Have fixed this, please verify with the latest trunk source and let us know. Thanks for reporting

On Tue, Oct 4, 2011 at 11:13 AM, Kiran Ayyagari <[email protected]> wrote:
> I have found the issue and filed a report[1]
> Will let you know after committing the fix (approx. 2 hours).
> Appreciate your patience
>
> [1] https://issues.apache.org/jira/browse/DIRSERVER-1665
>
> On Tue, Oct 4, 2011 at 10:00 AM, Kiran Ayyagari <[email protected]> wrote:
>> am currently looking at this issue, will let you know as soon as I find
>>
>> On Tue, Oct 4, 2011 at 9:39 AM, <[email protected]> wrote:
>>> Hi,
>>> 1.) Installed clean Apache DS 2.0.0-M3 with default instance - OK
>>> 2.) Import LDIF of my own JDBM partition. - OK
>>> 3.) Import LDIF root DSE for my new partition - OK
>>> 4.) Import LDIF for my own password policy - OK
>>> 5.) Import LDIF user in my new partition with pwdPolicySubEntry set for
>>> policy in step 4. - OK
>>> 6.) Try and modify any attribute of user imported in step 5 and the
>>> exception below is thrown.
>>>
>>> Any ideas?
>>>
>>> // step 5 result
>>> #!RESULT OK
>>> #!CONNECTION ldap://localhost:10389
>>> #!DATE 2011-10-04T09:30:33.945
>>> dn: uid=1286309809117,ou=users,ou=int,o=cpro
>>> changetype: add
>>> employeeNumber: jsmith
>>> initials: w
>>> sn: Smith
>>> objectClass: inetOrgPerson
>>> objectClass: organizationalPerson
>>> objectClass: person
>>> objectClass: top
>>> mail: null@locahost
>>> givenName: John
>>> uid: 1286309809117
>>> pwdPolicySubEntry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>>> cn: Smith, John
>>> displayName: Smith, John
>>> userPassword:: e1NIQX1RTDBBRldNSVg4TlJaVEtlb2Y6Y1hzdmJ2dTg9
>>>
>>> // step 6, change givenName
>>> #!RESULT ERROR
>>> #!CONNECTION ldap://localhost:10389
>>> #!DATE 2011-10-04T09:30:47.177
>>> #!ERROR [LDAP: error code 54 - LOOP_DETECT: failed for MessageType :
>>> MODIFY_REQUEST Message ID : 14 Modify Request Object :
>>> 'uid=1286309809117,ou=users,ou=int,o=cpro' Modification[0]
>>> Operation : replace Modification givenName:
>>> John2
>>> org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@86392ad2:
>>> ERR_333 Unexpected exception.]
>>> dn: uid=1286309809117,ou=users,ou=int,o=cpro
>>> changetype: modify
>>> replace: givenName
>>> givenName: John2
>>>
>>>
>>> // ldif of my password policy
>>> dn: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>>> objectclass: top
>>> objectclass: ads-base
>>> objectclass: ads-passwordPolicy
>>> ads-pwdattribute: userPassword
>>> ads-pwdid: cproext
>>> ads-enabled: TRUE
>>> ads-pwdallowuserchange: TRUE
>>> ads-pwdcheckquality: 1
>>> ads-pwdexpirewarning: 600
>>> ads-pwdfailurecountinterval: 30
>>> ads-pwdgraceauthnlimit: 5
>>> ads-pwdgraceexpire: 0
>>> ads-pwdinhistory: 5
>>> ads-pwdlockout: TRUE
>>> ads-pwdlockoutduration: 0
>>> ads-pwdmaxage: 0
>>> ads-pwdmaxdelay: 0
>>> ads-pwdmaxfailure: 5
>>> ads-pwdmaxidle: 0
>>> ads-pwdmaxlength: 0
>>> ads-pwdminage: 0
>>> ads-pwdmindelay: 0
>>> ads-pwdminlength: 5
>>> ads-pwdmustchange: FALSE
>>> ads-pwdsafemodify: FALSE
>>>
>>> Thank you!!
>>>
>>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:[email protected]]
>>> Sent: Friday, September 30, 2011 5:05 PM
>>> To: [email protected]
>>> Subject: RE: [ApacheDS] looking for simple config for password policy
>>> enforcement.
>>>
>>> Hi, and thank you for your response.
>>>
>>> I've been able to create a second policy all along, however I kept running
>>> into the same problem when trying to add the 'pwdPolicySubentry' to an
>>> existing user.
>>> Is it possible to modify the pwdPolicySubentry attribute on an existing
>>> user?
>>> The schema browser shows that the attribute has a read-only flag
>>> ( NO-USER-MODIFICATION )
>>>
>>> #!RESULT ERROR
>>> #!CONNECTION ldap://localhost:10389
>>> #!DATE 2011-09-30T16:16:01.784
>>> #!ERROR [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for
>>> MessageType : MODIFY_REQUEST Message ID : 31 Modify Request
>>> Object : 'uid=1286309809116,ou=users,ou=int,o=cpro'
>>> Modification[0] Operation : add
>>> Modification pwdPolicySubentry:
>>> ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>>> org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@4b131069:
>>> ERR_52 Cannot modify the attribute : ATTRIBUTE_TYPE (
>>> 1.3.6.1.4.1.42.2.27.8.1.23 NAME 'pwdPolicySubentry' DESC The pwdPolicy
>>> subentry in effect for this object EQUALITY distinguishedNameMatch SYNTAX
>>> 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE
>>> directoryOperation ) ]
>>> dn: uid=1286309809116,ou=users,ou=int,o=cpro
>>> changetype: modify
>>> add: pwdPolicySubentry
>>> pwdPolicySubentry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>>>
>>>
>>> Anyway, I then tried a NEW user and set pwdPolicySubentry and this worked,
>>> however,
>>>
>>> #!RESULT OK
>>> #!CONNECTION ldap://localhost:10389
>>> #!DATE 2011-09-30T16:31:17.973
>>> dn: uid=1286309809117,ou=users,ou=int,o=cpro
>>> changetype: add
>>> sn: Accorsi
>>> objectClass: organizationalPerson
>>> objectClass: person
>>> objectClass: inetOrgPerson
>>> objectClass: top
>>> mail: null
>>> givenName: Carlo
>>> uid: 1286309809117
>>> cn: Accorsi, Carlo
>>> displayName: Accorsi, Carlo
>>> pwdPolicySubentry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>>> userPassword:: e1NIQX1ackowRjlOK0FreEdVbXd2YlRXS2RVL0XVdk09
>>>
>>> Now when any type of modification is made to the entry a LOOP_DETECT
>>> exception is thrown.
>>>
>>> #!RESULT ERROR
>>> #!CONNECTION ldap://localhost:10389
>>> #!DATE 2011-09-30T16:45:33.245
>>> #!ERROR [LDAP: error code 54 - LOOP_DETECT: failed for MessageType :
>>> MODIFY_REQUEST Message ID : 21 Modify Request Object :
>>> 'uid=1286309809117,ou=users,ou=int,o=cpro' Modification[0]
>>> Operation : replace Modification givenName:
>>> Carlo2
>>> org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@902ef1ad:
>>> ERR_333 Unexpected exception.]
>>> dn: uid=1286309809117,ou=users,ou=int,o=cpro
>>> changetype: modify
>>> replace: givenName
>>> givenName: Carlo2
>>>
>>> Thinking this was because there were two policies, I decided to delete the
>>> default password policy. Not smart, now the uid=admin,ou=system user can no
>>> longer bind.
>>>
>>> I'm starting over but can you see anything I'm missing?
>>>
>>> I know my ads-pwdcheckquality = 2 in my new policy.
>>>
>>> Thanks,
>>> Carlo Accorsi
>>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:[email protected]] On Behalf Of
>>> Kiran Ayyagari
>>> Sent: Friday, September 30, 2011 3:39 PM
>>> To: [email protected]
>>> Subject: Re: [ApacheDS] looking for simple config for password policy
>>> enforcement.
>>>
>>> On Fri, Sep 30, 2011 at 12:23 PM, <[email protected]> wrote:
>>>> I would like to apply and enforce two different password policies to two
>>>> different subtrees (that share the same root).
>>>>
>>>> I see where the policies (I think) are supposed to go.
>>>> ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>>>>
>>> correct place
>>>> The question is how does this policy then get linked or applied to a user?
>>>>
>>>> In other directory servers, the pwdPolicy schema defines the policy object
>>>> and all the supporting attributes (min/max pw length, etc).
>>>> Then the pwdPolicySubentry attribute (on the user object) refers to the
>>>> DN of the policy object and this is how it's enforced.
>>>>
>>>> I can't seem to make the connection in ApacheDS how this occurs?
>>>> I've tried creating ads-passwordPolicy object at the subtree level of my
>>>> users. Doesn't work.
>>>> I've tried creating a simple pwdPolicy object but it cannot be saved
>>>> because there's no structural objectclass associated with it.
>>>>
>>> no, this won't work, just create another policy under the above-mentioned
>>> DN with a name like ads-pwdId=custom and for enforcing this for a specific
>>> user:
>>> add 'pwdPolicySubEntry' attribute with the value set to the custom
>>> pwdpolicy entry's DN
>>>
>>> Note that the default password policy (ads-pwdId=default) is applicable for
>>> all other user entries that don't have a 'pwdPolicySubEntry'
>>> attribute specified.
>>>
>>>> Even if the functionality isn't fully implemented, I'd like to structure
>>>> the directory correctly. Your help is most appreciated.
>>>>
>>> please let us know if you have any other questions
>>>
>>> HTH
>>>
>>> --
>>> Kiran Ayyagari
>>>
>>
>>
>>
>> --
>> Kiran Ayyagari
>>
>
>
>
> --
> Kiran Ayyagari
>

--
Kiran Ayyagari
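Two points in the thread are worth checking mechanically before importing LDIF into a server: the reply says a custom policy only takes effect when it lives under ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config and is named by the user's pwdPolicySubentry (a policy created under the users subtree is not consulted), and the posted policy itself sets ads-pwdminlength to 5. The following Python script is an added example, not code from the thread or from ApacheDS: a small LDIF reader that unfolds continuation lines and decodes '::' base64 values, a check that every pwdPolicySubentry reference resolves to an enabled ads-passwordPolicy inside that container, and an audit of the policy's lockout, length and quality settings. The sample LDIF is constructed from the thread's entries plus two deliberately broken references (a typo in the policy RDN, and a policy placed under the users subtree). MIN_LENGTH of 8 and the reading of an absent or zero value as "not enforced" are this example's assumptions, not ApacheDS defaults.

```python
# Added example (not ApacheDS code): offline checker for ApacheDS password-policy LDIF.
import base64
import re

Entry = dict[str, list[str]]
# Container that the reply in the thread says custom policies must live under.
POLICY_CONTAINER = ("ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,"
                    "ou=interceptors,ads-directoryServiceId=default,ou=config")
MIN_LENGTH = 8  # this example's own threshold, not an ApacheDS default
ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*):(:?) ?(.*)$")  # name, '::' flag, value

def parse_ldif(text: str) -> list[Entry]:
    """Unfold continuation lines, decode '::' base64 values, lower-case attribute names."""
    text = re.sub(r"\r?\n ", "", text)  # LDIF folds long lines as newline + one space
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():  # a blank line terminates the entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, b64, value = ATTR_RE.match(line).groups()  # AttributeError on malformed input
        if b64:
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(name.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries

def norm_dn(dn: str) -> str:
    return ",".join(p.strip() for p in dn.split(",")).lower()  # case/space-insensitive key

def index_policies(entries: list[Entry]) -> dict[str, Entry]:
    return {norm_dn(e["dn"][0]): e for e in entries
            if "ads-passwordpolicy" in {v.lower() for v in e.get("objectclass", [])}}

def check_user_links(entries: list[Entry]) -> list[str]:
    """Each pwdPolicySubentry must name an enabled policy inside POLICY_CONTAINER."""
    policies = index_policies(entries)
    container = "," + norm_dn(POLICY_CONTAINER)
    problems = []
    for e in entries:
        for ref in e.get("pwdpolicysubentry", []):
            who, dn = e["dn"][0], norm_dn(ref)
            if not dn.endswith(container):  # e.g. a policy created under the users subtree
                problems.append(f"{who}: policy is outside {POLICY_CONTAINER}")
            elif dn not in policies:
                problems.append(f"{who}: references missing policy {ref}")
            elif policies[dn].get("ads-enabled", ["FALSE"])[0].upper() != "TRUE":
                problems.append(f"{who}: policy {ref} is not enabled")
    return problems

def audit_policy(policy: Entry) -> list[str]:
    """Flag weak settings; absent or zero is read as 'not enforced' (pwdPolicy convention)."""
    def val(name: str, default: str) -> str:
        return policy.get(name, [default])[0]
    findings = []
    if val("ads-pwdlockout", "FALSE").upper() != "TRUE":
        findings.append("ads-pwdlockout is not TRUE: failed binds never lock the account")
    elif int(val("ads-pwdmaxfailure", "0")) == 0:
        findings.append("ads-pwdmaxfailure is 0: lockout threshold is never reached")
    if int(val("ads-pwdminlength", "0")) < MIN_LENGTH:
        findings.append(f"ads-pwdminlength {val('ads-pwdminlength', '0')} is below {MIN_LENGTH}")
    if val("ads-pwdcheckquality", "0") == "0":
        findings.append("ads-pwdcheckquality is 0: no quality checking")
    return findings

SAMPLE_LDIF = """\
# constructed sample: the thread's policy (subset), its user, then two broken references
dn: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInte
 rceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
objectclass: ads-passwordPolicy
ads-enabled: TRUE
ads-pwdcheckquality: 1
ads-pwdlockout: TRUE
ads-pwdmaxfailure: 5
ads-pwdminlength: 5

# the thread's user, linked to that policy; displayName is base64 for 'John Smith'
dn: uid=1286309809117,ou=users,ou=int,o=cpro
displayName:: Sm9obiBTbWl0aA==
pwdPolicySubEntry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=auth
 enticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config

dn: uid=9001,ou=users,ou=int,o=cpro
pwdPolicySubEntry: ads-pwdId=cproex,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config

dn: uid=9002,ou=users,ou=int,o=cpro
pwdPolicySubEntry: ads-pwdId=local,ou=users,ou=int,o=cpro
"""

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print(check_user_links(entries))
    print({dn: audit_policy(p) for dn, p in index_policies(entries).items()})
```

Run as a script it prints the dangling reference (uid=9001, RDN typo), the misplaced one (uid=9002, policy under the users subtree) and, for the thread's policy, only the short ads-pwdminlength. It works on exported LDIF and never touches the directory, so it can run before an import or as a periodic check against a config export.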
