directory-fortress mailing list archives

From Shawn McKinney <smckin...@apache.org>
Subject Re: Using REST API to get user's locked and reset states
Date Thu, 08 Jun 2017 16:25:36 GMT
I finally got around to trying this myself.  Changing the ldap.server.type prop as described
means fortress will process the pw policy ops.  I was able to verify on a test against apacheds,
new response pasted below.  I noticed before that you don’t have the pwpolicy attribute
set on your user which means the default policy for the server will be enforced.  

Let me know if you have any more questions.


<FortResponse>
  <errorCode>0</errorCode>
  <entity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="user">
    <modId>18e5955f-90cf-420a-8580-fc47be245f0a</modId>
    <sequenceId>0</sequenceId>
    <userId>foo1</userId>
    <description>foo fighters 1</description>
    <name>foo1 fighters</name>
    <internalId>d301b72a-916f-4419-94a4-df24fc8ac7ad</internalId>
    <ou>dev1</ou>
    <pwPolicy>cn=test1</pwPolicy>
    <sn>fighters</sn>
    <cn>foo1 fighters</cn>
    <dn>uid=foo1,ou=People,dc=example,dc=com</dn>
    <address/>
    <props>
      <modId>8e4f30a3-d452-4fc0-9ac6-fd73b298990f</modId>
      <sequenceId>0</sequenceId>
      <entry>
        <key>initAttrArrays</key>
        <value/>
      </entry>
    </props>
    <locked>true</locked>
    <reset>true</reset>
    <timeout>0</timeout>
  </entity>
</FortResponse>

Shawn

> On Jun 5, 2017, at 9:56 PM, Shawn McKinney <smckinney@apache.org> wrote:
> 
> Hey Brian,
> 
> can you add/replace with this fortress.properties:
> 
> ldap.server.type=openldap
> 
> and tell me what happens.  Normally I'd try it myself first but am sort of busy right now.  Will have more time in a couple of days.
> 
> Thanks,
> Shawn
> 
>> On Jun 5, 2017, at 8:41 AM, Brian Brooks (US) <Brian.Brooks@datapath.com> wrote:
>> 
>> Good Morning Shawn,
>> 
>>> How did you enable pw policies in apacheds, can you point me to the setup instructions you used?
>> 
>> We just set up a vanilla install of ApacheDS on a Windows 10 virtual machine using apacheds-2.0.0-M23.exe downloaded from
>> 
>> http://directory.apache.org/apacheds/download/download-windows.html
>> 
>> The ApacheDS instance is configured with default settings, which includes enabling a default password policy.
>> 
>> http://directory.apache.org/apacheds/advanced-ug/4.3-password-policy.html
>> 
>> Dave set up the ApacheDS; when he gets back in the office I can confirm whether he customized anything.
>> 
>> Here's an LDIF export of 
>> 
>> * ou=config
>>   * ads-directoryServiceId=<default>
>>       * ou=interceptors
>>           * ads-interceptorId=authenticationInterceptor
>>               * ou=passwordPolicies
>> 
>> from our ApacheDS installation of
>> 
>> 
>> dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>> objectclass: ads-passwordPolicy
>> objectclass: ads-base
>> objectclass: top
>> ads-pwdattribute: userPassword
>> ads-pwdid: default
>> ads-enabled: TRUE
>> ads-pwdallowuserchange: TRUE
>> ads-pwdcheckquality: 1
>> ads-pwdexpirewarning: 600
>> ads-pwdfailurecountinterval: 30
>> ads-pwdgraceauthnlimit: 5
>> ads-pwdgraceexpire: 0
>> ads-pwdinhistory: 5
>> ads-pwdlockout: TRUE
>> ads-pwdlockoutduration: 0
>> ads-pwdmaxage: 0
>> ads-pwdmaxdelay: 0
>> ads-pwdmaxfailure: 5
>> ads-pwdmaxidle: 0
>> ads-pwdmaxlength: 0
>> ads-pwdminage: 0
>> ads-pwdmindelay: 0
>> ads-pwdminlength: 5
>> ads-pwdmustchange: FALSE
>> ads-pwdsafemodify: FALSE
>> ads-pwdvalidator: org.apache.directory.server.core.api.authn.ppolicy.DefaultPasswordValidator
>> createtimestamp: 20170523201006.896Z
>> creatorsname: uid=admin,ou=system
>> entrycsn: 20170523201006.896000Z#000000#000#000000
>> entryDN: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>> entryParentId: 81135817-120c-4b89-81be-33f759cd5319
>> entryuuid:: ZGYyYjI2OTctNzQ4OC00NzUzLWFiOGEtZWJhMmRhOTE1NmQ1
>> nbChildren: 0
>> nbSubordinates: 0
>> subschemaSubentry: cn=schema
>> 
>> Brian Brooks
>> Sr Software Engineer
>> brian.brooks@datapath.com
>> Office: +1 678 252 4498
>> 2205 Northmont Pkwy, STE 100
>> Duluth, GA 30096
>> 
>> -----Original Message-----
>> From: Shawn McKinney [mailto:smckinney@apache.org] 
>> Sent: Monday, June 05, 2017 8:23 AM
>> To: fortress@directory.apache.org
>> Subject: Re: Using REST API to get user's locked and reset states
>> 
>> Hi Brian,
>> 
>> I’ll need to set up an apacheds instance locally that matches your config.
>> 
>> How did you enable pw policies in apacheds, can you point me to the setup instructions you used?
>> 
>> In the meantime, here is a response via enmasse of a user whose account is both locked and reset.
>> 
>> The policy attributes are being populated.  But again I’m using openldap, and need to run the exact same test with ads.
>> 
>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>> <FortResponse>
>>  <errorCode>0</errorCode>
>>  <entity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="user">
>>  <modId>cb792bd1-c8fe-424f-a629-aad6c5572aa9</modId>
>>  <sequenceId>0</sequenceId>
>>  <userId>foo1</userId>
>>  <description>foo fighter</description>
>>  <name>foo1</name>
>>  <internalId>fdc4a7f3-62f7-47d4-aac4-bac4b7cdb551</internalId>
>>  <ou>dev1</ou>
>>  <pwPolicy>cn=test1</pwPolicy>
>>  <sn>fighter</sn>
>>  <cn>foo1</cn>
>>  <dn>uid=foo1,ou=People,dc=example,dc=com</dn>
>>  <address/>
>>  <props>
>>    <modId>fc416338-69bd-46df-8b00-e1fd6be7ed9c</modId>
>>    <sequenceId>0</sequenceId>
>>    <entry>
>>      <key>initAttrArrays</key>
>>      <value/>
>>    </entry>
>>  </props>
>>  <locked>true</locked>
>>  <reset>true</reset>
>>  <timeout>0</timeout>
>> </entity>
>> </FortResponse>
>> 
>> 
>> Shawn
>> 
>> 
>> 
>> 
>> 
>>> On Jun 2, 2017, at 3:39 PM, Brian Brooks (US) <Brian.Brooks@datapath.com> wrote:
>>> 
>>> Hi Shawn,
>>> 
>>> Dave and I work together.  He's on vacation for a couple days.
>>> 
>>>> Can you export that corresponding user entry into ldif and post it here?
>>> 
>>> Below is the dave user's entry exported to ldif (I omitted the jpegPhoto, userPassword, and the 5 pwdHistory attributes).
>>> 
>>> I don't see the policy attribute even though fortress-commander seems to successfully commit the password policy assignment.  For example, I just tried to change another user's password policy and tomcat recorded an HTTP 200 in its access log.  I don't see any obvious errors in the tomcat stdout/stderr/catalina logs.
>>> 
>>> 10.1.122.55 - test [02/Jun/2017:16:26:34 -0400] "POST /fortress-web/wicket/bookmarkable/org.apache.directory.fortress.web.UserPage?2-1.IBehaviorListener.0-layout-userdetailpanel-editFields-commit&wicket-ajax=true&wicket-ajax-baseurl=wicket%2Fbookmarkable%2Forg.apache.directory.fortress.web.UserPage%3F2 HTTP/1.1" 200 261634
>>> 
>>> dn: uid=dave,ou=People,dc=example,dc=com
>>> objectClass: extensibleObject
>>> objectClass: ftMods
>>> objectClass: ftProperties
>>> objectClass: ftUserAttrs
>>> objectClass: organizationalPerson
>>> objectClass: person
>>> objectClass: inetOrgPerson
>>> objectClass: top
>>> cn: dave
>>> ftId: 8f35b947-6db5-4e4f-a73a-98b448b15874
>>> sn: dave
>>> displayName: dave
>>> ftCstr: dave$0$$$$$$$
>>> ftModCode: AdminMgrImpl.resetPassword
>>> ftModId: e351aa19-aded-4a92-ab3b-725c5c75ec9b
>>> ftModifier: 70e12de5-cbf5-4152-b98a-89d185667bda
>>> ftProps: initAttrArrays:
>>> ftRA: fortress-rest-super-user
>>> ftRC: fortress-rest-super-user$0$$$$$$$
>>> ftSystem: FALSE
>>> ou: dev0
>>> uid: dave
>>> createTimestamp: 20170531211627.651Z
>>> creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
>>> entryCSN: 20170601195338.392000Z#000000#001#000000
>>> entryDN: uid=dave,ou=People,dc=example,dc=com
>>> entryParentId: a59bdb1e-b9eb-40c1-acbc-6be60ee64b42
>>> entryUUID:: M2MyNzc0YTctNWQzMy00ODdlLTk1ZWItMjZhNWNmMTJiYTkz
>>> modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
>>> modifyTimestamp: 20170601195338.057Z
>>> nbChildren: 0
>>> nbSubordinates: 0
>>> pwdAccountLockedTime: 000001010000Z
>>> pwdReset: TRUE
>>> subschemaSubentry: cn=schema
>>> 
>>> 
>>> Brian Brooks
>>> Sr Software Engineer
>>> brian.brooks@datapath.com
>>> Office: +1 678 252 4498
>>> 2205 Northmont Pkwy, STE 100
>>> Duluth, GA 30096
>>> 
>>> -----Original Message-----
>>> From: Shawn McKinney [mailto:smckinney@apache.org]
>>> Sent: Thursday, June 01, 2017 6:12 PM
>>> To: fortress@directory.apache.org
>>> Subject: Re: Using REST API to get user's locked and reset states
>>> 
>>> Welcome Dave,
>>> 
>>> Can you export that corresponding user entry into ldif and post it here?   We’ll need to see the operational attributes before trying to figure out where the problem is.
>>> 
>>> For example, here’s an export I did of test user ‘foo1’.  You can see that I’ve put that user’s account into both a locked and reset state (in openldap).
>>> 
>>> You can also see this user’s password policy is ‘test1’.
>>> 
>>> dn: uid=foo1,ou=People,dc=example,dc=com
>>> objectClass: extensibleObject
>>> objectClass: ftMods
>>> objectClass: ftProperties
>>> objectClass: ftUserAttrs
>>> objectClass: inetOrgPerson
>>> objectClass: top
>>> cn: foo1
>>> ftId: fdc4a7f3-62f7-47d4-aac4-bac4b7cdb551
>>> sn: fighter
>>> description: foo fighter
>>> displayName: foo1
>>> ftCstr: foo1$0$$$$$$$
>>> ftProps: initAttrArrays:
>>> ou: dev1
>>> uid: foo1
>>> userPassword:: e1NTSEF9UVQ0K21NdE5lYTBwckFRTC96QlQ2akZrK1ZESTIxd3E=
>>> createTimestamp: 20170601212713Z
>>> creatorsName: cn=Manager,dc=example,dc=com
>>> entryCSN: 20170601213012.870902Z#000000#000#000000
>>> entryDN: uid=foo1,ou=People,dc=example,dc=com
>>> entryUUID:: ZDJlMDE3YjItZGI1Yy0xMDM2LThlMzMtNTkzZmZmYzA1ODU4
>>> hasSubordinates: FALSE
>>> modifiersName: cn=Manager,dc=example,dc=com
>>> modifyTimestamp: 20170601213012Z
>>> pwdAccountLockedTime: 000001010000Z
>>> pwdChangedTime: 20170601212844Z
>>> pwdHistory:: 
>>> MjAxNzA2MDEyMTI4NDRaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzM
>>> 4I3tTU0hBfXlSVm5jMjVUUThZN2libnVuVEpUR2VVY1pYeFBCdjFR
>>> pwdPolicySubentry: cn=test1,ou=Policies,dc=example,dc=com
>>> pwdReset: TRUE
>>> structuralObjectClass: inetOrgPerson
>>> subschemaSubentry: cn=Subschema
>>> 
>>> 
>>> 
>>> thanks
>>> Shawn
>>> 
>>> 
>>> 
>>> 
>>> 
>>>> On Jun 1, 2017, at 10:57 AM, David Erie (US) <David.Erie@datapath.com> wrote:
>>>> 
>>>> Hello,
>>>> We're evaluating Fortress with ApacheDS, and I'm trying to get a user's account status (locked and reset, specifically) via the REST API for a user whose account is locked and whose password has been reset.
>>>> 
>>>> What I get back is this:
>>>> 
>>>> <entity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="user"> ..
>>>>            <userId>dave</userId>
>>>>            <locked>false</locked>
>>>>            <reset>false</reset>
>>>> ..
>>>> </entity>
>>>> 
>>>> How can I tell that a user's account has been locked or reset when these Boolean properties don't seem to contain the correct information?
>>>> 
>>>> Thank you,
>>>> Dave
>>> 
>> 
> 
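The thread above turns on the gap between what the Fortress REST layer reports in `<locked>` and `<reset>` and what the directory actually holds in the password-policy operational attributes (`pwdAccountLockedTime`, `pwdReset`, `pwdPolicySubentry`). The script below is an added example, not code from the thread or from the Fortress project: it parses a `FortResponse` document and an LDIF export of the same user entry, derives the account state from each side, and reports any mismatch, which is exactly the symptom Dave described before `ldap.server.type` was set. The sample inputs are constructed from the `foo1` entry and the responses posted in the thread; the REST sample deliberately mirrors Dave's "false/false" result so the mismatch shows.

```python
"""Cross-check a Fortress REST 'user' response against the password-policy
operational attributes of the same entry exported as LDIF.
Added example; this is not code from the Fortress project."""
import base64
import xml.etree.ElementTree as ET

# Constructed sample: a FortResponse shaped like the one Dave posted, i.e.
# the REST layer claims the account is neither locked nor reset.
SAMPLE_REST_XML = """<FortResponse>
  <errorCode>0</errorCode>
  <entity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="user">
    <userId>foo1</userId>
    <ou>dev1</ou>
    <dn>uid=foo1,ou=People,dc=example,dc=com</dn>
    <locked>false</locked>
    <reset>false</reset>
    <timeout>0</timeout>
  </entity>
</FortResponse>"""

# Constructed sample: a trimmed LDIF export of the same entry, folded the way
# RFC 2849 folds long lines (a continuation line begins with one space).
SAMPLE_LDIF = """dn: uid=foo1,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: ftUserAttrs
uid: foo1
cn: foo1
sn: fighter
entryUUID:: ZDJlMDE3YjItZGI1Yy0xMDM2LThlMzMtNTkzZmZmYzA1ODU4
pwdAccountLockedTime: 000001010000Z
pwdChangedTime: 20170601212844Z
pwdHistory:: MjAxNzA2MDEyMTI4NDRaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzM
 4I3tTU0hBfXlSVm5jMjVUUThZN2libnVuVEpUR2VVY1pYeFBCdjFR
pwdPolicySubentry: cn=test1,ou=Policies,dc=example,dc=com
pwdReset: TRUE
"""


def parse_fort_response(xml_text: str) -> dict:
    """Extract the account-state fields from a FortResponse document."""
    root = ET.fromstring(xml_text)
    entity = root.find("entity")
    if entity is None:
        raise ValueError("FortResponse has no <entity> element")

    def text(tag):
        node = entity.find(tag)
        return node.text if node is not None else None

    return {
        "errorCode": int(root.findtext("errorCode", default="0")),
        "userId": text("userId"),
        "pwPolicy": text("pwPolicy"),           # absent in this sample
        "locked": text("locked") == "true",
        "reset": text("reset") == "true",
    }


def parse_ldif_entry(ldif_text: str) -> dict:
    """Parse one LDIF entry into {attribute: [values]}, unfolding continuation
    lines and decoding base64 ('::') values such as entryUUID and pwdHistory."""
    unfolded = []
    for raw in ldif_text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]             # RFC 2849 line folding
        else:
            unfolded.append(raw)
    entry = {}
    for line in unfolded:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        entry.setdefault(name.strip(), []).append(value)
    return entry


def account_state_from_ldif(entry: dict) -> dict:
    """Derive locked/reset/policy from the ppolicy operational attributes.
    pwdAccountLockedTime 000001010000Z is the ppolicy value for an account
    locked by an administrator rather than by failed logins."""
    return {
        "userId": entry.get("uid", [None])[0],
        "pwPolicy": entry.get("pwdPolicySubentry", [None])[0],
        "locked": "pwdAccountLockedTime" in entry,
        "reset": entry.get("pwdReset", ["FALSE"])[0].upper() == "TRUE",
    }


def cross_check(rest: dict, directory: dict) -> list:
    """Return human-readable mismatches between the REST view and the directory."""
    problems = []
    for field in ("locked", "reset"):
        if rest[field] != directory[field]:
            problems.append(f"{field}: REST says {rest[field]}, directory says {directory[field]}")
    if directory["pwPolicy"] is None:
        problems.append("no pwdPolicySubentry on entry: the server default policy applies")
    return problems


if __name__ == "__main__":
    rest_view = parse_fort_response(SAMPLE_REST_XML)
    dir_view = account_state_from_ldif(parse_ldif_entry(SAMPLE_LDIF))
    for problem in cross_check(rest_view, dir_view) or ["REST and directory agree"]:
        print(problem)
```

Run it against a real export by replacing the two constructed samples with the REST body and the `ldapsearch`/Apache Directory Studio LDIF of the same entry; two mismatch lines mean the REST layer is not reading the ppolicy operational attributes for that server type, while an empty result with a missing `pwdPolicySubentry` warning matches Shawn's note that the server default policy is in force.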

