Thank you Carlo and Kiran. Setting the system property solves the problem. But Kiran- I *am* using the ApacheDS directory client and still seem to need to use the system setting.
I am using the api-all-1.0.0-M22.jar version package. My imports:

    import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicy;
    import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyImpl;
    import org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyDecorator;
    import org.apache.directory.api.ldap.model.message.BindRequest;
    import org.apache.directory.api.ldap.model.message.BindRequestImpl;
    import org.apache.directory.api.ldap.model.message.BindResponse;
    import org.apache.directory.api.ldap.model.message.Control;
    import org.apache.directory.api.ldap.model.message.Response;
    import org.apache.directory.api.ldap.model.message.ResultCodeEnum;
    import org.apache.directory.api.ldap.model.name.Dn;
    import org.apache.directory.ldap.client.api.LdapConnection;
    import org.apache.directory.ldap.client.api.LdapNetworkConnection;

On Tue, May 20, 2014 at 6:56 AM, Kiran Ayyagari <[email protected]> wrote:

> On Tue, May 20, 2014 at 3:11 AM, <[email protected]> wrote:
>
> > Hi,
> > I had the same issue last year and Kiran suggested adding this line
> > somewhere in your code.
> >
> >     System.setProperty("extra.controls",
> >         "org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyFactory");
> >
> yes, and this is not needed if you are using client API version >= 1.0.0-M21
>
> > I put it in the static initializer of the class that handles the pw policy
> > responses. Worked for me.
> >
> > -----Original Message-----
> > From: Sathya S [mailto:[email protected]]
> > Sent: Monday, May 19, 2014 5:17 PM
> > To: [email protected]
> > Subject: Re: Password expiry enforcement
> >
> > Thanks,
> >
> > I am trying out code from:
> > svn.apache.org/repos/asf/directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/ppolicy/PasswordPolicyIT.java
> >
> > I am facing an issue when trying to access the PasswordPolicy -
> >
> >     PasswordPolicy PP_REQ_CTRL = new PasswordPolicyImpl();
> >
> >     BindRequest bindReq = new BindRequestImpl();
> >     bindReq.setDn(new Dn("uid=SathyaSkr,ou=people,dc=example,dc=com"));
> >     bindReq.setCredentials("helloworld");
> >     bindReq.addControl(PP_REQ_CTRL);
> >
> >     LdapConnection userCon = new LdapNetworkConnection("localhost", 10389);
> >     BindResponse bindResp = userCon.bind(bindReq);
> >
> >     Control control = bindResp.getControls().get("1.3.6.1.4.1.42.2.27.8.5.1");
> >     PasswordPolicy policy = ((PasswordPolicyDecorator) control).getDecorated();
> >
> > The last line throws me this exception:
> >
> >     java.lang.ClassCastException: org.apache.directory.api.ldap.codec.BasicControlDecorator cannot be cast to org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyDecorator
> >
> > This is the config on my server:
> >
> >     dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> >     ads-pwdminlength: 7
> >     ads-pwdinhistory: 5
> >     ads-pwdid: default
> >     ads-pwdcheckquality: 1
> >     ads-pwdlockout: TRUE
> >     ads-pwdlockoutduration: 0
> >     ads-pwdMaxAge: 120
> >     ads-pwdvalidator: com.sathya.MyPasswordPolicy
> >     ads-pwdmaxfailure: 5
> >     ads-pwdattribute: userPassword
> >     ads-pwdfailurecountinterval: 30
> >     entryParentId: 9d1262c2-6583-4dca-9abb-7b470cfd6b25
> >     ads-enabled: TRUE
> >     objectclass: top
> >     objectclass: ads-base
> >     objectclass: ads-passwordPolicy
> >     entryuuid: 7706635b-3da4-4c9b-aefd-bf059d38868d
> >     ads-pwdgraceauthnlimit: 1
> >     entryCSN: 20140519205014.514000Z#000000#001#000000
> >     modifyTimestamp: 20140519205014.514Z
> >     ads-pwdExpireWarning: 60
> >
> > Any input?
> >
> > On Mon, May 19, 2014 at 8:31 PM, Kiran Ayyagari <[email protected]> wrote:
> >
> > > On Mon, May 19, 2014 at 5:31 PM, Sathya Skr 75 <[email protected]> wrote:
> > >
> > > > Brilliant!! Thanks so much Kiran. That worked.
> > > >
> > > > But still don't get a warning before expiry. Some of my friends said
> > > > that this is something that needs to be built into the calling code
> > > > and not something that apacheds provides out of the box. Is that right?
> > > >
> > > you need to send password policy request control (OID is
> > > 1.3.6.1.4.1.42.2.27.8.5.1) to get the warning back, note that the
> > > error/warning will be present in the password policy response control
> > > present in the bind response
> > >
> > > > —
> > > > Sent from Mailbox
> > > >
> > > > On Sun, May 18, 2014 at 6:33 PM, Kiran Ayyagari <[email protected]> wrote:
> > > >
> > > > > On Sat, May 17, 2014 at 7:18 PM, Sathya S <[email protected]> wrote:
> > > > >
> > > > > > I am continuing on my experiments with getting password policies
> > > > > > functioning on ApacheDS and I am trying to enable password expiry and a
> > > > > > warning before the expiry.
> > > > > >
> > > > > > This is what I have configured on the server:
> > > > > >
> > > > > >     dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> > > > > >     ads-pwdminlength: 7
> > > > > >     ads-pwdinhistory: 5
> > > > > >     ads-pwdid: default
> > > > > >     ads-pwdcheckquality: 1
> > > > > >     ads-pwdlockout: TRUE
> > > > > >     ads-pwdlockoutduration: 0
> > > > > >     *ads-pwdMaxAge: 300*
> > > > > >     *ads-pwdExpireWarning: 180*
> > > > > >     ...
> > > > > >
> > > > > > My understanding of this is that a user's password is valid for 5 minutes
> > > > > > after which authentication would fail. After 3 minutes up to 5 minutes, he
> > > > > > would be able to login, but would receive a warning about impending expiry.
> > > > > > Is that correct?
> > > > > >
> > > > > yes, but you need to configure ads-pwdgraceauthnlimit (to >0) as well,
> > > > > otherwise bind operation always accepts the expired password
> > > > >
> > > > > > I restarted the server after making the above change.
> > > > > >
> > > > > > I have the below Java code to authenticate the user:
> > > > > >
> > > > > >     Hashtable<String, String> env = new Hashtable<String, String>();
> > > > > >     env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
> > > > > >     env.put(Context.PROVIDER_URL, "ldap://localhost:10389");
> > > > > >     // env.put(Context.SECURITY_AUTHENTICATION, "simple");
> > > > > >     env.put(Context.SECURITY_PRINCIPAL, "uid=Sathya,ou=people,dc=example,dc=com");
> > > > > >     env.put(Context.SECURITY_CREDENTIALS, "helloworld");
> > > > > >
> > > > > >     // Create the initial context
> > > > > >     DirContext ctx = new InitialDirContext(env);
> > > > > >
> > > > > > I created this user account almost an hour ago but the authentication
> > > > > > still goes through successfully. Anything I am missing here?
> > > > > >
> > > > > > Thanks.
> > > > > >
> > > > > --
> > > > > Kiran Ayyagari
> > > > > http://keydap.com
> > > > >
> > > --
> > > Kiran Ayyagari
> > > http://keydap.com
> > >
> --
> Kiran Ayyagari
> http://keydap.com
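The following is an added example, not code from this thread, from ApacheDS or from the Apache LDAP API project. It puts together the pieces the thread arrives at: the `extra.controls` system property in a static initializer (Carlo's workaround), a bind that carries the password policy request control, and then an actual check of the response control so that the expiry warning, the remaining grace binds and the expired/locked error Kiran describes are surfaced to the caller instead of being ignored. Host, port, DN and password are the placeholder values from the thread; the classes named in the thread are used as-is, and the `PasswordPolicyResponse` accessors (`hasResponse`, `getResponse`, `getTimeBeforeExpiration`, `getGraceAuthNRemaining`, `getPasswordPolicyError`) are assumed to match the 1.0.0-M22 API the poster is on.

```java
// Added example (not from the thread or from ApacheDS): bind with the password
// policy request control and interpret the password policy response control.
// Assumptions: ApacheDS reachable on localhost:10389, the user DN and password
// are the placeholders used in the thread, and the PasswordPolicyResponse
// accessor names match the 1.0.0-M22 client API.
import java.io.IOException;

import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicy;
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyErrorEnum;
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyImpl;
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyResponse;
import org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyDecorator;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.message.BindRequest;
import org.apache.directory.api.ldap.model.message.BindRequestImpl;
import org.apache.directory.api.ldap.model.message.BindResponse;
import org.apache.directory.api.ldap.model.message.Control;
import org.apache.directory.api.ldap.model.message.ResultCodeEnum;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.ldap.client.api.LdapConnection;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

public class PpolicyBindCheck {

    // OID of the password policy request/response control, as given in the thread.
    private static final String PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1";

    static {
        // Registers the control factory with the codec so the response control is
        // decoded as a PasswordPolicyDecorator rather than a BasicControlDecorator
        // (the workaround from the thread; per Kiran it should be unnecessary on >= 1.0.0-M21).
        System.setProperty("extra.controls",
            "org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyFactory");
    }

    /** What the bind told us once the policy response control has been read. */
    public enum Outcome { OK, WARNING, POLICY_ERROR, FAILED }

    public static Outcome bindWithPolicyCheck(String host, int port, String userDn, String password)
            throws LdapException, IOException {
        LdapConnection conn = new LdapNetworkConnection(host, port);
        try {
            BindRequest bindReq = new BindRequestImpl();
            bindReq.setDn(new Dn(userDn));
            bindReq.setCredentials(password);
            // Request control: without it the server sends no warning back.
            bindReq.addControl(new PasswordPolicyImpl());

            BindResponse bindResp = conn.bind(bindReq);
            ResultCodeEnum rc = bindResp.getLdapResult().getResultCode();

            Control control = bindResp.getControls().get(PPOLICY_OID);
            if (!(control instanceof PasswordPolicyDecorator)) {
                // No response control, or the factory is not registered (the ClassCastException
                // case from the thread): fall back to the bare result code.
                return rc == ResultCodeEnum.SUCCESS ? Outcome.OK : Outcome.FAILED;
            }

            PasswordPolicy policy = ((PasswordPolicyDecorator) control).getDecorated();
            if (!policy.hasResponse()) {
                return rc == ResultCodeEnum.SUCCESS ? Outcome.OK : Outcome.FAILED;
            }
            PasswordPolicyResponse resp = policy.getResponse();

            // Error (e.g. password expired with no grace binds left, account locked) wins.
            PasswordPolicyErrorEnum err = resp.getPasswordPolicyError();
            if (err != null) {
                System.out.println("password policy error: " + err);
                return Outcome.POLICY_ERROR;
            }
            if (rc != ResultCodeEnum.SUCCESS) {
                return Outcome.FAILED;
            }
            // Warning fields are -1 when the server did not set them.
            int secondsLeft = resp.getTimeBeforeExpiration();
            if (secondsLeft >= 0) {
                System.out.println("password expires in " + secondsLeft + " s");
                return Outcome.WARNING;
            }
            int graceLeft = resp.getGraceAuthNRemaining();
            if (graceLeft >= 0) {
                System.out.println("password expired; " + graceLeft + " grace bind(s) remaining");
                return Outcome.WARNING;
            }
            return Outcome.OK;
        } finally {
            conn.close();
        }
    }

    public static void main(String[] args) throws Exception {
        Outcome o = bindWithPolicyCheck("localhost", 10389,
            "uid=SathyaSkr,ou=people,dc=example,dc=com", "helloworld");
        System.out.println("bind outcome: " + o);
    }
}
```

With the policy entry quoted above (`ads-pwdMaxAge: 120`, `ads-pwdExpireWarning: 60`, `ads-pwdgraceauthnlimit: 1`), a bind in the last 60 seconds of the password's life returns `WARNING` with the seconds left, the first bind after expiry succeeds as a grace bind and reports how many remain, and the next one comes back with a policy error; the caller should treat `WARNING` as a prompt to change the password and `POLICY_ERROR` as a failed login, never as success.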
