am currently looking at this issue, will let you know as soon as I find

On Tue, Oct 4, 2011 at 9:39 AM, <[email protected]> wrote:
> Hi,
> 1.) Installed clean Apache DS 2.0.0-M3 with default instance - OK
> 2.) Import LDIF of my own JDBM partition. - OK
> 3.) Import LDIF root DSE for my new partition - OK
> 4.) Import LDIF for my own password policy - OK
> 5.) Import LDIF user in my new partition with pwdPolicySubEntry set for
> policy in step 4. - OK
> 6.) Try and modify any attribute of user imported in step 5 and the exception
> below is thrown.
>
> Any ideas?
>
> // step 5 result
> #!RESULT OK
> #!CONNECTION ldap://localhost:10389
> #!DATE 2011-10-04T09:30:33.945
> dn: uid=1286309809117,ou=users,ou=int,o=cpro
> changetype: add
> employeeNumber: jsmith
> initials: w
> sn: Smith
> objectClass: inetOrgPerson
> objectClass: organizationalPerson
> objectClass: person
> objectClass: top
> mail: null@locahost
> givenName: John
> uid: 1286309809117
> pwdPolicySubEntry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> cn: Smith, John
> displayName: Smith, John
> userPassword:: e1NIQX1RTDBBRldNSVg4TlJaVEtlb2Y6Y1hzdmJ2dTg9
>
> // step 6, change givenName
> #!RESULT ERROR
> #!CONNECTION ldap://localhost:10389
> #!DATE 2011-10-04T09:30:47.177
> #!ERROR [LDAP: error code 54 - LOOP_DETECT: failed for MessageType :
> MODIFY_REQUEST Message ID : 14 Modify Request Object :
> 'uid=1286309809117,ou=users,ou=int,o=cpro' Modification[0]
> Operation : replace Modification givenName: John2
> org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@86392ad2:
> ERR_333 Unexpected exception.]
> dn: uid=1286309809117,ou=users,ou=int,o=cpro
> changetype: modify
> replace: givenName
> givenName: John2
>
>
> // ldif of my password policy
> dn: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> objectclass: top
> objectclass: ads-base
> objectclass: ads-passwordPolicy
> ads-pwdattribute: userPassword
> ads-pwdid: cproext
> ads-enabled: TRUE
> ads-pwdallowuserchange: TRUE
> ads-pwdcheckquality: 1
> ads-pwdexpirewarning: 600
> ads-pwdfailurecountinterval: 30
> ads-pwdgraceauthnlimit: 5
> ads-pwdgraceexpire: 0
> ads-pwdinhistory: 5
> ads-pwdlockout: TRUE
> ads-pwdlockoutduration: 0
> ads-pwdmaxage: 0
> ads-pwdmaxdelay: 0
> ads-pwdmaxfailure: 5
> ads-pwdmaxidle: 0
> ads-pwdmaxlength: 0
> ads-pwdminage: 0
> ads-pwdmindelay: 0
> ads-pwdminlength: 5
> ads-pwdmustchange: FALSE
> ads-pwdsafemodify: FALSE
>
> Thank you!!
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> Sent: Friday, September 30, 2011 5:05 PM
> To: [email protected]
> Subject: RE: [ApacheDS] looking for simple config for password policy
> enforcement.
>
> Hi, and thank you for your response.
>
> I've been able to create a second policy all along, however I kept running
> into the same problem when trying to add the 'pwdPolicySubentry' to an
> existing user.
> Is it possible to modify the pwdPolicySubentry attribute on an existing
> user?
> The schema browser shows that the attribute has a read-only flag
> ( NO-USER-MODIFICATION ).
>
> #!RESULT ERROR
> #!CONNECTION ldap://localhost:10389
> #!DATE 2011-09-30T16:16:01.784
> #!ERROR [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for
> MessageType : MODIFY_REQUEST Message ID : 31 Modify Request
> Object : 'uid=1286309809116,ou=users,ou=int,o=cpro'
> Modification[0] Operation : add Modification
> pwdPolicySubentry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@4b131069:
> ERR_52 Cannot modify the attribute : ATTRIBUTE_TYPE (
> 1.3.6.1.4.1.42.2.27.8.1.23 NAME 'pwdPolicySubentry' DESC The pwdPolicy
> subentry in effect for this object EQUALITY distinguishedNameMatch SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE
> directoryOperation ) ]
> dn: uid=1286309809116,ou=users,ou=int,o=cpro
> changetype: modify
> add: pwdPolicySubentry
> pwdPolicySubentry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>
>
> Anyway, I then tried a NEW user and set pwdPolicySubentry and this worked,
> however,
>
> #!RESULT OK
> #!CONNECTION ldap://localhost:10389
> #!DATE 2011-09-30T16:31:17.973
> dn: uid=1286309809117,ou=users,ou=int,o=cpro
> changetype: add
> sn: Accorsi
> objectClass: organizationalPerson
> objectClass: person
> objectClass: inetOrgPerson
> objectClass: top
> mail: null
> givenName: Carlo
> uid: 1286309809117
> cn: Accorsi, Carlo
> displayName: Accorsi, Carlo
> pwdPolicySubentry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> userPassword:: e1NIQX1ackowRjlOK0FreEdVbXd2YlRXS2RVL0XVdk09
>
> Now when any type of modification is made to the entry a LOOP_DETECT
> exception is thrown.
>
> #!RESULT ERROR
> #!CONNECTION ldap://localhost:10389
> #!DATE 2011-09-30T16:45:33.245
> #!ERROR [LDAP: error code 54 - LOOP_DETECT: failed for MessageType :
> MODIFY_REQUEST Message ID : 21 Modify Request Object :
> 'uid=1286309809117,ou=users,ou=int,o=cpro' Modification[0]
> Operation : replace Modification givenName: Carlo2
> org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@902ef1ad:
> ERR_333 Unexpected exception.]
> dn: uid=1286309809117,ou=users,ou=int,o=cpro
> changetype: modify
> replace: givenName
> givenName: Carlo2
>
> Thinking this was because there were two policies, I decided to delete the
> default password policy. Not smart, now the uid=admin,ou=system user can no
> longer bind.
>
> I'm starting over but can you see anything I'm missing?
>
> I know my ads-pwdcheckquality = 2 in my new policy.
>
> Thanks,
> Carlo Accorsi
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of
> Kiran Ayyagari
> Sent: Friday, September 30, 2011 3:39 PM
> To: [email protected]
> Subject: Re: [ApacheDS] looking for simple config for password policy
> enforcement.
>
> On Fri, Sep 30, 2011 at 12:23 PM, <[email protected]> wrote:
>> I would like to apply and enforce two different password policies to two
>> different sub trees (that share the same root).
>>
>> I see where the policies (I think) are supposed to go.
>> ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>>
> correct place
>> The question is how does this policy then get linked or applied to a user?
>>
>> In other directory servers, the pwdPolicy schema defines the policy object
>> and all the supporting attributes (min/max pw length, etc).
>> Then the pwdPolicySubentry attribute (on the user object) refers to the DN
>> of the policy object and this is how it's enforced.
>>
>> I can't seem to make the connection in ApacheDS how this occurs?
>> I've tried creating ads-passwordPolicy object at the subtree level of my
>> users. Doesn't work.
>> I've tried creating a simple pwdPolicy object but it cannot be saved because
>> there's no structural objectclass associated with it.
>>
> no, this won't work, just create another policy under the above mentioned DN
> with a name like ads-pwdId=custom and for enforcing this for a specific user:
> add 'pwdPolicySubEntry' attribute with the value set to the custom pwdpolicy
> entry's DN
>
> Note that the default password policy (ads-pwdId=default) is applicable for
> all other user entries which don't have a 'pwdPolicySubEntry'
> attribute specified.
>
>> Even if the functionality isn't fully implemented, I'd like to structure the
>> directory correctly. Your help is most appreciated.
>>
> please let us know if you have any other questions
>
> HTH
>
> --
> Kiran Ayyagari
>
-- Kiran Ayyagari
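The thread settles three points about wiring a custom password policy in ApacheDS: the ads-passwordPolicy entry must live under ou=passwordPolicies beneath the authenticationInterceptor in ou=config (a policy object placed in the users subtree is ignored), a user is bound to it through pwdPolicySubentry, and pwdPolicySubentry is NO-USER-MODIFICATION, so a modify that adds it to an existing entry is refused with INSUFFICIENT_ACCESS_RIGHTS while setting it on add is accepted. The script below, an added example that is not ApacheDS project code, reads an LDIF file and checks those three things before import, and also flags policy settings an operator usually wants to revisit (the MIN_LENGTH threshold is this example's own assumption, not an ApacheDS default; absent attributes are skipped because their server defaults are not stated in the thread). The sample LDIF is constructed from the entries quoted above plus two deliberately broken records.

```python
"""Pre-import audit of ApacheDS password-policy wiring (added example).

Checks: policy entries sit in the authenticationInterceptor container,
pwdPolicySubentry references resolve, no modify record touches the
NO-USER-MODIFICATION attribute, and present policy settings are not weak.
"""
from typing import Callable, Dict, List, Tuple

Entry = Dict[str, List[str]]
Finding = Tuple[str, str, str]  # (dn, code, detail)

# Container named in the thread, lower-cased for comparison.
POLICY_CONTAINER = ("ou=passwordpolicies,ads-interceptorid=authenticationinterceptor,"
                    "ou=interceptors,ads-directoryserviceid=default,ou=config")
MIN_LENGTH = 8  # assumed local baseline, not an ApacheDS default

# Constructed sample: the thread's policy and user, plus a misplaced policy,
# a modify that adds pwdPolicySubentry, and a user pointing at a missing policy.
SAMPLE_LDIF = """\
dn: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
objectclass: ads-passwordPolicy
ads-pwdid: cproext
ads-enabled: TRUE
ads-pwdcheckquality: 1
ads-pwdlockout: TRUE
ads-pwdmaxage: 0
ads-pwdminlength: 5

dn: ads-pwdId=misplaced,ou=users,ou=int,o=cpro
objectclass: ads-passwordPolicy
ads-pwdid: misplaced

dn: uid=1286309809117,ou=users,ou=int,o=cpro
changetype: add
objectClass: inetOrgPerson
pwdPolicySubEntry:
 ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config

dn: uid=1286309809116,ou=users,ou=int,o=cpro
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config

dn: uid=orphan,ou=users,ou=int,o=cpro
objectClass: inetOrgPerson
pwdPolicySubentry: ads-pwdId=gone,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
"""


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: unfolds continuation lines (leading space), drops
    comments, lower-cases attribute names and keeps every value as a list."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # RFC 2849 line folding
        else:
            unfolded.append(line)
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded + [""]:              # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            current.setdefault(name.strip().lower(), []).append(value.lstrip(": "))
    return entries


def norm_dn(dn: str) -> str:
    """Case- and whitespace-insensitive DN key (sufficient for these DNs)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def audit(entries: List[Entry]) -> List[Finding]:
    findings: List[Finding] = []
    policies: Dict[str, Entry] = {}
    for e in entries:
        dn = norm_dn(e["dn"][0])
        if "ads-passwordpolicy" in {c.lower() for c in e.get("objectclass", [])}:
            policies[dn] = e
            if not dn.endswith("," + POLICY_CONTAINER):
                findings.append((dn, "policy-outside-container",
                                 "policies are only picked up under ou=passwordPolicies "
                                 "of the authenticationInterceptor"))
    for e in entries:
        dn = norm_dn(e["dn"][0])
        ref = e.get("pwdpolicysubentry")
        if not ref:
            continue
        if e.get("changetype", [""])[0].lower() == "modify":
            findings.append((dn, "modify-operational-attr",
                             "pwdPolicySubentry is NO-USER-MODIFICATION; the thread shows the "
                             "modify refused with INSUFFICIENT_ACCESS_RIGHTS but accepted on add"))
        if norm_dn(ref[0]) not in policies:
            findings.append((dn, "dangling-policy-ref", f"no ads-passwordPolicy entry at {ref[0]}"))
    weak_checks: List[Tuple[str, Callable[[str], bool], str]] = [
        ("ads-enabled", lambda v: v.upper() != "TRUE", "policy is not enforced"),
        ("ads-pwdminlength", lambda v: int(v) < MIN_LENGTH, f"minimum length below {MIN_LENGTH}"),
        ("ads-pwdcheckquality", lambda v: v == "0", "password quality is never checked"),
        ("ads-pwdlockout", lambda v: v.upper() != "TRUE", "failed binds never lock the account"),
        ("ads-pwdmaxage", lambda v: v == "0", "passwords never expire"),
    ]
    for dn, p in policies.items():
        for attr, is_weak, why in weak_checks:
            if attr in p and is_weak(p[attr][0]):
                findings.append((dn, "weak-setting", f"{attr}={p[attr][0]}: {why}"))
    return findings


if __name__ == "__main__":
    for dn, code, detail in audit(parse_ldif(SAMPLE_LDIF)):
        print(f"{code:26} {dn}\n{'':26} {detail}")
```

Run against the sample it reports the misplaced policy, the modify record, the dangling reference and two weak settings on the cproext policy (minimum length 5 and no expiry); the user entry added with pwdPolicySubEntry in place produces no finding. To audit a real export, replace SAMPLE_LDIF with the file contents; the LOOP_DETECT failure from the thread is a server-side problem that no LDIF check can predict, so the script makes no claim about it.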
