for MessageType : MODIFY_REQUEST Message ID : 21 Modify Request Object : 'uid=1286309809117,ou=users,ou=int,o=cpro' Modification[0] Operation : replace Modification givenName: Carlo2 org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@902ef1ad: ERR_333 Unexpected exception.]
dn: uid=1286309809117,ou=users,ou=int,o=cpro
changetype: modify
replace: givenName
givenName: Carlo2

Thinking this was because there were two policies, I decided to delete the default password policy. Not smart, now the uid=admin,ou=system user can no longer bind.

I'm starting over but can you see anything I'm missing? I know my ads-pwdcheckquality = 2 in my new policy.

Thanks,
Carlo Accorsi

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Kiran Ayyagari
Sent: Friday, September 30, 2011 3:39 PM
To: [email protected]
Subject: Re: [ApacheDS] looking for simple config for password policy enforcement.

On Fri, Sep 30, 2011 at 12:23 PM, <[email protected]> wrote:
> I would like to apply and enforce two different password policies to two
> different sub trees (that share the same root).
>
> I see where the policies (I think) are supposed to go.
> ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
correct place
> The question is how does this policy then get linked or applied to a user?
>
> In other directory servers, the pwdPolicy schema defines the policy object
> and all the supporting attributes (min/max pw length, etc).
> Then the pwdPolicySubentry attribute (on the user object) refers to the DN
> of the policy object and this is how it's enforced.
>
> I can't seem to make the connection in ApacheDS how this occurs?
> I've tried creating ads-passwordPolicy object at the subtree level of my
> users. Doesn't work.
> I've tried creating a simple pwdPolicy object but it cannot be saved because
> there's no structural objectclass associated with it.
>
no, this won't work, just create another policy under the above mentioned DN with a name like ads-pwdId=custom and for enforcing this for a specific user: add 'pwdPolicySubEntry' attribute with the value set to the custom pwdpolicy entry's DN

Note that the default password policy (ads-pwdId=default) is applicable for all other user entries which don't have a 'pwdPolicySubEntry' attribute specified.

> Even if the functionality isn't fully implemented, I'd like to structure the
> directory correctly. Your help is most appreciated.
>
please let us know if you have any other questions

HTH

--
Kiran Ayyagari
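As an added example (not code from the thread or from ApacheDS itself), the linking rule Kiran describes, applied offline to a constructed LDIF: each user's pwdPolicySubentry DN is resolved against the ads-passwordPolicy entries under ou=passwordPolicies, users without the attribute fall back to ads-pwdId=default, and references that point at no policy entry are flagged. The policy container DN is the one from the thread; that the default policy sits at ads-pwdId=default under that same container is an assumption.

```python
# Policy container DN from the thread (ApacheDS 2.0 config partition).
BASE = ("ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,"
        "ou=interceptors,ads-directoryServiceId=default,ou=config")

# Constructed sample: default + custom policy, then a user with an explicit
# reference, one relying on the default, and one with a dangling reference.
SAMPLE_LDIF = f"""\
dn: ads-pwdId=default,{BASE}
objectClass: ads-passwordPolicy
ads-pwdId: default

dn: ads-pwdId=cproext,{BASE}
objectClass: ads-passwordPolicy
ads-pwdId: cproext
ads-enabled: TRUE

dn: uid=1001,ou=users,ou=int,o=cpro
pwdPolicySubEntry: ads-pwdId=cproext,{BASE}

dn: uid=1002,ou=users,ou=int,o=cpro
objectClass: inetOrgPerson

dn: uid=1003,ou=users,ou=int,o=cpro
pwdPolicySubentry: ads-pwdId=missing,{BASE}
"""

def parse_ldif(text):
    """Blank-line separated entries; attribute names lower-cased (LDAP names are case-insensitive)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def effective_policies(entries):
    """Map user DN -> (ads-pwdId, status): pwdPolicySubentry names the policy, else the default applies."""
    policies = {e["dn"][0].lower(): e for e in entries
                if "ads-passwordpolicy" in map(str.lower, e.get("objectclass", []))}
    out = {}
    for e in [e for e in entries if e["dn"][0].lower() not in policies]:
        ref = e.get("pwdpolicysubentry", [f"ads-pwdId=default,{BASE}"])[0]
        pol = policies.get(ref.lower())          # DN comparison is case-insensitive
        enabled = pol is not None and pol.get("ads-enabled", ["TRUE"])[0].upper() == "TRUE"
        status = "dangling" if pol is None else ("ok" if enabled else "disabled")
        out[e["dn"][0]] = (pol["ads-pwdid"][0] if pol else ref, status)
    return out
```

Run against a real export, a "dangling" or "disabled" result is the first thing to check before suspecting the server, since a user then has no usable policy behind its reference.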
