Posted to users@directory.apache.org by Sathya S <sa...@gmail.com> on 2014/05/13 12:22:06 UTC

Password policy not kicking in

Hi,

I am trying to set up a password policy on my ApacheDS instance to enable
minimum length check. I changed the minimum length from default of 5 to 7.
This is my password policy ldif:

dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
objectClass: top
objectClass: ads-base
objectClass: ads-passwordPolicy
ads-pwdId: default
ads-pwdSafeModify: FALSE
ads-pwdMaxAge: 0
ads-pwdFailureCountInterval: 30
ads-pwdAttribute: userPassword
ads-pwdMaxFailure: 5
ads-pwdLockout: TRUE
ads-pwdMustChange: FALSE
ads-pwdLockoutDuration: 0
ads-pwdMinLength: 5
ads-pwdInHistory: 5
ads-pwdExpireWarning: 600
ads-pwdMinAge: 0
ads-pwdAllowUserChange: TRUE
ads-pwdGraceAuthNLimit: 5
ads-pwdCheckQuality: 1
ads-pwdMaxLength: 0
ads-pwdGraceExpire: 0
ads-pwdMinDelay: 0
ads-pwdMaxDelay: 0
ads-pwdMaxIdle: 0
ads-pwdValidator: org.apache.directory.server.core.api.authn.ppolicy.DefaultPasswordValidator
ads-enabled: TRUE

I then import a user into the server using Apache Directory Studio. Despite
the password not meeting the min length criteria, the user gets added
successfully:

#!RESULT OK
#!CONNECTION ldap://localhost:10389
#!DATE 2014-05-13T10:19:54.095
dn: uid=SHolmes,ou=people,dc=example,dc=com
changetype: add
mail: SHolmes@gmail.com
uid: SHolmes
userPassword: pass
givenname: Sherlock
description: SHolmes
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: top
sn: Holmes
cn: SHolmes

Could you please help me understand what I am doing wrong?

Thanks.

Re: Password policy not kicking in

Posted by Sathya S <sa...@gmail.com>.
Thank you. I will file a bug.


On Wed, May 14, 2014 at 12:05 PM, Kiran Ayyagari <ka...@apache.org> wrote:

> On Wed, May 14, 2014 at 11:16 AM, Sathya Skr 75 <sathya.skr.75@gmail.com> wrote:
>
> > Thanks for the info. As an amateur ldap user, it does not seem right that
> > administrators are allowed to override system constraints. I am comparing
> > this to a database table with a not-null constraint. The constraint should
> > hold for all data regardless of the role of the logged in user because you
> > are affecting data integrity. Perhaps this is not the right analogy and I
> > just need to understand LDAP better.
> >
> yep, they are totally different: one is access control based decision
> making, the other is schema/structure designing
>
> > On the validators. I had done exactly what you said: placed the jar into
> > the lib directory, modified the configuration to point to my Validator
> > implementation and then restarted the server. I have logs at entry of the
> > method. These do not get printed and there is no exception raised. The
> > method or class does not seem to be invoked at all.
> >
> can you file a bug? I will take a look at it

Re: Password policy not kicking in

Posted by Kiran Ayyagari <ka...@apache.org>.
On Wed, May 14, 2014 at 11:16 AM, Sathya Skr 75 <sa...@gmail.com> wrote:

> Thanks for the info. As an amateur ldap user, it does not seem right that
> administrators are allowed to override system constraints. I am comparing
> this to a database table with a not-null constraint. The constraint should
> hold for all data regardless of the role of the logged in user because you
> are affecting data integrity. Perhaps this is not the right analogy and I
> just need to understand LDAP better.
>
yep, they are totally different: one is access control based decision
making, the other is schema/structure designing

>
> On the validators. I had done exactly what you said: placed the jar into
> the lib directory, modified the configuration to point to my Validator
> implementation and then restarted the server. I have logs at entry of the
> method. These do not get printed and there is no exception raised. The
> method or class does not seem to be invoked at all.
>
can you file a bug? I will take a look at it




-- 
Kiran Ayyagari
http://keydap.com

Re: Password policy not kicking in

Posted by Sathya Skr 75 <sa...@gmail.com>.
Thanks for the info. As an amateur ldap user, it does not seem right that administrators are allowed to override system constraints. I am comparing this to a database table with a not-null constraint. The constraint should hold for all data regardless of the role of the logged in user because you are affecting data integrity. Perhaps this is not the right analogy and I just need to understand LDAP better.

On the validators. I had done exactly what you said: placed the jar into the lib directory, modified the configuration to point to my Validator implementation and then restarted the server. I have logs at entry of the method. These do not get printed and there is no exception raised. The method or class does not seem to be invoked at all.

Thanks.

—
Sent from Mailbox

On Wed, May 14, 2014 at 3:05 AM, Kiran Ayyagari <ka...@apache.org> wrote:

> On Wed, May 14, 2014 at 12:56 AM, Sathya S <sa...@gmail.com> wrote:
>> Thank you Kiran.
>>
>> Is this a change that has been recently introduced? I actually downgraded
>> the server versions and found that this same configuration works fine till
>> 2.0.0-M14 but is broken (or modified) in 2.0.0-M15.
>>
> yes, this was modified, earlier the policy was enforced for _all_ users,
> which is not
> the correct thing (admins are gods right ;)
>> Another question - what is the purpose of the ads-pwdValidator class? I
>> wanted to impose additional checks on the password (alphanumeric + special
>> characters) and as it didn't seem to be supported by ApacheDS, I thought
>> extending the validator class may be the right approach. But I find that
>> the class does not get called in at all. So curious to know the purpose of
>> the ads-pwdValidator class and when it gets called in.
>>
> yes, this is created for the same purpose, which version are you using?
> did you add the jar to lib folder (or to the classpath, if you are running
> the server using apacheds.sh script)
> provide us any error logs if present

Re: Password policy not kicking in

Posted by Kiran Ayyagari <ka...@apache.org>.
On Wed, May 14, 2014 at 12:56 AM, Sathya S <sa...@gmail.com> wrote:

> Thank you Kiran.
>
> Is this a change that has been recently introduced? I actually downgraded
> the server versions and found that this same configuration works fine till
> 2.0.0-M14 but is broken (or modified) in 2.0.0-M15.
>
yes, this was modified, earlier the policy was enforced for _all_ users,
which is not the correct thing (admins are gods right ;)

> Another question - what is the purpose of the ads-pwdValidator class? I
> wanted to impose additional checks on the password (alphanumeric + special
> characters) and as it didn't seem to be supported by ApacheDS, I thought
> extending the validator class may be the right approach. But I find that
> the class does not get called in at all. So curious to know the purpose of
> the ads-pwdValidator class and when it gets called in.
>
yes, this is created for the same purpose, which version are you using?
did you add the jar to the lib folder (or to the classpath, if you are running
the server using the apacheds.sh script)

provide us any error logs if present




-- 
Kiran Ayyagari
http://keydap.com

Re: Password policy not kicking in

Posted by Sathya S <sa...@gmail.com>.
Thank you Kiran.

Is this a change that has been recently introduced? I actually downgraded
the server versions and found that this same configuration works fine till
2.0.0-M14 but is broken (or modified) in 2.0.0-M15.

Another question - what is the purpose of the ads-pwdValidator class? I
wanted to impose additional checks on the password (alphanumeric + special
characters) and as it didn't seem to be supported by ApacheDS, I thought
extending the validator class may be the right approach. But I find that
the class does not get called in at all. So curious to know the purpose of
the ads-pwdValidator class and when it gets called in.

Thanks.


On Tue, May 13, 2014 at 8:19 PM, Kiran Ayyagari <ka...@apache.org> wrote:

> The configuration is correct.
>
> Make sure that you are not adding this entry as an administrator; the password
> policy is not enforced when an administrator adds or modifies a password.

Re: Password policy not kicking in

Posted by Kiran Ayyagari <ka...@apache.org>.
The configuration is correct.

Make sure that you are not adding this entry as an administrator; the password
policy is not enforced when an administrator adds or modifies a password.





-- 
Kiran Ayyagari
http://keydap.com
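The point Kiran makes above (the policy is skipped for administrator writes, so an import done as admin is not a valid test of it), as an added example that is not part of the thread or of ApacheDS: a small Python pre-flight script that parses the posted policy and user entries from LDIF and predicts, for a given bind DN, whether the add would pass the policy. It assumes ApacheDS's default administrator DN uid=admin,ou=system, the 0/1/2 meaning of pwdCheckQuality from the LDAP password-policy draft, and the RFC 2307 "{scheme}" prefix for pre-hashed values; the letter/digit/special-character rule is the extra check the poster wanted, not something the posted policy itself enforces.

```python
"""Offline pre-flight check of an ApacheDS password policy: parse the policy and
user entries from LDIF and apply the rules the server enforces for a non-admin bind."""
import re

# Constructed sample input: the policy and user entries posted in the thread, trimmed.
POLICY_LDIF = """\
dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,
 ou=interceptors,ads-directoryServiceId=default,ou=config
objectClass: ads-passwordPolicy
ads-pwdId: default
ads-pwdAttribute: userPassword
ads-pwdMinLength: 5
ads-pwdMaxLength: 0
ads-pwdCheckQuality: 1
ads-enabled: TRUE
"""
USER_LDIF = """\
dn: uid=SHolmes,ou=people,dc=example,dc=com
changetype: add
uid: SHolmes
userPassword: pass
cn: SHolmes
sn: Holmes
"""
# Assumption: ApacheDS's default administrator DN; its writes skip the policy.
ADMIN_DN = "uid=admin,ou=system"


def parse_ldif_entry(text):
    """Return {lowercased attribute: [values]} for one LDIF entry; a line that
    starts with a single space continues the previous value (LDIF folding)."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            logical.append(raw)
    attrs = {}
    for line in logical:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def policy_violations(policy, password, require_classes=False):
    """List the rules 'password' breaks. pwdCheckQuality: 0 = never check, 1 = check
    cleartext only, 2 = also reject pre-hashed values that cannot be checked.
    require_classes adds the letter/digit/special rule the poster wanted."""
    quality = int(policy.get("ads-pwdcheckquality", ["0"])[0])
    if quality == 0:
        return []
    if re.match(r"^\{[A-Za-z0-9-]+\}", password):  # RFC 2307 '{SSHA}...' form
        return ["pre-hashed value cannot be checked"] if quality == 2 else []
    min_len = int(policy.get("ads-pwdminlength", ["0"])[0])
    max_len = int(policy.get("ads-pwdmaxlength", ["0"])[0])  # 0 = no limit
    violations = []
    if len(password) < min_len:
        violations.append(f"too short: {len(password)} < {min_len}")
    if max_len and len(password) > max_len:
        violations.append(f"too long: {len(password)} > {max_len}")
    if require_classes:
        for label, pattern in (("letter", r"[A-Za-z]"), ("digit", r"\d"),
                               ("special character", r"[^A-Za-z0-9]")):
            if not re.search(pattern, password):
                violations.append(f"missing {label}")
    return violations


def evaluate_add(policy, entry, bind_dn, require_classes=False):
    """Predict whether adding 'entry' while bound as 'bind_dn' passes the policy."""
    if policy.get("ads-enabled", ["FALSE"])[0].upper() != "TRUE":
        return "accepted: policy disabled"
    if bind_dn.lower() == ADMIN_DN:
        return "accepted: administrator bind, policy not enforced"
    attr = policy.get("ads-pwdattribute", ["userPassword"])[0].lower()
    problems = []
    for pw in entry.get(attr, []):
        problems += policy_violations(policy, pw, require_classes)
    return "rejected: " + "; ".join(problems) if problems else "accepted: policy satisfied"
```

Run evaluate_add once with ADMIN_DN and once with the user's own DN to see the two outcomes the thread describes; the real test is still a bind as a non-admin user against the server.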