directory-users mailing list archives

From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: Password policy not kicking in
Date Wed, 14 May 2014 06:35:50 GMT
On Wed, May 14, 2014 at 11:16 AM, Sathya Skr 75 <sathya.skr.75@gmail.com> wrote:

> Thanks for the info. As an amateur LDAP user, it does not seem right that
> administrators are allowed to override system constraints. I am comparing
> this to a database table with a not-null constraint. The constraint should
> hold for all data regardless of the role of the logged-in user because you
> are affecting data integrity. Perhaps this is not the right analogy and I
> just need to understand LDAP better..
>
yep, they are totally different: one is access-control-based decision
making, the other is schema/structure design

>
> On the validators. I had done exactly what you said: placed the jar into
> the lib directory, modified the configuration to point to my Validator
> implementation and then restarted the server. I have logs at entry of the
> method. These do not get printed and there is no exception raised. The
> method or class does not seem to be invoked at all.
>
can you file a bug? I will take a look at it

> Thanks.
>
> —
> Sent from Mailbox
>
> On Wed, May 14, 2014 at 3:05 AM, Kiran Ayyagari <kayyagari@apache.org>
> wrote:
>
> > On Wed, May 14, 2014 at 12:56 AM, Sathya S <sathya.skr.75@gmail.com> wrote:
> >> Thank you Kiran.
> >>
> >> Is this a change that has been recently introduced? I actually downgraded
> >> the server versions and found that this same configuration works fine
> >> till 2.0.0-M14 but is broken (or modified) in 2.0.0-M15.
> >>
> > yes, this was modified, earlier the policy was enforced for _all_ users,
> > which is not the correct thing (admins are gods right ;)
> >> Another question - what is the purpose of the ads-pwdValidator class? I
> >> wanted to impose additional checks on the password (alphanumeric +
> >> special characters) and as it didn't seem to be supported by ApacheDS, I
> >> thought extending the validator class may be the right approach. But I
> >> find that the class does not get called in at all. So curious to know the
> >> purpose of the ads-pwdValidator class and when it gets called in.
> >>
> > yes, this is created for the same purpose, which version are you using?
> > did you add the jar to lib folder (or to the classpath, if you are
> > running the server using apacheds.sh script)
> > provide us any error logs if present
> >>
> >> Thanks.
> >>
> >>
> >> On Tue, May 13, 2014 at 8:19 PM, Kiran Ayyagari <kayyagari@apache.org> wrote:
> >>
> >> > The configuration is correct.
> >> >
> >> > Make sure that you are not adding this entry as an administrator,
> >> > password policy is not enforced when an administrator adds or modifies
> >> > a password
> >> >
> >> >
> >> > On Tue, May 13, 2014 at 3:52 PM, Sathya S <sathya.skr.75@gmail.com> wrote:
> >> >
> >> > > Hi,
> >> > >
> >> > > I am trying to set up a password policy on my ApacheDS instance to
> >> > > enable a minimum length check. I changed the minimum length from the
> >> > > default of 5 to 7. This is my password policy ldif:
> >> > >
> >> > > dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> >> > > objectClass: top
> >> > > objectClass: ads-base
> >> > > objectClass: ads-passwordPolicy
> >> > > ads-pwdId: default
> >> > > ads-pwdSafeModify: FALSE
> >> > > ads-pwdMaxAge: 0
> >> > > ads-pwdFailureCountInterval: 30
> >> > > ads-pwdAttribute: userPassword
> >> > > ads-pwdMaxFailure: 5
> >> > > ads-pwdLockout: TRUE
> >> > > ads-pwdMustChange: FALSE
> >> > > ads-pwdLockoutDuration: 0
> >> > > ads-pwdMinLength: 5
> >> > > ads-pwdInHistory: 5
> >> > > ads-pwdExpireWarning: 600
> >> > > ads-pwdMinAge: 0
> >> > > ads-pwdAllowUserChange: TRUE
> >> > > ads-pwdGraceAuthNLimit: 5
> >> > > ads-pwdCheckQuality: 1
> >> > > ads-pwdMaxLength: 0
> >> > > ads-pwdGraceExpire: 0
> >> > > ads-pwdMinDelay: 0
> >> > > ads-pwdMaxDelay: 0
> >> > > ads-pwdMaxIdle: 0
> >> > > ads-pwdValidator: org.apache.directory.server.core.api.authn.ppolicy.DefaultPasswordValidator
> >> > > ads-enabled: TRUE
> >> > >
> >> > > I then import a user into the server using Apache Directory Studio.
> >> > > Despite the password not meeting the min length criteria, the user gets
> >> > > added successfully:
> >> > >
> >> > > #!RESULT OK
> >> > > #!CONNECTION ldap://localhost:10389
> >> > > #!DATE 2014-05-13T10:19:54.095
> >> > > dn: uid=SHolmes,ou=people,dc=example,dc=com
> >> > > changetype: add
> >> > > mail: SHolmes@gmail.com
> >> > > uid: SHolmes
> >> > > userPassword: pass
> >> > > givenname: Sherlock
> >> > > description: SHolmes
> >> > > objectclass: person
> >> > > objectclass: organizationalPerson
> >> > > objectclass: inetOrgPerson
> >> > > objectclass: top
> >> > > sn: Holmes
> >> > > cn: SHolmes
> >> > >
> >> > > Could you please help me in understanding what I am doing wrong?
> >> > >
> >> > > Thanks.
> >> > >
> >> >
> >> >
> >> >
> >> > --
> >> > Kiran Ayyagari
> >> > http://keydap.com
> >> >
> >>
> > --
> > Kiran Ayyagari
> > http://keydap.com
>



-- 
Kiran Ayyagari
http://keydap.com
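Added illustration, not ApacheDS code and not part of the thread: a small Python model of the checks the thread turns on (ads-pwdMinLength, ads-pwdMaxLength, ads-pwdCheckQuality, ads-enabled, and the administrator bypass that arrived in 2.0.0-M15), run over a trimmed copy of the policy entry quoted above and the `pass` value from the user entry. The checkQuality semantics used (0 = no check, 1 = check when possible and accept what cannot be verified, 2 = reject what cannot be verified) follow the LDAP password-policy draft and are an assumption here, as is the `is_admin` flag standing in for the server's own admin detection.

```python
import re

# Constructed sample: the policy entry from the thread, trimmed to the
# attributes this check reads (ads-pwdMinLength is 5, as quoted above).
POLICY_LDIF = """\
dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
ads-pwdId: default
ads-pwdMinLength: 5
ads-pwdMaxLength: 0
ads-pwdCheckQuality: 1
ads-enabled: TRUE
"""

# Values like {SSHA}... arrive pre-hashed; the server cannot measure their
# length, so ads-pwdCheckQuality decides whether they are accepted (assumed).
HASHED = re.compile(r"^\{[A-Za-z0-9]+\}")

def parse_ldif(text):
    """Minimal single-entry LDIF parser: lower-cased attribute -> values."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def check_password(policy, password, is_admin=False):
    """Return None if the password is acceptable, else the rejection reason.
    Mirrors the thread: from 2.0.0-M15 the policy is skipped when an
    administrator sets the password (the is_admin flag is an assumption)."""
    if is_admin or policy.get("ads-enabled", ["FALSE"])[0].upper() != "TRUE":
        return None
    quality = int(policy.get("ads-pwdcheckquality", ["0"])[0])
    if quality == 0:
        return None
    if HASHED.match(password):
        # 1 = check when possible (accept unverifiable), 2 = reject unverifiable
        return None if quality == 1 else "pre-hashed password cannot be checked"
    min_len = int(policy.get("ads-pwdminlength", ["0"])[0])
    max_len = int(policy.get("ads-pwdmaxlength", ["0"])[0])  # 0 = no limit
    if min_len and len(password) < min_len:
        return f"length {len(password)} is below ads-pwdMinLength={min_len}"
    if max_len and len(password) > max_len:
        return f"length {len(password)} exceeds ads-pwdMaxLength={max_len}"
    return None

POLICY = parse_ldif(POLICY_LDIF)
```

With the thread's entry, `check_password(POLICY, "pass")` is rejected for a normal bind but accepted with `is_admin=True`, which is exactly the difference the thread describes.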
