directory-users mailing list archives

From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: Password expiry enforcement
Date Mon, 19 May 2014 15:01:50 GMT
On Mon, May 19, 2014 at 5:31 PM, Sathya Skr 75 <sathya.skr.75@gmail.com> wrote:

> Brilliant!! Thanks so much Kiran. That worked.
>
> But still don't get a warning before expiry. Some of my friends said that
> this is something that needs to be built into the calling code and not
> something that apacheds provides out of the box. Is that right?
>
You need to send the password policy request control (OID 1.3.6.1.4.1.42.2.27.8.5.1) to get the warning back; note that the error/warning will be present in the password policy response control present in the bind response.

>
> —
> Sent from Mailbox
>
> On Sun, May 18, 2014 at 6:33 PM, Kiran Ayyagari <kayyagari@apache.org>
> wrote:
>
> > On Sat, May 17, 2014 at 7:18 PM, Sathya S <sathya.skr.75@gmail.com> wrote:
> >> I am continuing on my experiments with getting password policies
> >> functioning on ApacheDS and I am trying to enable password expiry and a
> >> warning before the expiry.
> >>
> >> This is what I have configured on the server:
> >>
> >> dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> >> ads-pwdminlength: 7
> >> ads-pwdinhistory: 5
> >> ads-pwdid: default
> >> ads-pwdcheckquality: 1
> >> ads-pwdlockout: TRUE
> >> ads-pwdlockoutduration: 0
> >>
> >> ads-pwdMaxAge: 300
> >> ads-pwdExpireWarning: 180
> >> ...
> >>
> >> My understanding of this is that a user's password is valid for 5 minutes
> >> after which authentication would fail. After 3 minutes up to 5 minutes, he
> >> would be able to login, but would receive a warning about impending expiry.
> >> Is that correct?
> >>
> > Yes, but you need to configure ads-pwdgraceauthnlimit (to >0) as well;
> > otherwise the bind operation always accepts the expired password.
> >> I restarted the server after making the above change.
> >>
> >> I have the below Java code to authenticate the user:
> >>
> >>             import java.util.Hashtable;
> >>             import javax.naming.Context;
> >>             import javax.naming.directory.DirContext;
> >>             import javax.naming.directory.InitialDirContext;
> >>
> >>             Hashtable<String, String> env = new Hashtable<String, String>();
> >>             env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
> >>             env.put(Context.PROVIDER_URL, "ldap://localhost:10389");
> >>             // Simple bind as the user whose password policy is being tested
> >>             env.put(Context.SECURITY_AUTHENTICATION, "simple");
> >>             env.put(Context.SECURITY_PRINCIPAL, "uid=Sathya,ou=people,dc=example,dc=com");
> >>             env.put(Context.SECURITY_CREDENTIALS, "helloworld");
> >>
> >>             // Create the initial context; this performs the bind
> >>             DirContext ctx = new InitialDirContext(env);
> >>
> >> I created this user account almost an hour ago but the authentication still
> >> goes through successfully. Anything I am missing here?
> >>
> >> Thanks.
> >>
> > --
> > Kiran Ayyagari
> > http://keydap.com
>



-- 
Kiran Ayyagari
http://keydap.com
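The following is an added example, not code from the thread or from ApacheDS: it extends the JNDI snippet quoted above so that the bind carries the password policy request control Kiran mentions (OID 1.3.6.1.4.1.42.2.27.8.5.1) and then reads the warning out of the password policy response control on the bind response. The class name, the `PpolicyResponse` holder and the small BER decoder are my own; the control's value layout (a SEQUENCE with an optional tagged warning CHOICE and an optional tagged error ENUMERATED) follows draft-behera-ldap-password-policy. The sample byte arrays in `main` are hand-constructed so the decoder can be exercised without a server.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.BasicControl;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

/** Added example (not from the thread): bind with the ppolicy request control, decode the response control. */
public class PpolicyBindDemo {

    /** The same OID is used for the request control and for the response control. */
    static final String PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1";

    /**
     * Decoded PasswordPolicyResponseValue (draft-behera-ldap-password-policy):
     *   SEQUENCE {
     *     warning [0] CHOICE { timeBeforeExpiration [0] INTEGER, graceAuthNsRemaining [1] INTEGER } OPTIONAL,
     *     error   [1] ENUMERATED OPTIONAL }
     */
    static final class PpolicyResponse {
        Integer timeBeforeExpiration; // seconds until the password expires
        Integer graceAuthNsRemaining; // grace binds still allowed after expiry (needs ads-pwdgraceauthnlimit > 0)
        Integer error;                // 0 = passwordExpired, 1 = accountLocked, ... (the draft's enumeration)

        @Override
        public String toString() {
            return "timeBeforeExpiration=" + timeBeforeExpiration
                 + " graceAuthNsRemaining=" + graceAuthNsRemaining + " error=" + error;
        }
    }

    /** Minimal BER decoder for that one structure; assumes short-form lengths, which this tiny value always has. */
    static PpolicyResponse decode(byte[] v) {
        PpolicyResponse r = new PpolicyResponse();
        if (v == null || v.length < 2 || v[0] != 0x30) {
            return r;                                        // absent or empty: no warning, no error
        }
        int pos = 2;
        int end = Math.min(v.length, 2 + (v[1] & 0xFF));
        while (pos + 1 < end) {
            int tag = v[pos] & 0xFF;
            int len = v[pos + 1] & 0xFF;
            int start = pos + 2;
            if (tag == 0xA0 && len >= 3) {                   // warning: constructed [0] wrapping the chosen INTEGER
                int innerTag = v[start] & 0xFF;
                int innerLen = v[start + 1] & 0xFF;
                int value = readInt(v, start + 2, innerLen);
                if (innerTag == 0x80) r.timeBeforeExpiration = value;      // [0] timeBeforeExpiration
                else if (innerTag == 0x81) r.graceAuthNsRemaining = value; // [1] graceAuthNsRemaining
            } else if (tag == 0x81) {                        // error: primitive [1] ENUMERATED
                r.error = readInt(v, start, len);
            }
            pos = start + len;
        }
        return r;
    }

    /** Big-endian unsigned read; the integers in this control are small and non-negative. */
    static int readInt(byte[] b, int off, int len) {
        int n = 0;
        for (int i = 0; i < len && off + i < b.length; i++) n = (n << 8) | (b[off + i] & 0xFF);
        return n;
    }

    /** Simple bind carrying the request control; returns whatever the server put in the response control. */
    static PpolicyResponse bindWithPpolicy(String url, String userDn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // Connection controls are attached to the bind request; the ppolicy request control has no value.
        Control[] connCtls = { new BasicControl(PPOLICY_OID, false, null) };
        LdapContext ctx = new InitialLdapContext(env, connCtls);
        try {
            Control[] resp = ctx.getResponseControls();     // controls returned on the bind response
            if (resp != null) {
                for (Control c : resp) {
                    if (PPOLICY_OID.equals(c.getID())) return decode(c.getEncodedValue());
                }
            }
            return new PpolicyResponse();                    // server sent no ppolicy control
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample control values (hand-encoded BER) so the decoder runs offline.
        byte[] expiresSoon = { 0x30, 0x05, (byte) 0xA0, 0x03, (byte) 0x80, 0x01, 0x78 }; // 120 s left
        byte[] graceLeft   = { 0x30, 0x05, (byte) 0xA0, 0x03, (byte) 0x81, 0x01, 0x02 }; // 2 grace binds left
        byte[] expired     = { 0x30, 0x03, (byte) 0x81, 0x01, 0x00 };                     // error = passwordExpired
        System.out.println(decode(expiresSoon));
        System.out.println(decode(graceLeft));
        System.out.println(decode(expired));

        if (args.length == 3) { // optional live run against a server: <ldap-url> <user-dn> <password>
            System.out.println(bindWithPpolicy(args[0], args[1], args[2]));
        }
    }
}
```

Run it with no arguments to see the three decoded samples; with `ldap://localhost:10389 uid=Sathya,ou=people,dc=example,dc=com helloworld` it performs the bind from the quoted snippet and prints the server's warning. One JNDI caveat: when the server rejects the bind (grace binds exhausted, account locked), `InitialLdapContext` throws before any context exists, so the `error` alternative of the control is not reachable through JNDI; a client API that exposes the controls of a failed bind response is needed to read it.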
