Subject: ApacheDS Password policy issues
Date: Tue, 11 Oct 2011 21:11:13 +0200
Reply-To: users@directory.apache.org

Hi,

I've been working with the password policy functionality this week and have encountered a few issues I'm hoping you can help clarify. These attributes are on the policy itself unless otherwise specified.

1. ads-pwdminlength (minimum # of chars required for a password) having a non-zero value accepts passwords that are any length.
   a. I didn't test ads-pwdmaxlength but might check that while you're there.

2. The value ads-pwdmaxage is supposed to be how long a password is valid (in seconds).
   a. Setting this to a non-zero value causes a pwdChangedTime attribute to be set on the user when their password changes (ok).
   b. However, it never enforces the expiry.
      i. The ads-pwdgraceauthnlimit (# of grace logins after expiration) doesn't seem to have any effect.
      ii. Also, setting ads-pwdexpirewarning above and below the max age doesn't seem to matter either.
   c. If it did expire, how is this indicated on the user object?

3. When ads-pwdmaxfailure (number of times a failed bind is permitted) is set to 5, it allows 11 login failures before locking the account.
   a. Each login failure creates an additional pwdFailureTime attribute for the user (ok).
   b. pwdAccountLockedTime attribute is created after the 11th failed bind. (Also what we want, but after 5 failures.)
   c. This might be some caching issue because I think once it took 13 failed attempts before it locked.

4. When ads-pwdinhistory (# of old passwords kept so they're not reused) is set to 5:
   a. Users initially have no pwdHistory attribute (ok).
   b. Each of the first 5 password changes happens successfully, each time adding a new pwdHistory attribute to the user (ok).
   c. On the 6th change, the exception below occurs. It's like it needs to reuse the first pwdHistory attribute but cannot.

    #!RESULT ERROR
    #!CONNECTION ldap://localhost:10389
    #!DATE 2011-10-11T14:32:58.205
    #!ERROR [LDAP: error code 20 - ATTRIBUTE_OR_VALUE_EXISTS: failed for MessageType : MODIFY_REQUEST
    Message ID : 29
    Modify Request
    Object : 'uid=1286309809116,ou=users,ou=int,o=cpro'
    Modification[0]
    Operation : replace
    Modification
    userPassword: '0x7B 0x53 0x48 0x41 0x7D 0x79 0x59 0x53 0x75 0x30 0x42 0x53 0x75 0x78 0x32 0x49 ...'
    org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@3d1acad9: ERR_54 Cannot add a value which is already present : '0x32 0x30 0x31 0x31 0x31 0x30 0x31 0x31 0x31 0x38 0x33 0x32 0x30 0x34 0x5A 0x23 ...']
    dn: uid=1286309809117,ou=users,ou=int,o=cpro
    changetype: modify
    replace: userPassword
    userPassword:: e1NIQX15VVN1MEJTdXgySTZWUEJaSGFCNmhmMUxkaTA9

I'll keep testing and thank you in advance!!

Carlo Accorsi
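As an added illustration (not part of the post and not ApacheDS code), a small Python model of the password-policy behaviour the report expects: lockout on exactly the Nth failed bind, a pwdHistory bounded to ads-pwdinhistory entries so the 6th change succeeds, and expiry after ads-pwdmaxage with ads-pwdgraceauthnlimit grace binds. Field names mirror the pwdPolicy operational attributes named in the post; the policy values, users and timestamps are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Policy:
    pwd_max_failure: int = 5        # ads-pwdmaxfailure: failed binds before lockout (0 = never)
    pwd_in_history: int = 5         # ads-pwdinhistory: old passwords that may not be reused
    pwd_max_age: int = 0            # ads-pwdmaxage: seconds a password stays valid (0 = forever)
    pwd_grace_authn_limit: int = 0  # ads-pwdgraceauthnlimit: binds tolerated after expiry


@dataclass
class User:
    password: str
    pwd_changed_time: float                                   # pwdChangedTime
    pwd_history: list = field(default_factory=list)           # pwdHistory values
    pwd_failure_time: list = field(default_factory=list)      # pwdFailureTime values
    pwd_account_locked_time: Optional[float] = None           # pwdAccountLockedTime
    pwd_grace_use_time: list = field(default_factory=list)    # pwdGraceUseTime values


def bind(policy: Policy, user: User, password: str, now: float) -> str:
    """Simple bind; returns 'ok', 'grace', 'expired', 'locked' or 'invalid'."""
    if user.pwd_account_locked_time is not None:
        return "locked"
    if password != user.password:
        user.pwd_failure_time.append(now)
        # Expected: the account locks on exactly the Nth failure, not the 11th.
        if policy.pwd_max_failure and len(user.pwd_failure_time) >= policy.pwd_max_failure:
            user.pwd_account_locked_time = now
        return "invalid"
    user.pwd_failure_time.clear()  # a good bind resets the failure counter
    if policy.pwd_max_age and now - user.pwd_changed_time > policy.pwd_max_age:
        if len(user.pwd_grace_use_time) < policy.pwd_grace_authn_limit:
            user.pwd_grace_use_time.append(now)  # one grace login consumed
            return "grace"
        return "expired"
    return "ok"


def change_password(policy: Policy, user: User, new_password: str, now: float) -> bool:
    """Returns True if accepted, False if new_password is the current one or in history."""
    if policy.pwd_in_history:
        if new_password == user.password or new_password in user.pwd_history:
            return False
        user.pwd_history.append(user.password)
        # Expected: drop the oldest entry once full, so the 6th change succeeds instead of failing.
        del user.pwd_history[:-policy.pwd_in_history]
    user.password = new_password
    user.pwd_changed_time = now
    user.pwd_grace_use_time.clear()
    return True
```

Running the same sequence of operations against a live server and diffing the results against this model gives a compact way to show which of the reported behaviours deviate from the expected policy.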