I am accessing the HP-UX Directory Server through my Java code to reset and unlock a locked-out user account in the directory server.
Here is my code for user account password reset.
openConnection(details);
loadUserInformation((String) details.get("END_USER_NAME"));
// Replace the userPassword attribute with the new clear-text value; the server
// stores it according to its configured password storage scheme
ModificationItem[] mods = new ModificationItem[1];
Attribute mod0 = new BasicAttribute("userpassword", (String) details.get("NEW_PASSWORD"));
mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, mod0);
connection.modifyAttributes(user, mods);
closeConnection();
But I can't do the account unlock for the given user because I can't find the LDAP attribute for account lockout in my LDAP browser.
Looks like HP-UX Directory Server is a clone of Red Hat Directory Server.
First, which unlock are you trying to perform?
An account could be locked for different reasons depending on how you have set up your password policy.
If the account is in intruder-detection lockout, then you need to perform the following operation:
dn: uid=scarter,ou=people,dc=example,dc=com
changetype: modify
delete: passwordRetryCount
-
delete: accountUnlockTime
-jim
The correct answer is to configure the password policies first, then configure subtree-level or user-based password policies and account lockout policies, then make a user account get locked, and try the following code; it unlocks a locked-out account.
// Two REMOVE_ATTRIBUTE items with no values delete the whole attribute from the
// entry, which is what clears the intruder-detection lockout described above
ModificationItem[] mods = new ModificationItem[2];
mods[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, new BasicAttribute("passwordRetryCount"));
mods[1] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, new BasicAttribute("accountUnlockTime"));
connection.modifyAttributes(user, mods);
The entry's object class(es) define which attributes are allowed. You should lookup the entry's object class and try to find the correct attribute from there.
I'm trying to automate the following scenario with the EWS API:
user1 shares his calendar with user2 with permission level 'FreeBusyTimeAndSubjectAndLocation'
user1 creates an event in his calendar
user2 tries to get info about user1 event
Method to set the permission:
public void iWantFolderPermission(String email) throws Exception {
    PropertySet propSet = new PropertySet(BasePropertySet.IdOnly, FolderSchema.Permissions);
    // Specify the SMTP address of the other user and the folder permission level.
    FolderPermission fldperm = new FolderPermission(email, FolderPermissionLevel.FreeBusyTimeAndSubjectAndLocation);
    // Bind to the Calendar folder and get its current permissions.
    // This call results in a GetFolder call to EWS.
    Folder calendarFolder = Folder.bind(service, WellKnownFolderName.Calendar, propSet);
    // Add the permissions for the other user to the Calendar DACL.
    calendarFolder.getPermissions().add(fldperm);
    // This call results in an UpdateFolder call to EWS.
    calendarFolder.update();
}
But when I try to get an event from the shared calendar I get an error: microsoft.exchange.webservices.data.core.exception.service.remote.ServiceResponseException: The specified folder could not be found in the store.
If I set the permission to FolderPermissionLevel.Reviewer then everything works just fine.
So why can the shared calendar not be accessed with permission level FreeBusyTimeAndSubjectAndLocation?
FreeBusyTimeAndSubjectAndLocation only gives you access to a limited subset of information when using the GetUserAvailability operation (https://learn.microsoft.com/en-us/exchange/client-developer/web-service-reference/getuseravailability-operation); the appointment details are then returned in CalendarEventArray. To be able to access the folder items directly you need at least Reviewer rights.
We are working on a custom password reset tool which is currently able to reset the passwords for users (using the admin DN), but I need to also remove/modify some Operational Attributes in order to completely handle the business use cases. I connect to the LDAP server using:
private void connect() throws NamingException {
Properties props = new Properties();
props.put(INITIAL_CONTEXT_FACTORY, LDAP_CTX_FACTORY);
props.put(PROVIDER_URL, format("ldap://%s:%d/", config.ldapHost(), config.ldapPort()));
props.put(SECURITY_CREDENTIALS, config.ldapBindPassword());
props.put(SECURITY_PRINCIPAL, config.ldapBindUser());
props.put(SECURITY_AUTHENTICATION, "simple");
props.put(REFERRAL, "follow");
props.put(BATCHSIZE, "1000");
connection = new InitialLdapContext(props, null);
connection.setRequestControls(LDAPControls.controls());
LOG.debug("Successfully completed bind to LDAP server '{}'", config.ldapHost());
connected = true;
}
And I need to modify some operational attributes to do things like unlock accounts, update the modified time, etc.:
List<BasicAttribute> attrs = new ArrayList<>();
List<ModificationItem> mods = new ArrayList<>();
// Set password hash
attrs.add(new BasicAttribute("userPassword", "{SSHA}" + hashPassword(salt, password)));
mods.add(new ModificationItem(REPLACE_ATTRIBUTE, attrs.get(0)));
// Set last modified timestamp
attrs.add(new BasicAttribute("modifyTimestamp", date.withZone(UTC).format(now())));
mods.add(new ModificationItem(REPLACE_ATTRIBUTE, attrs.get(1)));
// Set password changed time
attrs.add(new BasicAttribute("pwdChangeTime", date.withZone(UTC).format(now())));
mods.add(new ModificationItem(REPLACE_ATTRIBUTE, attrs.get(2)));
// Remove password lock
attrs.add(new BasicAttribute("pwdAccountLockedTime"));
mods.add(new ModificationItem(REMOVE_ATTRIBUTE, attrs.get(3)));
// Clear password failure time
attrs.add(new BasicAttribute("pwdFailureTime"));
mods.add(new ModificationItem(REMOVE_ATTRIBUTE, attrs.get(4)));
this.reconnect();
ModificationItem[] modItems = new ModificationItem[mods.size()];
mods.toArray(modItems);
connection.modifyAttributes(getDN(email), modItems);
LOG.debug("Completed update of user password for '{}'", email);
return true;
But when I run this, I get:
LDAP: error code 21 - modifyTimestamp: value #0 invalid per syntax
Could anyone help me to figure out why?
How do I modify Operational Attributes in OpenLDAP from Java/JNDI?
You don't. The server does. That's what 'operational attribute' means.
I need to also remove/modify some Operational Attributes in order to completely handle the business use cases
Bad luck.
You should be using the 'ppolicy' overlay and the associated extended password-modify operations, rather than rolling all this yourself. It does everything you need, and if it doesn't you need to adjust your needs ;-)
NB: You should not hash the password yourself. OpenLDAP will do that for you when configured correctly.
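The extended operation the answer refers to is the LDAP Password Modify operation of RFC 3062 (OID 1.3.6.1.4.1.4203.1.11.1). The following is an added example, not the poster's code and not part of OpenLDAP: it builds the BER-encoded request value that a client sends in the ExtendedRequest and parses the optional response value, so the exchange can be inspected and tested offline without a server. The DN and passwords in the usage section are constructed.

```python
"""RFC 3062 Password Modify extended operation: request and response encoding.

Added example, not code from the post above and not part of OpenLDAP. It does
not talk to a server; it only encodes/decodes the extended-operation values.
"""

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"

# Context-specific primitive tags from the RFC 3062 ASN.1 definitions.
_TAG_USER_IDENTITY = 0x80  # [0] userIdentity
_TAG_OLD_PASSWD = 0x81     # [1] oldPasswd
_TAG_NEW_PASSWD = 0x82     # [2] newPasswd
_TAG_GEN_PASSWD = 0x80     # [0] genPasswd (response)
_TAG_SEQUENCE = 0x30


def _ber_length(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_tlv(tag, value):
    return bytes([tag]) + _ber_length(len(value)) + value


def _ber_read(buf, pos):
    """Read one TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length


def passwd_modify_request(user_dn=None, old_password=None, new_password=None):
    """Encode PasswdModifyRequestValue ::= SEQUENCE {
           userIdentity [0] OCTET STRING OPTIONAL,
           oldPasswd    [1] OCTET STRING OPTIONAL,
           newPasswd    [2] OCTET STRING OPTIONAL }
    All three are optional: an administrator resetting another user's password
    sends userIdentity and newPasswd only; omitting newPasswd asks the server
    to generate one and return it in the response.
    """
    body = b""
    if user_dn is not None:
        body += _ber_tlv(_TAG_USER_IDENTITY, user_dn.encode("utf-8"))
    if old_password is not None:
        body += _ber_tlv(_TAG_OLD_PASSWD, old_password.encode("utf-8"))
    if new_password is not None:
        body += _ber_tlv(_TAG_NEW_PASSWD, new_password.encode("utf-8"))
    return _ber_tlv(_TAG_SEQUENCE, body)


def parse_passwd_modify_response(value):
    """Decode PasswdModifyResponseValue ::= SEQUENCE { genPasswd [0] OCTET STRING OPTIONAL }.
    Returns the server-generated password, or None when the response carries
    no value (the normal case when the client supplied newPasswd itself)."""
    if not value:
        return None
    tag, seq, _ = _ber_read(value, 0)
    if tag != _TAG_SEQUENCE:
        raise ValueError("response value is not a SEQUENCE")
    if not seq:
        return None
    tag, gen, _ = _ber_read(seq, 0)
    if tag != _TAG_GEN_PASSWD:
        raise ValueError("unexpected tag in response value")
    return gen.decode("utf-8")


if __name__ == "__main__":
    # Constructed request: an admin-initiated reset for a hypothetical user DN.
    req = passwd_modify_request("uid=jdoe,ou=people,dc=example,dc=com", new_password="s3cret")
    print(PASSWD_MODIFY_OID, req.hex())
```

In JNDI these are exactly the bytes an implementation of javax.naming.ldap.ExtendedRequest returns from getEncodedValue(), with getID() returning the OID above; the request is then sent with ctx.extendedOperation(req), which must run over TLS because the new password travels in the clear inside the value. With the ppolicy overlay active, OpenLDAP hashes the password and maintains pwdChangedTime itself, which is the point of the answer above.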
I am trying to access the VersionOne data using the V1APIConnector. I can verify that I am using the correct data and meta URLs. I also have the correct domain/username and password.
But every time I execute the code below, I get an authentication error saying the username/password is invalid and my account gets locked.
Once I unlocked my account, I tried again and the account was locked again. I am the V1 Administrator so I have the permissions.
Our VersionOne instance uses Windows Integrated Authentication. Also, my username is in the format mydomain/myusername.
Is there any different way to pass the credentials? Since my account is getting locked, it must mean at least the domain and the username are being passed correctly. Any Ideas?
V1APIConnector dataConnector = new V1APIConnector( _dataUrl, _username, _password);
V1APIConnector metaConnector = new V1APIConnector( _metaUrl );
IMetaModel metaModel = new MetaModel(metaConnector);
IServices services = new Services(metaModel, dataConnector);
System.out.println("Creating query");
IAssetType defectType = metaModel.getAssetType("Defect");
Query query = new Query(defectType);
IAttributeDefinition nameAttribute = defectType.getAttributeDefinition("Name");
query.getSelection().add(nameAttribute);
query.getPaging().setPageSize(3);
query.getPaging().setStart(0);
System.out.println("Retrieve from query");
QueryResult result = services.retrieve(query);
The Java.SDK ignores the username and password parameters of the V1APIConnector constructor when attempting to connect to a Windows Integrated instance, and instead uses the domain credentials that it is running under. If you are logged into your machine as "MyDomain\MyUsername" then that is the credentials that it will use. It does not support supplying the credentials of another account.
Note that there must also exist a VersionOne member account with the username set to "MyDomain\MyUsername" to successfully authenticate.
VersionOne locks accounts only when your license has expired, and if that happens, only the system administrator (Member:20) will remain active. In addition, administrators can deactivate accounts manually.
I am creating users in Active Directory using Java code.
I am using this AD in my authentication provider in WebLogic server.
I've googled a bit but didn't find a satisfactory solution to this issue; my requirement is typical: the user must change the password after first logon.
I know there is an attribute called pwdLastSet for this purpose; however, the issue is that if I set it to 0 at the time of user creation, this user is not able to log in.
This is how I am setting it to 0:
mods[2] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("pwdLastSet", Integer.toString(0)));
Just in case anyone would like to know the value of userAccountControl:
For userAccountControl, I am doing following:
attrs.put("userAccountControl", Integer.toString(LDAPConstants.UF_NORMAL_ACCOUNT + LDAPConstants.UF_ACCOUNTDISABLE));
After the disabled user is created, I set the password and enable it:
mods[1] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("userAccountControl",Integer.toString(LDAPConstants.UF_NORMAL_ACCOUNT)));
Help?
Thanks.
Can I read the user password policy from LDAP, like when it expires, or more details like password strength (minimal length etc.)? I need this information so I can use the same policy for users kept in my database. My Java application requires that users from the database be synchronized with the domain.
If you want to get the password policy through LDAP queries, try this.
Without a PSO policy in your current domain:
String searchDomain= "DC=company,DC=ORG";
String ldapQuery = "(&(objectClass=domainDNS))";
String ldapAttribute = "maxPwdAge";
If you use a PSO policy, try this code:
String domainLookupString = "CN=UsersPSO,CN=Password Settings Container,CN=System,DC=company,DC=ORG";
String ldapFilterString = "(&(objectClass=msDS-PasswordSettings))";
String ldapAttribute = "msDS-MaximumPasswordAge";
Usually, there are at least three different things that are of concern in these circumstances.
Account status, which includes such information as whether the account is locked, expired or disabled.
The account "status" is typically reflected on the MMC Account Tab.
We put some information on our wiki about the LDAP values at:
http://ldapwiki.willeke.com/wiki/Active%20Directory%20Account%20Lockout
and
http://ldapwiki.willeke.com/wiki/MMC%20Account%20Tab
Password status: is the password expired.
Unfortunately, the attributes that reflect the status of these conditions are not reflected in AD in real time. Some are only updated when a user attempts to authenticate (either successfully or unsuccessfully).
-jim
Yes you can, with JNDI. You have to read the value of the pwdPolicySubentry operational attribute from the user's Context. This gives you the DN of the pwdPolicy object, which you then lookup as a Context with attributes, and get all the attributes starting with 'pwd'. However if the user has the default password policy you will have to look at your LDAP server configuration to find its DN. In OpenLDAP this is in slapd.conf in the ppolicy_default line in the 'overlay ppolicy' directives block.
It depends on the underlying LDAP server.
For instance, if you are using Microsoft Active Directory, a user entry will have an attribute called accountExpires, which is the date the account expires.
Active Directory also has a user attribute called userAccountControl, which is a bit-mask specifying various account-related states. For instance, if bit 24 is set, that means that the password has expired (userAccountControl & 0x800000 != 0). Bit 2 is "account disabled", etc. Read more at http://support.microsoft.com/kb/305144.
For other LDAP servers (OpenLDAP, ApacheDS, etc, etc) you'll have to look into the documentation.
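The values the answers above point at (maxPwdAge and msDS-MaximumPasswordAge in the two queries, accountExpires and userAccountControl in the last answer) are all raw LargeInteger or bit-mask attributes, so here is an added example, mine rather than code from any of the answers, that decodes them and derives the password state of one user. It assumes the attribute values have already been read over LDAP exactly as AD returns them (decimal strings); the sample entry and policy value are constructed, not taken from a real domain. maxPwdAge and msDS-MaximumPasswordAge share the same format, a negative interval in 100-ns units, and the PSO value is the effective one for a user that has a resultant PSO. Two caveats a practitioner will want: pwdLastSet = 0 is the "must change password at next logon" marker, which is why a plain LDAP bind for such a user is refused until the password is changed, and the LOCKOUT and PASSWORD_EXPIRED bits of userAccountControl are not kept current by AD (as the earlier answer notes), so read the constructed attribute msDS-User-Account-Control-Computed for those.

```python
"""Decode Active Directory account and password-status attribute values.

Added example, not code from any of the posts above. It works on attribute
values already read from AD (constructed samples below), so it runs offline.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl flag bits (Microsoft KB 305144 / ADS_USER_FLAG_ENUM)
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",
    0x800000: "PASSWORD_EXPIRED",
}

# accountExpires / pwdLastSet: 100-ns ticks since 1601-01-01 UTC.
# 0 and 9223372036854775807 are sentinels ("not set" / "never").
NEVER = 0x7FFFFFFFFFFFFFFF
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# maxPwdAge / msDS-MaximumPasswordAge: negative 100-ns interval;
# this value is stored when the policy says passwords never expire.
MAX_AGE_NEVER = -0x8000000000000000


def decode_uac(uac):
    """Return the names of the flag bits set in userAccountControl, lowest bit first."""
    uac = int(uac)
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]


def filetime_to_datetime(value):
    """Convert an AD LargeInteger timestamp to an aware UTC datetime (None for 0 / never)."""
    value = int(value)
    if value in (0, NEVER):
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=value // 10)


def interval_to_timedelta(value):
    """Convert a (negative) AD interval such as maxPwdAge to a timedelta (None for never)."""
    value = int(value)
    if value in (0, MAX_AGE_NEVER):
        return None
    return timedelta(microseconds=abs(value) // 10)


def password_status(entry, max_pwd_age, now):
    """Derive the password state of one user entry.

    entry:       dict of raw AD values (userAccountControl, pwdLastSet, accountExpires)
    max_pwd_age: effective policy value, i.e. the domain's maxPwdAge or the PSO's
                 msDS-MaximumPasswordAge when the user has a resultant PSO
    now:         aware datetime used to decide whether the password has expired
    """
    flags = decode_uac(entry.get("userAccountControl", 0))
    last_set = filetime_to_datetime(entry.get("pwdLastSet", 0))
    max_age = interval_to_timedelta(max_pwd_age)
    never_expires = "DONT_EXPIRE_PASSWD" in flags or max_age is None
    expires_at = None
    if last_set is not None and not never_expires:
        expires_at = last_set + max_age
    return {
        "disabled": "ACCOUNTDISABLE" in flags,
        # pwdLastSet == 0 is the "must change password at next logon" marker
        "must_change": int(entry.get("pwdLastSet", 0)) == 0,
        "never_expires": never_expires,
        "expires_at": expires_at,
        "expired": expires_at is not None and expires_at <= now,
        "account_expires": filetime_to_datetime(entry.get("accountExpires", NEVER)),
    }


if __name__ == "__main__":
    # Constructed sample in the string form AD returns; not read from a real domain.
    sample = {"userAccountControl": "512", "pwdLastSet": "133485408000000000",
              "accountExpires": "9223372036854775807"}
    # -36288000000000 is the default 42-day maxPwdAge
    print(password_status(sample, "-36288000000000",
                          datetime(2024, 3, 1, tzinfo=timezone.utc)))
```

The conversion does the same job as the LDAP queries in the answers above once their single-valued results are in hand; for a user covered by a PSO, read msDS-ResultantPSO from the user entry to find which PSO's msDS-MaximumPasswordAge to pass in.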