directory-fortress mailing list archives

From Shawn McKinney <smckin...@apache.org>
Subject Re: Using REST API to get user's locked and reset states
Date Tue, 06 Jun 2017 02:56:28 GMT
Hey Brian,

can you add/replace with this fortress.properties:

ldap.server.type=openldap

and tell me what happens.  Normally I'd try it myself first but am sort of busy right now.  Will have more time in a couple of days.

Thanks,
Shawn

> On Jun 5, 2017, at 8:41 AM, Brian Brooks (US) <Brian.Brooks@datapath.com> wrote:
> 
> Good Morning Shawn,
> 
>> How did you enable pw policies in apacheds, can you point me to the setup instructions you used?
> 
> We just set up a vanilla install of ApacheDS on a Windows 10 virtual machine using apacheds-2.0.0-M23.exe downloaded from
> 
> http://directory.apache.org/apacheds/download/download-windows.html
> 
> The ApacheDS instance is configured with default settings, which includes enabling a default password policy.
> 
> http://directory.apache.org/apacheds/advanced-ug/4.3-password-policy.html
> 
> Dave set up the ApacheDS; when he gets back in the office I can confirm whether he customized anything.
> 
> Here's an LDIF export of 
> 
> * ou=config
>    * ads-directoryServiceId=<default>
>        * ou=interceptors
>            * ads-interceptorId=authenticationInterceptor
>                * ou=passwordPolicies
> 
> from our ApacheDS installation of
> 
> 
> dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> objectclass: ads-passwordPolicy
> objectclass: ads-base
> objectclass: top
> ads-pwdattribute: userPassword
> ads-pwdid: default
> ads-enabled: TRUE
> ads-pwdallowuserchange: TRUE
> ads-pwdcheckquality: 1
> ads-pwdexpirewarning: 600
> ads-pwdfailurecountinterval: 30
> ads-pwdgraceauthnlimit: 5
> ads-pwdgraceexpire: 0
> ads-pwdinhistory: 5
> ads-pwdlockout: TRUE
> ads-pwdlockoutduration: 0
> ads-pwdmaxage: 0
> ads-pwdmaxdelay: 0
> ads-pwdmaxfailure: 5
> ads-pwdmaxidle: 0
> ads-pwdmaxlength: 0
> ads-pwdminage: 0
> ads-pwdmindelay: 0
> ads-pwdminlength: 5
> ads-pwdmustchange: FALSE
> ads-pwdsafemodify: FALSE
> ads-pwdvalidator: org.apache.directory.server.core.api.authn.ppolicy.DefaultPasswordValidator
> createtimestamp: 20170523201006.896Z
> creatorsname: uid=admin,ou=system
> entrycsn: 20170523201006.896000Z#000000#000#000000
> entryDN: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> entryParentId: 81135817-120c-4b89-81be-33f759cd5319
> entryuuid:: ZGYyYjI2OTctNzQ4OC00NzUzLWFiOGEtZWJhMmRhOTE1NmQ1
> nbChildren: 0
> nbSubordinates: 0
> subschemaSubentry: cn=schema
> 
> Brian Brooks
> Sr Software Engineer
> brian.brooks@datapath.com
> Office: +1 678 252 4498
> 2205 Northmont Pkwy, STE 100
> Duluth, GA 30096
> 
> -----Original Message-----
> From: Shawn McKinney [mailto:smckinney@apache.org] 
> Sent: Monday, June 05, 2017 8:23 AM
> To: fortress@directory.apache.org
> Subject: Re: Using REST API to get user's locked and reset states
> 
> Hi Brian,
> 
> I’ll need to setup an apacheds instance locally that matches your config.    
> 
> How did you enable pw policies in apacheds, can you point me to the setup instructions you used?
> 
> In the meantime, here is a response via enmasse of a user whose account is both locked and reset.
> 
> The policy attributes are being populated.  But again I’m using openldap, and need to run the exact same test with ads.
> 
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <FortResponse>
> <errorCode>0</errorCode>
> <entity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="user">
>   <modId>cb792bd1-c8fe-424f-a629-aad6c5572aa9</modId>
>   <sequenceId>0</sequenceId>
>   <userId>foo1</userId>
>   <description>foo fighter</description>
>   <name>foo1</name>
>   <internalId>fdc4a7f3-62f7-47d4-aac4-bac4b7cdb551</internalId>
>   <ou>dev1</ou>
>   <pwPolicy>cn=test1</pwPolicy>
>   <sn>fighter</sn>
>   <cn>foo1</cn>
>   <dn>uid=foo1,ou=People,dc=example,dc=com</dn>
>   <address/>
>   <props>
>     <modId>fc416338-69bd-46df-8b00-e1fd6be7ed9c</modId>
>     <sequenceId>0</sequenceId>
>     <entry>
>       <key>initAttrArrays</key>
>       <value/>
>     </entry>
>   </props>
>   <locked>true</locked>
>   <reset>true</reset>
>   <timeout>0</timeout>
> </entity>
> </FortResponse>
> 
> 
> Shawn
> 
> 
> 
> 
> 
>> On Jun 2, 2017, at 3:39 PM, Brian Brooks (US) <Brian.Brooks@datapath.com> wrote:
>> 
>> Hi Shawn,
>> 
>> Dave and I work together.  He's on vacation for a couple days.
>> 
>>> Can you export that corresponding user entry into ldif and post it here?
>> 
>> Below is the dave user's entry exported to ldif (I omitted the jpegPhoto, userPassword, and the 5 pwdHistory attributes).
>> 
>> I don't see the policy attribute even though fortress-commander seems to successfully commit the password policy assignment.  For example, I just tried to change another user's password policy and tomcat recorded an HTTP 200 in its access log.  I don't see any obvious errors in the tomcat stdout/stderr/catalina logs.
>> 
>> 10.1.122.55 - test [02/Jun/2017:16:26:34 -0400] "POST /fortress-web/wicket/bookmarkable/org.apache.directory.fortress.web.UserPage?2-1.IBehaviorListener.0-layout-userdetailpanel-editFields-commit&wicket-ajax=true&wicket-ajax-baseurl=wicket%2Fbookmarkable%2Forg.apache.directory.fortress.web.UserPage%3F2 HTTP/1.1" 200 261634
>> 
>> dn: uid=dave,ou=People,dc=example,dc=com
>> objectClass: extensibleObject
>> objectClass: ftMods
>> objectClass: ftProperties
>> objectClass: ftUserAttrs
>> objectClass: organizationalPerson
>> objectClass: person
>> objectClass: inetOrgPerson
>> objectClass: top
>> cn: dave
>> ftId: 8f35b947-6db5-4e4f-a73a-98b448b15874
>> sn: dave
>> displayName: dave
>> ftCstr: dave$0$$$$$$$
>> ftModCode: AdminMgrImpl.resetPassword
>> ftModId: e351aa19-aded-4a92-ab3b-725c5c75ec9b
>> ftModifier: 70e12de5-cbf5-4152-b98a-89d185667bda
>> ftProps: initAttrArrays:
>> ftRA: fortress-rest-super-user
>> ftRC: fortress-rest-super-user$0$$$$$$$
>> ftSystem: FALSE
>> ou: dev0
>> uid: dave
>> createTimestamp: 20170531211627.651Z
>> creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
>> entryCSN: 20170601195338.392000Z#000000#001#000000
>> entryDN: uid=dave,ou=People,dc=example,dc=com
>> entryParentId: a59bdb1e-b9eb-40c1-acbc-6be60ee64b42
>> entryUUID:: M2MyNzc0YTctNWQzMy00ODdlLTk1ZWItMjZhNWNmMTJiYTkz
>> modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
>> modifyTimestamp: 20170601195338.057Z
>> nbChildren: 0
>> nbSubordinates: 0
>> pwdAccountLockedTime: 000001010000Z
>> pwdReset: TRUE
>> subschemaSubentry: cn=schema
>> 
>> 
>> Brian Brooks
>> Sr Software Engineer
>> brian.brooks@datapath.com
>> Office: +1 678 252 4498
>> 2205 Northmont Pkwy, STE 100
>> Duluth, GA 30096
>> 
>> -----Original Message-----
>> From: Shawn McKinney [mailto:smckinney@apache.org]
>> Sent: Thursday, June 01, 2017 6:12 PM
>> To: fortress@directory.apache.org
>> Subject: Re: Using REST API to get user's locked and reset states
>> 
>> Welcome Dave,
>> 
>> Can you export that corresponding user entry into ldif and post it here?   We’ll need to see the operational attributes before trying to figure out where the problem is.
>> 
>> For example, here’s an export I did of test user ‘foo1’.  You can see that I’ve put that user’s account into both a locked and reset state (in openldap).
>> 
>> You can also see this user’s password policy is ‘test1’.
>> 
>> dn: uid=foo1,ou=People,dc=example,dc=com
>> objectClass: extensibleObject
>> objectClass: ftMods
>> objectClass: ftProperties
>> objectClass: ftUserAttrs
>> objectClass: inetOrgPerson
>> objectClass: top
>> cn: foo1
>> ftId: fdc4a7f3-62f7-47d4-aac4-bac4b7cdb551
>> sn: fighter
>> description: foo fighter
>> displayName: foo1
>> ftCstr: foo1$0$$$$$$$
>> ftProps: initAttrArrays:
>> ou: dev1
>> uid: foo1
>> userPassword:: e1NTSEF9UVQ0K21NdE5lYTBwckFRTC96QlQ2akZrK1ZESTIxd3E=
>> createTimestamp: 20170601212713Z
>> creatorsName: cn=Manager,dc=example,dc=com
>> entryCSN: 20170601213012.870902Z#000000#000#000000
>> entryDN: uid=foo1,ou=People,dc=example,dc=com
>> entryUUID:: ZDJlMDE3YjItZGI1Yy0xMDM2LThlMzMtNTkzZmZmYzA1ODU4
>> hasSubordinates: FALSE
>> modifiersName: cn=Manager,dc=example,dc=com
>> modifyTimestamp: 20170601213012Z
>> pwdAccountLockedTime: 000001010000Z
>> pwdChangedTime: 20170601212844Z
>> pwdHistory:: MjAxNzA2MDEyMTI4NDRaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzM4I3tTU0hBfXlSVm5jMjVUUThZN2libnVuVEpUR2VVY1pYeFBCdjFR
>> pwdPolicySubentry: cn=test1,ou=Policies,dc=example,dc=com
>> pwdReset: TRUE
>> structuralObjectClass: inetOrgPerson
>> subschemaSubentry: cn=Subschema
>> 
>> 
>> 
>> thanks
>> Shawn
>> 
>> 
>> 
>> 
>> 
>>> On Jun 1, 2017, at 10:57 AM, David Erie (US) <David.Erie@datapath.com> wrote:
>>> 
>>> Hello,
>>> We're evaluating Fortress with ApacheDS, and I'm trying to get a user's account status (locked and reset, specifically) via the REST API for a user whose account is locked and whose password has been reset.
>>> 
>>> What I get back is this:
>>> 
>>> <entity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="user"> ..
>>>             <userId>dave</userId>
>>>             <locked>false</locked>
>>>             <reset>false</reset>
>>> ..
>>> </entity>
>>> 
>>> How can I tell that a user's account has been locked or reset when these Boolean properties don't seem to contain the correct information?
>>> 
>>> Thank you,
>>> Dave
>> 
> 
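As an added check (not code from this thread or from Fortress), the script below reads the ppolicy operational attributes straight from an LDIF export like the ones above and compares them with the locked/reset flags in a FortResponse, so a mismatch like Dave's can be confirmed against the directory itself. The LDIF and XML samples are constructed; the 000001010000Z sentinel and the "pwdLockoutDuration 0 means permanent" rule follow the password-policy draft both ApacheDS and OpenLDAP implement.

```python
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Constructed samples (not the thread's exports): 'dave' trimmed to the ppolicy
# operational attributes, and a FortResponse reporting both flags false.
SAMPLE_LDIF = """dn: uid=dave,ou=People,dc=example,dc=com
pwdAccountLockedTime: 000001010000Z
pwdReset: TRUE
"""
SAMPLE_XML = """<FortResponse><errorCode>0</errorCode>
<entity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="user">
<userId>dave</userId><locked>false</locked><reset>false</reset></entity></FortResponse>"""
PERMANENT_LOCK = "000001010000Z"  # ppolicy draft sentinel: locked until an admin unlocks

def parse_ldif_entry(text):
    """One LDIF record -> {attr lowercased: [values]}, unfolding ' '-continued lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):  # '::' marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def ldif_state(attrs, lockout_duration=0):
    """(locked, reset) from the entry; lockout_duration = policy pwdLockoutDuration (s), 0 = permanent."""
    reset = attrs.get("pwdreset", [""])[0].upper() == "TRUE"
    stamp = attrs.get("pwdaccountlockedtime", [None])[0]
    if stamp is None:
        return False, reset
    if stamp == PERMANENT_LOCK or lockout_duration == 0:
        return True, reset
    since = datetime.strptime(stamp.split(".")[0].rstrip("Z"), "%Y%m%d%H%M%S")
    expires = since.replace(tzinfo=timezone.utc) + timedelta(seconds=lockout_duration)
    return datetime.now(timezone.utc) < expires, reset

def rest_state(xml_text):
    entity = ET.fromstring(xml_text).find("entity")  # (locked, reset) as REST reports them
    return entity.findtext("locked") == "true", entity.findtext("reset") == "true"

def discrepancies(ldif_text, xml_text, lockout_duration=0):
    want, got = ldif_state(parse_ldif_entry(ldif_text), lockout_duration), rest_state(xml_text)
    return [n for n, w, g in zip(("locked", "reset"), want, got) if w != g]
```

Run `discrepancies()` on a real export and the matching FortResponse; for the dave entry above it reports both flags, which is the symptom this thread is chasing.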

