directory-users mailing list archives

From Sathya S <sathya.skr...@gmail.com>
Subject Re: Password policy not kicking in
Date Wed, 14 May 2014 07:15:27 GMT
Thank you. I will file a bug.


On Wed, May 14, 2014 at 12:05 PM, Kiran Ayyagari <kayyagari@apache.org> wrote:

> On Wed, May 14, 2014 at 11:16 AM, Sathya Skr 75 <sathya.skr.75@gmail.com> wrote:
>
> > Thanks for the info. As an amateur ldap user, it does not seem right that administrators are allowed to override system constraints. I am comparing this to a database table with a not-null constraint. The constraint should hold for all data regardless of the role of the logged in user because you are affecting data integrity. Perhaps this is not the right analogy and I just need to understand ldaps better..
> >
> yep, they are totally different, one is access control based decision making the other is schema/structure designing
>
> > On the validators. I had done exactly what you said- placed the jar into the lib directory, modified the configuration to point to my Validator implementation and then restarted the server. I have logs at entry of the method. These do not get printed and there is no exception raised. The method or class does not seem to be invoked at all.
> >
> can you file a bug? I will take a look at it
>
> > Thanks.
> >
> > —
> > Sent from Mailbox
> >
> > On Wed, May 14, 2014 at 3:05 AM, Kiran Ayyagari <kayyagari@apache.org> wrote:
> >
> > > On Wed, May 14, 2014 at 12:56 AM, Sathya S <sathya.skr.75@gmail.com> wrote:
> > >
> > > > Thank you Kiran.
> > > >
> > > > Is this a change that has been recently introduced? I actually downgraded the server versions and found that this same configuration works fine till 2.0.0-M14 but is broken (or modified) in 2.0.0-M15.
> > > >
> > > yes, this was modified, earlier the policy was enforced for _all_ users, which is not the correct thing (admins are gods right ;)
> > >
> > > > Another question - what is the purpose of the ads-pwdValidator class? I wanted to impose additional checks on the password (alphanumeric + special characters) and as it didn't seem to be supported by ApacheDS, I thought extending the validator class may be the right approach. But I find that the class does not get called in at all. So curious to know the purpose of the ads-pwdValidator class and when it gets called in.
> > > >
> > > yes, this is created for the same purpose, which version are you using? did you add the jar to lib folder (or to the classpath, if you are running the server using apacheds.sh script)
> > > provide us any error logs if present
> > >
> > > > Thanks.
> > > >
> > > > On Tue, May 13, 2014 at 8:19 PM, Kiran Ayyagari <kayyagari@apache.org> wrote:
> > > >
> > > > > The configuration is correct.
> > > > >
> > > > > Make sure that you are not adding this entry as an administrator, password policy is not enforced when an administrator adds or modifies a password
> > > > >
> > > > > On Tue, May 13, 2014 at 3:52 PM, Sathya S <sathya.skr.75@gmail.com> wrote:
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > I am trying to set up a password policy on my ApacheDS instance to enable minimum length check. I changed the minimum length from default of 5 to 7. This is my password policy ldif:
> > > > > >
> > > > > > dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> > > > > > objectClass: top
> > > > > > objectClass: ads-base
> > > > > > objectClass: ads-passwordPolicy
> > > > > > ads-pwdId: default
> > > > > > ads-pwdSafeModify: FALSE
> > > > > > ads-pwdMaxAge: 0
> > > > > > ads-pwdFailureCountInterval: 30
> > > > > > ads-pwdAttribute: userPassword
> > > > > > ads-pwdMaxFailure: 5
> > > > > > ads-pwdLockout: TRUE
> > > > > > ads-pwdMustChange: FALSE
> > > > > > ads-pwdLockoutDuration: 0
> > > > > > ads-pwdMinLength: 5
> > > > > > ads-pwdInHistory: 5
> > > > > > ads-pwdExpireWarning: 600
> > > > > > ads-pwdMinAge: 0
> > > > > > ads-pwdAllowUserChange: TRUE
> > > > > > ads-pwdGraceAuthNLimit: 5
> > > > > > ads-pwdCheckQuality: 1
> > > > > > ads-pwdMaxLength: 0
> > > > > > ads-pwdGraceExpire: 0
> > > > > > ads-pwdMinDelay: 0
> > > > > > ads-pwdMaxDelay: 0
> > > > > > ads-pwdMaxIdle: 0
> > > > > > ads-pwdValidator: org.apache.directory.server.core.api.authn.ppolicy.DefaultPasswordValidator
> > > > > > ads-enabled: TRUE
> > > > > >
> > > > > > I then import a user into the server using Apache Directory Studio. Despite the password not meeting the min length criteria, the user gets added successfully:
> > > > > >
> > > > > > #!RESULT OK
> > > > > > #!CONNECTION ldap://localhost:10389
> > > > > > #!DATE 2014-05-13T10:19:54.095
> > > > > > dn: uid=SHolmes,ou=people,dc=example,dc=com
> > > > > > changetype: add
> > > > > > mail: SHolmes@gmail.com
> > > > > > uid: SHolmes
> > > > > > userPassword: pass
> > > > > > givenname: Sherlock
> > > > > > description: SHolmes
> > > > > > objectclass: person
> > > > > > objectclass: organizationalPerson
> > > > > > objectclass: inetOrgPerson
> > > > > > objectclass: top
> > > > > > sn: Holmes
> > > > > > cn: SHolmes
> > > > > >
> > > > > > Could you pl help me in understanding what I am doing wrong?
> > > > > >
> > > > > > Thanks.
> > > > > >
> > > > >
> > > > > --
> > > > > Kiran Ayyagari
> > > > > http://keydap.com
> > > >
> > > --
> > > Kiran Ayyagari
> > > http://keydap.com
> >
>
> --
> Kiran Ayyagari
> http://keydap.com
>
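The thread establishes two things a directory operator has to live with: from ApacheDS 2.0.0-M15 the password policy is skipped when an administrator adds or modifies a password, and the custom ads-pwdValidator that was meant to add a composition rule is not being invoked. Until the server-side validator works, the practical mitigation is to apply the same rules on the client before an administrator imports an LDIF. The script below is an added example written for this archive page; it is not ApacheDS project code and was not posted by anyone in the thread. It reads ads-pwdMinLength, ads-pwdMaxLength and ads-pwdCheckQuality from the policy entry shown above (the sample copy is constructed, trimmed to those attributes and set to the intended minimum length of 7), applies the "letters + digits + special characters" rule Sathya asked for, and reports every userPassword in a user LDIF that would violate them. The user entries are constructed from the thread's SHolmes import plus three made-up users; the handling of pre-hashed values under ads-pwdCheckQuality (1 = check if possible, 2 = must be checkable) follows the LDAP password-policy draft and is an assumption about server behaviour, not something stated in the thread.

```python
"""Client-side password check for ApacheDS LDIF imports (added example, not
ApacheDS code). Because the server-side password policy is not applied when an
administrator adds or modifies a password, this applies the policy's length
rules plus the "letters + digits + special characters" rule from the thread to
every userPassword in an LDIF before it is imported with an admin account."""
import base64
import re

# Constructed sample: the policy entry from the thread, without the '*' markup,
# trimmed to the attributes this check reads, with the intended min length of 7.
POLICY_LDIF = """\
dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
objectClass: ads-passwordPolicy
ads-pwdId: default
ads-pwdMinLength: 7
ads-pwdMaxLength: 0
ads-pwdCheckQuality: 1
"""

# Constructed sample entries: the user from the thread ("pass"), a base64 value
# ("secret"), a compliant password and a pre-hashed placeholder (not a real hash).
USERS_LDIF = """\
dn: uid=SHolmes,ou=people,dc=example,dc=com
userPassword: pass
sn: Holmes

dn: uid=IAdler,ou=people,dc=example,dc=com
userPassword:: c2VjcmV0
sn: Adler

dn: uid=JWatson,ou=people,dc=example,dc=com
userPassword: Baker221b!
sn: Watson

dn: uid=MHudson,ou=people,dc=example,dc=com
userPassword: {SSHA}PLACEHOLDER-NOT-A-REAL-HASH
sn: Hudson
"""

ATTR_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?)\s*(.*)$")  # attr: value / attr:: b64
SPECIAL = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


def parse_ldif(text):
    """Return one {attribute_lowercase: [values]} dict per LDIF record, joining
    folded continuation lines, dropping '#' comments and decoding base64 values."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]            # RFC 2849 line folding
            elif not line.startswith("#"):
                lines.append(line)
        entry = {}
        for line in lines:
            m = ATTR_LINE.match(line)
            if not m:
                continue
            attr, sep, value = m.group(1).lower(), m.group(2), m.group(3).strip()
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8")
            entry.setdefault(attr, []).append(value)
        if entry:
            records.append(entry)
    return records


def load_policy(policy_ldif):
    """Extract the length and quality settings from the ads-passwordPolicy entry."""
    for entry in parse_ldif(policy_ldif):
        if "ads-passwordpolicy" in [v.lower() for v in entry.get("objectclass", [])]:
            def first(attr):
                return int(entry.get(attr, ["0"])[0])
            return {"min_length": first("ads-pwdminlength"),    # 0 means no limit
                    "max_length": first("ads-pwdmaxlength"),    # 0 means no limit
                    "check_quality": first("ads-pwdcheckquality")}
    raise ValueError("no ads-passwordPolicy entry in the policy LDIF")


def check_password(password, policy):
    """Return the list of rule violations for a cleartext password (empty = OK)."""
    problems = []
    if policy["min_length"] and len(password) < policy["min_length"]:
        problems.append("shorter than ads-pwdMinLength=%d" % policy["min_length"])
    if policy["max_length"] and len(password) > policy["max_length"]:
        problems.append("longer than ads-pwdMaxLength=%d" % policy["max_length"])
    if policy["check_quality"]:
        # Composition rule requested in the thread; not an ApacheDS built-in.
        for name, ok in (("letter", str.isalpha), ("digit", str.isdigit),
                         ("special character", SPECIAL.__contains__)):
            if not any(ok(c) for c in password):
                problems.append("no " + name)
    return problems


def lint_ldif(users_ldif, policy):
    """Map each DN whose userPassword violates the policy to its violations."""
    report = {}
    for entry in parse_ldif(users_ldif):
        dn = entry.get("dn", ["<no dn>"])[0]
        for pw in entry.get("userpassword", []):
            if pw.startswith("{"):
                # Pre-hashed value (assumed draft semantics): quality 1 means
                # "check if possible", so skip it; quality 2 means it must be rejected.
                if policy["check_quality"] == 2:
                    report[dn] = ["hashed value cannot be quality-checked (ads-pwdCheckQuality=2)"]
                continue
            problems = check_password(pw, policy)
            if problems:
                report[dn] = problems
    return report


if __name__ == "__main__":
    active = load_policy(POLICY_LDIF)
    for dn, problems in lint_ldif(USERS_LDIF, active).items():
        print("%s: %s" % (dn, ", ".join(problems)))
```

Run against the samples it flags SHolmes ("pass") and IAdler ("secret"), accepts JWatson, and silently skips the hashed MHudson value because the policy sets ads-pwdCheckQuality to 1; raising that to 2 makes the hashed value a violation too. Because the check runs on the client, it closes the gap only for imports that go through it: the server-side behaviour for administrative binds is unchanged.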
