Comments (7)
This isn’t a question about or for the LDAP SDK. Rather, it is specific to the directory server that you’re using, and the best way to get an answer is to ask the people who make that directory server.
I can only provide an authoritative answer for the Ping Identity (formerly UnboundID) Directory Server, and the answer for that server is no, you cannot directly alter the value of the pwdReset attribute. That attribute type is defined with the NO-USER-MODIFICATION constraint and is intended to be maintained by the Directory Server itself. However, a properly authorized client can use either the manage-account command-line tool or the password policy state extended operation to manage many password policy state attributes for a user, including whether that user will be required to change their password the next time they authenticate.
If you’re using a different directory server, then you should use the appropriate support channel for that server to determine how to accomplish this in that server.
from ldapsdk.
So, I am using an InMemoryDirectoryServer of UnboundID for tests in a JUnit rule, and I don't know how to do this. My code:

```java
import com.unboundid.ldap.listener.InMemoryDirectoryServer;
import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;
import com.unboundid.ldap.sdk.DN;
import com.unboundid.ldap.sdk.LDAPException;

InMemoryDirectoryServerConfig c = new InMemoryDirectoryServerConfig(new DN(config.base().dn()));
c.setListenerConfigs(listenerConfig);
c.addAdditionalBindCredentials(config.bindDn(), config.password());
server = new InMemoryDirectoryServer(c);
try {
    server.startListening();
    return server;
} catch (LDAPException e) { // catch added so the snippet compiles: startListening() throws LDAPException
    throw new IllegalStateException("Could not start the in-memory LDAP server", e);
}
```
The in-memory directory server doesn’t currently provide any level of password policy support. It aims to be a standards-compliant server that doesn’t favor any particular vendor implementation, and password policy support is something that varies wildly from one server to another, both in terms of what features they support and how that support is implemented.
Although we could consider making password policy support pluggable so that we could offer different implementations (along with other vendor-specific features like access control), it would be a lot of effort and is not currently on the roadmap.
Thanks @dirmgr
@dirmgr Can you point me in the right direction for how I might implement a simple account lockout for a hardcoded user using the in-memory LDAP? I just need to verify my LDAP authentication mechanism responds correctly.
There are a few key things that you need to do, which you can probably do in a single InMemoryOperationInterceptor. They are:
- You need to detect requests that change a password (for example, a modify request that targets the userPassword attribute or a password modify extended request). Determine whether the request is a self change (the user is changing their own password) or an administrative reset (the password is being changed by someone else). If it’s a self change, then you’ll want to remove the pwdReset attribute if it’s there. If it’s an administrative reset, then you’ll want to make sure the pwdReset attribute gets set in the entry.
- For bind requests that target an entry that has the pwdReset attribute, you need to indicate to the client that the account is in a “must change password” state (and the way that happens varies based on the type of server that you’re using; for example, it might be a password expired control in a successful response), and you need to set a flag somewhere (probably in the connection state) that will be able to remember that state for subsequent requests.
- For all other requests on an authenticated connection, if the account is in a “must change” state, you should reject it with an indication that the user needs to change their password before other operations will be allowed.
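The three steps above written as one InMemoryOperationInterceptor, as an added example that is not part of the issue thread or of the LDAP SDK project. It keeps the "reset" and "must change" state in the interceptor's own maps instead of writing a pwdReset attribute into the entry (the in-memory server's default schema is assumed not to define pwdReset), signals the state with a PasswordExpiredControl on the successful bind result as the comment suggests, and gates only modify and search requests; the class name, the markReset test hook and the example user DN are assumptions. SASL binds, the password modify extended request and the other operation types are left for the reader to wire up in the same way.

```java
import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedModifyRequest;
import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchRequest;
import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSimpleBindRequest;
import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSimpleBindResult;
import com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor;
import com.unboundid.ldap.sdk.BindResult;
import com.unboundid.ldap.sdk.Control;
import com.unboundid.ldap.sdk.DN;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.controls.PasswordExpiredControl;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Minimal "must change password" emulation for the in-memory server (hypothetical class).
 * Test setup, assuming an InMemoryDirectoryServerConfig named config:
 *   MustChangePasswordInterceptor i = new MustChangePasswordInterceptor();
 *   config.addInMemoryOperationInterceptor(i);
 *   i.markReset(new DN("uid=test.user,ou=people,dc=example,dc=com")); // constructed DN
 */
public class MustChangePasswordInterceptor extends InMemoryOperationInterceptor {

  // Normalized DNs of accounts whose password was administratively reset.
  private final Set<String> resetAccounts = ConcurrentHashMap.newKeySet();
  // Connection ID -> normalized DN the connection is currently bound as.
  private final Map<Long, String> boundDNs = new ConcurrentHashMap<>();
  // Connections that authenticated as a reset account and must change the password first.
  private final Set<Long> mustChangeConnections = ConcurrentHashMap.newKeySet();

  /** Test hook: flag an account as administratively reset (the "hardcoded user"). */
  public void markReset(DN userDN) {
    resetAccounts.add(userDN.toNormalizedString());
  }

  @Override
  public void processSimpleBindRequest(InMemoryInterceptedSimpleBindRequest request) {
    // A new bind replaces whatever authentication state the connection had.
    boundDNs.remove(request.getConnectionID());
    mustChangeConnections.remove(request.getConnectionID());
  }

  @Override
  public void processSimpleBindResult(InMemoryInterceptedSimpleBindResult result) {
    BindResult r = result.getResult();
    if (r.getResultCode() != ResultCode.SUCCESS) {
      return; // failed binds leave the connection unauthenticated
    }
    String dn;
    try {
      dn = new DN(result.getRequest().getBindDN()).toNormalizedString();
    } catch (LDAPException e) {
      return; // not a DN we can track (e.g. an anonymous bind)
    }
    long connID = result.getConnectionID();
    boundDNs.put(connID, dn);
    if (resetAccounts.contains(dn)) {
      // Step 2: the bind succeeds, but the client is told it must change its password,
      // and the connection remembers that state for later requests.
      mustChangeConnections.add(connID);
      result.setResult(new BindResult(r.getMessageID(), ResultCode.SUCCESS,
          "The password must be changed before other operations will be allowed",
          r.getMatchedDN(), r.getReferralURLs(),
          new Control[] { new PasswordExpiredControl() }));
    }
  }

  @Override
  public void processModifyRequest(InMemoryInterceptedModifyRequest request) throws LDAPException {
    long connID = request.getConnectionID();
    String targetDN = new DN(request.getRequest().getDN()).toNormalizedString();
    boolean touchesPassword = request.getRequest().getModifications().stream()
        .anyMatch(m -> m.getAttributeName().equalsIgnoreCase("userPassword"));
    if (!touchesPassword) {
      rejectIfMustChange(connID); // step 3 for ordinary modifies
      return;
    }
    // Step 1: a self change clears the reset state; any other password change is an
    // administrative reset and flags the target account.
    if (targetDN.equals(boundDNs.get(connID))) {
      resetAccounts.remove(targetDN);
      mustChangeConnections.remove(connID);
    } else {
      rejectIfMustChange(connID); // a must-change user may not reset someone else's password
      resetAccounts.add(targetDN);
    }
  }

  @Override
  public void processSearchRequest(InMemoryInterceptedSearchRequest request) throws LDAPException {
    rejectIfMustChange(request.getConnectionID()); // step 3 for searches
  }

  private void rejectIfMustChange(long connID) throws LDAPException {
    if (mustChangeConnections.contains(connID)) {
      // Throwing from an interceptor makes the server return this result to the client.
      throw new LDAPException(ResultCode.UNWILLING_TO_PERFORM,
          "The password must be changed before other operations will be allowed");
    }
  }
}
```

The state is keyed by connection ID because the interceptor has no hook for connection close, so entries for closed connections linger; that is harmless in a test rule that discards the server afterwards. A client under test should see a SUCCESS bind carrying the PasswordExpiredControl, then UNWILLING_TO_PERFORM on a search until it replaces its own userPassword.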
@dirmgr I appreciate the response! I'll look into it