directory-users mailing list archives

From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: Password expiry enforcement
Date Sun, 18 May 2014 12:22:56 GMT
On Sat, May 17, 2014 at 7:18 PM, Sathya S <sathya.skr.75@gmail.com> wrote:

> I am continuing on my experiments with getting password policies
> functioning on ApacheDS and I am trying to enable password expiry and a
> warning before the expiry.
>
> This is what I have configured on the server:
>
> dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> ads-pwdminlength: 7
> ads-pwdinhistory: 5
> ads-pwdid: default
> ads-pwdcheckquality: 1
> ads-pwdlockout: TRUE
> ads-pwdlockoutduration: 0
>
> ads-pwdMaxAge: 300
> ads-pwdExpireWarning: 180
> ...
>

> My understanding of this is that a user's password is valid for 5 minutes
> after which authentication would fail. After 3 minutes up to 5 minutes, he
> would be able to login, but would receive a warning about impending expiry.
> Is that correct?
>
Yes, but you need to configure ads-pwdgraceauthnlimit (to >0) as well,
otherwise the bind operation always accepts the expired password.

> I restarted the server after making the above change.
>
> I have the below Java code to authenticate the user:
>
> import java.util.Hashtable;
> import javax.naming.Context;
> import javax.naming.directory.DirContext;
> import javax.naming.directory.InitialDirContext;
>
>             Hashtable<String, String> env = new Hashtable<String, String>();
>             env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
>             env.put(Context.PROVIDER_URL, "ldap://localhost:10389");
>             env.put(Context.SECURITY_AUTHENTICATION, "simple");
>             env.put(Context.SECURITY_PRINCIPAL, "uid=Sathya,ou=people,dc=example,dc=com");
>             env.put(Context.SECURITY_CREDENTIALS, "helloworld");
>
>             // Create the initial context; this performs the simple bind
>             DirContext ctx = new InitialDirContext(env);
>
> I created this user account almost an hour ago but the authentication still
> goes through successfully. Anything I am missing here?
>
> Thanks.
>



-- 
Kiran Ayyagari
http://keydap.com
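Added example (editor's code, not from this thread or from the ApacheDS project) covering both halves of the question above: the policy entry and the client. The quoted snippet binds through a plain InitialDirContext, which never asks for the Password Policy control defined in draft-behera-ldap-password-policy, so even once ads-pwdMaxAge and ads-pwdGraceAuthNLimit are set the server has no channel to report "expires in N seconds" or "password expired". The version below sends the request control with the bind and decodes the response control. The OID and BER layout are the draft's; the host, port, DN and password are the ones from the thread; the two byte vectors in main are constructed by hand so the decoder can be exercised without a server, and are not captured server output.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.BasicControl;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

// Simple bind that requests the Password Policy control (draft-behera-ldap-password-policy)
// and decodes the response control, so expiry warnings and policy errors reach the caller.
public class PasswordPolicyBind {

    // The request control (no value) and the response control share this OID.
    static final String PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1";

    // error ENUMERATED values, in the order the draft defines them (0..8).
    static final String[] ERRORS = { "passwordExpired", "accountLocked", "changeAfterReset",
        "passwordModNotAllowed", "mustSupplyOldPassword", "insufficientPasswordQuality",
        "passwordTooShort", "passwordTooYoung", "passwordInHistory" };

    // Decoded PasswordPolicyResponseValue; a field stays null when that element is absent.
    static final class PolicyStatus {
        Integer timeBeforeExpiration;   // warning [0] INTEGER, seconds until pwdMaxAge is hit
        Integer graceAuthNsRemaining;   // warning [1] INTEGER, grace binds left after expiry
        String error;                   // error   [1] ENUMERATED
        @Override public String toString() {
            return "timeBeforeExpiration=" + timeBeforeExpiration
                + " graceAuthNsRemaining=" + graceAuthNsRemaining + " error=" + error;
        }
    }

    // Minimal BER decoder for:
    //   SEQUENCE { warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
    //                                   graceAuthNsRemaining [1] INTEGER } OPTIONAL,
    //              error   [1] ENUMERATED OPTIONAL }
    static PolicyStatus decode(byte[] b) {
        PolicyStatus s = new PolicyStatus();
        int[] pos = { 0 };
        if ((b[pos[0]++] & 0xFF) != 0x30) throw new IllegalArgumentException("not a SEQUENCE");
        int len = readLength(b, pos);
        int end = pos[0] + len;
        while (pos[0] < end) {
            int tag = b[pos[0]++] & 0xFF;
            int elen = readLength(b, pos);
            int next = pos[0] + elen;
            if (tag == 0xA0) {                                   // warning: context [0], constructed
                int inner = b[pos[0]++] & 0xFF;
                int ilen = readLength(b, pos);
                int v = readInt(b, pos[0], ilen);
                if (inner == 0x80) s.timeBeforeExpiration = v;         // [0] primitive
                else if (inner == 0x81) s.graceAuthNsRemaining = v;    // [1] primitive
                else throw new IllegalArgumentException("unknown warning tag " + inner);
            } else if (tag == 0x81) {                            // error: context [1], primitive
                int e = readInt(b, pos[0], elen);
                s.error = (e >= 0 && e < ERRORS.length) ? ERRORS[e] : "unknown(" + e + ")";
            } else {
                throw new IllegalArgumentException("unexpected tag 0x" + Integer.toHexString(tag));
            }
            pos[0] = next;
        }
        return s;
    }

    // Short-form BER length only; this control value is a handful of octets.
    static int readLength(byte[] b, int[] pos) {
        int first = b[pos[0]++] & 0xFF;
        if (first >= 0x80) throw new IllegalArgumentException("long-form BER length not expected here");
        return first;
    }

    static int readInt(byte[] b, int off, int len) {
        if (len < 1 || len > 4) throw new IllegalArgumentException("bad INTEGER length " + len);
        int v = (b[off] & 0x80) != 0 ? -1 : 0;                 // sign extension
        for (int i = 0; i < len; i++) v = (v << 8) | (b[off + i] & 0xFF);
        return v;
    }

    public static void main(String[] args) throws NamingException {
        // Constructed vectors (not captured from a server): warning timeBeforeExpiration=100,
        // then error passwordExpired. They exercise the decoder while ApacheDS is down.
        System.out.println(decode(new byte[] { 0x30, 0x05, (byte) 0xA0, 0x03, (byte) 0x80, 0x01, 0x64 }));
        System.out.println(decode(new byte[] { 0x30, 0x03, (byte) 0x81, 0x01, 0x00 }));

        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://localhost:10389");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "uid=Sathya,ou=people,dc=example,dc=com");
        env.put(Context.SECURITY_CREDENTIALS, "helloworld");

        // Non-critical connection control: sent with the BindRequest, harmless on servers without it.
        Control[] connCtls = { new BasicControl(PPOLICY_OID, false, null) };
        try {
            LdapContext ctx = new InitialLdapContext(env, connCtls);
            try {
                PolicyStatus status = null;
                Control[] resp = ctx.getResponseControls();      // controls carried by the BindResponse
                if (resp != null) for (Control c : resp)
                    if (PPOLICY_OID.equals(c.getID())) status = decode(c.getEncodedValue());
                System.out.println("bind OK; " + (status == null ? "no policy control returned" : status));
            } finally {
                ctx.close();
            }
        } catch (AuthenticationException e) {
            // Reached once ads-pwdGraceAuthNLimit > 0 and the grace binds are spent (or the account
            // is locked): the server answers invalidCredentials and the control is never decoded.
            System.out.println("bind rejected: " + e.getMessage());
        }
    }
}
```

With the thread's policy (ads-pwdMaxAge 300, ads-pwdExpireWarning 180) a bind between minute 2 and minute 5 after the password was set should come back with a timeBeforeExpiration warning, and once ads-pwdGraceAuthNLimit is set above 0, binds after minute 5 report graceAuthNsRemaining until the limit is used up and the bind is refused. On a refused bind JNDI surfaces only the AuthenticationException, so the passwordExpired versus accountLocked distinction is not recoverable through this API path.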
