IRC log for #openam, 2015-08-12

All times shown according to UTC.

Time Nick Message
00:14 jjpp babbu: ldap auth module does respect ldap server saying that user needs to change password. datastore does not, iirc.
00:15 babbu egad
00:15 babbu is there a way to force user to change password upon first login?
00:15 jjpp make sure that pwdReset operational attribute exists and has value true in users entry.
00:16 jjpp we have the configuration where it is automatically set if someone else but user herself sets the password. can't remember if it was the default.
00:16 babbu where does that attribute exist? I have gone mental looking for that flag
00:18 MegaMatt $ /path/to/OpenDJ/bin/ldapsearch -p 1389 -b dc=example,dc=com -D
00:18 MegaMatt cn=directory\ manager -w password uid=bjensen pwdReset
00:18 MegaMatt dn: uid=bjensen,ou=People,dc=example,dc=com
00:18 jjpp it is "operational" -- ie. its existence is somehow defined by ldap server and it is actually managed by ldap server. and it should be in the users profile. right next to the userPassword attribute
00:18 MegaMatt *pwdReset: true*
00:20 babbu MegaMatt: can this attribute be set up in the password policy of opendj (like Default Password Policy) ?
00:20 MegaMatt it’s an operational attribute in OpenDJ
00:21 jjpp password policy seems to have parameters force-change-on-add and force-change-on-reset
00:21 babbu I set both of them to true
00:21 babbu and yet when I create a new user under a realm
00:21 babbu I am not shown change password screen
00:22 jjpp hm. by which means did you create the user. and when do you expect to see the password change prompt?
00:23 jjpp also, can you check which attributes does the profile contain after creation (ie, is the pwdreset flag there?)
00:24 babbu when I go to openam login page, and use the newly created user credentials to login, I am expecting to be presented with change password screen when I have set the force-change-on-add to be true
00:24 babbu I haven
00:24 babbu I have not tried pwdReset flag, I did not know where to add it
00:26 MegaMatt "If the value the pwdMustChange is TRUE and the modification is performed by a password administrator, then the pwdReset attribute is set to TRUE.  Otherwise, the pwdReset is removed from the user's entry if it exists."
00:26 MegaMatt So you can just set pwdMustChange TRUE, then use ldappasswordmodify
00:26 MegaMatt and it should set it
00:27 jjpp well, for start check what the value is after add. and .. then.. the default openam login screen does use datastore module, iirc?
00:27 babbu hmmm, that's a start
00:27 MegaMatt yeah, don’t use datastore, use ldap module
00:27 babbu I am using ldap module
00:27 jjpp so.. perhaps you should try https://your.openam/openam/UI/Login?module=LDAP or something to that effect
00:27 babbu ahh
00:28 babbu ok, so I did set the pwdMustChange flag to true using admin credentials
00:28 babbu and that was done to default password policy
00:29 babbu but I see embedded datastore along side ldapStore on OpenAM - could this be a problem?
00:29 MegaMatt Ok, then if you use ldappasswordmodify it should set the pwdReset to True
00:29 babbu ldappasswordmodify is to change a user's password, right?
00:30 MegaMatt yes
00:31 babbu and will openam honour this flag even for new users?
00:31 MegaMatt If the flag is set, openam will honor it, so it’s a matter of setting the flag when the user is created
00:31 babbu because I don't care about existing users, but the new users getting added to realm should be forced to change their password at first login
00:31 babbu ah, that's the point where I am stuck
00:32 babbu I set the flag with admin credentials
00:32 babbu and even restarted the servers
00:32 MegaMatt Show us the output of the ldap search on the user
00:32 babbu ok
00:32 MegaMatt like I did above
00:32 MegaMatt it should show it as true for the user
00:32 MegaMatt if it is, then openam through ldap module should honor it
00:36 babbu dn: uid=VPUser76ac7ef7-9c04-41b3-b6f6-7f57de3aa390,ou=Users,dc=example,dc=com
00:36 babbu mail: mike@example.com
00:36 babbu sn: Pandey
00:36 babbu cn: Vinay Pandey
00:36 babbu o: example
00:36 babbu objectClass: person
00:36 babbu objectClass: organizationalPerson
00:36 babbu objectClass: inetOrgPerson
00:36 babbu objectClass: top
00:36 babbu telephoneNumber: 082082082
00:36 babbu givenName: Vinay
00:36 babbu userPassword: {SSHA}wQHs6s6G9szt8t2fr3HCAb7d8Spk4KB2wBktDg==
00:36 babbu uid: VPUser76ac7ef7-9c04-41b3-b6f6-7f57de3aa390
00:37 MegaMatt you could have just queried for pwreset
00:37 MegaMatt $ /path/to/OpenDJ/bin/ldapsearch -p 1389 -b dc=example,dc=com -D cn=directory\ manager -w password uid=<yourexampleguy> pwdReset
00:38 babbu I added pwdReset:true at the end and received dn: uid=VPUser76ac7ef7-9c04-41b3-b6f6-7f57de3aa390,ou=Users,dc=rms,dc=com
00:38 babbu dn: uid=VPUser76ac7ef7-9c04-41b3-b6f6-7f57de3aa390,ou=Users,dc=rms,dc=com
00:38 MegaMatt what do you mean you added pwReset:true at the end?
00:38 MegaMatt to an ldap search?
00:38 babbu dn: uid=VPUser76ac7ef7-9c04-41b3-b6f6-7f57de3aa390,ou=Users,dc=rms,dc=com
00:38 babbu pwdReset: TRUE
00:38 babbu my bad, here is the output
00:39 babbu so pwdReset is set to true
00:39 babbu but when I go to http://openam:8080/openam/loging/example
00:39 babbu and then enter the user credentials
00:39 babbu I am shown the default console
00:40 MegaMatt loging?
00:40 babbu login/example
00:40 MegaMatt Go to https://your.openam/openam/UI/Login?module=LDAP and login as that user
00:40 MegaMatt or http whatever
00:43 babbu where do I provide the realm?
00:44 MegaMatt He’s not in the root realm?
00:44 babbu no
00:46 MegaMatt http://openam.example.com:8080/openam/UI/Login?realm=subrealm&module=LDAP
00:48 babbu ok this is interesting, I get invalid credentials when I use module=ldap
00:49 babbu but I can login as soon as I remove "module=ldap"
00:49 MegaMatt Then it’s not using the ldap module
00:49 babbu however, I can see the user in opendj
00:50 MegaMatt check the Default Authentication Chain for users
00:51 MegaMatt Just curious, did it work with &module=DataStore ?
00:52 babbu the datastore was default in authentication chain
00:52 MegaMatt Or even better, check the LDAP module in that subrealm to see if it’s configured correctly to pick up that user
00:52 babbu and I changed it to ldap and deleted datastore altogether
00:53 babbu I am going to try logging in with the url and my user
00:53 MegaMatt So now check LDAP to make sure it’s actually configured right
00:53 MegaMatt correct base dn?
00:54 MegaMatt anyhow, i’ve got to jet
00:54 MegaMatt I bet you’ll figure it out ;)
00:54 MegaMatt cyah tomorrow
00:54 babbu see you
00:54 babbu and thank you so very much for your help
01:28 MegaMatt joined #openam
01:36 babbu joined #openam
01:49 lazzurs joined #openam
04:47 ramteid joined #openam
06:58 KermitTheFragger joined #openam
07:04 aldaris joined #openam
08:25 aldaris joined #openam
09:25 aldaris joined #openam
09:56 tudorg joined #openam
10:15 jamiebowen joined #openam
11:05 MegaMatt joined #openam
11:11 jamiebowen joined #openam
11:37 jamiebowen joined #openam
12:05 mckeanbs joined #openam
12:18 tudorg joined #openam
16:05 noisebleed joined #openam
16:06 noisebleed joined #openam
16:25 aldaris joined #openam
17:44 aldaris joined #openam
20:07 aldaris joined #openam
21:11 mckeanbs joined #openam