directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jan Zelmer" <Jan.Zel...@gmx.net>
Subject Aw: Re: Password Expired Response Control
Date Wed, 26 Jun 2019 13:11:30 GMT
Hi,

thank you for your effort :), I will have a look if the new version fixes my problem.

Okay, I will create a Jira for this: DIRAPI-348

For the specification, I will contact the vendor and try to get a statement to this matter.
It sounds awful to add functionality which is over a decade outdated.

I think there is a confusion regarding the control: 2.16.840.1.113730.3.4.4 states that a
password is expired. There is a different control for telling the user that its password expires
during the expiry warning intervall: 2.16.840.1.113730.3.4.5. This will return an octet string
to indicate the time in seconds until the password expires. https://docs.ldap.com/specs/draft-vchu-ldap-pwd-policy-00.txt
12.2 Bind Operations
It could be, that I will run into this problem eventually.

Kind Regards,
Jan

> Gesendet: Dienstag, 25. Juni 2019 um 18:25 Uhr
> Von: "Emmanuel L├ęcharny" <elecharny@gmail.com>
> An: dev@directory.apache.org
> Betreff: Re: Password Expired Response Control
>
>I'll review your code (If you could create a JIRA with the classes
>attached, that would help everyone tracking this addition).
>
>Side note : the RFC draft you are pointing out has expired for more than
>2 decades... I'm not sure anyone but OpenDJ is implementing it. I think
>it has been overseeded by
>https://tools.ietf.org/html/draft-behera-ldap-password-policy-10.
>
> Also I would need the PDU sent back by the server that includes the 
> control. The fact is that the RFC draft is not necessarily well 
> implemented by Forgerock, as the value you expect to get is "0" while 
> the draft mentions it's an OCTET STRING containing the number of seconds 
> before expiration, which would be something like 0x04 0x01 0x00 (and 
> even that is wrong, because the RFC draft is frankly broken, and it 
> should be something like 0x02 0x01 0x00).
> 
> 
> ATM, I will assume it contains a value with just 0x30 ("0").
> 
> 
> On 25/06/2019 16:49, Jan Zelmer wrote:
> > Hi,
> >
> > I work for a bank in germany, and we are using ForgeRock Directory Service (aka
OpenDJ). We use it for storing authentication, authorisation and personal information.
> > We have several Java applications in our pipeline and decided to use your API because
it is actively maintained and allows far more control than the sun JNDI libs.
> >
> > We now got the problem, that people should be able to reset their passwords, without
knowing their old ones. (We authenticate and authorise via other means)
> > So, at first we use an application bind with password-reset capabilites to reset
and generate a temporary password, with that we bind the user and immediately change the password
to the user desired one.
> > There is one problem: your api will crash during the bind request with a Null Pointer
Exception.
> >
> > I found that the api is not able to decode the control: 2.16.840.1.113730.3.4.4
(taken from here https://docs.ldap.com/specs/draft-vchu-ldap-pwd-policy-00.txt); can not find
the according factory and stop processing the message.
> > The control is just about the expired password.
> >
> > After digging your code, I implemented missing factory and control. (and manually
registered that factory). Now my code works :)
> >
> > For the first time sending on this mail list, I don't want to attach a zip. So heres
the code in plain text. (I can't access git, because of proxy, ssl interception and stuff)
> > Feel free to tell me your definition of Done and any comments, so I can satisfy
those.
> >
> > Kind Regards,
> > Jan Zelmer
> > Magdeburg,
> > Germany
> >
> > Interface:
> > import org.apache.directory.api.ldap.model.message.Control;
> >
> > public interface PasswordExpiredResponse extends Control {
> >
> >      /** This control OID */
> >      String OID = "2.16.840.1.113730.3.4.4";
> >
> > }
> >
> > Implementation:
> > import org.apache.directory.api.ldap.model.message.controls.AbstractControl;
> >
> > public class PasswordExpiredResponseImpl extends AbstractControl implements PasswordExpiredResponse
{
> >
> >
> >      public PasswordExpiredResponseImpl() {
> >          super(OID);
> >      }
> >
> >
> >      /**
> >       * Return a String representing this PasswordExpiredControl.
> >       */
> >      @Override
> >      public String toString() {
> >          StringBuilder sb = new StringBuilder();
> >          sb.append( "    Password Expired Response Control\n" );
> >          sb.append( "        oid : " ).append( getOid() ).append( '\n' );
> >          sb.append( "        critical : " ).append( isCritical() ).append( '\n'
);
> >          return sb.toString();
> >      }
> >
> > }
> >
> > Factory:
> > import org.apache.directory.api.asn1.DecoderException;
> > import org.apache.directory.api.ldap.codec.api.AbstractControlFactory;
> > import org.apache.directory.api.ldap.codec.api.LdapApiService;
> > import org.apache.directory.api.ldap.model.message.Control;
> > import org.apache.directory.api.util.Strings;
> >
> > public class PasswordExpiredResponseFactory extends AbstractControlFactory<PasswordExpiredResponse>
{
> >
> >      /**
> >       * Creates a new instance of PasswordExpiredResponseFactory.
> >       *
> >       * @param codec The LDAP codec.
> >       */
> >      public PasswordExpiredResponseFactory( LdapApiService codec )
> >      {
> >          super( codec, PasswordExpiredResponse.OID );
> >      }
> >
> >      /**
> >       * {@inheritDoc}
> >       */
> >      @Override
> >      public Control newControl() {
> >          return new PasswordExpiredResponseImpl();
> >      }
> >
> >      /**
> >       * {@inheritDoc}
> >       */
> >      @Override
> >      public void decodeValue( Control control, byte[] controlBytes ) throws DecoderException
{
> >          try {
> >               if (!Strings.utf8ToString( controlBytes ).equals("0")){
> >                   throw new DecoderException("An error occurred during decoding
the response message: found a non zero value" +
> >                           "for the password expired control value. According to
the ldap reference guide, only values of zero are valid.");
> >              }
> >          }
> >          catch ( RuntimeException re ) {
> >              throw new DecoderException( re.getMessage() );
> >          }
> >      }
> > }
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@directory.apache.org
> > For additional commands, e-mail: dev-help@directory.apache.org
> >
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@directory.apache.org
> For additional commands, e-mail: dev-help@directory.apache.org
> 
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@directory.apache.org
For additional commands, e-mail: dev-help@directory.apache.org


Mime
View raw message