Hi, thank you for your effort :), I will have a look if the new version fixes my problem.
Okay, I will create a Jira for this: DIRAPI-348

For the specification, I will contact the vendor and try to get a statement on this matter.
It sounds awful to add functionality which is over a decade outdated.

I think there is a confusion regarding the control: 2.16.840.1.113730.3.4.4 states that a
password is expired. There is a different control for telling the user that its password
expires during the expiry warning interval: 2.16.840.1.113730.3.4.5. This will return an
octet string to indicate the time in seconds until the password expires.
https://docs.ldap.com/specs/draft-vchu-ldap-pwd-policy-00.txt 12.2 Bind Operations

It could be that I will run into this problem eventually.

Kind Regards,
Jan

> Sent: Tuesday, 25 June 2019 at 18:25
> From: "Emmanuel Lécharny" <[email protected]>
> To: [email protected]
> Subject: Re: Password Expired Response Control
>
> I'll review your code (If you could create a JIRA with the classes
> attached, that would help everyone tracking this addition).
>
> Side note : the RFC draft you are pointing out has expired for more than
> 2 decades... I'm not sure anyone but OpenDJ is implementing it. I think
> it has been superseded by
> https://tools.ietf.org/html/draft-behera-ldap-password-policy-10.
>
> Also I would need the PDU sent back by the server that includes the
> control. The fact is that the RFC draft is not necessarily well
> implemented by Forgerock, as the value you expect to get is "0" while
> the draft mentions it's an OCTET STRING containing the number of seconds
> before expiration, which would be something like 0x04 0x01 0x00 (and
> even that is wrong, because the RFC draft is frankly broken, and it
> should be something like 0x02 0x01 0x00).
>
> ATM, I will assume it contains a value with just 0x30 ("0").
>
> On 25/06/2019 16:49, Jan Zelmer wrote:
> > Hi,
> >
> > I work for a bank in Germany, and we are using ForgeRock Directory Service
> > (aka OpenDJ). We use it for storing authentication, authorisation and
> > personal information.
> > We have several Java applications in our pipeline and decided to use your
> > API because it is actively maintained and allows far more control than the
> > Sun JNDI libs.
> >
> > We now have the problem that people should be able to reset their
> > passwords without knowing their old ones. (We authenticate and authorise
> > via other means.)
> > So, at first we use an application bind with password-reset capabilities to
> > reset and generate a temporary password; with that we bind the user and
> > immediately change the password to the one the user desires.
> > There is one problem: your API will crash during the bind request with a
> > Null Pointer Exception.
> >
> > I found that the API is not able to decode the control
> > 2.16.840.1.113730.3.4.4 (taken from here:
> > https://docs.ldap.com/specs/draft-vchu-ldap-pwd-policy-00.txt); it cannot
> > find the corresponding factory and stops processing the message.
> > The control is just about the expired password.
> >
> > After digging through your code, I implemented the missing factory and
> > control (and manually registered that factory). Now my code works :)
> >
> > Sending to this mailing list for the first time, I don't want to attach a zip.
> > So here's the code in plain text. (I can't access git, because of proxy, SSL
> > interception and stuff.)
> > Feel free to tell me your definition of Done and any comments, so I can
> > satisfy those.
> >
> > Kind Regards,
> > Jan Zelmer
> > Magdeburg,
> > Germany
> >
> > Interface:
> >
> >     import org.apache.directory.api.ldap.model.message.Control;
> >
> >     /**
> >      * Response control sent by the server when the bound user's password has expired.
> >      */
> >     public interface PasswordExpiredResponse extends Control {
> >
> >         /** This control OID */
> >         String OID = "2.16.840.1.113730.3.4.4";
> >     }
> >
> > Implementation:
> >
> >     import org.apache.directory.api.ldap.model.message.controls.AbstractControl;
> >
> >     public class PasswordExpiredResponseImpl extends AbstractControl implements
> >         PasswordExpiredResponse {
> >
> >         public PasswordExpiredResponseImpl() {
> >             super( OID );
> >         }
> >
> >         /**
> >          * Return a String representing this PasswordExpiredControl.
> >          */
> >         @Override
> >         public String toString() {
> >             StringBuilder sb = new StringBuilder();
> >             sb.append( "    Password Expired Response Control\n" );
> >             sb.append( "        oid : " ).append( getOid() ).append( '\n' );
> >             sb.append( "        critical : " ).append( isCritical() ).append( '\n' );
> >             return sb.toString();
> >         }
> >     }
> >
> > Factory:
> >
> >     import org.apache.directory.api.asn1.DecoderException;
> >     import org.apache.directory.api.ldap.codec.api.AbstractControlFactory;
> >     import org.apache.directory.api.ldap.codec.api.LdapApiService;
> >     import org.apache.directory.api.ldap.model.message.Control;
> >     import org.apache.directory.api.util.Strings;
> >
> >     public class PasswordExpiredResponseFactory extends
> >         AbstractControlFactory<PasswordExpiredResponse> {
> >
> >         /**
> >          * Creates a new instance of PasswordExpiredResponseFactory.
> >          *
> >          * @param codec The LDAP codec.
> >          */
> >         public PasswordExpiredResponseFactory( LdapApiService codec ) {
> >             super( codec, PasswordExpiredResponse.OID );
> >         }
> >
> >         /**
> >          * {@inheritDoc}
> >          */
> >         @Override
> >         public PasswordExpiredResponse newControl() {
> >             return new PasswordExpiredResponseImpl();
> >         }
> >
> >         /**
> >          * {@inheritDoc}
> >          */
> >         @Override
> >         public void decodeValue( Control control, byte[] controlBytes ) throws DecoderException {
> >             try {
> >                 // The server sends the ASCII string "0"; any other value is rejected.
> >                 if ( !"0".equals( Strings.utf8ToString( controlBytes ) ) ) {
> >                     throw new DecoderException( "An error occurred during decoding the response message: "
> >                         + "found a non-zero value for the password expired control value. "
> >                         + "According to the LDAP reference guide, only values of zero are valid." );
> >                 }
> >             }
> >             catch ( RuntimeException re ) {
> >                 throw new DecoderException( re.getMessage() );
> >             }
> >         }
> >     }
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [email protected]
> > For additional commands, e-mail: [email protected]
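The thread disagrees on how the control value is encoded: the bare ASCII "0" the server was observed to send, the OCTET STRING form a literal reading of the draft gives (0x04 0x01 0x00), and the INTEGER form Emmanuel says a correct ASN.1 encoding would use (0x02 0x01 0x00). The following is an added example, not code from the thread or from the Apache Directory project, that decodes all three forms for both the expired (.4) and expiring (.5) controls and rejects anything else; the function names and the acceptance of ASCII digits inside an OCTET STRING are assumptions.

```python
# Added example: tolerant decoder for the Netscape password-policy response
# control values discussed in the thread. Not part of the Apache Directory API.
OID_EXPIRED = "2.16.840.1.113730.3.4.4"   # password has expired, value "0"
OID_EXPIRING = "2.16.840.1.113730.3.4.5"  # password expires in N seconds


class ControlDecodeError(ValueError):
    """Raised when a control value matches none of the expected encodings."""


def decode_seconds(value: bytes) -> int:
    """Return the integer carried by a password-policy control value.

    Accepted encodings (first two observed/quoted in the thread, third assumed
    as the correct ASN.1 form):
      * bare ASCII digits, e.g. b"0"          (what ForgeRock/OpenDJ sends)
      * BER OCTET STRING,  e.g. 04 01 00      (the draft read literally)
      * BER INTEGER,       e.g. 02 01 00      (proper ASN.1 INTEGER)
    Anything else raises rather than being guessed at.
    """
    if not value:
        raise ControlDecodeError("empty control value")
    if value.isdigit():                       # b"0", b"300", ...
        return int(value)
    if len(value) < 2:
        raise ControlDecodeError("value too short for a BER TLV")
    tag, length, body = value[0], value[1], value[2:]
    # Short-form length only: seconds never need more than 127 bytes.
    if length > 127 or len(body) != length:
        raise ControlDecodeError("BER length does not match value")
    if tag == 0x02:                           # INTEGER, two's complement, big-endian
        return int.from_bytes(body, "big", signed=True)
    if tag == 0x04:                           # OCTET STRING: digits or raw big-endian
        return int(body) if body.isdigit() else int.from_bytes(body, "big")
    raise ControlDecodeError(f"unsupported BER tag 0x{tag:02x}")


def interpret(oid: str, value: bytes) -> str:
    """Map a (oid, value) response control to what the client should do."""
    seconds = decode_seconds(value)
    if seconds < 0:
        raise ControlDecodeError("negative seconds until expiry")
    if oid == OID_EXPIRED:
        if seconds != 0:                      # same strictness as the factory above
            raise ControlDecodeError("password expired control must carry zero")
        return "expired"
    if oid == OID_EXPIRING:
        return f"expires in {seconds}s"
    raise ControlDecodeError(f"not a password policy control: {oid}")
```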
