vandepitte

Set Challenge Response of Other User with REST

Hi all,

It seems impossible to set the response of a challenge for another user
with the REST services.

Why would I want to change the response of a challenge of another user?
We are migrating our current IAM environment to Novell. We want to keep
current forgotten password functionality because it works great. A user
who forgot his password can request an 'activation code'. This code is
sent to the user's mobile phone or email address. With this code the
user can set a new password. My goal was to build a webapp (deployed on
the User App JBoss server) which allows an anonymous user to request an
activation code. A random code would be created by the webapp, which
would be sent to the user's email or mobile phone and stored as answer
in the response of the challenge "Enter Activationcode".

First I tried the GET method for a particular user:

$ restauth=`echo -n 'uaadmin:password' | openssl enc -base64`
$ curl -v -H "RESTAuthorization: $restauth" -H "Accept: application/json" \
    "http://localhost:8180/IDMProv/roa/v1/pwdmgt/user/cn=test,dc=accounts,dc=data/chares"
* About to connect() to localhost port 8180 (#0)
* Trying ::1... Connection refused
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 8180 (#0)
> GET /IDMProv/roa/v1/pwdmgt/user/cn=test,dc=accounts,dc=data/chares HTTP/1.1
> User-Agent: curl/7.19.7 (i386-redhat-linux-gnu) libcurl/7.19.7 NSS/3.12.6.2 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
> Host: localhost:8180
> RESTAuthorization: dWFhZG1pbjpwYXNzd29yZA==
> Accept: application/json
>
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
< Set-Cookie: JSESSIONID=-A1PAVMzVto4aQj2SWlfCQ__; Path=/IDMProv
< Expires: Mon, 26 Jul 1997 05:00:00 GMT
< Content-Type: application/json
< Transfer-Encoding: chunked
< Date: Wed, 16 Nov 2011 12:59:03 GMT
<
[{"error_message":"There is no password policy available."},{},{},{},{}]
* Connection #0 to host localhost left intact
* Closing connection #0

The REST service returns this error message: "There is no password
policy available."
I was surprised since iManager ("Roles and Tasks" > "View Policy
Assignments") showed me that user 'test' (cn=test,dc=accounts,dc=data)
did have a policy assigned. Then by accident I noticed that my uaadmin
(User App Administrator) user had no policy assigned. So I assigned it
the same policy.

Now everything _seemed_ to work...

curl -d "_answer0=mycode&_from_seq0=1&_question0=Enter Activationcode" \
    -v -H "RESTAuthorization: $restauth" -H "Accept: application/json" \
    "http://localhost:8180/IDMProv/roa/v1/pwdmgt/user/cn=test,dc=accounts,dc=data/chares"
* About to connect() to localhost port 8180 (#0)
* Trying ::1... Connection refused
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 8180 (#0)
> POST /IDMProv/roa/v1/pwdmgt/user/cn=u0040925,dc=accounts,dc=data/chares HTTP/1.1
> User-Agent: curl/7.19.7 (i386-redhat-linux-gnu) libcurl/7.19.7 NSS/3.12.6.2 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
> Host: localhost:8180
> RESTAuthorization: dWFhZG1pbjpwYXNzd29yZA==
> Accept: application/json
> Content-Length: 64
> Content-Type: application/x-www-form-urlencoded
>
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
< Set-Cookie: JSESSIONID=5zkmgk2-fsk9GsKzOHGBQA__; Path=/IDMProv
< Expires: Mon, 26 Jul 1997 05:00:00 GMT
< Content-Type: application/json
< Transfer-Encoding: chunked
< Date: Wed, 16 Nov 2011 13:20:33 GMT
<
[{"success_message":"Challenge responses were saved successfully"}]
* Connection #0 to host localhost left intact
* Closing connection #0

... Until I tried out the Challenge Response in the User App. The
following error appears when using the forgotten password functionality
for the user 'test': "Answers to challenge response questions have not
been set, or cannot be read at this time."
Then I started to try out some stuff and it appears that the answer was
set to the 'uaadmin' account instead of the 'test' account. So no matter
which user is provided in the URL, the answer is always set to the user
performing the REST call. This is confusing and undocumented.

I thought it perhaps could have something to do with ACLs or so, but
even with eDirectory admin, it doesn't work (and even another error is
thrown, as can be seen below):

: u0040925@icts-d-ua-1 ~ 15:02$; curl -d \
    "_answer0=mycode&_from_seq0=1&_question0=Enter Activationcode" -v -H \
    "RESTAuthorization: $header" -H "Accept: application/json" \
    "http://localhost:8180/IDMProv/roa/v1/pwdmgt/user/cn=test,dc=accounts,dc=data/chares"
* About to connect() to localhost port 8180 (#0)
* Trying ::1... Connection refused
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 8180 (#0)
> POST /IDMProv/roa/v1/pwdmgt/user/cn=u0040925,dc=accounts,dc=data/chares HTTP/1.1
> User-Agent: curl/7.19.7 (i386-redhat-linux-gnu) libcurl/7.19.7 NSS/3.12.6.2 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
> Host: localhost:8180
> RESTAuthorization: Y249YWRtaW4sZGM9YWRtaW5zLGRjPXN5c3RlbTpwYXNzd29yZA==
> Accept: application/json
> Content-Length: 64
> Content-Type: application/x-www-form-urlencoded
>
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
< Set-Cookie: JSESSIONID=Y1itd1sZoSrmSAgwjzSwKQ__; Path=/IDMProv
< Expires: Mon, 26 Jul 1997 05:00:00 GMT
< Content-Type: application/json
< Transfer-Encoding: chunked
< Date: Wed, 16 Nov 2011 14:02:20 GMT
<
[{"error_message":"User in URI is not the same as logged in user."}]
* Connection #0 to host localhost left intact
* Closing connection #0

Is there a way to set the response to the challenge for another user?

Thanks in advance

Pieter
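The calls in the post, wrapped as an added example (not NetIQ/Novell code, and not Pieter's): it builds the same RESTAuthorization header and form body the curl commands send, refuses to POST to a chares URI for anyone but the caller (the post shows the service either silently writing to the caller's own account or answering "User in URI is not the same as logged in user"), and classifies the three JSON replies quoted above. The base URL, the DN, the question text and the rule that a caller may log in by full DN or by cn value are assumptions taken from the thread.

```python
# Added example (not NetIQ/Novell code): helpers for the IDMProv pwdmgt
# "chares" calls from the thread: build the request the curl commands send,
# refuse to POST for a user other than the caller (the service writes to the
# caller's own account or answers "User in URI is not the same as logged in
# user"), and classify the JSON replies quoted in the thread.
import base64
import json
from urllib.parse import quote, urlencode

BASE_URL = "http://localhost:8180/IDMProv/roa/v1"  # base used in the thread

def rest_authorization(user: str, password: str) -> str:
    """RESTAuthorization header value: base64("user:password"), the same
    string `echo -n 'uaadmin:password' | openssl enc -base64` prints."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()

def chares_url(user_dn: str) -> str:
    """Challenge-response resource of one user; '=' and ',' stay unescaped."""
    return f"{BASE_URL}/pwdmgt/user/{quote(user_dn, safe='=,')}/chares"

def chares_form(answers) -> str:
    """Form body in the _answerN/_from_seqN/_questionN layout of the thread;
    urlencode() turns the space in 'Enter Activationcode' into '+'."""
    fields = []
    for n, (question, answer) in enumerate(answers):
        fields += [(f"_answer{n}", answer), (f"_from_seq{n}", "1"),
                   (f"_question{n}", question)]
    return urlencode(fields)

def caller_is_target(login_user: str, target_dn: str) -> bool:
    # Assumption: a caller logs in either with the full DN or with its cn value
    # (the thread uses 'uaadmin' and 'cn=admin,dc=admins,dc=system').
    cn_value = target_dn.split(",", 1)[0].split("=", 1)[-1]
    return login_user in (target_dn, cn_value)

def build_set_chares(login_user, password, target_dn, answers) -> dict:
    """Assemble the POST; raise instead of sending a request the service would
    apply to the caller's own account or reject outright."""
    if not caller_is_target(login_user, target_dn):
        raise PermissionError(f"{login_user} cannot set challenge responses "
                              f"for {target_dn}: chares acts on the caller only")
    headers = {"RESTAuthorization": rest_authorization(login_user, password),
               "Accept": "application/json",
               "Content-Type": "application/x-www-form-urlencoded"}
    return {"method": "POST", "url": chares_url(target_dn),
            "headers": headers, "body": chares_form(answers)}

def classify_response(body: str) -> tuple:
    """Reduce the JSON array the service returns to ('ok'|'error', message);
    the empty {} entries seen in the GET reply are skipped."""
    for entry in json.loads(body):
        if "error_message" in entry:
            return ("error", entry["error_message"])
        if "success_message" in entry:
            return ("ok", entry["success_message"])
    return ("error", "no message in response")
```

Checking the reply with classify_response after every POST is what would have caught the silent write to 'uaadmin' early: a success message is only meaningful when the caller and the DN in the URI are the same account.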
Anonymous_User

Re: Set Challenge Response of Other User with REST

On 11/16/2011 10:08 AM, Pieter Vandepitte wrote:

Greetings,
No. It is not supported in the User Application to update / modify
the Password Information for another user. You must be logging in as
the User in question.



--
Sincerely,
Steven Williams
Lead Software Engineer
NetIQ
vandepitte

Re: Set Challenge Response of Other User with REST

Hi Steven,

Thanks for your quick response. Will have to find other ways...

It also seems impossible to change a user's password with the REST APIs
without entering the old password (with admin credentials of course).
Would be nice to have that. Perhaps in future versions of the REST APIs...

Pieter

On 16/11/2011 4:20, Steven Williams wrote:

