directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ludovic Poitou <ludovic.poi...@gmail.com>
Subject Re: Aw: Re: Password Expired Response Control
Date Wed, 26 Jun 2019 13:26:40 GMT
That Internet draft (draft-vchu-ldap-pwd-policy-00.txt) is a piece of
memory of how Netscape Directory Server 4.x was doing password policy.
The controls are the only piece that are still implemented in ForgeRock DS,
and it’s siblings (OUD, Ping Directory…), but they are also still
implemented in Oracle DSEE and Red-Hat Directory, mostly because they were
unsolicited and many clients are still able to deal with them.
I would be surprised if the control returned value with ForgeRock DS
actually differs from Sun/Oracle DSEE, as we used the same test suite to
validate the returned controls. But it’s very possible that it’s not really
compliant with the ASN.1 description of the control.

My 2 cents,

Ludo

—
Ludovic Poitou
http://ludopoitou.com

From: Jan Zelmer <jan.zelmer@gmx.net> <jan.zelmer@gmx.net>
Reply: Jan Zelmer <jan.zelmer@gmx.net> <jan.zelmer@gmx.net>
Date: 26 June 2019 at 15:11:42
To: dev@directory.apache.org <dev@directory.apache.org>
<dev@directory.apache.org>
Subject:  Aw: Re: Password Expired Response Control

Hi,

thank you for your effort :), I will have a look if the new version fixes
my problem.

Okay, I will create a Jira for this: DIRAPI-348

For the specification, I will contact the vendor and try to get a statement
to this matter.
It sounds awful to add functionality which is over a decade outdated.

I think there is a confusion regarding the control: 2.16.840.1.113730.3.4.4
states that a password is expired. There is a different control for telling
the user that its password expires during the expiry warning intervall:
2.16.840.1.113730.3.4.5. This will return an octet string to indicate the
time in seconds until the password expires.
https://docs.ldap.com/specs/draft-vchu-ldap-pwd-policy-00.txt 12.2 Bind
Operations
It could be, that I will run into this problem eventually.

Kind Regards,
Jan

> Gesendet: Dienstag, 25. Juni 2019 um 18:25 Uhr
> Von: "Emmanuel Lécharny" <elecharny@gmail.com>
> An: dev@directory.apache.org
> Betreff: Re: Password Expired Response Control
>
>I'll review your code (If you could create a JIRA with the classes
>attached, that would help everyone tracking this addition).
>
>Side note : the RFC draft you are pointing out has expired for more than
>2 decades... I'm not sure anyone but OpenDJ is implementing it. I think
>it has been overseeded by
>https://tools.ietf.org/html/draft-behera-ldap-password-policy-10.
>
> Also I would need the PDU sent back by the server that includes the
> control. The fact is that the RFC draft is not necessarily well
> implemented by Forgerock, as the value you expect to get is "0" while
> the draft mentions it's an OCTET STRING containing the number of seconds
> before expiration, which would be something like 0x04 0x01 0x00 (and
> even that is wrong, because the RFC draft is frankly broken, and it
> should be something like 0x02 0x01 0x00).
>
>
> ATM, I will assume it contains a value with just 0x30 ("0").
>
>
> On 25/06/2019 16:49, Jan Zelmer wrote:
> > Hi,
> >
> > I work for a bank in germany, and we are using ForgeRock Directory
Service (aka OpenDJ). We use it for storing authentication, authorisation
and personal information.
> > We have several Java applications in our pipeline and decided to use
your API because it is actively maintained and allows far more control than
the sun JNDI libs.
> >
> > We now got the problem, that people should be able to reset their
passwords, without knowing their old ones. (We authenticate and authorise
via other means)
> > So, at first we use an application bind with password-reset capabilites
to reset and generate a temporary password, with that we bind the user and
immediately change the password to the user desired one.
> > There is one problem: your api will crash during the bind request with
a Null Pointer Exception.
> >
> > I found that the api is not able to decode the control:
2.16.840.1.113730.3.4.4 (taken from here
https://docs.ldap.com/specs/draft-vchu-ldap-pwd-policy-00.txt); can not
find the according factory and stop processing the message.
> > The control is just about the expired password.
> >
> > After digging your code, I implemented missing factory and control.
(and manually registered that factory). Now my code works :)
> >
> > For the first time sending on this mail list, I don't want to attach a
zip. So heres the code in plain text. (I can't access git, because of
proxy, ssl interception and stuff)
> > Feel free to tell me your definition of Done and any comments, so I can
satisfy those.
> >
> > Kind Regards,
> > Jan Zelmer
> > Magdeburg,
> > Germany
> >
> > Interface:
> > import org.apache.directory.api.ldap.model.message.Control;
> >
> > public interface PasswordExpiredResponse extends Control {
> >
> > /** This control OID */
> > String OID = "2.16.840.1.113730.3.4.4";
> >
> > }
> >
> > Implementation:
> > import
org.apache.directory.api.ldap.model.message.controls.AbstractControl;
> >
> > public class PasswordExpiredResponseImpl extends AbstractControl
implements PasswordExpiredResponse {
> >
> >
> > public PasswordExpiredResponseImpl() {
> > super(OID);
> > }
> >
> >
> > /**
> > * Return a String representing this PasswordExpiredControl.
> > */
> > @Override
> > public String toString() {
> > StringBuilder sb = new StringBuilder();
> > sb.append( " Password Expired Response Control\n" );
> > sb.append( " oid : " ).append( getOid() ).append( '\n' );
> > sb.append( " critical : " ).append( isCritical() ).append( '\n' );
> > return sb.toString();
> > }
> >
> > }
> >
> > Factory:
> > import org.apache.directory.api.asn1.DecoderException;
> > import org.apache.directory.api.ldap.codec.api.AbstractControlFactory;
> > import org.apache.directory.api.ldap.codec.api.LdapApiService;
> > import org.apache.directory.api.ldap.model.message.Control;
> > import org.apache.directory.api.util.Strings;
> >
> > public class PasswordExpiredResponseFactory extends
AbstractControlFactory<PasswordExpiredResponse> {
> >
> > /**
> > * Creates a new instance of PasswordExpiredResponseFactory.
> > *
> > * @param codec The LDAP codec.
> > */
> > public PasswordExpiredResponseFactory( LdapApiService codec )
> > {
> > super( codec, PasswordExpiredResponse.OID );
> > }
> >
> > /**
> > * {@inheritDoc}
> > */
> > @Override
> > public Control newControl() {
> > return new PasswordExpiredResponseImpl();
> > }
> >
> > /**
> > * {@inheritDoc}
> > */
> > @Override
> > public void decodeValue( Control control, byte[] controlBytes ) throws
DecoderException {
> > try {
> > if (!Strings.utf8ToString( controlBytes ).equals("0")){
> > throw new DecoderException("An error occurred during decoding the
response message: found a non zero value" +
> > "for the password expired control value. According to the ldap
reference guide, only values of zero are valid.");
> > }
> > }
> > catch ( RuntimeException re ) {
> > throw new DecoderException( re.getMessage() );
> > }
> > }
> > }
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@directory.apache.org
> > For additional commands, e-mail: dev-help@directory.apache.org
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@directory.apache.org
> For additional commands, e-mail: dev-help@directory.apache.org
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@directory.apache.org
For additional commands, e-mail: dev-help@directory.apache.org

Mime
View raw message