
I am trying to write an application which would let a user manage users on an LDAP system. One feature of this is the "Forgot Password" functionality.

  1. The user uses my app to reset his password.
  2. I ask some security questions and, if they are answered correctly, I redirect him to a new screen - the new password screen.
  3. The user provides only the new password (as he has forgotten his old one).
  4. I use the admin Context and reset the user's password (using modifyAttributes(..)).
  5. The LDAP system sets pwdReset to true, indicating that the password was changed by an admin and must be changed by the user.

Now, I do want to set this to false, because I don't want the user to change his password again (as he already did in the above steps), so I explicitly modify it to false. But I get the error

    javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Object Class Violation]; remaining name 'cn=XXXX,ou=XXXXOU,O=XXXX'

What is the way around this? Is there some other alternative?

For reference, the code to reset pwdReset is as under:

        import java.util.ArrayList;
        import java.util.List;
        import javax.naming.directory.BasicAttribute;
        import javax.naming.directory.DirContext;
        import javax.naming.directory.ModificationItem;

        // Replace pwdReset with the single value "false" using the admin context.
        // This is the call that raises the Object Class Violation shown above.
        List<ModificationItem> modsList = new ArrayList<ModificationItem>();
        BasicAttribute attribute = new BasicAttribute(ATTR_PASSWORDRESET, "false");
        modsList.add(new ModificationItem(DirContext.REPLACE_ATTRIBUTE, attribute));
        ModificationItem[] modsArr = modsList.toArray(new ModificationItem[modsList.size()]);
        this.adminCtx.modifyAttributes(userName, modsArr);


And here is my pwdPolicy

(screenshots of the pwdPolicy entry, not reproduced here)


1 Answer

I've just spent two weeks proving to myself that OpenLDAP doesn't actually do step #5 at all, despite what the wording of the RFC draft appears to mean. I also found a message in the OpenLDAP Mail archives confirming that they think it isn't supposed to do that. So what is happening is that there is no pwdReset attribute to set to false, so you're getting a schema violation trying to add it with that value. So, all you have to do is nothing.

It would probably be safer just to set pwdReset to null, which removes it completely, or just remove it with DirContext.REMOVE_ATTRIBUTE. My code doesn't use ModificationItem, which is another clue, more like:

// An attribute with no values and REMOVE_ATTRIBUTE deletes pwdReset outright
BasicAttributes attributes = new BasicAttributes();
attributes.put(new BasicAttribute(ATTR_PASSWORDRESET));
this.adminCtx.modifyAttributes(userName, DirContext.REMOVE_ATTRIBUTE, attributes);

The above also means that if you want it set to TRUE you have to do so yourself.

  • I am on an LDAP system, and it does set `pwdReset` to true when I (as admin) am resetting a user's password. I tried your code, but it gives the same exception – SimpleGuy Dec 16 '16 at 08:52
  • I added screenshot – SimpleGuy Dec 16 '16 at 08:53
  • Btw, I believe that in your case OpenLDAP was not doing anything because password policy wasn't enabled – SimpleGuy Dec 16 '16 at 09:10
  • The password policy overlay in my system has been enabled for six years. I am changing the password with the extended password-modify operation. – user207421 Dec 16 '16 at 11:02
  • Then I am not sure why it isn't setting `pwdReset` to `true` in your case... because it is setting it to `true` in my case.. – SimpleGuy Dec 16 '16 at 11:03
  • Can you post your actual policy in your question, and also your code for changing the password? – user207421 Dec 16 '16 at 11:05
  • The code is the one in the question.. what do you mean by `actual policy`? – SimpleGuy Dec 16 '16 at 11:06
  • I mean the content of the `pwdPolicy` entry: the settings of all the policy variables, e.g. `pwdMustChange`. I don't see any actual real code for changing the password. – user207421 Dec 16 '16 at 11:06
  • But still not with the change-password code. But it all seems to be irrelevant as you aren't using OpenLDAP, despite your tag, and I am. – user207421 Dec 16 '16 at 11:12
  • **So why the [tag:openldap] tag?** I've wasted a lot of time here assuming we were using the same LDAP server. We aren't. – user207421 Dec 16 '16 at 11:15
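As an added example (not code from the question or the answer), a helper that follows the answer's advice: it requests the operational attribute pwdReset by name, and removes it only when the server actually set it, so the REPLACE-to-"false" path that produced the object class violation is never taken. The class and method names and the attribute-name constant are assumptions; `adminCtx` is the admin DirContext from the question, and the removal succeeds only if the server lets an admin modify pwdReset.

```java
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.NoSuchAttributeException;

/** Hypothetical helper; not code from the question or the answer. */
public final class PwdResetCleaner {
    // Operational attribute maintained by the password policy overlay (name taken from the thread).
    private static final String ATTR_PASSWORDRESET = "pwdReset";

    private PwdResetCleaner() {}

    /**
     * Returns true if pwdReset was present on the entry and has now been removed,
     * false if the server never set it. Operational attributes are not returned by
     * a plain getAttributes() call, so the attribute is requested explicitly.
     */
    public static boolean clearPwdReset(DirContext adminCtx, String userDn) throws NamingException {
        Attributes current = adminCtx.getAttributes(userDn, new String[] { ATTR_PASSWORDRESET });
        Attribute pwdReset = current.get(ATTR_PASSWORDRESET);
        if (pwdReset == null) {
            // The answer's case: the overlay did not set it, so there is nothing to clear.
            // A REPLACE with "false" here would try to add the attribute, which is what
            // raised the Object Class Violation in the question.
            return false;
        }
        // An attribute with no values combined with REMOVE_ATTRIBUTE deletes the whole attribute.
        Attributes removal = new BasicAttributes();
        removal.put(new BasicAttribute(ATTR_PASSWORDRESET));
        try {
            adminCtx.modifyAttributes(userDn, DirContext.REMOVE_ATTRIBUTE, removal);
        } catch (NoSuchAttributeException e) {
            // It vanished between the read and the modify (e.g. the user already changed
            // the password); treat it as already cleared.
            return false;
        }
        return true;
    }
}
```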