directory-users mailing list archives

From <Carlo.Acco...@ibs-ag.com>
Subject ApacheDS Password policy issues
Date Tue, 11 Oct 2011 19:11:13 GMT
Hi, I've been working with the password policy functionality this week and have encountered
a few issues I'm hoping you can help clarify.

These attributes are on the policy itself unless otherwise specified.


1. ads-pwdminlength (minimum # of chars required for a password) having a non-zero value
accepts passwords that are any length.

   a. I didn't test ads-pwdmaxlength but might check that while you're there.



2. The value ads-pwdmaxage is supposed to be how long a password is valid (in seconds).

   a. Setting this to a non-zero value causes a pwdChangedTime attribute to be set on the
   user when their password changes (ok)

   b. However it never enforces the expiry

      i. The ads-pwdgraceauthnlimit (# of grace logins after expiration) doesn't seem to
      have any effect

      ii. Also setting ads-pwdexpirewarning above and below the max age doesn't seem to
      matter either

   c. If it did expire, how is this indicated on the user object?



3. When ads-pwdmaxfailure (number of times failed bind is permitted) is set to 5, it
allows 11 login failures before locking the account.

   a. Each login failure creates an additional pwdFailureTime attribute for the user (ok)

   b. pwdAccountLockedTime attribute is created after the 11th failed bind. (Also what
   we want, but after 5 failures)

   c. This might be some caching issue because I think once it took 13 failed attempts
   before it locked.



4. When ads-pwdinhistory (# of old passwords kept so they're not reused) is set to 5.

   a. Users initially have no pwdHistory attribute (ok)

   b. Each of the first 5 password changes happens successfully. Each time adding new pwdHistory
   attribute to the user. (ok)

   c. On the 6th change, the exception below occurs. It's like it needs to reuse the first
   pwdHistory attribute but cannot.


#!RESULT ERROR
#!CONNECTION ldap://localhost:10389
#!DATE 2011-10-11T14:32:58.205
#!ERROR [LDAP: error code 20 - ATTRIBUTE_OR_VALUE_EXISTS: failed for MessageType : MODIFY_REQUEST
Message ID : 29     Modify Request         Object : 'uid=1286309809116,ou=users,ou=int,o=cpro'
            Modification[0]                 Operation :  replace                 Modification
    userPassword: '0x7B 0x53 0x48 0x41 0x7D 0x79 0x59 0x53 0x75 0x30 0x42 0x53 0x75 0x78 0x32
0x49 ...' org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@3d1acad9: ERR_54
Cannot add a value which is already present : '0x32 0x30 0x31 0x31 0x31 0x30 0x31 0x31 0x31
0x38 0x33 0x32 0x30 0x34 0x5A 0x23 ...']
dn: uid=1286309809117,ou=users,ou=int,o=cpro
changetype: modify
replace: userPassword

userPassword:: e1NIQX15VVN1MEJTdXgySTZWUEJaSGFCNmhmMUxkaTA9




I'll keep testing and thank you in advance!!
Carlo Accorsi
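The three behaviours the post reports (password age never enforced, lockout arriving after 11 rather than 5 failed binds, and the sixth pwdHistory value colliding with the first) can all be checked offline from the operational attributes the server writes. The script below is an added example, not code from the post or from ApacheDS. It assumes the pwd* attribute names of draft-behera-ldap-password-policy and that pwdHistory values use that draft's "time#syntaxOID#length#data" layout; the policy values, the user entry and the constructed hashes are made up for the example (the one hash quoted from the post is the base64-decoded userPassword value). It talks to no directory: a practitioner would feed it the attributes read from a real user entry to see whether the server did what the policy says.

```python
"""
Offline checker for LDAP password-policy operational attributes.

Added example; not code from the mailing-list post or from ApacheDS.
Assumes draft-behera-ldap-password-policy attribute names and the
"time#syntaxOID#length#data" layout of pwdHistory values. POLICY and USER
below are constructed test data.
"""
from datetime import datetime, timedelta, timezone

OCTET_STRING_OID = "1.3.6.1.4.1.1466.115.121.1.40"   # syntax OID carried in pwdHistory values

# Constructed policy, using the counts mentioned in the post (age in seconds).
POLICY = {"pwdMinLength": 8, "pwdMaxAge": 30 * 24 * 3600, "pwdMaxFailure": 5, "pwdInHistory": 5}


def history_value(changed_at: str, stored_hash: str) -> str:
    """Build one pwdHistory value: GeneralizedTime#syntaxOID#length#data."""
    return f"{changed_at}#{OCTET_STRING_OID}#{len(stored_hash)}#{stored_hash}"


# Constructed user entry shaped like the symptoms in the post: password last changed
# 45 days before NOW, 11 failed binds recorded, the lock only set on the 11th, and
# five old hashes in pwdHistory (oldest first).
NOW = datetime(2011, 10, 11, 18, 40, 0, tzinfo=timezone.utc)
OLD_HASH = "{SHA}yUSu0BSux2I6VPBZHaB6hf1Ldi0="          # the userPassword value quoted in the post
USER = {
    "pwdChangedTime": "20110827120000Z",
    "pwdFailureTime": [f"201110111800{s:02d}Z" for s in range(11)],
    "pwdAccountLockedTime": "20111011180010Z",
    "pwdHistory": [history_value("20110101120000Z", OLD_HASH)]
    + [history_value(f"201102{d:02d}120000Z", f"{{SHA}}constructed{d}=") for d in range(1, 5)],
}


def parse_generalized_time(value: str) -> datetime:
    """Parse LDAP GeneralizedTime in the YYYYMMDDHHMMSS[.fff]Z form used by pwd* attributes."""
    if not value.endswith("Z"):
        raise ValueError(f"only UTC ('Z') GeneralizedTime is handled: {value!r}")
    body = value[:-1].split(".", 1)[0]                 # drop an optional fraction
    return datetime.strptime(body, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_pwd_history(value: str) -> tuple:
    """Split a pwdHistory value into (changed_at, syntax_oid, data), checking its length field."""
    time_str, oid, length, data = value.split("#", 3)
    if int(length) != len(data):
        raise ValueError(f"pwdHistory length field {length} does not match {len(data)} data bytes")
    return parse_generalized_time(time_str), oid, data


def password_expired(entry: dict, policy: dict, now: datetime) -> bool:
    """True when pwdMaxAge is set and pwdChangedTime is older than that many seconds."""
    max_age = policy.get("pwdMaxAge", 0)
    if not max_age or "pwdChangedTime" not in entry:
        return False
    return now - parse_generalized_time(entry["pwdChangedTime"]) > timedelta(seconds=max_age)


def lockout_status(entry: dict, policy: dict) -> dict:
    """Compare recorded pwdFailureTime values with pwdMaxFailure and with the lock actually set.

    failures_before_lock counts the failures stamped at or before pwdAccountLockedTime,
    i.e. how many failed binds it really took to lock; the policy says it should be pwdMaxFailure.
    """
    failures = entry.get("pwdFailureTime", [])
    limit = policy.get("pwdMaxFailure", 0)
    status = {
        "failures": len(failures),
        "should_be_locked": bool(limit) and len(failures) >= limit,
        "is_locked": "pwdAccountLockedTime" in entry,
        "failures_before_lock": None,
    }
    if status["is_locked"]:
        locked_at = parse_generalized_time(entry["pwdAccountLockedTime"])
        status["failures_before_lock"] = sum(1 for v in failures if parse_generalized_time(v) <= locked_at)
    return status


def reuse_blocked(entry: dict, policy: dict, candidate_hash: str) -> bool:
    """True when candidate_hash matches one of the pwdInHistory most recent stored hashes.

    Only the newest pwdInHistory values count: once the history is full the oldest value is
    supposed to rotate out, which is the step the post reports the server failing to do.
    """
    keep = policy.get("pwdInHistory", 0)
    if not keep:
        return False
    parsed = sorted((parse_pwd_history(v) for v in entry.get("pwdHistory", [])), key=lambda h: h[0])
    return candidate_hash in [data for _, _, data in parsed[-keep:]]


if __name__ == "__main__":
    print("password expired:", password_expired(USER, POLICY, NOW))
    print("lockout:", lockout_status(USER, POLICY))
    print("reuse of oldest hash blocked:", reuse_blocked(USER, POLICY, OLD_HASH))
```

With the constructed entry this reports an expired password, 11 failures before the lock against a limit of 5, and the oldest hash still blocked because the five-value history has not rotated; appending a sixth, newer history value makes reuse_blocked() return False for that oldest hash, which is the rotation the post expected on the sixth change.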



