(Apache DS) ads-pwdExpireWarning not working/supported?

Question

The Apache DS documentation (Advanced guide, chapter 2) mentions , in detail , all of the attributes that can be set for the password policy configuration.

Whilst some of the these work, ie we successfully manage to lock ourselves out after a configurable number of bad password attempts, we have found that one of them is not working? or perhaps we are using it incorrectly?

This is the pwdExpireWarning attribute. The documentation mentions this as follows (incorrectly specifying as a Boolean, when it should be a digit in seconds?).

"ads-pwdExpireWarning boolean 0 The maximum number of seconds before a password is due to expire, and that expiration warning messages will be returned to an authenticating user (0 means no message wil be sent to user)"

If we set ads-pwdMaxAge to 120 (just for test purposes), we correctly notice that the password does indeed expire after 120 seconds.

However, we also set ads-pwdExpireWarning to 60, hoping that after 60 seconds, when we try and login, (using Java JNDI code), we would get an error code indicating a warning that the password is about to expire. We get no such warnings, or maybe where should we look to notice this? Where should the Java code query to notice if such a warning has been flagged?

Does anyone know if this is a known issue, and in the current latest version of Apache DS, the ads-pwdExpireWarning attribute is not supported?

score 1 · Answer 1 · answered Jun 18 '13 at 07:00

1

As @EJP mentioned you need to pass the password policy control along with your request.

This is easy to achieve using the Apache LDAP API(IF possible try to move away from JNDI). Take a look at this example

answered Jun 18 '13 at 07:00

kayyagari

1,882
13
10

Thanks very much for this. Looking at the sample code is very useful, and it seems we can do everything we need. However, can you please provide a pom.xml to get the correct dependencies. When I try and run some of the sample tests I get the following error... – user2485980 Jun 20 '13 at 09:51
Multiple copies of resource named 'schema/ou=schema/cn=apachemeta/ou=matchingrules/m-oid=1.3.6.1.4.1.18060.0.4.0.1.3.ldif' located on classpath at urls (....Ive ommitted the 3 clashing jar files shown here) – user2485980 Jun 20 '13 at 09:54
I will provide details of my pom.xml. in a post (rather than a comment), as it is too long to go into the comment section..Many Thanks again, the API looks very useful – user2485980 Jun 20 '13 at 09:56
Sorry still not wrking..3 clashes are in 1 /org/apache/directory/api/api-ldap-client-all/1.0.0-M17/api-ldap-client-all-1.0.0-M17.jar!/schema/ou%3dschema/cn%3dapachemeta/ou%3dmatchingrules/m-oid%3d1.3.6.1.4.1.18060.0.4.0.1.3.ldif 2/org/apache/directory/shared/shared-ldap-schema-data/1.0.0-M7/shared-ldap-schema-data-1.0.0-M7.jar!/schema/ou%3dschema/cn%3dapachemeta/ou%3dmatchingrules/m-oid%3d1.3.6.1.4.1.18060.0.4.0.1.3.ldif 3/org/apache/directory/server/apacheds-all/2.0.0-M12/apacheds-all-2.0.0-M12.jar!/schema/ou%3dschema/cn%3dapachemeta/ou%3dmatchingrules/m-oid%3d1.3.6.1.4.1.18060.0.4.0.1.3.ldif – user2485980 Jun 21 '13 at 10:07
Apache Fortress Core's UserDAO.java is an example of code using the ApacheDS password policy control https://github.com/apache/directory-fortress-core/blob/master/src/main/java/org/apache/directory/fortress/core/impl/UserDAO.java – buzz3791 Jun 13 '17 at 19:34

score 0 · Answer 2 · answered Jun 17 '13 at 16:27

0

It might be that the server only starts the counter after a successful authentication, which is the only thing that makes sense in the case of an expire warning.

answered Jun 17 '13 at 16:27

Terry Gardner

10,957
2
28
38

score 0 · Answer 3 · answered Jun 17 '13 at 21:49

You need to use extra request controls to get the password policy warnings. Sadly you have to write them yourself as JNDI does not provide them, and it's no joke as you have to cope with ASN.1 parsing. I wrote a set of these myself, but they are for OpenLDAP, not ApacheDS, which uses different attribute names, not sure if they will work for that.

score 0 · Answer 4 · answered Jun 20 '13 at 10:00

As mentioned, I was having trouble using the LDAP API examples provided in another answer (even though it looked very useful). My pom.xml dependencies that I am using are as follows...

    <dependency>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
      <version>1.2.14</version>
      <scope>provided</scope>
    </dependency>

    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-log4j12</artifactId>
      <version>1.5.10</version>
      <scope>provided</scope>
    </dependency>

<dependency>
    <groupId>org.apache.directory.api</groupId>
    <artifactId>api-ldap-client-all</artifactId>
    <version>1.0.0-M17</version>
</dependency>

<dependency>
    <groupId>org.apache.directory.api</groupId>
    <artifactId>api-ldap-extras-util</artifactId>
    <version>1.0.0-M17</version>
</dependency>

<dependency>
    <groupId>org.apache.directory.api</groupId>
    <artifactId>api-ldap-extras-codec-api</artifactId>
    <version>1.0.0-M17</version>
</dependency>

<dependency>
    <groupId>org.apache.directory.api</groupId>
    <artifactId>api-ldap-extras-codec</artifactId>
    <version>1.0.0-M17</version>
</dependency>

<dependency>
      <groupId>org.apache.directory.server</groupId>
      <artifactId>apacheds-core-integ</artifactId>
      <version>2.0.0-M2</version>
</dependency>

<dependency>
    <groupId>org.apache.directory.server</groupId>
    <artifactId>apacheds-all</artifactId>
    <version>2.0.0-M12</version>
</dependency>

Try excluding the api-ldap-schema-data artifact from the apacheds-all dependency org.apache.directory.server apacheds-all 2.0.0-M12 org.apache.directory.api api-ldap-schema-data — kayyagari, Jun 20 '13 at 18:40
Still not wrking.3clashes are1 /org/apache/directory/api/api-ldap-client-all/1.0.0-M17/api-ldap-client-all-1.0.‌0-M17.jar!/schema/ou%3dschema/cn%3dapachemeta/ou%3dmatchingrules/m-oid%3d1.3.6.1.‌4.1.18060.0.4.0.1.3.ldif 2/org/apache/directory/shared/shared-ldap-schema-data/1.0.0-M7/shared-ldap-schem‌a-data-1.0.0-M7.jar!/schema/ou%3dschema/cn%3dapachemeta/ou%3dmatchingrules/m-oid%‌3d1.3.6.1.4.1.18060.0.4.0.1.3.ldif 3/org/apache/directory/server/apacheds-all/2.0.0-M12/apacheds-all-2.0.0-M12.jar!‌/schema/ou%3dschema/cn%3dapachemeta/ou%3dmatchingrules/m-oid%3d1.3.6.1.4.1.18060.‌0.4.0.1.3.ldif — user2485980, Jun 21 '13 at 10:08
Can you please just copy in or send the pom.xml file, so we have all of the correct dependencies to get the test code that you sent up and working. The documentation on the apache page, seems way out of date. I would really like to get this API up and running to see if we can utilize it to carry put our particular requirements. — user2485980, Jun 21 '13 at 11:54

(Apache DS) ads-pwdExpireWarning not working/supported?

4 Answers4