I know this is going back a few months, but was this issue ever addressed? We've got some planned changes that involve a 3rd party tool that is going to make this issue very difficult for us to address in code.
Last I heard from Emmanuel on this is likely a bug, and should be fixed urgently. I'm not finding anything obvious in issues.apache.org that relates to this. -----Original Message----- From: Mike Davis [mailto:[email protected]] Sent: Wednesday, November 02, 2016 9:51 AM To: [email protected] Subject: RE: [ApacheDS | LDAP API] changing expired passwords Thanks. I was considering grace logins as a work around. Not my ideal scenario, but should work. Ideally, this work around should not be needed. Get Outlook for Android On Wed, Nov 2, 2016 at 9:46 AM -0400, "Accorsi, Carlo" <[email protected]> wrote: Hi - We're using API M32 and a server version a few releases back. We use the grace logins to raise errors (to change the password) before it's actually expired & locked. In the password policy we set the attribute ads-pwdgraceauthnlimit=4. The user then gets 4 more attempts to login after the password is expired but before it's locked out. You'll need to raise an error or warning so that they do it but a valid password gives them a few more logins. The PasswordPolicyResponse getGraceAuthNRemaining() method indicates how many grace logins are left for the user. We were not able to get the safe password function working, we just bind with the creds one last time before resetting the password using an admin bind. (This isn't ideal however because it uses one of the user's grace logins. So with the grace value set to 4, we only allow 3 grace logins, saving the last one for the password reset). Here are some code snips and hope it helps. /**Determine if user password is expired and all grace logins are used from PasswordPolicyResponse code. * @param ctrl The PasswordPolicyResponse object containing the response code * @return true when the password and grace logins are expired and the user cannot login, false otherwise. */ public static boolean isPasswordExpiredLocked(PasswordPolicyResponse ctrl) { if (ctrl != null){ // two grace logins are needed. One to login, one to change the password. // Account must lock if only one grace login remains because there are no binds left to change it. // Password is forced to change, but there are no expire warnings, ok. if (PasswordPolicyErrorEnum.CHANGE_AFTER_RESET == ctrl.getPasswordPolicyError() && ctrl.getGraceAuthNRemaining() == -1 ) { return false; } // Password is expired and there are no grace logins to clear it, fail. if ((ctrl.getTimeBeforeExpiration() == -1 && ctrl.getGraceAuthNRemaining() <= 1) || PasswordPolicyErrorEnum.PASSWORD_EXPIRED == ctrl.getPasswordPolicyError()) // need to set expired flag. { return true; } } return false; } /**Determine if user password must change from PasswordPolicyResponse code. * @param ctrl The PasswordPolicyResponse object containing the response code * @return true when the password must change, false otherwise. */ public static boolean isPasswordMustChange(PasswordPolicyResponse ctrl) { if (ctrl != null){ if (ctrl.getTimeBeforeExpiration() == -1 || (ctrl.getGraceAuthNRemaining() <= 2 && ctrl.getGraceAuthNRemaining() > -1)) // need to reset before LAST 2 logins { //System.out.println("Password must change. Expired in " + ctrl.getTimeBeforeExpiration()+ " seconds, " + ctrl.getGraceLoginsRemaining() + " logins remain . "); return true; } if (PasswordPolicyErrorEnum.CHANGE_AFTER_RESET == ctrl.getPasswordPolicyError()) { //System.out.println("Password was changed by admin and must change. "); return true; } if (PasswordPolicyErrorEnum.PASSWORD_EXPIRED == ctrl.getPasswordPolicyError()) { //System.out.println("Password has expired and must change. "); return true; } } return false; } //here's our relevant config dn: ads-pwdId=internal,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config objectClass: top objectClass: ads-base objectClass: ads-passwordPolicy ads-pwdId: internal ads-pwdSafeModify: FALSE // never got this to work. Password reset using admin bind. ads-pwdMaxAge: 5184000 // 60 days ads-pwdFailureCountInterval: 30 ads-pwdAttribute: userPassword ads-pwdMaxFailure: 5 ads-pwdLockout: TRUE ads-pwdMustChange: FALSE ads-pwdLockoutDuration: 0 // lock indefinitely. ads-pwdMinLength: 6 ads-pwdInHistory: 5 ads-pwdExpireWarning: 345600 // 4 days ads-pwdMinAge: 0 ads-pwdAllowUserChange: TRUE ads-pwdGraceAuthNLimit: 4 // allow 4 logins after expired (raising an error each time) ads-pwdCheckQuality: 1 ads-pwdMaxLength: 0 ads-pwdGraceExpire: 0 ads-pwdMinDelay: 0 ads-pwdMaxDelay: 0 ads-pwdMaxIdle: 0 ads-enabled: FALSE -----Original Message----- From: Mike Davis [mailto:[email protected]] Sent: Wednesday, November 02, 2016 7:36 AM To: [email protected] Subject: Re: [ApacheDS | LDAP API] changing expired passwords Thanks for the quick response. I have not set any of the grace login parameters at this time. Get Outlook for Android From: Emmanuel Lécharny Sent: Wednesday, November 2, 4:00 AM Subject: Re: [ApacheDS | LDAP API] changing expired passwords To: [email protected] Hi ! Le 01/11/16 à 22:03, Mike Davis a écrit : > I've run into an issue with either Apache DS or the Apache LDAP API, or > both. > > > > Here's the scenario. > > > > I have a user whose password is expired. I want to force the user to > change their password. However, I can't distinguish between a case where > the user knows the password and where the user doesn't. I always get a > PasswordException with > passwordPolicyError=PasswordPolicyErrorEnum.PASSWORD_EXPIRED and > resultCode = ResultCodeEnum.INVALID_CREDENTIALS. > > > > On top of that, the LdapConnectionTemplate.modifyPassword() method that > takes old and new password doesn't work, because the library is attempting > to bind with the users old password, and we just get the same > PasswordException as above. If I use the 'asAdmin' flag, then the old > password is never checked. > > > > I don't want to change the password as admin, because I have no way to > validate the user knows his old password. You should not be forced to use the admin flag to change an expired password. There is a paramter (pwdGraceUseTime) that let the user tries up a given delay to change an expired password. What is the value you have set for this parameter ? However, teh default should be infinite. I suspect there is a bug that should be fixed urgently... Hi ! Le 01/11/16 à 22:03, Mike Davis a écrit : > I've run into an issue with either Apache DS or the Apache LDAP API, > or both. > > > > Here's the scenario. > > > > I have a user whose password is expired. I want to force the user to > change their password. However, I can't distinguish between a case > where the user knows the password and where the user doesn't. I always > get a PasswordException with > passwordPolicyError=PasswordPolicyErrorEnum.PASSWORD_EXPIRED and > resultCode = ResultCodeEnum.INVALID_CREDENTIALS. > > > > On top of that, the LdapConnectionTemplate.modifyPassword() method > that takes old and new password doesn't work, because the library is > attempting to bind with the users old password, and we just get the > same PasswordException as above. If I use the 'asAdmin' flag, then the > old password is never checked. > > > > I don't want to change the password as admin, because I have no way to > validate the user knows his old password. You should not be forced to use the admin flag to change an expired password. There is a paramter (pwdGraceUseTime) that let the user tries up a given delay to change an expired password. What is the value you have set for this parameter ? However, teh default should be infinite. I suspect there is a bug that should be fixed urgently...
