Posted to fortress@directory.apache.org by Shawn McKinney <sm...@apache.org> on 2017/06/01 10:27:30 UTC

Re: Storage for Assigned Password Policy?

> On May 31, 2017, at 4:17 PM, Brian Brooks (US) <Br...@datapath.com> wrote:
> 
> We need to implement in our application password quality checks like IETF Password Policy for LDAP Directories draft, section 5.2.5 pwdCheckQuality, https://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-7.  These would be applied during new user creation, password change, etc.  We're planning to use Fortress and ApacheDS. 

This should work but I have not tested the combination of fortress w/ apacheds and pw policies.  If you want to give it a go, we’ll do our best to support it.

> Two questions:
> 1. Is there a way to extend Fortress password policy validation with pwdCheckQuality validations?  Is this better done with an ApacheDS extension?

No, on fortress validation for password quality checks.  Not sure about using apacheds extension, that’s a good idea but would be a question for their user ML.  Since it is useful, and broadly applicable, we will support your efforts, and make changes, as needed, assuming reasonable.

> 2. When a user is assigned a password policy, where is the assignment stored in the directory server?
> For example, if I do the following
> 2.1. Log in to fortress-commander.
> 2.2. Select a user.
> 2.3. Set the user's "PW Policy".
> 2.4. Click "Commit".
> What happens?  Where does fortress-commander store the 

It is stored as an attribute on the user object itself.

For example if the policy was ‘Test1’, you would see this attribute:

pwdPolicySubentry=cn=Test1,ou=Policies,dc=example,dc=com

There are three ways to enable a pwpolicy: globally, by group, or by user, which is how commander is setting it.


Thanks,
Shawn
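
The per-user assignment described in the reply above can be audited from an LDIF export of the user branch. This is an added example, not part of the original message or of Fortress itself; the user entries are constructed, and only the policy DN comes from the message. It handles folded lines and base64 (`::`) values, and an entry without the attribute is reported as having no per-user assignment.

```python
import base64

POLICY_DN = "cn=Test1,ou=Policies,dc=example,dc=com"  # policy DN from the reply above
B64_DN = base64.b64encode(POLICY_DN.encode()).decode()

# Constructed sample export; the user entries are made up for illustration.
SAMPLE_LDIF = f"""\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
pwdPolicySubentry: {POLICY_DN}

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
pwdPolicySubentry:: {B64_DN}

dn: uid=dave,ou=People,dc=example,dc=com
uid: dave
pwdPolicySubentry: cn=Test1,ou=Policies,
 dc=example,dc=com
"""

def parse_ldif(text):
    """Parse LDIF into a list of {lowercased attribute: [values]} dicts."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]          # RFC 2849 folded line: join to previous
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):    # skip LDIF comment lines
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):      # "attr:: value" is base64-encoded
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            current.setdefault(attr.lower(), []).append(value)
    return entries

def policy_assignments(entries):
    """Map each entry DN to its per-user policy DN (None when the attribute is absent)."""
    return {e["dn"][0]: (e.get("pwdpolicysubentry") or [None])[0]
            for e in entries if "dn" in e}
```
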