Hi Everyone. We're still stuck on this one. Does anyone have a suggestion of how to handle this? We've tried coding around this but we keep coming back to it.
In summary, when we're changing a user's password and it's in the history, an InvalidAttributeValueException is thrown but the response controls in the LdapContext are null when we make the request with our PasswordRequestControl class (OID = "1.3.6.1.4.1.42.2.27.8.5.1"). Are we going about this the wrong way? I was hoping to catch the InvalidAttributeValueException but then determine from the response control that the password was in the history and raise the appropriate error in our user interface.

Thanks

-----Original Message-----
From: Accorsi, Carlo
Sent: Wednesday, November 30, 2011 2:45 PM
To: '[email protected]'
Subject: FW: ApacheDS differentiating Authentication Exceptions

<message removed>

-----Original Message-----
From: Accorsi, Carlo
Sent: Friday, November 18, 2011 11:09 AM
To: [email protected]
Subject: RE: ApacheDS differentiating Authentication Exceptions

Say for example "123" is in your password history.
Create an admin LdapContext with a PasswordRequestControl. (ctx)

    ModificationItem[] mods = new ModificationItem[1];
    // REPLACE_ATTRIBUTE is a static constant of DirContext
    mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                                   new BasicAttribute("userPassword", "123"));
    // try to set the password to an entry in the history
    try {
        // response controls set in ctx here
        ctx.modifyAttributes(strDn, mods);
    } catch (InvalidAttributeValueException e) {
        // response control will be null here.
        e.printStackTrace(); // below
    }

Caused by: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - CONSTRAINT_VIOLATION: failed for MessageType : MODIFY_REQUEST
Message ID : 4
    Modify Request
        Object : 'uid=1320878789594,ou=users,ou=ext,o=cpro'
            Modification[0]
                Operation :  replace
                Modification
    userPassword: '0x32 0x32 0x32 0x32 0x32 0x32 '
org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@f757cf46
    ManageDsaITImpl Control
        Type OID    : '2.16.840.1.113730.3.4.2'
        Criticality : 'false'
' : invalid reuse of password present in password history]; remaining name 'uid=1320878789594,ou=users,ou=ext,o=cpro'

Regards,
Carlo Accorsi

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Kiran Ayyagari
Sent: Friday, November 18, 2011 9:59 AM
To: [email protected]
Subject: Re: ApacheDS differentiating Authentication Exceptions

have checked the code but didn't find any obvious issue, do you have a test case that I can use to reproduce?

On Fri, Nov 18, 2011 at 9:02 AM, Kiran Ayyagari <[email protected]> wrote:
> most likely it could be a bug, will check that
>
> On Fri, Nov 18, 2011 at 6:09 AM, <[email protected]> wrote:
>> Hi again. I'm getting and handling the ASN.1 messages for when a password is
>> about to expire, and grace logins left, and cases where there's no exception.
>> However, if there's an exception, the response controls are null. In
>> the debugger, I see my response control present in the LdapContext
>> but the moment I step over ctx.modifyAttributes(strDn, mods);
>>
>> and for example a javax.naming.directory.InvalidAttributeValueException is
>> thrown for:
>>
>> : Password should have a minmum of 6 characters
>> Or
>> : invalid reuse of password present in password history]
>>
>> The LdapContext is still valid but the response controls are set null? I've
>> observed this by stepping through the code.
>> I was hoping to catch the reason in the ASN message and handle the failure
>> appropriately from there.
>>
>>
>> Thank you,
>> Carlo Accorsi
>>
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On
>> Behalf Of Kiran Ayyagari
>> Sent: Tuesday, November 15, 2011 1:57 PM
>> To: [email protected]
>> Subject: Re: ApacheDS differentiating Authentication Exceptions
>>
>> On Tue, Nov 15, 2011 at 1:47 PM, Emmanuel Lecharny <[email protected]> wrote:
>>> On 11/15/11 7:11 PM, [email protected] wrote:
>>>>
>>>> Ok, when I try and bind with an expired password and all grace
>>>> logins are spent, this exception is thrown:
>>>>
>>>> Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 -
>>>> INVALID_CREDENTIALS: Bind failed: paasword expired and max grace
>>>> logins were used]
>>>>
>>>>
>>>> And in the LdapContext.getResponseControls() encodedValue there is
>>>> this small byte array:
>>>>
>>>> [48, 3, -127, 1, 0]
>>>>
>>>> Does anyone know how to interpret or decode this?
>>>
>>> This stands for
>>>
>>> 0x30 0x03
>>>     0x81 0x01 0x00
>>>
>>> which means, when correlated with the ASN.1 grammar :
>>>
>>> PasswordPolicyResponseValue ::= SEQUENCE {
>>>     warning [0] CHOICE {
>>>         timeBeforeExpiration [0] INTEGER (0 .. maxInt),
>>>         graceAuthNsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL,
>>>     error [1] ENUMERATED {
>>>         passwordExpired (0),
>>>         accountLocked (1),
>>>         changeAfterReset (2),
>>>         passwordModNotAllowed (3),
>>>         mustSupplyOldPassword (4),
>>>         insufficientPasswordQuality (5),
>>>         passwordTooShort (6),
>>>         passwordTooYoung (7),
>>>         passwordInHistory (8) } OPTIONAL }
>>>
>>> 0x30 0x03 : SEQUENCE, 3 bytes length
>>> 0x81      : error [1] (would have been 0x80 for a warning)
>>> 0x01      : one byte length
>>> 0x00      : passwordExpired.
>>>
>>> ASN1 can be fun, but only for people who like this part of Pulp Fiction :
>>> http://www.youtube.com/watch?v=wN2-I31Imis&feature=player_detailpage
>>>
>> there goes the Christopher Nolan of ASN1 :) thanks for putting in many more details
>> than the one I was about to send.
>>
>> OTOH, Carlo -
>> take a look at the control's source present here [1], you need
>> not (and might not) use all of it, but some parts can be reused
>>
>> [1] http://svn.apache.org/repos/asf/directory/shared/trunk/ldap/extras/codec-api/src/main/java/org/apache/directory/shared/ldap/extras/controls/ppolicy
>>>
>>> --
>>> Regards,
>>> Cordialement,
>>> Emmanuel Lécharny
>>> www.iktek.com
>>>
>>>
>>
>>
>>
>> --
>> Kiran Ayyagari
>>
>
>
>
> --
> Kiran Ayyagari
>

--
Kiran Ayyagari
