OpenDS issue

Hi,
For a client I am using the following configuration:
1-An OpenDS server version 2.2
2-An OpenLDAP client (the Novell libraries)

Both are very easy to use.

There is a need to query the LDAP server for information such as password expiration time, number of failed logins etc. This information is readily available by using a command line interface which is provided by OpenDS: https://docs.opends.org/wiki/Diff.jsp?page=HowToManageUserAccounts&r1=20...

For instance, to get the failure time one would invoke:

<code>
manage-account get-authentication-failures-times \
--targetDN "uid=kvaughan,ou=People,dc=example,dc=com" \
--hostname localhost --port 1389 \
--bindDN "cn=Directory Manager" --bindPassword password
</code>
The command line interface is of course using the OpenDS Java libs; I looked at the code and it would be a nightmare to refactor.

I tried invoking the corresponding "main" function of the ManageAccount class (it matches the above command line) and it works; however, it is very problematic. First, the main function returns void, and though I can capture the output from main and parse it, it is not an ideal solution. A second issue is that the command line interface is interactive and requires a response while being processed.

Has anyone had any experience with this? I need someone who really dealt with it, not just installed OpenDS and went to drink coffee ...

Thanks,

Comments

Hi,

You might have better success getting an answer if you posted your comments and questions to the OpenDS community directly, either on the public mailing lists, the forum or the IRC channel.

This said, I noticed a couple of errors with the command you've used.

With OpenDS 2.x, the manage-account command should be directed to the Administrative port, i.e. 4444 by default, with the -X option (to trust the certificate).

<code>
$ bin/manage-account get-authentication-failure-times \
--targetDN "uid=user.1,ou=people,dc=example,dc=com" \
-p 4444 -X -D "cn=directory manager" -w secret12
Authentication Failure Times:
</code>

This command didn't require any interaction.

I understand that re-implementing the (undocumented) password policy state extended operation with JLDAP will be tedious.

I'm afraid that you will have to either copy/paste some of the manage-account code into new wrapping code that you can then call from your code (in compliance with the OpenDS license), or deal with the command-line tool itself.

Regards,

Ludovic.

Thanks a lot for your detailed reply. The code was cut and pasted from the documentation; I am actually invoking the command line from Java, so there I am using the correct port (4444) as you kindly noted.

The "interaction" is the SSL trust interaction: each time the command line was invoked, it prompted a yes/no question with respect to the self-signed certificate the server was configured with. I managed to solve that as well by passing the "--trustAll" flag on the command's argument list.

In addition, the command line which is invoked by calling its "main()" method has an overloaded main whose second parameter is an OutputStream. So by passing that, I can capture the output directly and process it.

I shall post a code snippet when I'll get to the office.

Once again, thanks for your reply,

This is the method invocation I mentioned in the previous post (it was simplified for brevity):

<code>
import java.io.ByteArrayOutputStream;

String[] args1 = {
        "get-password-changed-time",
        "--targetDN",
        "cn=James Smith14436,ou=People,dc=example,dc=com",
        "--hostname",
        "localhost",
        "--port",
        "4444",
        "--bindDN",
        "cn=admin",
        "--bindPassword",
        "password",
        "--trustAll"};

// Declare the concrete type: ByteArrayOutputStream.toString() returns the captured text,
// whereas a variable typed OutputStream would only give Object's identity string.
ByteArrayOutputStream outStream = new ByteArrayOutputStream();
ByteArrayOutputStream errStream = new ByteArrayOutputStream();

// The three-argument main writes to the given streams instead of System.out / System.err.
org.opends.server.tools.ManageAccount.main(args1, outStream, errStream);

// Nothing here throws IOException, so the original try/catch for it would not compile.
logger.info(outStream.toString());
if (errStream.size() > 0) {
    logger.info(errStream.toString());
}
</code>

Let me ask you one more question:
When I attempt to retrieve information such as:
Seconds Until Account Expiration (get-seconds-until-account-expiration)

OR

Authentication Failure Times (get-authentication-failure-times)

The result is empty. Is it because there is no security policy associated with the user, or for some other reason?

Thanks,

It could be because there is no expiration policy for the user (or the password was never changed) for the get-seconds-until-account-expiration.

It could be because there is no lockout policy for the user or no authentication failure for the get-authentication-failure-times.

Ludovic.
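A wrapper that ties the two points of this thread together: the in-process main(args, out, err) call with captured streams from the code post above, and the empty-result case Ludovic explains (no lockout or expiration policy, or nothing to report). This is added example code, not OpenDS's or the poster's; the class AccountStateQuery and its Result, run and parse members are invented for the illustration, and it assumes the OpenDS 2.2 jars on the classpath, that the three-argument ManageAccount.main returns the tool's exit code rather than calling System.exit, and that the tool prints "Label: value" lines with multi-valued entries continued on indented lines.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
/** In-process wrapper around the manage-account entry point (example code, not OpenDS's own). */
public final class AccountStateQuery {
    /** Exit code, captured stderr and the "Label: value" pairs printed on stdout. */
    public static final class Result {
        public final int exitCode;
        public final String stderr;
        public final Map<String, String> values;
        Result(int exitCode, String stderr, Map<String, String> values) {
            this.exitCode = exitCode; this.stderr = stderr; this.values = values;
        }
        /** A label printed with no value: no lockout/expiration policy applies, or nothing to report. */
        public boolean isEmpty(String label) {
            return values.containsKey(label) && values.get(label).isEmpty();
        }
    }
    /** Runs one subcommand against the administrative port (4444 by default) with --trustAll. */
    public static Result run(String subcommand, String targetDn, String host, int adminPort,
                             String bindDn, String bindPassword) {
        String[] args = { subcommand, "--targetDN", targetDn, "--hostname", host, "--port",
                          Integer.toString(adminPort), "--bindDN", bindDn,
                          "--bindPassword", bindPassword, "--trustAll" };
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ByteArrayOutputStream err = new ByteArrayOutputStream();
        // Assumption: the three-argument main returns the exit code instead of calling System.exit.
        int rc = org.opends.server.tools.ManageAccount.main(args, out, err);
        return new Result(rc, new String(err.toByteArray(), StandardCharsets.UTF_8),
                          parse(new String(out.toByteArray(), StandardCharsets.UTF_8)));
    }
    /** Assumed layout: "Label:  value" lines, multi-valued entries continued on indented lines. */
    static Map<String, String> parse(String output) {
        Map<String, String> values = new LinkedHashMap<>();
        String last = null;
        for (String line : output.split("\\R")) {
            if (line.trim().isEmpty()) continue;
            int colon = line.indexOf(':');
            if (!Character.isWhitespace(line.charAt(0)) && colon > 0) {
                values.put(last = line.substring(0, colon).trim(), line.substring(colon + 1).trim());
            } else if (last != null) {
                String prev = values.get(last);
                values.put(last, prev.isEmpty() ? line.trim() : prev + ", " + line.trim());
            }
        }
        return values;
    }
}
```

Check Result.exitCode and Result.stderr before trusting Result.values; an empty value for "Authentication Failure Times" with a zero exit code is the no-policy/no-failures case from the last reply, not an error.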