directory-users mailing list archives

From "Sathya Skr 75" <sathya.skr...@gmail.com>
Subject Re: Password policy not kicking in
Date Wed, 14 May 2014 05:46:26 GMT
Thanks for the info. As an amateur LDAP user, it does not seem right that administrators are
allowed to override system constraints. I am comparing this to a database table with a not-null
constraint. The constraint should hold for all data regardless of the role of the logged
in user because you are affecting data integrity. Perhaps this is not the right analogy and
I just need to understand LDAP better.

On the validators. I had done exactly what you said: placed the jar into the lib directory,
modified the configuration to point to my Validator implementation and then restarted the
server. I have logs at entry of the method. These do not get printed and there is no exception
raised. The method or class does not seem to be invoked at all.

Thanks.

—
Sent from Mailbox

On Wed, May 14, 2014 at 3:05 AM, Kiran Ayyagari <kayyagari@apache.org>
wrote:

> On Wed, May 14, 2014 at 12:56 AM, Sathya S <sathya.skr.75@gmail.com> wrote:
>> Thank you Kiran.
>>
>> Is this a change that has been recently introduced? I actually downgraded
>> the server versions and found that this same configurations works fine till
>> 2.0.0-M14 but is broken (or modified) in 2.0.0-M15.
>>
> yes, this was modified, earlier the policy was enforced for _all_ users,
> which is not
> the correct thing (admins are gods right ;)
>> Another question - what is the purpose of the ads-pwdValidator class? I
>> wanted to impose additional checks on the password (alphanumeric + special
>> characters) and as it didn't seem to be supported by ApacheDS, I thought
>> extending the validator class may be the right approach. But I find that
>> the class does not get called at all. So curious to know the purpose of
>> the ads-pwdValidator class and when it gets called.
>>
> yes, this is created for the same purpose, which version are you using?
> did you add the jar to lib folder (or to the classpath, if you are running
> the server using apacheds.sh script)
> provide us any error logs if present
>>
>> Thanks.
>>
>>
>> On Tue, May 13, 2014 at 8:19 PM, Kiran Ayyagari <kayyagari@apache.org>
>> wrote:
>>
>> > The configuration is correct.
>> >
>> > Make sure that you are not adding this entry as an administrator,
>> > password policy is not enforced when an administrator adds or modifies a password
>> >
>> >
>> > On Tue, May 13, 2014 at 3:52 PM, Sathya S <sathya.skr.75@gmail.com>
>> wrote:
>> >
>> > > Hi,
>> > >
>> > > I am trying to set up a password policy on my ApacheDS instance to enable
>> > > minimum length check. I changed the minimum length from default of 5 to 7.
>> > > This is my password policy ldif:
>> > >
>> > > dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>> > > objectClass: top
>> > > objectClass: ads-base
>> > > objectClass: ads-passwordPolicy
>> > > ads-pwdId: default
>> > > ads-pwdSafeModify: FALSE
>> > > ads-pwdMaxAge: 0
>> > > ads-pwdFailureCountInterval: 30
>> > > ads-pwdAttribute: userPassword
>> > > ads-pwdMaxFailure: 5
>> > > ads-pwdLockout: TRUE
>> > > ads-pwdMustChange: FALSE
>> > > ads-pwdLockoutDuration: 0
>> > > ads-pwdMinLength: 5
>> > > ads-pwdInHistory: 5
>> > > ads-pwdExpireWarning: 600
>> > > ads-pwdMinAge: 0
>> > > ads-pwdAllowUserChange: TRUE
>> > > ads-pwdGraceAuthNLimit: 5
>> > > ads-pwdCheckQuality: 1
>> > > ads-pwdMaxLength: 0
>> > > ads-pwdGraceExpire: 0
>> > > ads-pwdMinDelay: 0
>> > > ads-pwdMaxDelay: 0
>> > > ads-pwdMaxIdle: 0
>> > > ads-pwdValidator: org.apache.directory.server.core.api.authn.ppolicy.DefaultPasswordValidator
>> > > ads-enabled: TRUE
>> > >
>> > > I then import a user into the server using Apache Directory Studio. Despite
>> > > the password not meeting the min length criteria, the user gets added
>> > > successfully:
>> > >
>> > > #!RESULT OK
>> > > #!CONNECTION ldap://localhost:10389
>> > > #!DATE 2014-05-13T10:19:54.095
>> > > dn: uid=SHolmes,ou=people,dc=example,dc=com
>> > > changetype: add
>> > > mail: SHolmes@gmail.com
>> > > uid: SHolmes
>> > > userPassword: pass
>> > > givenname: Sherlock
>> > > description: SHolmes
>> > > objectclass: person
>> > > objectclass: organizationalPerson
>> > > objectclass: inetOrgPerson
>> > > objectclass: top
>> > > sn: Holmes
>> > > cn: SHolmes
>> > >
>> > > Could you please help me in understanding what I am doing wrong?
>> > >
>> > > Thanks.
>> > >
>> >
>> >
>> >
>> > --
>> > Kiran Ayyagari
>> > http://keydap.com
>> >
>>
> -- 
> Kiran Ayyagari
> http://keydap.com
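As an added illustration (not ApacheDS code and not written by anyone in this thread), the following Python model shows the behaviour Kiran describes: the minimum-length check from the quoted policy LDIF is applied to the quoted SHolmes entry, but skipped entirely when the bind principal is the administrator, which is why the add with `userPassword: pass` succeeds. The policy values and the entry are copied from the thread; the `require_symbol` rule is a hypothetical stand-in for the extra "alphanumeric + special character" check the original poster wanted, not an ApacheDS attribute.

```python
import re

# Policy values copied from the ads-passwordPolicy LDIF quoted in the thread.
POLICY = {"ads-pwdMinLength": 5, "ads-pwdMaxLength": 0, "ads-pwdCheckQuality": 1}

# Constructed sample: the SHolmes entry from the thread, trimmed to the relevant attributes.
ENTRY_LDIF = """dn: uid=SHolmes,ou=people,dc=example,dc=com
changetype: add
uid: SHolmes
userPassword: pass
objectclass: inetOrgPerson
"""

def parse_ldif(text):
    """Minimal parser for one entry of plain 'attr: value' lines (no base64 '::' values)."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def check_quality(password, policy, require_symbol=False):
    """Return the list of violations (an empty list means the password is acceptable).
    require_symbol is a hypothetical extra rule modelling the 'alphanumeric + special
    character' check the poster wanted; it is not an ApacheDS policy attribute."""
    problems = []
    if policy["ads-pwdCheckQuality"] == 0:  # 0 disables quality checking entirely
        return problems
    if len(password) < policy["ads-pwdMinLength"]:
        problems.append("shorter than ads-pwdMinLength")
    if policy["ads-pwdMaxLength"] and len(password) > policy["ads-pwdMaxLength"]:
        problems.append("longer than ads-pwdMaxLength")
    has_classes = all(re.search(p, password) for p in (r"[A-Za-z]", r"\d", r"[^A-Za-z0-9]"))
    if require_symbol and not has_classes:
        problems.append("needs letters, digits and a special character")
    return problems

def simulate_add(ldif_text, policy, bound_as_admin, require_symbol=False):
    """Model of the behaviour described in the thread: from 2.0.0-M15 the policy is
    skipped when the bind principal is the administrator, so the add always succeeds."""
    password = parse_ldif(ldif_text).get("userpassword", [""])[0]
    if bound_as_admin:
        return {"added": True, "reason": "administrator bind bypasses password policy"}
    problems = check_quality(password, policy, require_symbol)
    return {"added": not problems, "reason": "; ".join(problems) or "policy satisfied"}
```

Running `simulate_add(ENTRY_LDIF, POLICY, bound_as_admin=False)` rejects the entry for being shorter than `ads-pwdMinLength`, while the same call with `bound_as_admin=True` accepts it, matching the result Sathya saw when importing as the admin from Directory Studio.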