Hi all,

It seems impossible to set the response of a challenge for another user
with the REST services.

Why would I want to change the response of a challenge of another user?
We are migrating our current IAM environment to Novell. We want to keep
current forgotten password functionality because it works great. A user
who forgot his password can request an 'activation code'. This code is
sent to the user's mobile phone or email address. With this code the
user can set a new password. My goal was to build a webapp (deployed on
the User App JBoss server) which allows an anonymous user to request an
activation code. A random code would be created by the webapp, which
would be sent to the user's email or mobile phone and stored as the answer
to the challenge "Enter Activationcode".

First I tried the GET method for a particular user:

$ restauth=`echo -n 'uaadmin:password' | openssl enc -base64`
$ curl -v -H "RESTAuthorization: $restauth" -H "Accept: application/json" "http://localhost:8180/IDMProv/roa/v1/pwdmgt/user/cn=test,dc=accounts,dc=data/chares"
* About to connect() to localhost port 8180 (#0)
* Trying ::1... Connection refused
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 8180 (#0)
> GET /IDMProv/roa/v1/pwdmgt/user/cn=test,dc=accounts,dc=data/chares HTTP/1.1
> User-Agent: curl/7.19.7 (i386-redhat-linux-gnu) libcurl/7.19.7 NSS/3.12.6.2 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
> Host: localhost:8180
> RESTAuthorization: dWFhZG1pbjpwYXNzd29yZA==
> Accept: application/json
>

< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
< Set-Cookie: JSESSIONID=-A1PAVMzVto4aQj2SWlfCQ__; Path=/IDMProv
< Expires: Mon, 26 Jul 1997 05:00:00 GMT
< Content-Type: application/json
< Transfer-Encoding: chunked
< Date: Wed, 16 Nov 2011 12:59:03 GMT
<
[{"error_message":"There is no password policy available."},{},{},{},{}]
* Connection #0 to host localhost left intact
* Closing connection #0

The REST service returns this error message: "There is no password
policy available."
I was surprised since iManager ("Roles and Tasks" > "View Policy
Assignments") showed me that user 'test' (cn=test,dc=accounts,dc=data)
did have a policy assigned. Then by accident I noticed that my uaadmin
(User App Administrator) user had no policy assigned. So I assigned it
the same policy.

Now everything _seemed_ to work...

$ curl -d "_answer0=mycode&_from_seq0=1&_question0=Enter Activationcode" -v -H "RESTAuthorization: $restauth" -H "Accept: application/json" "http://localhost:8180/IDMProv/roa/v1/pwdmgt/user/cn=test,dc=accounts,dc=data/chares"
* About to connect() to localhost port 8180 (#0)
* Trying ::1... Connection refused
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 8180 (#0)
> POST /IDMProv/roa/v1/pwdmgt/user/cn=u0040925,dc=accounts,dc=data/chares HTTP/1.1
> User-Agent: curl/7.19.7 (i386-redhat-linux-gnu) libcurl/7.19.7 NSS/3.12.6.2 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
> Host: localhost:8180
> RESTAuthorization: dWFhZG1pbjpwYXNzd29yZA==
> Accept: application/json
> Content-Length: 64
> Content-Type: application/x-www-form-urlencoded
>

< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
< Set-Cookie: JSESSIONID=5zkmgk2-fsk9GsKzOHGBQA__; Path=/IDMProv
< Expires: Mon, 26 Jul 1997 05:00:00 GMT
< Content-Type: application/json
< Transfer-Encoding: chunked
< Date: Wed, 16 Nov 2011 13:20:33 GMT
<
[{"success_message":"Challenge responses were saved successfully"}]
* Connection #0 to host localhost left intact
* Closing connection #0

.... until I tried out the Challenge Response in the User App. The
following error appears when using the forgotten password functionality
for the user 'test': "Answers to challenge response questions have not
been set, or cannot be read at this time."
Then I started to try out some things, and it appears that the answer was
set on the 'uaadmin' account instead of the 'test' account. So no matter
which user is provided in the URL, the answer is always set for the user
performing the REST call. This is confusing and undocumented.

I thought it perhaps could have something to do with ACLs or similar, but
even with the eDirectory admin it doesn't work (and a different error is
thrown, as can be seen below):

: u0040925@icts-d-ua-1 ~ 15:02$; curl -d "_answer0=mycode&_from_seq0=1&_question0=Enter Activationcode" -v -H "RESTAuthorization: $header" -H "Accept: application/json" "http://localhost:8180/IDMProv/roa/v1/pwdmgt/user/cn=test,dc=accounts,dc=data/chares"
* About to connect() to localhost port 8180 (#0)
* Trying ::1... Connection refused
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 8180 (#0)
> POST /IDMProv/roa/v1/pwdmgt/user/cn=u0040925,dc=accounts,dc=data/chares HTTP/1.1
> User-Agent: curl/7.19.7 (i386-redhat-linux-gnu) libcurl/7.19.7 NSS/3.12.6.2 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
> Host: localhost:8180
> RESTAuthorization: Y249YWRtaW4sZGM9YWRtaW5zLGRjPXN5c3RlbTpwYXNzd29yZA==
> Accept: application/json
> Content-Length: 64
> Content-Type: application/x-www-form-urlencoded
>

< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
< Set-Cookie: JSESSIONID=Y1itd1sZoSrmSAgwjzSwKQ__; Path=/IDMProv
< Expires: Mon, 26 Jul 1997 05:00:00 GMT
< Content-Type: application/json
< Transfer-Encoding: chunked
< Date: Wed, 16 Nov 2011 14:02:20 GMT
<
[{"error_message":"User in URI is not the same as logged in user."}]
* Connection #0 to host localhost left intact
* Closing connection #0

Is there a way to set the response to the challenge for another user?

Thanks in advance

Pieter
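An added example (not from the post and not Novell's own code) that packages the calls shown above into a small Python client: it builds the RESTAuthorization header the curl sessions send, URL-encodes the form body so the space in the question survives, and classifies the three responses seen in the post. The base URL, endpoint and form field names are taken from the post; the code assembles the request but does no network I/O itself.

```python
import base64
import json
import secrets
from urllib.parse import quote, urlencode

# Base path of the password-management REST service, as used in the curl sessions above.
BASE_URL = "http://localhost:8180/IDMProv/roa/v1/pwdmgt"


def rest_auth_header(user: str, password: str) -> str:
    """RESTAuthorization value: base64 of 'user:password', as in the curl sessions."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


def new_activation_code(nbytes: int = 6) -> str:
    """Activation code from the OS CSPRNG; it acts as a one-time secret, so not random.random."""
    return secrets.token_hex(nbytes)


def chares_request(target_dn: str, question: str, answer: str,
                   caller: str, password: str) -> dict:
    """Assemble the POST to .../user/<dn>/chares. The body is URL-encoded so the space in
    'Enter Activationcode' is transmitted correctly (curl -d sends it raw)."""
    url = f"{BASE_URL}/user/{quote(target_dn, safe='=,')}/chares"
    body = urlencode({"_answer0": answer, "_from_seq0": "1", "_question0": question})
    headers = {
        "RESTAuthorization": rest_auth_header(caller, password),
        "Accept": "application/json",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return {"method": "POST", "url": url, "headers": headers, "body": body}


def classify_response(json_text: str) -> str:
    """Map the JSON list the service returns to a short status.

    Note: 'saved' only means the service accepted the answer; as the post found, with the
    uaadmin caller the answer lands on the caller, not on the DN in the URI, so a caller
    should confirm the stored answer on the target account before relying on it.
    """
    for item in json.loads(json_text):
        if "success_message" in item:
            return "saved"
        msg = item.get("error_message", "")
        if "not the same as logged in user" in msg:
            return "wrong-user"
        if "no password policy" in msg:
            return "no-policy"
        if msg:
            return "error"
    return "unknown"
```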