directory-fortress mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Shawn McKinney <smckin...@apache.org>
Subject Re: Using REST API to get user's locked and reset states
Date Thu, 08 Jun 2017 17:06:26 GMT
Need to change core to support pw policies in apacheds formally.  Ticket open:
https://issues.apache.org/jira/browse/FC-211

Shawn


> On Jun 8, 2017, at 11:25 AM, Shawn McKinney <smckinney@apache.org> wrote:
> 
> I finally got around to trying this myself.  Changing the ldap.server.type prop as described
means fortress will process the pw policy ops.  I was able to verify on a test against apacheds,
new response pasted below.  I noticed before that you don’t have the pwpolicy attribute
set on your user which means the default policy for the server will be enforced.  
> 
> Let me know if you have any more questions.
> 
> 
> <FortResponse>
>  <errorCode>0</errorCode>
>  <entity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="user">
>    <modId>18e5955f-90cf-420a-8580-fc47be245f0a</modId>
>    <sequenceId>0</sequenceId>
>    <userId>foo1</userId>
>    <description>foo fighters 1</description>
>    <name>foo1 fighters</name>
>    <internalId>d301b72a-916f-4419-94a4-df24fc8ac7ad</internalId>
>    <ou>dev1</ou>
>    <pwPolicy>cn=test1</pwPolicy>
>    <sn>fighters</sn>
>    <cn>foo1 fighters</cn>
>    <dn>uid=foo1,ou=People,dc=example,dc=com</dn>
>    <address/>
>    <props>
>      <modId>8e4f30a3-d452-4fc0-9ac6-fd73b298990f</modId>
>      <sequenceId>0</sequenceId>
>      <entry>
>        <key>initAttrArrays</key>
>        <value/>
>      </entry>
>    </props>
>    <locked>true</locked>
>    <reset>true</reset>
>    <timeout>0</timeout>
>  </entity>
> </FortResponse>
> 
> Shawn
> 
>> On Jun 5, 2017, at 9:56 PM, Shawn McKinney <smckinney@apache.org> wrote:
>> 
>> Hey Brian,
>> 
>> can you add/replace with this fortress.properties:
>> 
>> ldap.server.type=openldap
>> 
>> and tell me what happens.  Normally I'd try it myself first but am sort of busy right
now.  Will have more time in a couple of days.
>> 
>> Thanks,
>> Shawn
>> 
>>> On Jun 5, 2017, at 8:41 AM, Brian Brooks (US) <Brian.Brooks@datapath.com>
wrote:
>>> 
>>> Good Morning Shawn,
>>> 
>>>> How did you enable pw policies in apacheds, can you point me to the setup
instructions you used?
>>> 
>>> We just setup a vanilla install of ApacheDS on a Windows 10 virtual machine using
apacheds-2.0.0-M23.exe downloaded from
>>> 
>>> http://directory.apache.org/apacheds/download/download-windows.html
>>> 
>>> The ApacheDS instances is configured with default settings which includes enabling
a default password policy.
>>> 
>>> http://directory.apache.org/apacheds/advanced-ug/4.3-password-policy.html
>>> 
>>> Dave setup the ApacheDS, when he gets back in the office I can confirm whether
he customized anything.
>>> 
>>> Here's an LDIF export of 
>>> 
>>> * ou=config
>>>  * ads-directoryServiceId=<default>
>>>      * ou=interceptors
>>>          * ads-interceptorId=authenticationInterceptor
>>>              * ou=passwordPolicies
>>> 
>>> from our ApacheDS installation of
>>> 
>>> 
>>> dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationIn
>>> terceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>>> objectclass: ads-passwordPolicy
>>> objectclass: ads-base
>>> objectclass: top
>>> ads-pwdattribute: userPassword
>>> ads-pwdid: default
>>> ads-enabled: TRUE
>>> ads-pwdallowuserchange: TRUE
>>> ads-pwdcheckquality: 1
>>> ads-pwdexpirewarning: 600
>>> ads-pwdfailurecountinterval: 30
>>> ads-pwdgraceauthnlimit: 5
>>> ads-pwdgraceexpire: 0
>>> ads-pwdinhistory: 5
>>> ads-pwdlockout: TRUE
>>> ads-pwdlockoutduration: 0
>>> ads-pwdmaxage: 0
>>> ads-pwdmaxdelay: 0
>>> ads-pwdmaxfailure: 5
>>> ads-pwdmaxidle: 0
>>> ads-pwdmaxlength: 0
>>> ads-pwdminage: 0
>>> ads-pwdmindelay: 0
>>> ads-pwdminlength: 5
>>> ads-pwdmustchange: FALSE
>>> ads-pwdsafemodify: FALSE
>>> ads-pwdvalidator: org.apache.directory.server.core.api.authn.ppolicy.Default
>>> PasswordValidator
>>> createtimestamp: 20170523201006.896Z
>>> creatorsname: uid=admin,ou=system
>>> entrycsn: 20170523201006.896000Z#000000#000#000000
>>> entryDN: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticat
>>> ionInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>>> entryParentId: 81135817-120c-4b89-81be-33f759cd5319
>>> entryuuid:: ZGYyYjI2OTctNzQ4OC00NzUzLWFiOGEtZWJhMmRhOTE1NmQ1
>>> nbChildren: 0
>>> nbSubordinates: 0
>>> subschemaSubentry: cn=schema
>>> 
>>> Brian Brooks
>>> Sr Software Engineer
>>> brian.brooks@datapath.com
>>> Office: +1 678 252 4498
>>> 2205 Northmont Pkwy, STE 100
>>> Duluth, GA 30096
>>> 
>>> -----Original Message-----
>>> From: Shawn McKinney [mailto:smckinney@apache.org] 
>>> Sent: Monday, June 05, 2017 8:23 AM
>>> To: fortress@directory.apache.org
>>> Subject: Re: Using REST API to get user's locked and reset states
>>> 
>>> Hi Brian,
>>> 
>>> I’ll need to setup an apacheds instance locally that matches your config. 
  
>>> 
>>> How did you enable pw policies in apacheds, can you point me to the setup instructions
you used?
>>> 
>>> In the meantime, here is a response via enmasse of user who’s account is both
locked and reset.  
>>> 
>>> The policy attributes are being populated.  But again I’m using openldap, and
need to run the exact same test with ads.
>>> 
>>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <FortResponse>
 <errorCode>0</errorCode>  <entity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="user">
>>> <modId>cb792bd1-c8fe-424f-a629-aad6c5572aa9</modId>
>>> <sequenceId>0</sequenceId>
>>> <userId>foo1</userId>
>>> <description>foo fighter</description>
>>> <name>foo1</name>
>>> <internalId>fdc4a7f3-62f7-47d4-aac4-bac4b7cdb551</internalId>
>>> <ou>dev1</ou>
>>> <pwPolicy>cn=test1</pwPolicy>
>>> <sn>fighter</sn>
>>> <cn>foo1</cn>
>>> <dn>uid=foo1,ou=People,dc=example,dc=com</dn>
>>> <address/>
>>> <props>
>>>   <modId>fc416338-69bd-46df-8b00-e1fd6be7ed9c</modId>
>>>   <sequenceId>0</sequenceId>
>>>   <entry>
>>>     <key>initAttrArrays</key>
>>>     <value/>
>>>   </entry>
>>> </props>
>>> <locked>true</locked>
>>> <reset>true</reset>
>>> <timeout>0</timeout>
>>> </entity>
>>> </FortResponse>
>>> 
>>> 
>>> Shawn
>>> 
>>> 
>>> 
>>> 
>>> 
>>>> On Jun 2, 2017, at 3:39 PM, Brian Brooks (US) <Brian.Brooks@datapath.com>
wrote:
>>>> 
>>>> Hi Shawn,
>>>> 
>>>> Dave and I work together.  He's on vacation for a couple days.
>>>> 
>>>>> Can you export that corresponding user entry into ldif and post it here?
>>>> 
>>>> Below is the dave user's entry exported to ldif (I omitted the jpegPhoto,
userPassword, and the 5 pwdHistory attributes). 
>>>> 
>>>> I don't see the policy attribute even though fotress-commander seems to successfully
commit the password policy assignment.  For example, I just tried to change another user's
password policy and tomcat recorded an HTTP 200 in it's access log.  I don't see any obvious
errors in the tomcat stdout/stderr/catalina logs.
>>>> 
>>>> 10.1.122.55 - test [02/Jun/2017:16:26:34 -0400] "POST 
>>>> /fortress-web/wicket/bookmarkable/org.apache.directory.fortress.web.Us
>>>> erPage?2-1.IBehaviorListener.0-layout-userdetailpanel-editFields-commi
>>>> t&wicket-ajax=true&wicket-ajax-baseurl=wicket%2Fbookmarkable%2Forg.apa
>>>> che.directory.fortress.web.UserPage%3F2 HTTP/1.1" 200 261634
>>>> 
>>>> dn: uid=dave,ou=People,dc=example,dc=com
>>>> objectClass: extensibleObject
>>>> objectClass: ftMods
>>>> objectClass: ftProperties
>>>> objectClass: ftUserAttrs
>>>> objectClass: organizationalPerson
>>>> objectClass: person
>>>> objectClass: inetOrgPerson
>>>> objectClass: top
>>>> cn: dave
>>>> ftId: 8f35b947-6db5-4e4f-a73a-98b448b15874
>>>> sn: dave
>>>> displayName: dave
>>>> ftCstr: dave$0$$$$$$$
>>>> ftModCode: AdminMgrImpl.resetPassword
>>>> ftModId: e351aa19-aded-4a92-ab3b-725c5c75ec9b
>>>> ftModifier: 70e12de5-cbf5-4152-b98a-89d185667bda
>>>> ftProps: initAttrArrays:
>>>> ftRA: fortress-rest-super-user
>>>> ftRC: fortress-rest-super-user$0$$$$$$$
>>>> ftSystem: FALSE
>>>> ou: dev0
>>>> uid: dave
>>>> createTimestamp: 20170531211627.651Z
>>>> creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
>>>> entryCSN: 20170601195338.392000Z#000000#001#000000
>>>> entryDN: uid=dave,ou=People,dc=example,dc=com
>>>> entryParentId: a59bdb1e-b9eb-40c1-acbc-6be60ee64b42
>>>> entryUUID:: M2MyNzc0YTctNWQzMy00ODdlLTk1ZWItMjZhNWNmMTJiYTkz
>>>> modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
>>>> modifyTimestamp: 20170601195338.057Z
>>>> nbChildren: 0
>>>> nbSubordinates: 0
>>>> pwdAccountLockedTime: 000001010000Z
>>>> pwdReset: TRUE
>>>> subschemaSubentry: cn=schema
>>>> 
>>>> 
>>>> Brian Brooks
>>>> Sr Software Engineer
>>>> brian.brooks@datapath.com
>>>> Office: +1 678 252 4498
>>>> 2205 Northmont Pkwy, STE 100
>>>> Duluth, GA 30096
>>>> 
>>>> -----Original Message-----
>>>> From: Shawn McKinney [mailto:smckinney@apache.org]
>>>> Sent: Thursday, June 01, 2017 6:12 PM
>>>> To: fortress@directory.apache.org
>>>> Subject: Re: Using REST API to get user's locked and reset states
>>>> 
>>>> Welcome Dave,
>>>> 
>>>> Can you export that corresponding user entry into ldif and post it here?
  We’ll need to see the operational attributes before trying to figure out where the problem
is.  
>>>> 
>>>> For example, here’s an export I did of test user ‘foo1’.  You can see
that I’ve put that user’s account into both a locked and reset state (in openldap).
>>>> 
>>>> You can also see this user’s password policy is ‘test1’.
>>>> 
>>>> dn: uid=foo1,ou=People,dc=example,dc=com
>>>> objectClass: extensibleObject
>>>> objectClass: ftMods
>>>> objectClass: ftProperties
>>>> objectClass: ftUserAttrs
>>>> objectClass: inetOrgPerson
>>>> objectClass: top
>>>> cn: foo1
>>>> ftId: fdc4a7f3-62f7-47d4-aac4-bac4b7cdb551
>>>> sn: fighter
>>>> description: foo fighter
>>>> displayName: foo1
>>>> ftCstr: foo1$0$$$$$$$
>>>> ftProps: initAttrArrays:
>>>> ou: dev1
>>>> uid: foo1
>>>> userPassword:: e1NTSEF9UVQ0K21NdE5lYTBwckFRTC96QlQ2akZrK1ZESTIxd3E=
>>>> createTimestamp: 20170601212713Z
>>>> creatorsName: cn=Manager,dc=example,dc=com
>>>> entryCSN: 20170601213012.870902Z#000000#000#000000
>>>> entryDN: uid=foo1,ou=People,dc=example,dc=com
>>>> entryUUID:: ZDJlMDE3YjItZGI1Yy0xMDM2LThlMzMtNTkzZmZmYzA1ODU4
>>>> hasSubordinates: FALSE
>>>> modifiersName: cn=Manager,dc=example,dc=com
>>>> modifyTimestamp: 20170601213012Z
>>>> pwdAccountLockedTime: 000001010000Z
>>>> pwdChangedTime: 20170601212844Z
>>>> pwdHistory:: 
>>>> MjAxNzA2MDEyMTI4NDRaIzEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjQwIzM
>>>> 4I3tTU0hBfXlSVm5jMjVUUThZN2libnVuVEpUR2VVY1pYeFBCdjFR
>>>> pwdPolicySubentry: cn=test1,ou=Policies,dc=example,dc=com
>>>> pwdReset: TRUE
>>>> structuralObjectClass: inetOrgPerson
>>>> subschemaSubentry: cn=Subschema
>>>> 
>>>> 
>>>> 
>>>> thanks
>>>> Shawn
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>>> On Jun 1, 2017, at 10:57 AM, David Erie (US) <David.Erie@datapath.com>
wrote:
>>>>> 
>>>>> Hello,
>>>>> We're evaluating Fortress with ApacheDS, and I'm trying to get a user's
account status (locked and reset, specifically) via the REST API for a user whose account
is locked and whose password has been reset.
>>>>> 
>>>>> What I get back is this:
>>>>> 
>>>>> <entity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
>>>>> xsi:type="user"> ..
>>>>>           <userId>dave</userId>
>>>>>           <locked>false</locked>
>>>>>           <reset>false</reset>
>>>>> ..
>>>>> </entity>
>>>>> 
>>>>> How can I tell that a user's account has been locked or reset when these
Boolean properties don't seem to contain the correct information?
>>>>> 
>>>>> Thank you,
>>>>> Dave
>>>> 
>>> 
>> 
> 


Mime
View raw message