Restful interface returned message for expired password

Restful interface returned message for expired password

Alex Zeng

Hi,

I'm using OpenAM 13 as access manager and OpenDJ 3 as OpenAM's user store. In OpenDJ I have a password policy that expires after a certain period. 

When a password has expired and I log in from OpenAM's RESTful interface, the message I get is 'Authentication Failed', the same as if a wrong password is supplied. As below:

 curl --request POST --header "X-OpenAM-Username: user" --header "X-OpenAM-Password: password" --header "Content-Type: application/json" http://[openamserver]/openam/json/authenticate
{"code":401,"reason":"Unauthorized","message":"Authentication Failed"}

Is this an expected behaviour rather than telling the user that their password is expired? If it is, is there any way we can check through the RESTful interface the age of the password, or whether the password is expired?

Regards

Alex

This email with any attachments is confidential and may be subject to legal privilege. If it is not intended for you please reply immediately, destroy it and do not copy, disclose or use it in any way.
_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

Re: Restful interface returned message for expired password

Bernhard Thalmayr
On 12/05/17 at 06:47, Alex Zeng wrote:
> Hi,
>
> I'm using OpenAM 13 as access manager and OpenDJ 3 as OpenAM's user
> store. In OpenDJ I have a password policy that expires after a certain
> period.

.... and you are using the LDAP auth-module and not the datastore
auth-module?

-Bernhard



--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

This e-mail may contain confidential and/or privileged information. If
you are not the intended recipient (or have received this email in
error) please notify the sender immediately and delete this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.

Re: Restful interface returned message for expired password

Alex Zeng

Yes, it's the LDAP auth-module.

Thanks

Alex


Re: Restful interface returned message for expired password

Paul Figura

Hi Alex,

Are you sure you correctly crafted your password policy? Particularly, you will want to make sure the password is still changeable after expiration, and you set a long enough warning interval that it is caught some time before expiration as well.

You will want to make sure the Behera support is enabled on your LDAP module.

Lastly, you may want to validate (via logs) on OpenDJ to see what error message it is passing to OpenAM.

Regards,
Paul Figura
Identity & Access Management Architect
Indigo Consulting Canada
Tel: 514-432-6233
Email: [hidden email]  http://www.indigoconsulting.ca
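Paul's point about Behera support, illustrated by an added example that is not code from the thread or from OpenAM/OpenDJ: a decoder for the Behera password-policy response control an LDAP server returns on a bind, plus a small classifier showing why the control, not the bind result code, is what separates an expired password from a wrong one. The control OID and error values come from draft-behera-ldap-password-policy; the sample control bytes are constructed by hand.

```python
# Added example (not from the thread, nor OpenAM/OpenDJ code): decode the value
# of a Behera password-policy response control (OID 1.3.6.1.4.1.42.2.27.8.5.1)
# that OpenDJ attaches to a bind response when the client requested it. Both an
# expired and a wrong password fail with invalidCredentials (49); the control says why.
INVALID_CREDENTIALS = 49

# error ENUMERATED values from draft-behera-ldap-password-policy
PPOLICY_ERRORS = {0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
                  3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
                  5: "insufficientPasswordQuality", 6: "passwordTooShort",
                  7: "passwordTooYoung", 8: "passwordInHistory"}

def _tlv(buf, pos):
    """Read one BER TLV at pos (definite length); return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = size of length field
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_ppolicy_response(value):
    """SEQUENCE { warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
    graceAuthNsRemaining [1] INTEGER } OPTIONAL, error [1] ENUMERATED OPTIONAL }"""
    tag, body, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("control value is not a SEQUENCE")
    out, pos = {"warning": None, "error": None}, 0
    while pos < len(body):
        tag, inner, pos = _tlv(body, pos)
        if tag == 0xA0:                    # warning [0]: a CHOICE is always explicitly tagged
            itag, ival, _ = _tlv(inner, 0)
            kind = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}[itag]
            out["warning"] = (kind, int.from_bytes(ival, "big", signed=True))
        elif tag == 0x81:                  # error [1] ENUMERATED, implicitly tagged
            out["error"] = PPOLICY_ERRORS.get(int.from_bytes(inner, "big", signed=True))
        else:
            raise ValueError("unexpected tag 0x%02x" % tag)
    return out

def classify_bind(result_code, ppolicy):
    """Map bind result code plus decoded control to the state a login flow should surface."""
    if ppolicy and ppolicy["error"] == "passwordExpired":
        return "password expired"          # still code 49, but the control says why
    if result_code == INVALID_CREDENTIALS:
        return "wrong password"
    if ppolicy and ppolicy["warning"] and ppolicy["warning"][0] == "timeBeforeExpiration":
        return "expires in %d s" % ppolicy["warning"][1]
    return "ok"
```

Without the control (the `None` case) a client has nothing but result code 49, which is exactly the indistinguishable 'Authentication Failed' seen in the thread.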

Re: Restful interface returned message for expired password

Alex Zeng

Hi Paul,

Thanks for your response.

I'm currently in a proof of concept stage, so I've actually tried every possibility with password expiration warning intervals and all that.

From what I can see in the OpenDJ log, there is a message showing that the password has actually expired when I tried to log in. But searching through the OpenAM log, all messages are the same as if a wrong password had been provided.