I have found the issue and filed a report [1]. Will let you know after committing the fix (approx. 2 hours). Appreciate your patience.
[1] https://issues.apache.org/jira/browse/DIRSERVER-1665

On Tue, Oct 4, 2011 at 10:00 AM, Kiran Ayyagari <[email protected]> wrote:
> am currently looking at this issue, will let you know as soon as I find
>
> On Tue, Oct 4, 2011 at 9:39 AM, <[email protected]> wrote:
>> Hi,
>> 1.) Installed clean Apache DS 2.0.0-M3 with default instance - OK
>> 2.) Import LDIF of my own JDBM partition. - OK
>> 3.) Import LDIF root DSE for my new partition - OK
>> 4.) Import LDIF for my own password policy - OK
>> 5.) Import LDIF user in my new partition with pwdPolicySubEntry set for
>> policy in step 4. - OK
>> 6.) Try and modify any attribute of user imported in step 5 and the
>> exception below is thrown.
>>
>> Any ideas?
>>
>> // step 5 result
>> #!RESULT OK
>> #!CONNECTION ldap://localhost:10389
>> #!DATE 2011-10-04T09:30:33.945
>> dn: uid=1286309809117,ou=users,ou=int,o=cpro
>> changetype: add
>> employeeNumber: jsmith
>> initials: w
>> sn: Smith
>> objectClass: inetOrgPerson
>> objectClass: organizationalPerson
>> objectClass: person
>> objectClass: top
>> mail: null@locahost
>> givenName: John
>> uid: 1286309809117
>> pwdPolicySubEntry:
>>  ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>> cn: Smith, John
>> displayName: Smith, John
>> userPassword:: e1NIQX1RTDBBRldNSVg4TlJaVEtlb2Y6Y1hzdmJ2dTg9
>>
>> // step 6, change givenName
>> #!RESULT ERROR
>> #!CONNECTION ldap://localhost:10389
>> #!DATE 2011-10-04T09:30:47.177
>> #!ERROR [LDAP: error code 54 - LOOP_DETECT: failed for MessageType :
>> MODIFY_REQUEST Message ID : 14 Modify Request Object :
>> 'uid=1286309809117,ou=users,ou=int,o=cpro' Modification[0]
>> Operation : replace Modification givenName:
>> John2
>> org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@86392ad2:
>> ERR_333 Unexpected exception.]
>> dn: uid=1286309809117,ou=users,ou=int,o=cpro
>> changetype: modify
>> replace: givenName
>> givenName: John2
>>
>>
>> // ldif of my password policy
>> dn:
>>  ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>> objectclass: top
>> objectclass: ads-base
>> objectclass: ads-passwordPolicy
>> ads-pwdattribute: userPassword
>> ads-pwdid: cproext
>> ads-enabled: TRUE
>> ads-pwdallowuserchange: TRUE
>> ads-pwdcheckquality: 1
>> ads-pwdexpirewarning: 600
>> ads-pwdfailurecountinterval: 30
>> ads-pwdgraceauthnlimit: 5
>> ads-pwdgraceexpire: 0
>> ads-pwdinhistory: 5
>> ads-pwdlockout: TRUE
>> ads-pwdlockoutduration: 0
>> ads-pwdmaxage: 0
>> ads-pwdmaxdelay: 0
>> ads-pwdmaxfailure: 5
>> ads-pwdmaxidle: 0
>> ads-pwdmaxlength: 0
>> ads-pwdminage: 0
>> ads-pwdmindelay: 0
>> ads-pwdminlength: 5
>> ads-pwdmustchange: FALSE
>> ads-pwdsafemodify: FALSE
>>
>> Thank you!!
>>
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]]
>> Sent: Friday, September 30, 2011 5:05 PM
>> To: [email protected]
>> Subject: RE: [ApacheDS] looking for simple config for password policy
>> enforcement.
>>
>> Hi, and thank you for your response.
>>
>> I've been able to create a second policy all along, however I kept running
>> into the same problem when trying to add the 'pwdPolicySubentry' to an
>> existing user.
>> Is it possible to modify the pwdPolicySubentry attribute on an existing
>> user?
>> The schema browser shows that the attribute has a read-only flag
>> ( NO-USER-MODIFICATION ).
>>
>> #!RESULT ERROR
>> #!CONNECTION ldap://localhost:10389
>> #!DATE 2011-09-30T16:16:01.784
>> #!ERROR [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for
>> MessageType : MODIFY_REQUEST Message ID : 31 Modify Request
>> Object : 'uid=1286309809116,ou=users,ou=int,o=cpro'
>> Modification[0] Operation : add
>> Modification pwdPolicySubentry:
>> ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>> org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@4b131069:
>> ERR_52 Cannot modify the attribute : ATTRIBUTE_TYPE (
>> 1.3.6.1.4.1.42.2.27.8.1.23 NAME 'pwdPolicySubentry' DESC The pwdPolicy
>> subentry in effect for this object EQUALITY distinguishedNameMatch SYNTAX
>> 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE
>> directoryOperation ) ]
>> dn: uid=1286309809116,ou=users,ou=int,o=cpro
>> changetype: modify
>> add: pwdPolicySubentry
>> pwdPolicySubentry:
>>  ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>>
>>
>> Anyway, I then tried a NEW user and set pwdPolicySubentry and this worked,
>> however,
>>
>> #!RESULT OK
>> #!CONNECTION ldap://localhost:10389
>> #!DATE 2011-09-30T16:31:17.973
>> dn: uid=1286309809117,ou=users,ou=int,o=cpro
>> changetype: add
>> sn: Accorsi
>> objectClass: organizationalPerson
>> objectClass: person
>> objectClass: inetOrgPerson
>> objectClass: top
>> mail: null
>> givenName: Carlo
>> uid: 1286309809117
>> cn: Accorsi, Carlo
>> displayName: Accorsi, Carlo
>> pwdPolicySubentry:
>>  ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>> userPassword:: e1NIQX1ackowRjlOK0FreEdVbXd2YlRXS2RVL0XVdk09
>>
>> Now when any type of modification is made to the entry a LOOP_DETECT
>> exception is thrown.
>>
>> #!RESULT ERROR
>> #!CONNECTION ldap://localhost:10389
>> #!DATE 2011-09-30T16:45:33.245
>> #!ERROR [LDAP: error code 54 - LOOP_DETECT: failed for MessageType :
>> MODIFY_REQUEST Message ID : 21 Modify Request Object :
>> 'uid=1286309809117,ou=users,ou=int,o=cpro' Modification[0]
>> Operation : replace Modification givenName:
>> Carlo2
>> org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@902ef1ad:
>> ERR_333 Unexpected exception.]
>> dn: uid=1286309809117,ou=users,ou=int,o=cpro
>> changetype: modify
>> replace: givenName
>> givenName: Carlo2
>>
>> Thinking this was because there were two policies, I decided to delete the
>> default password policy. Not smart, now the uid=admin,ou=system user can no
>> longer bind..
>>
>> I'm starting over but can you see anything I'm missing?
>>
>> I know my ads-pwdcheckquality = 2 in my new policy.
>>
>> Thanks,
>> Carlo Accorsi
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf Of
>> Kiran Ayyagari
>> Sent: Friday, September 30, 2011 3:39 PM
>> To: [email protected]
>> Subject: Re: [ApacheDS] looking for simple config for password policy
>> enforcement.
>>
>> On Fri, Sep 30, 2011 at 12:23 PM, <[email protected]> wrote:
>>> I would like to apply and enforce two different password policies to two
>>> different sub trees (that share the same root).
>>>
>>> I see where the policies (I think) are supposed to go.
>>> ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>>>
>> correct place
>>> The question is how does this policy then get linked or applied to a user?
>>>
>>> In other directory servers, the pwdPolicy schema defines the policy object
>>> and all the supporting attributes (min/max pw length, etc).
>>> Then the pwdPolicySubentry attribute (on the user object) refers to the DN
>>> of the policy object and this is how it's enforced.
>>>
>>> I can't seem to make the connection in ApacheDS how this occurs?
>>> I've tried creating an ads-passwordPolicy object at the subtree level of my
>>> users. Doesn't work.
>>> I've tried creating a simple pwdPolicy object but it cannot be saved
>>> because there's no structural objectclass associated with it.
>>>
>> no, this won't work, just create another policy under the above mentioned DN
>> with a name like ads-pwdId=custom and for enforcing this for a specific user:
>> add 'pwdPolicySubEntry' attribute with the value set to the custom pwdpolicy
>> entry's DN
>>
>> Note that the default password policy (ads-pwdId=default) is applicable for
>> all other user entries which don't have a 'pwdPolicySubEntry'
>> attribute specified.
>>
>>> Even if the functionality isn't fully implemented, I'd like to structure
>>> the directory correctly. Your help is most appreciated.
>>>
>> please let us know if you have any other questions
>>
>> HTH
>>
>> --
>> Kiran Ayyagari
>>
>
>
>
> --
> Kiran Ayyagari
>

--
Kiran Ayyagari
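The thread shows two distinct failures around `pwdPolicySubentry`: a `changetype: modify` on an existing entry refused with error 50 because the attribute is `NO-USER-MODIFICATION`, and (the bug filed as DIRSERVER-1665) a LOOP_DETECT on later modifications of an entry that carries the attribute. The server-side loop cannot be caught before import, but the reference wiring Kiran describes can. The following stdlib-only Python script is an added example, not code from the thread or from the ApacheDS project: it reads an LDIF of the kind pasted above (folded lines, `::` base64 values, Directory Studio `#!RESULT` comment lines), collects the `ads-passwordPolicy` entries, and then checks every `pwdPolicySubentry` value against them: the referenced DN must exist in the file, must sit under the `ou=passwordPolicies,...,ou=config` container named in the thread, and must be single-valued; any `modify` that adds or replaces `pwdPolicySubentry` is flagged as one the server will reject. The sample LDIF is constructed for the example and only models the thread's entries.

```python
"""Pre-import check of pwdPolicySubentry references in ApacheDS LDIF (added example)."""
import base64
from collections import defaultdict

# The container named in the thread as the place where password policies must live.
POLICY_CONTAINER = ("ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,"
                    "ou=interceptors,ads-directoryServiceId=default,ou=config")

def norm_dn(dn):
    """Comparison key: lowercase, no whitespace around RDN separators."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def _split(line):
    """'attr: value' or 'attr:: base64' -> (lowercased attr, decoded value)."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
    else:
        value = rest.strip()
    return name.strip().lower(), value

def parse_ldif(text):
    """Minimal LDIF reader: unfolds ' '-continued lines, skips '#' comments (Studio's
    '#!RESULT' lines included) and '-'. Returns [{'dn': str, 'attrs': {name: [values]}}]."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # folded continuation line
        else:
            lines.append(raw)
    records, current = [], None
    for line in lines + [""]:               # trailing "" flushes the last record
        if line.startswith("#") or line == "-":
            continue
        if not line.strip():
            if current is not None:
                records.append(current)
            current = None
            continue
        name, value = _split(line)
        if name == "dn":
            current = {"dn": value, "attrs": defaultdict(list)}
        elif current is not None:
            current["attrs"][name].append(value)
    return records

def check_policy_refs(records):
    """Return findings as strings; an empty list means the references are consistent."""
    findings = []
    policies = {norm_dn(r["dn"]): r for r in records
                if "ads-passwordpolicy" in {c.lower() for c in r["attrs"].get("objectclass", [])}}
    for r in records:
        a, dn = r["attrs"], r["dn"]
        if (a.get("changetype") or ["add"])[0].lower() == "modify":
            # pwdPolicySubentry is NO-USER-MODIFICATION; the thread shows such a
            # modify refused with LDAP error 50, so flag it before importing.
            if any(t.lower() == "pwdpolicysubentry" for t in a.get("add", []) + a.get("replace", [])):
                findings.append(f"{dn}: modify of pwdPolicySubentry on an existing entry will be rejected")
            continue
        refs = a.get("pwdpolicysubentry", [])
        if len(refs) > 1:
            findings.append(f"{dn}: pwdPolicySubentry is SINGLE-VALUE but has {len(refs)} values")
        for ref in refs:
            key = norm_dn(ref)
            if not key.endswith("," + norm_dn(POLICY_CONTAINER)):
                findings.append(f"{dn}: policy {ref} is outside {POLICY_CONTAINER}")
            if key not in policies:
                findings.append(f"{dn}: pwdPolicySubentry refers to a policy not defined here: {ref}")
    return findings

# Constructed sample modelled on the thread's entries; the first DN is deliberately folded.
SAMPLE_LDIF = f"""\
dn: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,
 ou=interceptors,ads-directoryServiceId=default,ou=config
objectclass: ads-passwordPolicy
ads-pwdid: cproext
ads-enabled: TRUE

dn: uid=1001,ou=users,ou=int,o=cpro
changetype: add
objectClass: inetOrgPerson
sn: Smith
pwdPolicySubentry: ads-pwdId=cproext,{POLICY_CONTAINER}
userPassword:: c2VjcmV0

dn: uid=1002,ou=users,ou=int,o=cpro
objectClass: inetOrgPerson
sn: Two
pwdPolicySubentry: ads-pwdId=nosuch,{POLICY_CONTAINER}

dn: uid=1004,ou=users,ou=int,o=cpro
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: ads-pwdId=cproext,{POLICY_CONTAINER}
"""

if __name__ == "__main__":
    for finding in check_policy_refs(parse_ldif(SAMPLE_LDIF)):
        print(finding)
```

Run against the sample, the script reports two findings: `uid=1002` references a policy that is not defined in the file, and the `modify` on `uid=1004` would be refused by the server. The entry for `uid=1001`, wired the way Kiran describes (policy entry under the config container, user entry created with `pwdPolicySubentry` pointing at it), passes. Attribute names are compared case-insensitively because the thread mixes `pwdPolicySubEntry` and `pwdPolicySubentry`; LDAP treats them as the same attribute.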
