Thread: Set Challenge Response of Other User with REST

  1. #1

    Set Challenge Response of Other User with REST

    Hi all,

    It seems impossible to set the response of a challenge for another user
    with the REST services.

    Why would I want to change the response of a challenge of another user?
    We are migrating our current IAM environment to Novell. We want to keep
    current forgotten password functionality because it works great. A user
    who forgot his password can request an 'activation code'. This code is
    sent to the user's mobile phone or email address. With this code the
    user can set a new password. My goal was to build a webapp (deployed on
    the User App JBoss server) which allows an anonymous user to request an
    activation code. A random code would be created by the webapp, which
    would be sent to the user's email or mobile phone and stored as answer
    in the response of the challenge "Enter Activationcode".

    First I tried the GET method for a particular user:

    $ restauth=`echo -n 'uaadmin:password' | openssl enc -base64`
    $ curl -v -H "RESTAuthorization: $restauth" -H "Accept: application/json" \
      "http://localhost:8180/IDMProv/roa/v1/pwdmgt/user/cn=test,dc=accounts,dc=data/chares"
    * About to connect() to localhost port 8180 (#0)
    * Trying ::1... Connection refused
    * Trying 127.0.0.1... connected
    * Connected to localhost (127.0.0.1) port 8180 (#0)
    > GET /IDMProv/roa/v1/pwdmgt/user/cn=test,dc=accounts,dc=data/chares HTTP/1.1
    > User-Agent: curl/7.19.7 (i386-redhat-linux-gnu) libcurl/7.19.7 NSS/3.12.6.2 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
    > Host: localhost:8180
    > RESTAuthorization: dWFhZG1pbjpwYXNzd29yZA==
    > Accept: application/json
    >

    < HTTP/1.1 200 OK
    < Server: Apache-Coyote/1.1
    < X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
    < Set-Cookie: JSESSIONID=-A1PAVMzVto4aQj2SWlfCQ__; Path=/IDMProv
    < Expires: Mon, 26 Jul 1997 05:00:00 GMT
    < Content-Type: application/json
    < Transfer-Encoding: chunked
    < Date: Wed, 16 Nov 2011 12:59:03 GMT
    <
    [{"error_message":"There is no password policy available."},{},{},{},{}]
    * Connection #0 to host localhost left intact
    * Closing connection #0

    The REST service returns this error message: "There is no password
    policy available."
    I was surprised since iManager ("Roles and Tasks" > "View Policy
    Assignments") showed me that user 'test' (cn=test,dc=accounts,dc=data)
    did have a policy assigned. Then by accident I noticed that my uaadmin
    (User App Administrator) user had no policy assigned. So I assigned it
    the same policy.

    Now everything _seemed_ to work...

    $ curl -d "_answer0=mycode&_from_seq0=1&_question0=Enter Activationcode" \
      -v -H "RESTAuthorization: $restauth" -H "Accept: application/json" \
      "http://localhost:8180/IDMProv/roa/v1/pwdmgt/user/cn=test,dc=accounts,dc=data/chares"
    * About to connect() to localhost port 8180 (#0)
    * Trying ::1... Connection refused
    * Trying 127.0.0.1... connected
    * Connected to localhost (127.0.0.1) port 8180 (#0)
    > POST /IDMProv/roa/v1/pwdmgt/user/cn=u0040925,dc=accounts,dc=data/chares HTTP/1.1
    > User-Agent: curl/7.19.7 (i386-redhat-linux-gnu) libcurl/7.19.7 NSS/3.12.6.2 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
    > Host: localhost:8180
    > RESTAuthorization: dWFhZG1pbjpwYXNzd29yZA==
    > Accept: application/json
    > Content-Length: 64
    > Content-Type: application/x-www-form-urlencoded
    >

    < HTTP/1.1 200 OK
    < Server: Apache-Coyote/1.1
    < X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
    < Set-Cookie: JSESSIONID=5zkmgk2-fsk9GsKzOHGBQA__; Path=/IDMProv
    < Expires: Mon, 26 Jul 1997 05:00:00 GMT
    < Content-Type: application/json
    < Transfer-Encoding: chunked
    < Date: Wed, 16 Nov 2011 13:20:33 GMT
    <
    [{"success_message":"Challenge responses were saved successfully"}]
    * Connection #0 to host localhost left intact
    * Closing connection #0

    ... Until I tried out the Challenge Response in the User App. The
    following error appears when using the forgotten password functionality
    for the user 'test': "Answers to challenge response questions have not
    been set, or cannot be read at this time."
    Then I started to try out some stuff and it appears that the answer was
    set on the 'uaadmin' account instead of the 'test' account. So no matter
    which user is provided in the URL, the answer is always set for the user
    performing the REST call. This is confusing and undocumented.

    I thought it perhaps could have something to do with ACLs or so, but
    even with the eDirectory admin it doesn't work (and even a different
    error is thrown, as can be seen below):

    $ curl -d "_answer0=mycode&_from_seq0=1&_question0=Enter Activationcode" \
      -v -H "RESTAuthorization: $header" -H "Accept: application/json" \
      "http://localhost:8180/IDMProv/roa/v1/pwdmgt/user/cn=test,dc=accounts,dc=data/chares"
    * About to connect() to localhost port 8180 (#0)
    * Trying ::1... Connection refused
    * Trying 127.0.0.1... connected
    * Connected to localhost (127.0.0.1) port 8180 (#0)
    > POST /IDMProv/roa/v1/pwdmgt/user/cn=u0040925,dc=accounts,dc=data/chares HTTP/1.1
    > User-Agent: curl/7.19.7 (i386-redhat-linux-gnu) libcurl/7.19.7 NSS/3.12.6.2 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
    > Host: localhost:8180
    > RESTAuthorization: Y249YWRtaW4sZGM9YWRtaW5zLGRjPXN5c3RlbTpwYXNzd29yZA==
    > Accept: application/json
    > Content-Length: 64
    > Content-Type: application/x-www-form-urlencoded
    >

    < HTTP/1.1 200 OK
    < Server: Apache-Coyote/1.1
    < X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
    < Set-Cookie: JSESSIONID=Y1itd1sZoSrmSAgwjzSwKQ__; Path=/IDMProv
    < Expires: Mon, 26 Jul 1997 05:00:00 GMT
    < Content-Type: application/json
    < Transfer-Encoding: chunked
    < Date: Wed, 16 Nov 2011 14:02:20 GMT
    <
    [{"error_message":"User in URI is not the same as logged in user."}]
    * Connection #0 to host localhost left intact
    * Closing connection #0

    Is there a way to set the response to the challenge for another user?

    Thanks in advance

    Pieter
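
    The requests above, reproduced as a small Python client. This is an added
    example, not code from the thread or from NetIQ. It builds the same
    RESTAuthorization header (base64 of "user:password") and the same
    _answer0/_from_seq0/_question0 form body as the curl calls, reads the
    JSON-array replies the service returns, and refuses to send a request whose
    URI user is not the authenticated user, because the thread shows the
    service only ever writes challenge responses for the logged-in account
    (in the first attempt the code was silently stored on 'uaadmin'). Assumed
    for the demo: the caller is identified by the same DN as in the URI, the
    base URL from the thread, a simplified DN comparison with no escaped
    commas, and a send() hook so the script runs without a server.

```python
"""Client helpers for the User Application pwdmgt 'chares' resource.
Added example; base URL, DN handling and the send() hook are assumptions."""
import base64
import json
import secrets
import urllib.parse
import urllib.request

# Assumption: same host, port and context root as the curl calls in the thread.
BASE_URL = "http://localhost:8180/IDMProv/roa/v1/pwdmgt"


def rest_authorization(user, password):
    """RESTAuthorization header value: base64 of "user:password", which is
    exactly what `echo -n 'uaadmin:password' | openssl enc -base64` produces."""
    return base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def new_activation_code(n_bytes=8):
    """Random activation code from the OS CSPRNG (never random.random)."""
    return secrets.token_hex(n_bytes)


def normalize_dn(dn):
    """Comparison form of an LDAP DN: case-folded, whitespace around RDNs
    removed. Assumption: no escaped commas inside attribute values."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def chares_target_allowed(caller_dn, target_dn):
    """The service only writes challenge responses for the logged-in user (and
    one version wrote them to the caller regardless of the URI). Enforce the
    same rule here so an activation code never lands on the wrong account."""
    return normalize_dn(caller_dn) == normalize_dn(target_dn)


def build_chares_request(caller_dn, password, target_dn, question, answer,
                         seq=1, base_url=BASE_URL):
    """POST form fields _answer0/_from_seq0/_question0 to .../user/<dn>/chares.
    Assumption: caller_dn is the same DN that appears in the URI."""
    if not chares_target_allowed(caller_dn, target_dn):
        raise ValueError("chares is caller-only: URI user %r != authenticated user %r"
                         % (target_dn, caller_dn))
    body = urllib.parse.urlencode({"_answer0": answer,
                                   "_from_seq0": str(seq),
                                   "_question0": question}).encode("ascii")
    req = urllib.request.Request(f"{base_url}/user/{target_dn}/chares",
                                 data=body, method="POST")
    req.add_header("RESTAuthorization", rest_authorization(caller_dn, password))
    req.add_header("Accept", "application/json")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def interpret_pwdmgt_response(text):
    """The service answers HTTP 200 whether or not it did anything; the outcome
    is inside a JSON array of objects. Return ('success'|'error', message) or
    ('unknown', text). The trailing {} entries seen after an error are ignored."""
    for entry in json.loads(text):
        if "error_message" in entry:
            return ("error", entry["error_message"])
        if "success_message" in entry:
            return ("success", entry["success_message"])
    return ("unknown", text)


def _send_with_urllib(req):
    with urllib.request.urlopen(req) as resp:
        return resp.read()


def store_challenge_response(caller_dn, password, target_dn, question, answer,
                             send=_send_with_urllib):
    """Build, send and classify. `send` takes the Request and returns the body
    bytes; the demo below injects a fake so nothing leaves the machine."""
    req = build_chares_request(caller_dn, password, target_dn, question, answer)
    return interpret_pwdmgt_response(send(req).decode("utf-8"))


if __name__ == "__main__":
    # Constructed reply copied from the thread; no server is contacted.
    fake = lambda req: b'[{"success_message":"Challenge responses were saved successfully"}]'
    print(store_challenge_response("cn=test,dc=accounts,dc=data", "password",
                                   "cn=test,dc=accounts,dc=data",
                                   "Enter Activationcode", new_activation_code(),
                                   send=fake))
    try:  # the 'answer saved on uaadmin' trap from the thread, caught before sending
        build_chares_request("cn=uaadmin,dc=accounts,dc=data", "password",
                             "cn=test,dc=accounts,dc=data", "Enter Activationcode", "x")
    except ValueError as e:
        print("refused:", e)
```

    Note that urllib stores the header as "Restauthorization"; HTTP header
    names are case-insensitive, so the service sees the same header as curl
    sent. The client-side DN check does not give you what Pieter wanted (a
    third party setting the answer); it only makes the caller-only rule fail
    loudly instead of writing a one-time secret to the administrator's account.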

  2. #2
    Steven Williams

    Re: Set Challenge Response of Other User with REST

    On 11/16/2011 10:08 AM, Pieter Vandepitte wrote:
    > [...]
    > Is there a way to set the response to the challenge for another user?

    Greetings,
    No. It is not supported in the User Application to update / modify
    the Password Information for another user. You must be logged in as
    the user in question.



    --
    Sincerely,
    Steven Williams
    Lead Software Engineer
    NetIQ

  3. #3

    Re: Set Challenge Response of Other User with REST

    Hi Steven,

    Thanks for your quick response. Will have to find other ways...

    It also seems impossible to change a user's password with the REST APIs
    without entering the old password (with admin credentials, of course).
    It would be nice to have that. Perhaps in future versions of the REST APIs...

    Pieter

    On 16/11/2011 4:20, Steven Williams wrote:
    > On 11/16/2011 10:08 AM, Pieter Vandepitte wrote:
    >> [...]
    >> Is there a way to set the response to the challenge for another user?
    > Greetings,
    > No. It is not supported in the User Application to update / modify the
    > Password Information for another user. You must be logging in as the
    > User in question.