LDAP: How to reset value of pwdReset field - java

I am trying to write an application that lets a user manage users on an LDAP system. One feature of this is the "Forgot Password" functionality:
1. The user uses my app to reset his password.
2. I ask some security questions and, if the answers are correct, I redirect him to a new screen, the new-password screen.
3. The user provides the new password only (as he has forgotten his old one).
4. I use the admin context and reset the user's password (using modifyAttributes(..)).
5. The LDAP system sets pwdReset to true, indicating that the password was changed by an admin and must be changed by the user.
Now I want to set this to false, because I don't want the user to change his password again (he already did in the steps above), so I explicitly modify it to false. But I get this error:
javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Object Class Violation]; remaining name 'cn=XXXX,ou=XXXXOU,O=XXXX'
What is the way around this? Is there some other alternative?
For reference, the code to reset pwdReset is as follows:
List<ModificationItem> modsList = new ArrayList<ModificationItem>();
// Replace pwdReset with the literal value "false" (this is the call that fails)
BasicAttribute attribute = new BasicAttribute(ATTR_PASSWORDRESET, "false");
modsList.add(new ModificationItem(DirContext.REPLACE_ATTRIBUTE, attribute));
ModificationItem[] modsArr = modsList.toArray(new ModificationItem[modsList.size()]);
this.adminCtx.modifyAttributes(userName, modsArr);
And here is my pwdPolicy

I've just spent two weeks proving to myself that OpenLDAP doesn't actually do step #5 at all, despite what the wording of the RFC draft appears to mean. I also found a message in the OpenLDAP mail archives confirming that they think it isn't supposed to do that. So what is happening is that there is no pwdReset attribute to set to false, so you're getting a schema violation trying to add it with that value. So, all you have to do is nothing.
It would probably be safer just to set pwdReset to null, which removes it completely, or just remove it with DirContext.REMOVE_ATTRIBUTE. My code doesn't use ModificationItem, which is another clue; more like:
// A value-less attribute combined with REMOVE_ATTRIBUTE deletes pwdReset outright
BasicAttributes attributes = new BasicAttributes();
attributes.put(new BasicAttribute(ATTR_PASSWORDRESET));
this.adminCtx.modifyAttributes(userName, DirContext.REMOVE_ATTRIBUTE, attributes);
The above also means that if you want it set to TRUE you have to do so yourself.
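Putting the two halves of the exchange together, as an added example (not the asker's or the answerer's code): an admin-side password replace followed by a removal of pwdReset that tolerates the attribute never having been set. The class name, attribute constants and the user DN are assumptions.

```java
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;
import javax.naming.directory.NoSuchAttributeException;

/** Hypothetical self-service reset helper built on the admin DirContext from the question. */
public final class SelfServiceReset {
    private static final String ATTR_PASSWORD = "userPassword";
    private static final String ATTR_PASSWORDRESET = "pwdReset";

    private final DirContext adminCtx;

    public SelfServiceReset(DirContext adminCtx) {
        this.adminCtx = adminCtx;
    }

    /**
     * Replaces the user's password, then clears any pwdReset flag the ppolicy
     * overlay may have attached to the entry.
     *
     * @return true if a pwdReset attribute existed and was removed, false if the
     *         server never set one (which is what OpenLDAP does, per the answer).
     */
    public boolean resetPassword(String userDn, String newPassword) throws NamingException {
        // Step 1: admin-side password change. A plain Modify stores the value as given;
        // OpenLDAP hashes it only if ppolicy_hash_cleartext is configured, otherwise
        // the Password Modify extended operation is the safer route.
        ModificationItem[] pwdMod = {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                new BasicAttribute(ATTR_PASSWORD, newPassword))
        };
        adminCtx.modifyAttributes(userDn, pwdMod);

        // Step 2: never REPLACE pwdReset with "false" (that caused the objectClass
        // violation). Remove the attribute outright with a value-less attribute.
        BasicAttributes toRemove = new BasicAttributes();
        toRemove.put(new BasicAttribute(ATTR_PASSWORDRESET));
        try {
            adminCtx.modifyAttributes(userDn, DirContext.REMOVE_ATTRIBUTE, toRemove);
            return true;
        } catch (NoSuchAttributeException absent) {
            // LDAP result 16: nothing to clear, the overlay never marked this entry.
            return false;
        }
    }
}
```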


Creating documents on Lotus Notes 9 or 8.5 with multiple users

I've been making a tool to create dummy documents on Lotus Notes using the Java API.
So far I've been successful creating the documents using the NotesFactory create session method
NotesFactory.createSession(serverUrl, username, password);
And later creating the document using the Database class createDocument() method.
However, regardless of the user I put when I'm creating the session, the created document always has "Administrator" as the document originator.
Is there any way to override this behavior?
EDIT 8/24/2016:
Here is the code I'm using to create documents
Session session = NotesFactory.createSession(serverUrl, username, password);
Database db = session.getDatabase(session.getServerName(), "docLibra.nsf");
Document doc = db.createDocument();
// Set document properties
doc.replaceItemValue("Subject", "Sample Subject");
RichTextItem bodyItem = doc.createRichTextItem("Body");
bodyItem.appendText("Sample content");
doc.save();
doc.recycle();
db.recycle();
session.recycle();
I created several users (i.e. user1, user2) and I'm able to get a Session with their credentials, but when the document is saved, the originator is set as Administrator, even though the Administrator credentials are nowhere in the code and the code is executed on an external computer.
Well, that means that your code is running under the identity of someone named "Administrator". That could be you, or the person who re-signed the code before allowing it to run on the server. Get in touch with that person.
Now, what are you trying to do? Impersonating someone else? On Domino? No way.
Writing code that any user can run? There are many ways.
Generating documents that can be read, or maybe modified, by all users or by a definite subset of them? There are plenty of ways. Look for Access Control List, for the concept of Role, and for the special field types Author and Reader.

View.getEntryCount() returns 1500, but can't get any document by key?

I'm writing a simple standalone Java class that uses Lotus Domino's NCSO JAR for remote-connecting to a Domino server.
I'm establishing a session, getting access to a database and then to a view:
Session session = NotesFactory.createSession("host", "user", "password");
Database db = session.getDatabase(null, "MyDB.nsf");
View view = db.getView("MyView");
Now, I'm printing the number of entries in the view:
int count = view.getEntryCount();
I get a nonzero number (let's say 1500).
However, I can't seem to load any document by key. For example, for any letter in the alphabet, I'm getting an empty document collection with this call:
System.err.println(view.getAllDocumentsByKey(letter, false));
When I try to load a document by key, when I know that the key exists in the view, I get null.
// Equals null even though I know that 'DocKey' is the key of an existing document within the view.
Document document = view.getDocumentByKey("DocKey");
The very same code is said to be working (although I didn't check it) when using local Notes calls (using Notes.jar).
What am I missing?
EDIT
I just noticed that session.getNotesVersion() returns version 8.5.2. The NCSO.jar file that I'm currently using doesn't appear to have a few methods that were added with Notes 8. Therefore, there is a possibility that the NCSO.jar file I use belongs to an earlier version of Notes than the one I'm trying to communicate with. Could that be the reason?
If the same code is working locally, then that should rule out the possibility that the first column of the view isn't sorted. Assuming that, then the most likely issue is that the documents are protected by ReaderNames fields and the identity that you are using for authenticating your session does not have access to the documents.
Assuming I understand you right, you want to get all documents where the first (lookup) column of the view contains anything that starts with a specific letter?
E.g. you send "A" to view.getAllDocumentsByKey() and expect a collection that contains "Apple", "Alpha", "Amoeba" and "Apricot" to be returned?
I would modify the column in the view to only hold the first letter:
@Left(MyField;1)
Then it would be easy to perform the lookup and see if you get the correct result.

UnboundID LDAP - how to set flags in userAccountControl attribute

I am using the UnboundID LDAP SDK for Active Directory management, and I want to create a new user. I am able to create a connection to Active Directory and add a new user with some attributes, but I don't know how to work with the attribute userAccountControl. This attribute is used by Active Directory to store some flags, and I don't know how to set these flags using the UnboundID LDAP SDK. Thanks for any help.
Some information about attribute userAccountControl
http://msdn.microsoft.com/en-us/library/windows/desktop/ms680832(v=vs.85).aspx
I found out that I had some path wrong; here is the code for modifying userAccountControl:
// usr.getUAC() returns the integer bit mask; it is sent as its decimal string form
Modification mod = new Modification(ModificationType.REPLACE, "userAccountControl", usr.getUAC().toString());
ModifyRequest req = new ModifyRequest(userCN + userOU, mod);
LDAPResult modResult = connection.modify(req);
userAccountControl is a bit mask, so it is necessary to set it as an integer.
We have some of the values and information documented here:
http://ldapwiki.willeke.com/wiki/User-Account-Control%20Attribute%20Values
Might help if you said what you were trying to set in userAccountControl and provided the code you are using.
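Since userAccountControl is a bit mask, the safe pattern is to read the current value, flip only the bits you mean to change, and write the result back. The following is an added example, not code from the asker or from the UnboundID project; the class name and the user DN are assumptions, and the flag values are the ADS_USER_FLAG_ENUM constants from the Microsoft page linked above.

```java
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.LDAPResult;
import com.unboundid.ldap.sdk.Modification;
import com.unboundid.ldap.sdk.ModificationType;
import com.unboundid.ldap.sdk.SearchResultEntry;

/** Hypothetical helper: edits userAccountControl bit by bit instead of overwriting it. */
public final class UserAccountControl {
    // ADS_USER_FLAG_ENUM values (hexadecimal, as in the Microsoft documentation).
    public static final int ACCOUNTDISABLE     = 0x0002;
    public static final int PASSWD_NOTREQD     = 0x0020;
    public static final int NORMAL_ACCOUNT     = 0x0200;
    public static final int DONT_EXPIRE_PASSWD = 0x10000;

    /** Enables a normal user account without leaving the weak flags set. */
    public static int enableNormalAccount(int current) {
        int uac = current | NORMAL_ACCOUNT;     // required on user objects
        uac &= ~ACCOUNTDISABLE;                 // clear: account becomes usable
        uac &= ~PASSWD_NOTREQD;                 // clear: an empty password is not allowed
        uac &= ~DONT_EXPIRE_PASSWD;             // clear: domain password policy applies
        return uac;
    }

    public static boolean isDisabled(int uac) {
        return (uac & ACCOUNTDISABLE) != 0;
    }

    /** Reads the current mask, adjusts it, and writes it back as a decimal string. */
    public static LDAPResult enable(LDAPConnection connection, String userDn) throws LDAPException {
        SearchResultEntry entry = connection.getEntry(userDn, "userAccountControl");
        if (entry == null) {
            throw new IllegalArgumentException("no such entry: " + userDn);
        }
        Integer current = entry.getAttributeValueAsInteger("userAccountControl");
        // A user created over LDAP without this attribute gets AD's default mask
        // 546 = 0x222 = NORMAL_ACCOUNT | PASSWD_NOTREQD | ACCOUNTDISABLE.
        int base = (current == null) ? (NORMAL_ACCOUNT | PASSWD_NOTREQD | ACCOUNTDISABLE) : current;
        int uac = enableNormalAccount(base);
        Modification mod = new Modification(ModificationType.REPLACE,
                "userAccountControl", Integer.toString(uac));
        return connection.modify(userDn, mod);
    }
}
```

AD refuses to clear ACCOUNTDISABLE on an entry that has no password yet (unless PASSWD_NOTREQD is set), so set unicodePwd over an LDAPS connection first and only then call enable.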

how to forward back to JSP page without losing the data entered in fields?

I have a simple MVC-based JSP application. Something like:
*.jsp -> ControllerServlet -> *Command.java -> *Service.java -> *DAO.java -> Oracle db
A typical link in the application looks like this:
myapp/controller?cmd=ShowEditUser&userid=55
This causes the ShowEditUserCommand.java execute() method to run, which forwards to editUser.jsp.
In editUser.jsp, the user fills in the fields, then clicks Save, which posts to myapp/controller?cmd=ModifyUser; that runs the ModifyUserCommand.java execute() method, which modifies the user data and forwards to viewUser.jsp.
Everything works fine.
The problem is, in ModifyUserCommand.execute() I'm checking to see if the username is unique. If they try to enter a username that already exists, I set an error value to true and the errorMessage value to "Already in use".
Then, because of the error, I forward to the original editUser.jsp (not viewUser.jsp) and the error is displayed above the form.
MY PROBLEM IS (finally! ;) -- when the user is returned to editUser.jsp with the error message displayed, the data they entered in the fields is all blanked out. How can I arrange it so that whatever they entered in the fields is still in place?
Any suggestions or advice are greatly appreciated!
Rob
The simplest way would be to pass the form fields back to your editUser.jsp in your forward action in ModifyUserCommand.execute(). You can do that with individual parameters, i.e.
editUser.jsp?field1=1&field2=2
Alternatively, you could pass the data with other methods, i.e. encoded JSON.
You can then process your fields in your editUser.jsp via the page's request object and set your form field values accordingly.
There may be other ways to do this depending on what underlying framework (if any) you are using, but this is a basic way of approaching it.
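An added example (not the asker's or the answerer's code) of the re-display path in execute(): a servlet forward reuses the same request object, so the submitted parameters are still readable in editUser.jsp as ${param.username} and friends without rebuilding a query string. Whatever is echoed back into value="..." must be HTML-escaped (with <c:out> or a helper like the one below) so that quotes and angle brackets in a submitted value cannot break out of the attribute. The UserService interface and field names are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical service; the page's *Service.java would provide the real check. */
interface UserService {
    boolean usernameExists(String username);
}

public class ModifyUserCommand {
    private final UserService userService;

    public ModifyUserCommand(UserService userService) {
        this.userService = userService;
    }

    public void execute(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        if (username == null || userService.usernameExists(username)) {
            // Forwarding keeps the POSTed parameters on the request, so editUser.jsp
            // can pre-fill each field from ${param.xxx}; only the error is added.
            req.setAttribute("error", Boolean.TRUE);
            req.setAttribute("errorMessage", "Already in use");
            req.getRequestDispatcher("/editUser.jsp").forward(req, resp);
            return;
        }
        // Success path as before: persist the change, then show the user.
        req.getRequestDispatcher("/viewUser.jsp").forward(req, resp);
    }

    /** Escapes a parameter for use inside an HTML attribute value (same as c:out). */
    public static String attr(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

In the JSP the field then reads `value="<%= ModifyUserCommand.attr(request.getParameter("username")) %>"`, or equivalently `value="<c:out value='${param.username}'/>"`.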

what is the best way to display website visitors a one time welcome message?

I've got a website, and I want to add a welcome message which hovers over a certain part of the page, loads only the first time a visitor logs in, and never again (presumably cookies are used). It says something like "adjust your settings here..".
I don't want it to be an external popup but something that loads on the page in a certain area, defined by me (PX-pixel reference).
What would be the best coding language to do it in, does anyone have any examples of this, or any site-based generators to make it with?
thanks
Create one more field in the database, lastlogin.
When the user is created, set the lastlogin field to "special".
When the user signs in the next time from the Login Page, update the lastlogin value to "regular".
//query to get value of lastlogin
//add css to elements you want to hover
<element class="<?php if ($lastlogin == 'special') { echo 'specialcss'; } else { echo 'regularcss'; } ?>">
Done in PHP.
As you added the tag, PHP would do this; actually any language will do.
Generally you have two ways to do this.
1. Do it on your server.
2. Do it on the client's computer.
For the first way, you check the cookies and generate the page you want.
For the second way, you need to arrange the page the visitors see with JavaScript.
Way 1 is recommended, because it loads fewer bits. LOL
Update:
Your server supports PHP, right? The page, say index.php, has a special area which is different when the visitors log in for the first time, right?
<?php
if (firstLogin()) {
    genSpecial();
} else {
    genRegular();
}
?>
In the function firstLogin(), you shall read the cookies and decide.
In the other two functions, just generate two different parts, i.e. some HTML source code.
To your question: if you need to load some image, do it in genSpecial(). And if you choose the first way, JS is not used to generate the special area; it's used only if, inside the special area, some JS is needed.
It is possible through JavaScript. Once the user has been shown the settings, store the result in a cookie valid for as long as you want. The next time the user logs in, check whether the cookie is set and then proceed.
Sample code to create cookies:
function setCookie(c_name, value, exdays)
{
    var exdate = new Date();
    exdate.setDate(exdate.getDate() + exdays);
    // No expiry means a session cookie; otherwise set an absolute expiry date
    var c_value = escape(value) + ((exdays == null) ? "" : "; expires=" + exdate.toUTCString());
    document.cookie = c_name + "=" + c_value;
}
Refer to this for more details on how to create and use cookies.
