Type: New Feature
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 13.0.0
Component/s: rest
Labels:
Sprint: AM Sustaining Sprint 31, AM Sustaining Sprint 32, AM Sustaining Sprint 33, AM Sustaining Sprint 34, AM Sustaining Sprint 35, AM Sustaining Sprint 36, AM Sustaining Sprint 37
Story Points: 5
Support Ticket IDs:
When setting password constraints on OpenDJ, I set passwords to be validated against a dictionary.
In AM 11, the REST API would report back an "ldap exception 19"; now, in AM 13, it reports back 400/Bad Request.
This is what OpenAM 13 shows from the client:
curl --request POST \
  --header "am13iPlanetDirectoryPro: AQIC5wM2LY4SfcxLhGRcgPzBxCP8Go1Cqa5lQz8WI7QDy9s.*AAJTSQACMDEAAlNLABQtMjg1Mjc4ODY1NDUxNzc2NDE1MgACUzEAAA..*" \
  --header "Content-Type: application/json" \
  --data '{ "username": "bjensen", "userpassword": "secret12", "mail": "bjensen@example.com"}' \
  http://openam.example.com:1300/openam/json/dj/users/?_action=create

{"code":400,"reason":"Bad Request","message":"Bad Request"}
IdRepo logs show the true meaning behind the error: "The password value for attribute userPassword was found to be unacceptable: The provided password contained a word from the server's dictionary"
DJLDAPv3Repo:05/27/2016 05:55:52:032 PM PDT: Thread[http-bio-1300-exec-6,5,main]: TransactionId[81d59535-2fc0-4dc0-8a19-3b4fe2d6e9fe-1013]
ERROR: Unable to add a new entry: bjensen attrMap: {uid=[bjensen], sn=[bjensen], mail=[bjensen@example.com], cn=[bjensen], inetuserstatus=[Active], userpassword=xxx..., objectclass=[devicePrintProfilesContainer, person, sunIdentityServerLibertyPPService, inetorgperson, sunFederationManagerDataStore, oathDeviceProfilesContainer, iPlanetPreferences, iplanet-am-auth-configuration-service, sunFMSAML2NameIdentifier, organizationalperson, inetuser, kbaInfoContainer, forgerock-am-dashboard-service, iplanet-am-managed-person, iplanet-am-user-service, sunAMAuthAccountLockout, top]}
org.forgerock.opendj.ldap.ConstraintViolationException: Constraint Violation: The password value for attribute userPassword was found to be unacceptable: The provided password contained a word from the server's dictionary
    at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:176)
    at org.forgerock.opendj.ldap.spi.ResultLdapPromiseImpl.setResultOrError(ResultLdapPromiseImpl.java:142)
    at org.forgerock.opendj.grizzly.LDAPClientFilter$ClientResponseHandler.addResult(LDAPClientFilter.java:126)
    at org.forgerock.opendj.io.LDAPReader.readAddResult(LDAPReader.java:173)
    at org.forgerock.opendj.io.LDAPReader.readProtocolOp(LDAPReader.java:571)
    at org.forgerock.opendj.io.LDAPReader.readMessage(LDAPReader.java:132)
    at org.forgerock.opendj.grizzly.LDAPBaseFilter.handleRead(LDAPBaseFilter.java:82)
    at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:283)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:200)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:132)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:111)
    at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
    at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:536)
    at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:112)
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:117)
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:56)
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:137)
    at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:591)
    at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:571)
    at java.lang.Thread.run(Thread.java:745)

amIdm:05/27/2016 05:55:52:033 PM PDT: Thread[http-bio-1300-exec-6,5,main]: TransactionId[81d59535-2fc0-4dc0-8a19-3b4fe2d6e9fe-1013]
ERROR: IdServicesImpl.create: Create: Fatal Exception
Message:Plug-in org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo encountered an ldap exception 19: The password value for attribute userPassword was found to be unacceptable: The provided password contained a word from the server's dictionary
    at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.handleErrorResult(DJLDAPv3Repo.java:2480)
    at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.create(DJLDAPv3Repo.java:682)
    at com.sun.identity.idm.server.IdServicesImpl.create(IdServicesImpl.java:450)
    at com.sun.identity.idm.AMIdentityRepository.createIdentity(AMIdentityRepository.java:462)
    at com.sun.identity.idsvcs.opensso.IdentityServicesImpl.create(IdentityServicesImpl.java:158)
    at org.forgerock.openam.core.rest.IdentityResourceV2.attemptResourceCreation(IdentityResourceV2.java:1192)
    at org.forgerock.openam.core.rest.IdentityResourceV2.createInstance(IdentityResourceV2.java:1159)
    at org.forgerock.openam.core.rest.IdentityResourceV3.createInstance(IdentityResourceV3.java:161)
    at org.forgerock.json.resource.InterfaceCollectionHandler.handleCreate(InterfaceCollectionHandler.java:40)
    at org.forgerock.json.resource.Router.handleCreate(Router.java:255)
    at org.forgerock.json.resource.Router.handleCreate(Router.java:255)
    at org.forgerock.json.resource.FilterChain$Cursor.handleCreate(FilterChain.java:69)
    at org.forgerock.openam.rest.fluent.AuditFilter.filterCreate(AuditFilter.java:110)
    at org.forgerock.openam.rest.fluent.AuditFilterWrapper.filterCreate(AuditFilterWrapper.java:66)
    at org.forgerock.json.resource.FilterChain$Cursor.handleCreate(FilterChain.java:67)
    at org.forgerock.openam.rest.fluent.CrestLoggingFilter.filterCreate(CrestLoggingFilter.java:92)
    at org.forgerock.json.resource.FilterChain$Cursor.handleCreate(FilterChain.java:67)
    at org.forgerock.openam.rest.ContextFilter.filterCreate(ContextFilter.java:63)
    at org.forgerock.json.resource.FilterChain$Cursor.handleCreate(FilterChain.java:67)
    at org.forgerock.openam.rest.AuthenticationEnforcer.filterCreate(AuthenticationEnforcer.java:146)
    at org.forgerock.json.resource.FilterChain$Cursor.handleCreate(FilterChain.java:67)
    at org.forgerock.json.resource.FilterChain.handleCreate(FilterChain.java:213)
    at org.forgerock.json.resource.Router.handleCreate(Router.java:255)
    at org.forgerock.json.resource.FilterChain$Cursor.handleCreate(FilterChain.java:69)
    at org.forgerock.openam.rest.ContextFilter.filterCreate(ContextFilter.java:63)
    at org.forgerock.json.resource.FilterChain$Cursor.handleCreate(FilterChain.java:67)
    at org.forgerock.json.resource.FilterChain.handleCreate(FilterChain.java:213)
    at org.forgerock.json.resource.InternalConnection.createAsync(InternalConnection.java:44)
    at org.forgerock.json.resource.http.RequestRunner.visitCreateRequest(RequestRunner.java:160)
    at org.forgerock.json.resource.http.RequestRunner.visitCreateRequest(RequestRunner.java:73)
    at org.forgerock.json.resource.Requests$CreateRequestImpl.accept(Requests.java:258)
    at org.forgerock.json.resource.http.RequestRunner.handleResult(RequestRunner.java:119)
    at org.forgerock.json.resource.http.HttpAdapter$2.apply(HttpAdapter.java:566)
    at org.forgerock.json.resource.http.HttpAdapter$2.apply(HttpAdapter.java:563)
    at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:221)
    at org.forgerock.json.resource.http.HttpAdapter.doRequest(HttpAdapter.java:562)
    at org.forgerock.json.resource.http.HttpAdapter.doCreate(HttpAdapter.java:432)
    at org.forgerock.json.resource.http.HttpAdapter.handle(HttpAdapter.java:161)
    at org.forgerock.http.handler.Chain.handle(Chain.java:57)
    at org.forgerock.http.filter.OptionsFilter.filter(OptionsFilter.java:77)
    at org.forgerock.http.handler.Chain.handle(Chain.java:55)
    at org.forgerock.http.handler.Chain.handle(Chain.java:57)
    at org.forgerock.openam.rest.CrestProtocolEnforcementFilter.filter(CrestProtocolEnforcementFilter.java:61)
    at org.forgerock.http.handler.Chain.handle(Chain.java:55)
    at org.forgerock.http.routing.Router.handle(Router.java:92)
    at org.forgerock.http.handler.Chain.handle(Chain.java:57)
    at org.forgerock.openam.rest.RealmContextFilter.filter(RealmContextFilter.java:84)
    at org.forgerock.http.handler.Chain.handle(Chain.java:55)
    at org.forgerock.http.routing.Router.handle(Router.java:92)
    at org.forgerock.http.handler.Chain.handle(Chain.java:57)
    at org.forgerock.http.routing.ResourceApiVersionRoutingFilter.filter(ResourceApiVersionRoutingFilter.java:64)
    at org.forgerock.http.handler.Chain.handle(Chain.java:55)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework.grantAccess(AuthenticationFramework.java:220)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework.access$400(AuthenticationFramework.java:65)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework$3.apply(AuthenticationFramework.java:212)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework$3.apply(AuthenticationFramework.java:205)
    at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:221)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework.validateRequest(AuthenticationFramework.java:168)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework.access$100(AuthenticationFramework.java:65)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework$1.apply(AuthenticationFramework.java:155)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework$1.apply(AuthenticationFramework.java:152)
    at org.forgerock.util.promise.PromiseImpl$7.handleStateChange(PromiseImpl.java:445)
    at org.forgerock.util.promise.PromiseImpl.handleCompletion(PromiseImpl.java:521)
    at org.forgerock.util.promise.PromiseImpl.addOrFireListener(PromiseImpl.java:509)
    at org.forgerock.util.promise.PromiseImpl.thenAsync(PromiseImpl.java:438)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework.processMessage(AuthenticationFramework.java:146)
    at org.forgerock.caf.authentication.framework.AuthenticationFilter.filter(AuthenticationFilter.java:96)
    at org.forgerock.http.handler.Chain.handle(Chain.java:55)
    at org.forgerock.openam.http.HandlerProvider.handle(HandlerProvider.java:50)
    at org.forgerock.openam.http.HttpRoute$3.handle(HttpRoute.java:142)
    at org.forgerock.http.routing.Router.handle(Router.java:92)
    at org.forgerock.http.handler.Chain.handle(Chain.java:57)
    at org.forgerock.http.filter.TransactionIdInboundFilter.filter(TransactionIdInboundFilter.java:60)
    at org.forgerock.http.handler.Chain.handle(Chain.java:55)
    at org.forgerock.http.servlet.HttpFrameworkServlet.service(HttpFrameworkServlet.java:222)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:106)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:51)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:313)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
DJ Access logs are showing:
[27/May/2016:17:55:51 -0700] ADD REQ conn=1 op=217 msgID=218 dn="uid=bjensen,ou=people,dc=example,dc=com"
[27/May/2016:17:55:51 -0700] ADD RES conn=1 op=217 msgID=218 result=19 message="The password value for attribute userPassword was found to be unacceptable: The provided password contained a word from the server's dictionary" etime=1
[27/May/2016:17:55:53 -0700] SEARCH REQ conn=2 op=212 msgID=213 base="" scope=base filter="(objectClass=*)" attrs="1.1"
[27/May/2016:17:55:53 -0700] SEARCH RES conn=2 op=212 msgID=213 result=0 nentries=1 etime=0
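The ticket shows the two halves of the problem: the REST caller gets only "Bad Request", while the real reason (LDAP result 19, constraintViolation, with OpenDJ's diagnostic message) is recorded in the DJ access log. The following Python script is an added example, not part of this ticket and not OpenAM or OpenDJ code. It pairs access-log REQ and RES records by conn and op and reports every operation with a non-zero result, carrying the DN from the request and the message from the response, so that a 400 from json/users can be traced to the policy that rejected the password. It assumes the record layout shown in the ticket (bracketed timestamp, operation, REQ/RES, key=value pairs with double-quoted string values); the sample records are the ticket's own lines, and the result-code name table is a small hand-picked subset of RFC 4511 codes.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Names for the LDAP result codes most likely to appear in an AM-to-DJ access
# log (RFC 4511). Assumption: only this subset is mapped; any other code is
# reported numerically.
LDAP_RESULT_NAMES = {
    0: "success",
    19: "constraintViolation",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    68: "entryAlreadyExists",
}

# Record layout as it appears in the ticket's access-log excerpt:
#   [timestamp] OPERATION REQ|RES key=value key="quoted value" ...
RECORD_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+(?P<optype>[A-Z]+)\s+(?P<kind>REQ|RES)\s+(?P<rest>.*)$'
)
# key=value pairs; a quoted value may contain spaces, '=' and ':' (the
# message= field does); an unquoted one runs to the next whitespace.
KV_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')

# Sample input: the ADD and SEARCH records quoted in the ticket, verbatim.
SAMPLE_ACCESS_LOG = """\
[27/May/2016:17:55:51 -0700] ADD REQ conn=1 op=217 msgID=218 dn="uid=bjensen,ou=people,dc=example,dc=com"
[27/May/2016:17:55:51 -0700] ADD RES conn=1 op=217 msgID=218 result=19 message="The password value for attribute userPassword was found to be unacceptable: The provided password contained a word from the server's dictionary" etime=1
[27/May/2016:17:55:53 -0700] SEARCH REQ conn=2 op=212 msgID=213 base="" scope=base filter="(objectClass=*)" attrs="1.1"
[27/May/2016:17:55:53 -0700] SEARCH RES conn=2 op=212 msgID=213 result=0 nentries=1 etime=0
"""


@dataclass
class FailedOperation:
    timestamp: str
    operation: str
    conn: str
    op: str
    dn: Optional[str]   # from the REQ record; None if no REQ was seen
    result: int
    result_name: str
    message: str        # DJ's diagnostic message from the RES record


def parse_fields(rest: str) -> Dict[str, str]:
    """Turn 'conn=1 op=217 dn="uid=..."' into a dict, unquoting quoted values."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(rest):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def find_failed_operations(log_text: str) -> List[FailedOperation]:
    """Pair REQ and RES records by (conn, op) and return every operation whose
    result code is non-zero, with the request DN and the response message."""
    pending: Dict[Tuple[str, str], Tuple[str, Dict[str, str]]] = {}
    failures: List[FailedOperation] = []
    for line in log_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # CONNECT/DISCONNECT records or unrelated lines
        fields = parse_fields(m.group("rest"))
        key = (fields.get("conn", "?"), fields.get("op", "?"))
        if m.group("kind") == "REQ":
            pending[key] = (m.group("optype"), fields)
            continue
        # RES record: the matching REQ may be absent if the excerpt was cut
        operation, req_fields = pending.pop(key, (m.group("optype"), {}))
        result = int(fields.get("result", "0"))
        if result == 0:
            continue
        failures.append(FailedOperation(
            timestamp=m.group("ts"),
            operation=operation,
            conn=key[0],
            op=key[1],
            dn=req_fields.get("dn"),
            result=result,
            result_name=LDAP_RESULT_NAMES.get(result, f"code {result}"),
            message=fields.get("message", ""),
        ))
    return failures


def format_report(failures: List[FailedOperation]) -> str:
    """One line per failure, in the form an operator would paste into a ticket."""
    return "\n".join(
        f"{f.timestamp} {f.operation} conn={f.conn} op={f.op} dn={f.dn or '?'} "
        f"result={f.result} ({f.result_name}): {f.message}"
        for f in failures
    )


if __name__ == "__main__":
    print(format_report(find_failed_operations(SAMPLE_ACCESS_LOG)))
```

Run against the ticket's records it reports the single ADD on conn=1 op=217 for uid=bjensen as result 19 (constraintViolation) with the dictionary-word message, and nothing for the successful SEARCH. The point for operations is that whatever the REST layer chooses to disclose to the caller, the DJ access log keeps the full diagnostic, so the question "why was this password rejected" can be answered server-side without widening what the API reveals to clients.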
- is duplicated by
  - OPENAM-9860 Creating a user via json/users that does not meet password requirements results in 404 status (Resolved)
  - OPENAM-11922 Error code(500) is returning when updating a password that exists in the password history(policy configured) (Closed)
- is related to
  - OPENAM-11428 When using REST endpoint "json/users/?_action=create" with password policy violation, AM returns HTTP 400 "bad request", reason "Bad Request", Message "Bad Request" (for non-Behera case) (Resolved)
- relates to
  - OPENAM-9459 500 Internal Server Error from changePassword endpoint with AD repo (Resolved)
  - OPENAM-16402 The passwordpolicy.allowDiagnosticMessage should be applicable to admin and selfservice password change. (Closed)
  - OPENAM-12050 Password error message not specific (Resolved)