directory-dev mailing list archives

From "Hal Deadman (JIRA)" <>
Subject [jira] [Commented] (DIRSERVER-2202) pwdHistory not getting maintained when doing modify password with ldaptive client
Date Thu, 20 Jul 2017 14:14:02 GMT


Hal Deadman commented on DIRSERVER-2202:

Using the ApacheDS api the way I am below, it seems to be respecting the policy (and not resetting
the pwdHistory), although I don't think it is using the RFC 3062 method where the old and
new password are used to remove old password and add new (vs replace existing password). I
am connecting as the user changing the password so that accomplishes the same thing (and server
password policy seems to get enforced, although I have to inspect the response object to find
out that the password change failed due to constraint violation). I am probably done with
this for the time being b/c I have other things to do so I probably won't be trying out the
PasswordPolicyControl, but thanks. 

		// Imports assumed for this snippet (ApacheDS LDAP API 1.0.x); not in the original comment
		import java.nio.charset.Charset;
		import org.apache.directory.api.ldap.model.message.ModifyRequest;
		import org.apache.directory.api.ldap.model.message.ModifyRequestImpl;
		import org.apache.directory.api.ldap.model.message.ModifyResponse;
		import org.apache.directory.api.ldap.model.name.Dn;
		import org.apache.directory.ldap.client.api.LdapConnection;
		import org.apache.directory.ldap.client.api.LdapNetworkConnection;
		Dn userDn = new Dn( userDnStr );
		byte[] newPassword = newPasswordStr.getBytes( Charset.forName( "UTF-8" ) );
		LdapConnection userConnection = null;
		try {
			LOG.info( "Changing password for {} at {}:{}", userDnStr, ldapHost, ldapPort ); // logger name assumed; archive dropped the start of this line
			userConnection = new LdapNetworkConnection( ldapHost, ldapPort );
			// bind as the user whose password changes, so the server's password policy applies
			userConnection.bind( userDn.toString(), oldPassword );
			ModifyRequest modifyRequest = new ModifyRequestImpl();
			modifyRequest.setName( userDn );
			modifyRequest.replace( "userPassword", newPassword );
			// a policy violation is reported only in the response's result code, not thrown
			ModifyResponse response = userConnection.modify( modifyRequest );
			return response;
		} finally {
			if ( userConnection != null ) {
				userConnection.close(); // body of the original finally block was cut off
			}
		}

> pwdHistory not getting maintained when doing modify password with ldaptive client
> ---------------------------------------------------------------------------------
>                 Key: DIRSERVER-2202
>                 URL:
>             Project: Directory ApacheDS
>          Issue Type: Bug
>    Affects Versions: 2.0.0-M23
>         Environment: windows, ldaptive latest, java 8
>            Reporter: Hal Deadman
> If I connect as a non-admin user and modify my own password with Directory Studio, a new pwdHistory is added.
> If I modify the password programmatically, using the old/new password modifyPassword extended operation that should respect history, it is deleting all my history (and leaving a single pwdHistory entry). The code looks like this:
> {noformat}
> // imports needed by this snippet (ldaptive 1.x names); added here, not in the original report
> import org.ldaptive.Connection;
> import org.ldaptive.Credential;
> import org.ldaptive.DefaultConnectionFactory;
> import org.ldaptive.Response;
> import org.ldaptive.extended.PasswordModifyOperation;
> import org.ldaptive.extended.PasswordModifyRequest;
>
> // connecting as user that is trying to change their password
> org.ldaptive.Credential cred = new org.ldaptive.Credential(oldPassword);
> org.ldaptive.BindConnectionInitializer bindConnectionInit = new org.ldaptive.BindConnectionInitializer(userDn, cred);
> org.ldaptive.ConnectionConfig connectionConfig = new org.ldaptive.ConnectionConfig(ldapUrl);
> connectionConfig.setUseStartTLS(false);
> connectionConfig.setConnectionInitializer(bindConnectionInit);
> DefaultConnectionFactory userLdapConnectionFactory = new DefaultConnectionFactory(connectionConfig);
> try (Connection conn = userLdapConnectionFactory.getConnection()) {
>   conn.open(); // ldaptive 1.x needs an explicit open before operations; not in the original snippet
>   PasswordModifyOperation modify = new PasswordModifyOperation(conn);
>   // RFC 3062 password modify: old and new password are sent together in one extended operation
>   Response<Credential> response = modify.execute(new PasswordModifyRequest(userDn,
>       new Credential(oldPassword), new Credential(plaintextPassword)));
> }
> {noformat}
> Isn't the pwdHistory being maintained by the server? Why does a different client determine whether pwdHistory entries are added or not? (In this case they are not only not added, but multiple entries are replaced by a single one.)
> Ldaptive doesn't implement the LDAP protocol; in this case it is using JNDI as the provider of the LDAP protocol.
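Added example, not code from this thread or from the ApacheDS project: the comment's approach (bind as the user, replace userPassword) with the password-policy request control attached, so the caller learns which policy rule rejected the change instead of only seeing a constraintViolation result code that has to be dug out of the response object. Assumed: the ApacheDS LDAP API 1.0.x names for the ppolicy control classes, the SelfPasswordChange class and Outcome enum (this example's own), and that the server returns the response control when it rejects the change.

```java
import java.nio.charset.StandardCharsets;
import org.apache.directory.api.ldap.codec.api.LdapApiServiceFactory;
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicy;
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyErrorEnum;
import org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyDecorator;
import org.apache.directory.api.ldap.model.message.Control;
import org.apache.directory.api.ldap.model.message.ModifyRequest;
import org.apache.directory.api.ldap.model.message.ModifyRequestImpl;
import org.apache.directory.api.ldap.model.message.ModifyResponse;
import org.apache.directory.api.ldap.model.message.ResultCodeEnum;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.ldap.client.api.LdapConnection;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

public final class SelfPasswordChange {
    /** Caller-facing outcome; this enum is the example's own, not an API type. */
    public enum Outcome { CHANGED, REJECTED_BY_POLICY, FAILED }

    public static Outcome change( String host, int port, String userDnStr,
                                  String oldPassword, String newPassword ) throws Exception {
        Dn userDn = new Dn( userDnStr );
        try ( LdapConnection conn = new LdapNetworkConnection( host, port ) ) {
            // Bind as the user whose password is changing, so the server applies that
            // user's password policy (history, quality, age) to the modification.
            conn.bind( userDn.toString(), oldPassword );
            ModifyRequest req = new ModifyRequestImpl();
            req.setName( userDn );
            req.replace( "userPassword", newPassword.getBytes( StandardCharsets.UTF_8 ) );
            // Request the password-policy response control (draft-behera-ldap-password-policy).
            req.addControl( new PasswordPolicyDecorator( LdapApiServiceFactory.getSingleton() ) );
            ModifyResponse resp = conn.modify( req );
            ResultCodeEnum rc = resp.getLdapResult().getResultCode();
            if ( rc == ResultCodeEnum.SUCCESS ) {
                return Outcome.CHANGED;
            }
            // A policy rejection is a plain constraintViolation on the wire; the control,
            // when the server returns it, names the rule (e.g. PASSWORD_IN_HISTORY).
            Control c = resp.getControl( PasswordPolicy.OID );
            if ( c instanceof PasswordPolicy && ( ( PasswordPolicy ) c ).getResponse() != null ) {
                PasswordPolicyErrorEnum err = ( ( PasswordPolicy ) c ).getResponse().getPasswordPolicyError();
                System.err.println( "rejected by password policy: " + err );
                return Outcome.REJECTED_BY_POLICY;
            }
            if ( rc == ResultCodeEnum.CONSTRAINT_VIOLATION ) {
                return Outcome.REJECTED_BY_POLICY;
            }
            System.err.println( "failed: " + rc + " " + resp.getLdapResult().getDiagnosticMessage() );
            return Outcome.FAILED;
        }
    }
}
```

Because the modify is sent as the user rather than as an administrator, the server-side history check is what decides the outcome, which is the behaviour the report expects from the RFC 3062 extended operation as well.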

This message was sent by Atlassian JIRA
