gandres / pwm

Automatically exported from code.google.com/p/pwm

LDAPchai returns disallowedattributes in NDS naming convention #385

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
I'm not sure whether this is a bug in LDAPchai or in PWM. Currently LDAPchai 
returns the disallowed attributes of an eDirectory Universal Password Policy 
"as is". This means that the literal content of nspmDisallowedAttributeValues 
is returned to PWM.

PWM utilizes nspmDisallowedAttributeValues unmodified to figure out the 
Password Rule Attributes. However, nspmDisallowedAttributeValues is in NDS 
naming convention, which leads to problems when using those disallowed attribute 
values in LDAP queries.

For example, specifying "Full Name" in nspmDisallowedAttributeValues leads to 
PWM comparing the password of a User with the User LDAP attribute "Full Name". 
This attribute naming is illegal: an attribute name of "fullName" should be 
used.

Either LDAPchai or PWM should map the NDS attribute names to the relevant LDAP 
mapping. Since eDirectory 8.5, all eDirectory attribute and class definitions 
can be accessed from LDAP by using the eDirectory name with the colon and 
spaces removed. 

Probably the best approach would be for LDAPchai to remove the colon and spaces 
from each attribute specified in nspmDisallowedAttributeValues. In that way a 
per-attribute mapping isn't necessary.

Original issue reported on code.google.com by sebastia...@gmail.com on 7 May 2013 at 10:05
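The mapping proposed above, as a constructed illustration (added example, not code from PWM or LDAPchai): NDS names are normalised by stripping colons and spaces, and a simulated user entry shows why the raw name matters. With the unmapped "Full Name" the lookup finds no value, so the disallowed-attribute rule silently never fires; with the mapped name it catches the offending password. The user entry, the `toLdapName` and `passwordMatchesAttributes` helpers and the in-memory lookup are assumptions standing in for a real LDAP read.

```java
import java.util.*;

public class NdsAttributeNames {

    // eDirectory 8.5+ exposes an NDS attribute through LDAP under its NDS name
    // with colons and spaces removed, e.g. "Full Name" -> "FullName".
    static String toLdapName(String ndsName) {
        return ndsName.replace(":", "").replace(" ", "");
    }

    static List<String> toLdapNames(Collection<String> ndsNames) {
        List<String> out = new ArrayList<>();
        for (String n : ndsNames) out.add(toLdapName(n));
        return out;
    }

    // Returns the requested attribute names whose value equals the proposed password.
    // 'entry' simulates the user's LDAP attributes; a name the directory does not
    // know yields no value, which is the silent failure described in the issue.
    static List<String> passwordMatchesAttributes(Map<String, String> entry,
                                                  Collection<String> attrNames,
                                                  String password) {
        // LDAP attribute names are case-insensitive, so index the entry by lowercase name
        Map<String, String> byLower = new HashMap<>();
        for (Map.Entry<String, String> e : entry.entrySet())
            byLower.put(e.getKey().toLowerCase(Locale.ROOT), e.getValue());
        List<String> hits = new ArrayList<>();
        for (String name : attrNames) {
            String value = byLower.get(name.toLowerCase(Locale.ROOT));
            if (value != null && value.equalsIgnoreCase(password)) hits.add(name);
        }
        return hits;
    }

    public static void main(String[] args) {
        // Policy values taken from the trace in this issue; the user entry is constructed.
        List<String> disallowed = Arrays.asList("CN", "Full Name", "Surname");
        Map<String, String> user = new HashMap<>();
        user.put("cn", "testuser");
        user.put("fullName", "Test User");
        user.put("Surname", "User");
        String proposedPassword = "Test User";

        // Raw NDS names: "Full Name" is unknown to LDAP, so nothing matches -> []
        System.out.println(passwordMatchesAttributes(user, disallowed, proposedPassword));
        // Mapped names: "FullName" resolves and the rule fires -> [FullName]
        System.out.println(passwordMatchesAttributes(user, toLdapNames(disallowed), proposedPassword));
    }
}
```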

GoogleCodeExporter commented 9 years ago
Relevant part of an LDAP wire trace from catalina.out:

    2013-05-07 10:53:15, TRACE, provider.WireTraceWrapper, finish op#11 result: 
    {cn=univ_pwd_test,cn=Password Policies,cn=Security={nsimForgottenLoginConfig=[TRUE], 
    nspmNumericAsFirstCharacter=[TRUE], passwordMinimumLength=[8], 
    nspmMinNumericCharacters=[1], passwordUniqueRequired=[TRUE], 
    nspmSpecialCharactersAllowed=[FALSE], nspmNumericCharactersAllowed=[TRUE], 
    nspmConfigurationOptions=[1908], passwordExpirationInterval=[15724800], 
    nspmMaximumLength=[13], nsimChallengeSetGUID=[1365693660274], 
    nsimPwdRuleEnforcement=[FALSE], 
    nsimForgottenAction=[<ForgottenPassword><Enabled>false</Enabled><Sequence><Authentication><![CDATA[]]></Authentication><Action>ShowHint</Action></Sequence></ForgottenPassword>], 
    nspmNumericAsLastCharacter=[TRUE], 
    nspmDisallowedAttributeValues=[CN, Full Name, Surname], 
    nspmMinUpperCaseCharacters=[1], nspmCaseSensitive=[TRUE], 
    nspmMinLowerCaseCharacters=[1]}} (6ms)
    ......
    2013-05-07 10:53:16, TRACE, provider.WireTraceWrapper, begin op#16 
    readStringAttributes(cn=testuser,ou=users,o=meta,[Full Name, Surname, CN])

Relevant part where PWM consumes the LDAPchai data 
(util/operations/UserStatusHelper.java):

    private static Set<String> figurePasswordRuleAttributes(
            final UserInfoBean uiBean
    )
    {
        final Set<String> interestingUserAttributes = new HashSet<String>();
        interestingUserAttributes.addAll(uiBean.getPasswordPolicy().getRuleHelper().getDisallowedAttributes());
        if (uiBean.getPasswordPolicy().getRuleHelper().readBooleanValue(PwmPasswordRule.ADComplexity)) {
            interestingUserAttributes.add("sAMAccountName");
            interestingUserAttributes.add("displayName");
            interestingUserAttributes.add("fullname");
            interestingUserAttributes.add("cn");
        }
        return interestingUserAttributes;
    }

Original comment by sebastia...@gmail.com on 7 May 2013 at 10:14

GoogleCodeExporter commented 9 years ago
I've made a patch for LDAPchai (see attached). If I need to file this in the 
LDAPchai project site, let me know.

Original comment by sebastia...@gmail.com on 15 May 2013 at 3:39

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by jrivard on 23 May 2013 at 7:41

GoogleCodeExporter commented 9 years ago
Added in revision 567.  Thanks for the bug and patch!

Original comment by jrivard on 30 May 2013 at 3:42