Ah, right. Congratulations! I created DIRAPI-299.
Thanks for all your help with this. -----Original Message----- From: Emmanuel Lécharny [mailto:elecha...@gmail.com] Sent: Monday, August 07, 2017 5:48 PM To: users@directory.apache.org Subject: Re: [ApacheDS | LDAP API] changing expired passwords Hi Mike, sorry for having left this pb aside (was working on a more important release : a baby ;-) You should xreate a JIRA with a description of the problem (copy/paste the contet of your mail should be good enough). I can't guarantee a quick fix, being pretty busy atm, but I'll have a look. Please ping me if you don't see a response after a few days. Thanks ! Le 08/06/2017 à 20:32, Mike Davis a écrit : > I know this is going back a few months, but was this issue ever addressed? > We've got some planned changes that involve a 3rd party tool that is > going to make this issue very difficult for us to address in code. > > Last I heard from Emmanuel on this is likely a bug, and should be > fixed urgently. I'm not finding anything obvious in issues.apache.org > that relates to this. > > -----Original Message----- > From: Mike Davis [mailto:mda...@rez1.com] > Sent: Wednesday, November 02, 2016 9:51 AM > To: users@directory.apache.org > Subject: RE: [ApacheDS | LDAP API] changing expired passwords > > > > Thanks. I was considering grace logins as a work around. Not my ideal > scenario, but should work. > > > Ideally, this work around should not be needed. > > > > > Get Outlook for Android > > > > > > > On Wed, Nov 2, 2016 at 9:46 AM -0400, "Accorsi, Carlo" > <carlo.acco...@siemens.com> wrote: > > > > > > > Hi - We're using API M32 and a server version a few releases back. > > We use the grace logins to raise errors (to change the password) > before it's actually expired & locked. > > In the password policy we set the attribute ads-pwdgraceauthnlimit=4. > The user then gets 4 more attempts to login after the password is > expired but before it's locked out. You'll need to raise an error or > warning so that they do it but a valid password gives them a few more > logins. The PasswordPolicyResponse getGraceAuthNRemaining() method > indicates how many grace logins are left for the user. We were not > able to get the safe password function working, we just bind with the > creds one last time before resetting the password using an admin bind. > (This isn't ideal however because it uses one of the user's grace > logins. So with the grace value set to 4, we only allow 3 grace > logins, saving the last one for the password reset). > > Here are some code snips and hope it helps. > > /**Determine if user password is expired and all grace logins are used > from PasswordPolicyResponse code. > * @param ctrl The PasswordPolicyResponse object containing the > response code > * @return true when the password and grace logins are expired and > the user cannot login, false otherwise. > */ > public static boolean isPasswordExpiredLocked(PasswordPolicyResponse > ctrl) > { > if (ctrl != null){ > // two grace logins are needed. One to login, one to > change the > password. > // Account must lock if only one grace login remains > because there > are no binds left to change it. > > // Password is forced to change, but there are no > expire warnings, ok. > if (PasswordPolicyErrorEnum.CHANGE_AFTER_RESET == > ctrl.getPasswordPolicyError() && > ctrl.getGraceAuthNRemaining() == -1 ) > { > return false; > } > > // Password is expired and there are no grace logins to > clear it, fail. > if ((ctrl.getTimeBeforeExpiration() == -1 && > ctrl.getGraceAuthNRemaining() <= 1) > || > PasswordPolicyErrorEnum.PASSWORD_EXPIRED == > ctrl.getPasswordPolicyError()) // need to set expired flag. > { > return true; > } > } > return false; > } > > > /**Determine if user password must change from PasswordPolicyResponse > code. > * @param ctrl The PasswordPolicyResponse object containing the response > code > * @return true when the password must change, false otherwise. > */ > public static boolean isPasswordMustChange(PasswordPolicyResponse ctrl) > { > if (ctrl != null){ > if (ctrl.getTimeBeforeExpiration() == -1 || > (ctrl.getGraceAuthNRemaining() <= 2 && > ctrl.getGraceAuthNRemaining() > > -1)) // need to reset before LAST 2 logins > { > //System.out.println("Password must change. > Expired in " + > ctrl.getTimeBeforeExpiration()+ " seconds, " + > ctrl.getGraceLoginsRemaining() + " logins remain . "); > return true; > } > if (PasswordPolicyErrorEnum.CHANGE_AFTER_RESET == > ctrl.getPasswordPolicyError()) > { > //System.out.println("Password was changed by > admin and must change. > "); > return true; > } > if (PasswordPolicyErrorEnum.PASSWORD_EXPIRED == > ctrl.getPasswordPolicyError()) > { > //System.out.println("Password has expired and > must change. "); > return true; > } > } > return false; > } > > //here's our relevant config > > dn: > ads-pwdId=internal,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config > objectClass: top > objectClass: ads-base > objectClass: ads-passwordPolicy > ads-pwdId: internal > ads-pwdSafeModify: FALSE // never got this to work. Password reset using > admin bind. > ads-pwdMaxAge: 5184000 // 60 days > ads-pwdFailureCountInterval: 30 > ads-pwdAttribute: userPassword > ads-pwdMaxFailure: 5 > ads-pwdLockout: TRUE > ads-pwdMustChange: FALSE > ads-pwdLockoutDuration: 0 // lock indefinitely. > ads-pwdMinLength: 6 > ads-pwdInHistory: 5 > ads-pwdExpireWarning: 345600 // 4 days > ads-pwdMinAge: 0 > ads-pwdAllowUserChange: TRUE > ads-pwdGraceAuthNLimit: 4 // allow 4 logins after expired (raising an > error > each time) > ads-pwdCheckQuality: 1 > ads-pwdMaxLength: 0 > ads-pwdGraceExpire: 0 > ads-pwdMinDelay: 0 > ads-pwdMaxDelay: 0 > ads-pwdMaxIdle: 0 > ads-enabled: FALSE > > > > -----Original Message----- > From: Mike Davis [mailto:mda...@rez1.com] > Sent: Wednesday, November 02, 2016 7:36 AM > To: users@directory.apache.org > Subject: Re: [ApacheDS | LDAP API] changing expired passwords > > > > Thanks for the quick response. > > > I have not set any of the grace login parameters at this time. > > > > > Get Outlook for Android > > > > From: Emmanuel Lécharny > > Sent: Wednesday, November 2, 4:00 AM > > Subject: Re: [ApacheDS | LDAP API] changing expired passwords > > To: users@directory.apache.org > > > > Hi ! Le 01/11/16 à 22:03, Mike Davis a écrit : > I've run into an issue > with > either Apache DS or the Apache LDAP API, or > both. > > > > Here's the > scenario. > > > > I have a user whose password is expired. I want to force > the user to > change their password. However, I can't distinguish between > a > case where > the user knows the password and where the user doesn't. I > always get a > PasswordException with > > passwordPolicyError=PasswordPolicyErrorEnum.PASSWORD_EXPIRED and > > resultCode = ResultCodeEnum.INVALID_CREDENTIALS. > > > > On top of that, > the > LdapConnectionTemplate.modifyPassword() method that > takes old and new > password doesn't work, because the library is attempting > to bind with > the > users old password, and we just get the same > PasswordException as above. > If I use the 'asAdmin' flag, then the old > password is never checked. > > > > > > I don't want to change the password as admin, because I have no way to > > > validate the user knows his old password. You should not be forced to use > the admin flag to change an expired password. There is a paramter > (pwdGraceUseTime) that let the user tries up a given delay to change an > expired password. What is the value you have set for this parameter ? > However, teh default should be infinite. I suspect there is a bug that > should be fixed urgently... > Hi ! > > > Le 01/11/16 à 22:03, Mike Davis a écrit : >> I've run into an issue with either Apache DS or the Apache LDAP API, >> or both. >> >> >> >> Here's the scenario. >> >> >> >> I have a user whose password is expired. I want to force the user to >> change their password. However, I can't distinguish between a case >> where the user knows the password and where the user doesn't. I always >> get a PasswordException with >> passwordPolicyError=PasswordPolicyErrorEnum.PASSWORD_EXPIRED and >> resultCode = ResultCodeEnum.INVALID_CREDENTIALS. >> >> >> >> On top of that, the LdapConnectionTemplate.modifyPassword() method >> that takes old and new password doesn't work, because the library is >> attempting to bind with the users old password, and we just get the >> same PasswordException as above. If I use the 'asAdmin' flag, then the >> old password is never checked. >> >> >> >> I don't want to change the password as admin, because I have no way to >> validate the user knows his old password. > You should not be forced to use the admin flag to change an expired > password. There is a paramter (pwdGraceUseTime) that let the user tries up > a > given delay to change an expired password. What is the value you have set > for this parameter ? > > However, teh default should be infinite. I suspect there is a bug that > should be fixed urgently... > -- Emmanuel Lecharny Symas.com directory.apache.org