On Tue, May 20, 2014 at 3:11 AM, <[email protected]> wrote:

> Hi,
> I had the same issue last year and Kiran suggested adding this line
> somewhere in your code.
>
> System.setProperty("extra.controls", "org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyFactory");
>

yes, and this is not needed if you are using client API version >= 1.0.0-M21

> I put it in the static initializer of the class that handles the pw policy
> responses. Worked for me.
>
>
>
> -----Original Message-----
> From: Sathya S [mailto:[email protected]]
> Sent: Monday, May 19, 2014 5:17 PM
> To: [email protected]
> Subject: Re: Password expiry enforcement
>
> Thanks,
>
> I am trying out code from :
>
> svn.apache.org/repos/asf/directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/ppolicy/PasswordPolicyIT.java
>
> I am facing an issue when trying to access the PasswordPolicy -
> PasswordPolicy PP_REQ_CTRL = new PasswordPolicyImpl();
>
> BindRequest bindReq = new BindRequestImpl();
> bindReq.setDn(new Dn("uid=SathyaSkr,ou=people,dc=example,dc=com"));
> bindReq.setCredentials("helloworld");
> bindReq.addControl(PP_REQ_CTRL);
>
> LdapConnection userCon = new LdapNetworkConnection("localhost", 10389);
> BindResponse bindResp = userCon.bind(bindReq);
>
> Control control = bindResp.getControls().get("1.3.6.1.4.1.42.2.27.8.5.1");
> PasswordPolicy policy = ((PasswordPolicyDecorator) control).getDecorated();
>
> The last line throws me this exception:
> java.lang.ClassCastException: org.apache.directory.api.ldap.codec.BasicControlDecorator cannot be cast to org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyDecorator
>
> This is the config on my server:
>
> dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> ads-pwdminlength: 7
> ads-pwdinhistory: 5
> ads-pwdid: default
> ads-pwdcheckquality: 1
> ads-pwdlockout: TRUE
> ads-pwdlockoutduration: 0
> ads-pwdMaxAge: 120
> ads-pwdvalidator: com.sathya.MyPasswordPolicy
> ads-pwdmaxfailure: 5
> ads-pwdattribute: userPassword
> ads-pwdfailurecountinterval: 30
> entryParentId: 9d1262c2-6583-4dca-9abb-7b470cfd6b25
> ads-enabled: TRUE
> objectclass: top
> objectclass: ads-base
> objectclass: ads-passwordPolicy
> entryuuid: 7706635b-3da4-4c9b-aefd-bf059d38868d
> ads-pwdgraceauthnlimit: 1
> entryCSN: 20140519205014.514000Z#000000#001#000000
> modifyTimestamp: 20140519205014.514Z
> ads-pwdExpireWarning: 60
>
> Any input?
>
>
>
> On Mon, May 19, 2014 at 8:31 PM, Kiran Ayyagari <[email protected]> wrote:
>
> > On Mon, May 19, 2014 at 5:31 PM, Sathya Skr 75 <[email protected]> wrote:
> >
> > > Brilliant!! Thanks so much Kiran. That worked.
> > >
> > > But still don't get a warning before expiry. Some of my friends said
> > > that this is something that needs to be built into the calling code
> > > and not something that apacheds provides out of the box. Is that right?
> > >
> > you need to send password policy request control (OID is
> > 1.3.6.1.4.1.42.2.27.8.5.1) to get the warning back, note that the
> > error/warning will be present in the password policy response control
> > present in the bind response
> >
> > >
> > > —
> > > Sent from Mailbox
> > >
> > > On Sun, May 18, 2014 at 6:33 PM, Kiran Ayyagari <[email protected]> wrote:
> > >
> > > > On Sat, May 17, 2014 at 7:18 PM, Sathya S <[email protected]> wrote:
> > > >> I am continuing on my experiments with getting password policies
> > > >> functioning on ApacheDS and I am trying to enable password expiry
> > > >> and a warning before the expiry.
> > > >>
> > > >> This is what I have configured on the server:
> > > >>
> > > >> dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> > > >> ads-pwdminlength: 7
> > > >> ads-pwdinhistory: 5
> > > >> ads-pwdid: default
> > > >> ads-pwdcheckquality: 1
> > > >> ads-pwdlockout: TRUE
> > > >> ads-pwdlockoutduration: 0
> > > >>
> > > >> *ads-pwdMaxAge: 300*
> > > >> *ads-pwdExpireWarning: 180*
> > > >> ...
> > > >>
> > > >> My understanding of this is that a user's password is valid for 5 minutes
> > > >> after which authentication would fail. After 3 minutes up to 5 minutes, he
> > > >> would be able to login, but would receive a warning about impending expiry.
> > > >> Is that correct?
> > > >>
> > > > yes, but you need to configure ads-pwdgraceauthnlimit (to >0) as well,
> > > > otherwise bind operation
> > > > always accepts the expired password
> > > >> I restarted the server after making the above change.
> > > >>
> > > >> I have the below Java code to authenticate the user:
> > > >>
> > > >> Hashtable<String, String> env = new Hashtable<String, String>();
> > > >> env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
> > > >> env.put(Context.PROVIDER_URL, "ldap://localhost:10389");
> > > >> //
> > > >> env.put(Context.SECURITY_AUTHENTICATION, "simple");
> > > >> env.put(Context.SECURITY_PRINCIPAL, "uid=Sathya,ou=people,dc=example,dc=com");
> > > >> env.put(Context.SECURITY_CREDENTIALS, "helloworld");
> > > >>
> > > >> // Create the initial context
> > > >>
> > > >> DirContext ctx = new InitialDirContext(env);
> > > >>
> > > >> I created this user account almost an hour ago but the authentication still
> > > >> goes through successfully. Anything I am missing here?
> > > >>
> > > >> Thanks.
> > > >>
> > > > --
> > > > Kiran Ayyagari
> > > > http://keydap.com
> > > >
> > >
> >
> > --
> > Kiran Ayyagari
> > http://keydap.com
> >
>
--
Kiran Ayyagari
http://keydap.com
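
Added example (not part of the original thread and not Apache Directory code): the password policy response control that the thread says to read from the bind response carries a small BER-encoded value, and this decoder shows what is inside it, following the PasswordPolicyResponseValue layout of the LDAP password policy draft (draft-behera-ldap-password-policy). The class name and the sample byte arrays are constructed for illustration; how the raw value is obtained from a particular client library is not shown.

```java
public class PpolicyResponseValue {            // added example; the class name is hypothetical
    static final String[] ERRORS = { "passwordExpired", "accountLocked", "changeAfterReset",
        "passwordModNotAllowed", "mustSupplyOldPassword", "insufficientPasswordQuality",
        "passwordTooShort", "passwordTooYoung", "passwordInHistory" };
    Integer timeBeforeExpiration, graceAuthNsRemaining;  // warning fields, null when absent
    String error;                                        // null when the server sent no error
    private final byte[] buf;
    private int pos;
    PpolicyResponseValue(byte[] value) {
        buf = value;
        if (next() != 0x30 || length() != buf.length - pos) fail("expected one SEQUENCE");
        while (pos < buf.length) {
            int tag = next(), len = length();
            if (tag == 0xA0) {                 // warning [0], wrapping a CHOICE
                int choice = next(), v = integer(length());
                if (choice == 0x80) timeBeforeExpiration = v;       // seconds until expiry
                else if (choice == 0x81) graceAuthNsRemaining = v;  // binds left after expiry
            } else if (tag == 0x81) {          // error [1] ENUMERATED
                int code = integer(len);
                error = code < ERRORS.length ? ERRORS[code] : "unknown(" + code + ")";
            } else pos += len;                 // skip elements this decoder does not know
        }
    }
    private static int fail(String m) { throw new IllegalArgumentException(m); }
    private int next() {                       // next byte as 0..255, or fail on truncation
        return pos < buf.length ? buf[pos++] & 0xFF : fail("truncated value");
    }
    private int length() {                     // short-form lengths only; the value is tiny
        int b = next();
        return b < 0x80 ? b : fail("long-form length not supported");
    }
    private int integer(int len) {             // non-negative INTEGER or ENUMERATED, 1..4 bytes
        if (len < 1 || len > 4 || pos >= buf.length || buf[pos] < 0) fail("bad integer");
        int v = 0;
        while (len-- > 0) v = (v << 8) | next();
        return v;
    }
    public static void main(String[] args) {
        byte[][] samples = {                   // constructed sample values, not captured traffic
            { 0x30, 0x05, (byte) 0xA0, 0x03, (byte) 0x80, 0x01, 0x3C },  // warning: 60 s left
            { 0x30, 0x05, (byte) 0xA0, 0x03, (byte) 0x81, 0x01, 0x01 },  // warning: 1 grace bind
            { 0x30, 0x03, (byte) 0x81, 0x01, 0x00 },                     // error: passwordExpired
        };
        for (byte[] s : samples) {
            PpolicyResponseValue r = new PpolicyResponseValue(s);
            System.out.println("expiresIn=" + r.timeBeforeExpiration + " grace=" + r.graceAuthNsRemaining + " error=" + r.error);
        }
    }
}
```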
