Posted to users@directory.apache.org by Ca...@ibs-ag.com on 2011/10/04 15:39:04 UTC

RE: [ApacheDS] looking for simple config for password policy enforcement.

Hi, 
1.) Installed clean Apache DS 2.0.0-M3 with default instance - OK
2.) Import LDIF of my own JDBM partition. - OK
3.) Import LDIF root DSE for my new partition - OK
4.) Import LDIF for my own password policy - OK
5.) Import LDIF user in my new partition with pwdPolicySubEntry set for policy in step 4. - OK
6.) Try and modify any attribute of user imported in step 5 and the exception below is thrown.

Any ideas? 

// step 5 result
#!RESULT OK
#!CONNECTION ldap://localhost:10389
#!DATE 2011-10-04T09:30:33.945
dn: uid=1286309809117,ou=users,ou=int,o=cpro
changetype: add
employeeNumber: jsmith
initials: w
sn: Smith
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
mail: null@locahost
givenName: John
uid: 1286309809117
pwdPolicySubEntry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
cn: Smith, John
displayName: Smith, John 
userPassword:: e1NIQX1RTDBBRldNSVg4TlJaVEtlb2Y6Y1hzdmJ2dTg9

// step 6, change givenName
#!RESULT ERROR
#!CONNECTION ldap://localhost:10389
#!DATE 2011-10-04T09:30:47.177
#!ERROR [LDAP: error code 54 - LOOP_DETECT: failed for MessageType : MODIFY_REQUEST Message ID : 14     Modify Request         Object : 'uid=1286309809117,ou=users,ou=int,o=cpro'             Modification[0]                 Operation :  replace                 Modification     givenName: John2 org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@86392ad2: ERR_333 Unexpected exception.]
dn: uid=1286309809117,ou=users,ou=int,o=cpro
changetype: modify
replace: givenName
givenName: John2


//  ldif of my password policy
dn: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
objectclass: top
objectclass: ads-base
objectclass: ads-passwordPolicy
ads-pwdattribute: userPassword
ads-pwdid: cproext
ads-enabled: TRUE
ads-pwdallowuserchange: TRUE
ads-pwdcheckquality: 1
ads-pwdexpirewarning: 600
ads-pwdfailurecountinterval: 30
ads-pwdgraceauthnlimit: 5
ads-pwdgraceexpire: 0
ads-pwdinhistory: 5
ads-pwdlockout: TRUE
ads-pwdlockoutduration: 0
ads-pwdmaxage: 0
ads-pwdmaxdelay: 0
ads-pwdmaxfailure: 5
ads-pwdmaxidle: 0
ads-pwdmaxlength: 0
ads-pwdminage: 0
ads-pwdmindelay: 0
ads-pwdminlength: 5
ads-pwdmustchange: FALSE
ads-pwdsafemodify: FALSE

Thank you!!


-----Original Message-----
From: Carlo.Accorsi@ibs-ag.com [mailto:Carlo.Accorsi@ibs-ag.com] 
Sent: Friday, September 30, 2011 5:05 PM
To: users@directory.apache.org
Subject: RE: [ApacheDS] looking for simple config for password policy enforcement.

Hi, and thank you for your response.

I've been able to create a second policy all along; however, I kept running into the same problem when trying to add the 'pwdPolicySubentry' to an existing user.
Is it possible to modify the pwdPolicySubentry attribute on an existing user?
The schema browser shows that the attribute has a read-only flag ( NO-USER-MODIFICATION ).

#!RESULT ERROR
#!CONNECTION ldap://localhost:10389
#!DATE 2011-09-30T16:16:01.784
#!ERROR [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for MessageType : MODIFY_REQUEST Message ID : 31     Modify Request         Object : 'uid=1286309809116,ou=users,ou=int,o=cpro'             Modification[0]                 Operation :  add                 Modification     pwdPolicySubentry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@4b131069: ERR_52 Cannot modify the attribute : ATTRIBUTE_TYPE ( 1.3.6.1.4.1.42.2.27.8.1.23  NAME 'pwdPolicySubentry'  DESC The pwdPolicy subentry in effect for this object  EQUALITY distinguishedNameMatch  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12  SINGLE-VALUE  NO-USER-MODIFICATION  USAGE directoryOperation  ) ]
dn: uid=1286309809116,ou=users,ou=int,o=cpro
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config


Anyway, I then tried a NEW user and set pwdPolicySubentry and this worked, however, 

#!RESULT OK
#!CONNECTION ldap://localhost:10389
#!DATE 2011-09-30T16:31:17.973
dn: uid=1286309809117,ou=users,ou=int,o=cpro
changetype: add
sn: Accorsi
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
mail: null
givenName: Carlo
uid: 1286309809117
cn: Accorsi, Carlo
displayName: Accorsi, Carlo
pwdPolicySubentry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
userPassword:: e1NIQX1ackowRjlOK0FreEdVbXd2YlRXS2RVL0XVdk09

Now when any type of modification is made to the entry a LOOP_DETECT exception is thrown.

#!RESULT ERROR
#!CONNECTION ldap://localhost:10389
#!DATE 2011-09-30T16:45:33.245
#!ERROR [LDAP: error code 54 - LOOP_DETECT: failed for MessageType : MODIFY_REQUEST Message ID : 21     Modify Request         Object : 'uid=1286309809117,ou=users,ou=int,o=cpro'             Modification[0]                 Operation :  replace                 Modification     givenName: Carlo2 org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@902ef1ad: ERR_333 Unexpected exception.]
dn: uid=1286309809117,ou=users,ou=int,o=cpro
changetype: modify
replace: givenName
givenName: Carlo2

Thinking this was because there were two policies, I decided to delete the default password policy. Not smart; now the uid=admin,ou=system user can no longer bind.

I'm starting over, but can you see anything I'm missing?

I know my ads-pwdcheckquality = 2 in my new policy.

Thanks, 
Carlo Accorsi

-----Original Message-----
From: ayyagarikiran@gmail.com [mailto:ayyagarikiran@gmail.com] On Behalf Of Kiran Ayyagari
Sent: Friday, September 30, 2011 3:39 PM
To: users@directory.apache.org
Subject: Re: [ApacheDS] looking for simple config for password policy enforcement.

On Fri, Sep 30, 2011 at 12:23 PM,  <Ca...@ibs-ag.com> wrote:
> I would like to apply and enforce two different password policies to two different sub trees (that share the same root).
>
> I see where the policies (I think ) are supposed to go.
> ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>
correct place
> The question is how does this policy then get linked or applied to a user?
>
> In other directory servers, the pwdPolicy schema defines the policy object and all the supporting attributes (min/max pw length, etc).
> Then the pwdPolicySubentry  attribute (on the user object) refers to the DN of the policy object and this is how it's enforced.
>
> I can't seem to make the connection in ApacheDS how this occurs?
> I've tried creating an ads-passwordPolicy object at the subtree level of my users. Doesn't work.
> I've tried creating a simple pwdPolicy object but it cannot be saved because there's no structural objectclass associated with it.
>
No, this won't work. Just create another policy under the above-mentioned DN with a name like ads-pwdId=custom, and to enforce it for a specific user,
add the 'pwdPolicySubEntry' attribute with the value set to the custom pwdpolicy entry's DN.

Note that the default password policy (ads-pwdId=default) is applicable for all other user entries which don't have a 'pwdPolicySubEntry' attribute specified.

> Even if the functionality isn't fully implemented, I'd like to structure the directory correctly. Your help is most appreciated.
>
please let us know if you have any other questions

HTH

--
Kiran Ayyagari
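Kiran's answer above links a user entry to a policy through its pwdPolicySubentry value and falls back to ads-pwdId=default; the policy LDIF in this thread also carries settings worth a second look (ads-pwdcheckquality 1, ads-pwdminlength 5, ads-pwdlockoutduration 0, ads-pwdsafemodify FALSE). The Python below is an added example, not code from the thread or from ApacheDS: it parses LDIF like the entries quoted here, resolves the effective policy the way Kiran describes, and reports each weak value with a recommended replacement. The sample LDIF is constructed from the thread's entries, and DEFAULT_POLICY_DN and the recommended values are assumptions.

```python
"""Resolve and audit ApacheDS password policies from LDIF (added example for
this thread, not code from the thread or from ApacheDS). SAMPLE_LDIF is
constructed from the thread's entries, trimmed, with one value folded the LDIF
way and a made-up hash; DEFAULT_POLICY_DN is assumed from Kiran's remark that
the default policy is ads-pwdId=default."""
import base64

POLICY_CONTAINER = ("ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,"
                    "ou=interceptors,ads-directoryServiceId=default,ou=config")
DEFAULT_POLICY_DN = "ads-pwdId=default," + POLICY_CONTAINER  # assumed

SAMPLE_LDIF = f"""\
dn: ads-pwdId=cproext,{POLICY_CONTAINER}
objectclass: ads-passwordPolicy
ads-pwdcheckquality: 1
ads-pwdlockout: TRUE
ads-pwdlockoutduration: 0
ads-pwdmaxfailure: 5
ads-pwdminlength: 5
ads-pwdsafemodify: FALSE

dn: uid=1286309809117,ou=users,ou=int,o=cpro
uid: 1286309809117
pwdPolicySubEntry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,
 ou=interceptors,ads-directoryServiceId=default,ou=config
userPassword:: e1NIQX1zYW1wbGU=
"""


def unfold(text):
    """Join LDIF continuation lines (leading space); the thread's 'ou=conf ig' is such a fold joined wrongly."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """{dn.lower(): {attr.lower(): [values]}}. Names and DNs are lower-cased as
    LDAP matches them case-insensitively (the thread writes both pwdPolicySubentry
    and pwdPolicySubEntry); '#' lines are skipped; 'attr:: v' is base64."""
    entries, current = {}, {}
    for line in unfold(text) + [""]:  # sentinel flushes the last record
        if not line.strip():
            if "dn" in current:
                entries[current["dn"][0].lower()] = current
            current = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            current.setdefault(name.strip().lower(), []).append(value)
    return entries


def effective_policy(entries, user_dn):
    """Policy ApacheDS applies to user_dn: the pwdPolicySubentry target, else the
    default. LookupError if absent, the state after the thread's deletion of ads-pwdId=default."""
    user = entries[user_dn.lower()]
    ref = user.get("pwdpolicysubentry", [DEFAULT_POLICY_DN])[0]
    policy = entries.get(ref.lower(), {})
    if "ads-passwordpolicy" not in [c.lower() for c in policy.get("objectclass", [])]:
        raise LookupError(f"no ads-passwordPolicy entry at {ref}")
    return ref, policy


def audit_policy(policy):
    """(attribute, current, recommended, reason) for settings that weaken
    enforcement; semantics per draft-behera-ldap-password-policy, which the
    ads-pwd* attributes mirror. Recommended values are a reviewer's baseline."""
    def v(name, default="0"):
        return policy.get("ads-" + name, [default])[0]
    out = []
    if v("pwdcheckquality") != "2":
        out.append(("ads-pwdcheckquality", v("pwdcheckquality"), "2",
                    "0 skips quality checks, 1 accepts pre-hashed values unchecked"))
    if int(v("pwdminlength")) < 12:
        out.append(("ads-pwdminlength", v("pwdminlength"), "12", "minimum too short"))
    if v("pwdlockout", "FALSE").upper() != "TRUE":
        out.append(("ads-pwdlockout", v("pwdlockout", "FALSE"), "TRUE", "failed binds never lock out"))
    elif int(v("pwdmaxfailure")) == 0:
        out.append(("ads-pwdmaxfailure", "0", "5", "lockout enabled but no failure threshold"))
    elif int(v("pwdlockoutduration")) == 0:
        out.append(("ads-pwdlockoutduration", "0", "900",
                    "locked until an admin resets it; a burst of bad binds is a denial of service"))
    if v("pwdsafemodify", "FALSE").upper() != "TRUE":
        out.append(("ads-pwdsafemodify", v("pwdsafemodify", "FALSE"), "TRUE",
                    "password can be replaced without presenting the current one"))
    return out


def harden(policy):  # copy of the policy with every recommended value applied
    return {**policy, **{a: [rec] for a, _, rec, _ in audit_policy(policy)}}
```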

RE: [ApacheDS] looking for simple config for password policy enforcement.

Posted by Ca...@ibs-ag.com.
Hi Kiran, yes this worked. Thank you very much. 

Regards,
Carlo Accorsi

-----Original Message-----
From: ayyagarikiran@gmail.com [mailto:ayyagarikiran@gmail.com] On Behalf Of Kiran Ayyagari
Sent: Tuesday, October 04, 2011 3:31 PM
To: users@directory.apache.org
Subject: Re: [ApacheDS] looking for simple config for password policy enforcement.

Have fixed this, please verify with the latest trunk source and let us know.
Thanks for reporting

On Tue, Oct 4, 2011 at 11:13 AM, Kiran Ayyagari <ka...@apache.org> wrote:
> I have found the issue and filed a report[1]
> Will let you know after committing the fix (approx. 2 hours).
> Appreciate your patience
>
> [1] https://issues.apache.org/jira/browse/DIRSERVER-1665
>
> On Tue, Oct 4, 2011 at 10:00 AM, Kiran Ayyagari <ka...@apache.org> wrote:
>> am currently looking at this issue, will let you know as soon as I find
>>
--
Kiran Ayyagari

Re: [ApacheDS] looking for simple config for password policy enforcement.

Posted by Kiran Ayyagari <ka...@apache.org>.
Have fixed this, please verify with the latest trunk source and let us know.
Thanks for reporting


-- 
Kiran Ayyagari

Re: [ApacheDS] looking for simple config for password policy enforcement.

Posted by Kiran Ayyagari <ka...@apache.org>.
I have found the issue and filed a report[1]
Will let you know after committing the fix(approx. 2 hours).
Appreciate your patience

[1] https://issues.apache.org/jira/browse/DIRSERVER-1665

On Tue, Oct 4, 2011 at 10:00 AM, Kiran Ayyagari <ka...@apache.org> wrote:
> am currently looking at this issue, will let you know as soon as I find
>
> On Tue, Oct 4, 2011 at 9:39 AM,  <Ca...@ibs-ag.com> wrote:
>> Hi,
>> 1.) Installed clean Apache DS 2.0.0-M3 with default instance - OK
>> 2.) Import LDIF of my own JDBM partition. - OK
>> 3.) Import LDIF root DSE for my new partition - OK
>> 4.) Import LDIF for my own password policy - OK
>> 5.) Import LDIF user in my new partition with pwdPolicySubEntry set for policy in step 4. - OK
>> 6.) Try and modify any attribute of user imported in step 5 and the exception below is thrown.
>>
>> Any ideas?
>>
>> // step 5 result
>> #!RESULT OK
>> #!CONNECTION ldap://localhost:10389
>> #!DATE 2011-10-04T09:30:33.945
>> dn: uid=1286309809117,ou=users,ou=int,o=cpro
>> changetype: add
>> employeeNumber: jsmith
>> initials: w
>> sn: Smith
>> objectClass: inetOrgPerson
>> objectClass: organizationalPerson
>> objectClass: person
>> objectClass: top
>> mail: null@locahost
>> givenName: John
>> uid: 1286309809117
>> pwdPolicySubEntry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>> cn: Smith, John
>> displayName: Smith, John
>> userPassword:: e1NIQX1RTDBBRldNSVg4TlJaVEtlb2Y6Y1hzdmJ2dTg9
>>
>> // step 6, change givenName
>> #!RESULT ERROR
>> #!CONNECTION ldap://localhost:10389
>> #!DATE 2011-10-04T09:30:47.177
>> #!ERROR [LDAP: error code 54 - LOOP_DETECT: failed for MessageType : MODIFY_REQUEST Message ID : 14     Modify Request         Object : 'uid=1286309809117,ou=users,ou=int,o=cpro'             Modification[0]                 Operation :  replace                 Modification     givenName: John2 org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@86392ad2: ERR_333 Unexpected exception.]
>> dn: uid=1286309809117,ou=users,ou=int,o=cpro
>> changetype: modify
>> replace: givenName
>> givenName: John2
>>
>>
>> //  ldif of my password policy
>> dn: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>> objectclass: top
>> objectclass: ads-base
>> objectclass: ads-passwordPolicy
>> ads-pwdattribute: userPassword
>> ads-pwdid: cproext
>> ads-enabled: TRUE
>> ads-pwdallowuserchange: TRUE
>> ads-pwdcheckquality: 1
>> ads-pwdexpirewarning: 600
>> ads-pwdfailurecountinterval: 30
>> ads-pwdgraceauthnlimit: 5
>> ads-pwdgraceexpire: 0
>> ads-pwdinhistory: 5
>> ads-pwdlockout: TRUE
>> ads-pwdlockoutduration: 0
>> ads-pwdmaxage: 0
>> ads-pwdmaxdelay: 0
>> ads-pwdmaxfailure: 5
>> ads-pwdmaxidle: 0
>> ads-pwdmaxlength: 0
>> ads-pwdminage: 0
>> ads-pwdmindelay: 0
>> ads-pwdminlength: 5
>> ads-pwdmustchange: FALSE
>> ads-pwdsafemodify: FALSE
>>
>> Thank you!!
>>
>>
>> -----Original Message-----
>> From: Carlo.Accorsi@ibs-ag.com [mailto:Carlo.Accorsi@ibs-ag.com]
>> Sent: Friday, September 30, 2011 5:05 PM
>> To: users@directory.apache.org
>> Subject: RE: [ApacheDS] looking for simple config for password policy enforcement.
>>
>> Hi, and thank you for your response.
>>
>> I've been able to create a second policy all along, however I kept running into the same problem when trying to add the 'pwdPolicySubentry'   to an existing user.
>> Is it possible to modify the  pwdPolicySubentry  attribute on an existing user?
>>  The schema browser shows that the  attribute has a read-only flag, ( NO-USER-MODIFICATION  )
>>
>> #!RESULT ERROR
>> #!CONNECTION ldap://localhost:10389
>> #!DATE 2011-09-30T16:16:01.784
>> #!ERROR [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for MessageType : MODIFY_REQUEST Message ID : 31     Modify Request         Object : 'uid=1286309809116,ou=users,ou=int,o=cpro'             Modification[0]                 Operation :  add                 Modification     pwdPolicySubentry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@4b131069: ERR_52 Cannot modify the attribute : ATTRIBUTE_TYPE ( 1.3.6.1.4.1.42.2.27.8.1.23  NAME 'pwdPolicySubentry'  DESC The pwdPolicy subentry in effect for this object  EQUALITY distinguishedNameMatch  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12  SINGLE-VALUE  NO-USER-MODIFICATION  USAGE directoryOperation  ) ]
>> dn: uid=1286309809116,ou=users,ou=int,o=cpro
>> changetype: modify
>> add: pwdPolicySubentry
>> pwdPolicySubentry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=conf ig
>>
>>
>> Anyway, I then tried a NEW user and set pwdPolicySubentry and this worked, however,
>>
>> #!RESULT OK
>> #!CONNECTION ldap://localhost:10389
>> #!DATE 2011-09-30T16:31:17.973
>> dn: uid=1286309809117,ou=users,ou=int,o=cpro
>> changetype: add
>> sn: Accorsi
>> objectClass: organizationalPerson
>> objectClass: person
>> objectClass: inetOrgPerson
>> objectClass: top
>> mail: null
>> givenName: Carlo
>> uid: 1286309809117
>> cn: Accorsi, Carlo
>> displayName: Accorsi, Carlo
>> pwdPolicySubentry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>> userPassword:: e1NIQX1ackowRjlOK0FreEdVbXd2YlRXS2RVL0XVdk09
>>
>> Now when any type of modification is made to the entry, a LOOP_DETECT exception is thrown.
>>
>> #!RESULT ERROR
>> #!CONNECTION ldap://localhost:10389
>> #!DATE 2011-09-30T16:45:33.245
>> #!ERROR [LDAP: error code 54 - LOOP_DETECT: failed for MessageType : MODIFY_REQUEST Message ID : 21     Modify Request         Object : 'uid=1286309809117,ou=users,ou=int,o=cpro'             Modification[0]                 Operation :  replace                 Modification     givenName: Carlo2 org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@902ef1ad: ERR_333 Unexpected exception.]
>> dn: uid=1286309809117,ou=users,ou=int,o=cpro
>> changetype: modify
>> replace: givenName
>> givenName: Carlo2
>>
>> Thinking this was because there were two policies, I decided to delete the default password policy. Not smart; now the uid=admin,ou=system user can no longer bind.
>>
>> I'm starting over but can you see anything I'm missing?
>>
>> I know my ads-pwdcheckquality = 2 in my new policy.
>>
>> Thanks,
>> Carlo Accorsi
>>
>> -----Original Message-----
>> From: ayyagarikiran@gmail.com [mailto:ayyagarikiran@gmail.com] On Behalf Of Kiran Ayyagari
>> Sent: Friday, September 30, 2011 3:39 PM
>> To: users@directory.apache.org
>> Subject: Re: [ApacheDS] looking for simple config for password policy enforcement.
>>
>> On Fri, Sep 30, 2011 at 12:23 PM,  <Ca...@ibs-ag.com> wrote:
>>> I would like to apply and enforce two different password policies to two different subtrees (that share the same root).
>>>
>>> I see where the policies (I think) are supposed to go.
>>> ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>>>
>> correct place
>>> The question is how does this policy then get linked or applied to a user?
>>>
>>> In other directory servers, the pwdPolicy schema defines the policy object and all the supporting attributes (min/max pw length, etc).
>>> Then the pwdPolicySubentry  attribute (on the user object) refers to the DN of the policy object and this is how it's enforced.
>>>
>>> I can't seem to make the connection in ApacheDS as to how this occurs.
>>> I've tried creating an ads-passwordPolicy object at the subtree level of my users. Doesn't work.
>>> I've tried creating a simple pwdPolicy object, but it cannot be saved because there's no structural objectclass associated with it.
>>>
>> no, this won't work, just create another policy under the above-mentioned DN with a name like ads-pwdId=custom, and to enforce it for a specific user:
>> add a 'pwdPolicySubEntry' attribute with the value set to the custom pwdpolicy entry's DN
>>
>> Note that the default password policy (ads-pwdId=default) applies to all other user entries that don't have a 'pwdPolicySubEntry'
>> attribute specified.
>>
>>> Even if the functionality isn't fully implemented, I'd like to structure the directory correctly. Your help is most appreciated.
>>>
>> please let us know if you have any other questions
>>
>> HTH
>>
>> --
>> Kiran Ayyagari
>>
>
>
>
> --
> Kiran Ayyagari
>



-- 
Kiran Ayyagari

Re: [ApacheDS] looking for simple config for password policy enforcement.

Posted by Kiran Ayyagari <ka...@apache.org>.
am currently looking at this issue, will let you know as soon as I find

On Tue, Oct 4, 2011 at 9:39 AM,  <Ca...@ibs-ag.com> wrote:
> Hi,
> 1.) Installed clean Apache DS 2.0.0-M3 with default instance - OK
> 2.) Import LDIF of my own JDBM partition. - OK
> 3.) Import LDIF root DSE for my new partition - OK
> 4.) Import LDIF for my own password policy - OK
> 5.) Import LDIF user in my new partition with pwdPolicySubEntry set for policy in step 4. - OK
> 6.) Try and modify any attribute of user imported in step 5 and the exception below is thrown.
>
> Any ideas?
>
> // step 5 result
> #!RESULT OK
> #!CONNECTION ldap://localhost:10389
> #!DATE 2011-10-04T09:30:33.945
> dn: uid=1286309809117,ou=users,ou=int,o=cpro
> changetype: add
> employeeNumber: jsmith
> initials: w
> sn: Smith
> objectClass: inetOrgPerson
> objectClass: organizationalPerson
> objectClass: person
> objectClass: top
> mail: null@locahost
> givenName: John
> uid: 1286309809117
> pwdPolicySubEntry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> cn: Smith, John
> displayName: Smith, John
> userPassword:: e1NIQX1RTDBBRldNSVg4TlJaVEtlb2Y6Y1hzdmJ2dTg9
>
> // step 6, change givenName
> #!RESULT ERROR
> #!CONNECTION ldap://localhost:10389
> #!DATE 2011-10-04T09:30:47.177
> #!ERROR [LDAP: error code 54 - LOOP_DETECT: failed for MessageType : MODIFY_REQUEST Message ID : 14     Modify Request         Object : 'uid=1286309809117,ou=users,ou=int,o=cpro'             Modification[0]                 Operation :  replace                 Modification     givenName: John2 org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@86392ad2: ERR_333 Unexpected exception.]
> dn: uid=1286309809117,ou=users,ou=int,o=cpro
> changetype: modify
> replace: givenName
> givenName: John2
>
>
> //  ldif of my password policy
> dn: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> objectclass: top
> objectclass: ads-base
> objectclass: ads-passwordPolicy
> ads-pwdattribute: userPassword
> ads-pwdid: cproext
> ads-enabled: TRUE
> ads-pwdallowuserchange: TRUE
> ads-pwdcheckquality: 1
> ads-pwdexpirewarning: 600
> ads-pwdfailurecountinterval: 30
> ads-pwdgraceauthnlimit: 5
> ads-pwdgraceexpire: 0
> ads-pwdinhistory: 5
> ads-pwdlockout: TRUE
> ads-pwdlockoutduration: 0
> ads-pwdmaxage: 0
> ads-pwdmaxdelay: 0
> ads-pwdmaxfailure: 5
> ads-pwdmaxidle: 0
> ads-pwdmaxlength: 0
> ads-pwdminage: 0
> ads-pwdmindelay: 0
> ads-pwdminlength: 5
> ads-pwdmustchange: FALSE
> ads-pwdsafemodify: FALSE
>
> Thank you!!
>
>
> -----Original Message-----
> From: Carlo.Accorsi@ibs-ag.com [mailto:Carlo.Accorsi@ibs-ag.com]
> Sent: Friday, September 30, 2011 5:05 PM
> To: users@directory.apache.org
> Subject: RE: [ApacheDS] looking for simple config for password policy enforcement.
>
> Hi, and thank you for your response.
>
> I've been able to create a second policy all along; however, I kept running into the same problem when trying to add the 'pwdPolicySubentry' to an existing user.
> Is it possible to modify the pwdPolicySubentry attribute on an existing user?
> The schema browser shows that the attribute has a read-only flag (NO-USER-MODIFICATION).
>
> #!RESULT ERROR
> #!CONNECTION ldap://localhost:10389
> #!DATE 2011-09-30T16:16:01.784
> #!ERROR [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for MessageType : MODIFY_REQUEST Message ID : 31     Modify Request         Object : 'uid=1286309809116,ou=users,ou=int,o=cpro'             Modification[0]                 Operation :  add                 Modification     pwdPolicySubentry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@4b131069: ERR_52 Cannot modify the attribute : ATTRIBUTE_TYPE ( 1.3.6.1.4.1.42.2.27.8.1.23  NAME 'pwdPolicySubentry'  DESC The pwdPolicy subentry in effect for this object  EQUALITY distinguishedNameMatch  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12  SINGLE-VALUE  NO-USER-MODIFICATION  USAGE directoryOperation  ) ]
> dn: uid=1286309809116,ou=users,ou=int,o=cpro
> changetype: modify
> add: pwdPolicySubentry
> pwdPolicySubentry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>
>
> Anyway, I then tried a NEW user and set pwdPolicySubentry and this worked, however,
>
> #!RESULT OK
> #!CONNECTION ldap://localhost:10389
> #!DATE 2011-09-30T16:31:17.973
> dn: uid=1286309809117,ou=users,ou=int,o=cpro
> changetype: add
> sn: Accorsi
> objectClass: organizationalPerson
> objectClass: person
> objectClass: inetOrgPerson
> objectClass: top
> mail: null
> givenName: Carlo
> uid: 1286309809117
> cn: Accorsi, Carlo
> displayName: Accorsi, Carlo
> pwdPolicySubentry: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> userPassword:: e1NIQX1ackowRjlOK0FreEdVbXd2YlRXS2RVL0XVdk09
>
> Now when any type of modification is made to the entry, a LOOP_DETECT exception is thrown.
>
> #!RESULT ERROR
> #!CONNECTION ldap://localhost:10389
> #!DATE 2011-09-30T16:45:33.245
> #!ERROR [LDAP: error code 54 - LOOP_DETECT: failed for MessageType : MODIFY_REQUEST Message ID : 21     Modify Request         Object : 'uid=1286309809117,ou=users,ou=int,o=cpro'             Modification[0]                 Operation :  replace                 Modification     givenName: Carlo2 org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@902ef1ad: ERR_333 Unexpected exception.]
> dn: uid=1286309809117,ou=users,ou=int,o=cpro
> changetype: modify
> replace: givenName
> givenName: Carlo2
>
> Thinking this was because there were two policies, I decided to delete the default password policy. Not smart; now the uid=admin,ou=system user can no longer bind.
>
> I'm starting over but can you see anything I'm missing?
>
> I know my ads-pwdcheckquality = 2 in my new policy.
>
> Thanks,
> Carlo Accorsi
>
> -----Original Message-----
> From: ayyagarikiran@gmail.com [mailto:ayyagarikiran@gmail.com] On Behalf Of Kiran Ayyagari
> Sent: Friday, September 30, 2011 3:39 PM
> To: users@directory.apache.org
> Subject: Re: [ApacheDS] looking for simple config for password policy enforcement.
>
> On Fri, Sep 30, 2011 at 12:23 PM,  <Ca...@ibs-ag.com> wrote:
>> I would like to apply and enforce two different password policies to two different subtrees (that share the same root).
>>
>> I see where the policies (I think) are supposed to go.
>> ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>>
> correct place
>> The question is how does this policy then get linked or applied to a user?
>>
>> In other directory servers, the pwdPolicy schema defines the policy object and all the supporting attributes (min/max pw length, etc).
>> Then the pwdPolicySubentry  attribute (on the user object) refers to the DN of the policy object and this is how it's enforced.
>>
>> I can't seem to make the connection in ApacheDS as to how this occurs.
>> I've tried creating an ads-passwordPolicy object at the subtree level of my users. Doesn't work.
>> I've tried creating a simple pwdPolicy object, but it cannot be saved because there's no structural objectclass associated with it.
>>
> no, this won't work, just create another policy under the above-mentioned DN with a name like ads-pwdId=custom, and to enforce it for a specific user:
> add a 'pwdPolicySubEntry' attribute with the value set to the custom pwdpolicy entry's DN
>
> Note that the default password policy (ads-pwdId=default) applies to all other user entries that don't have a 'pwdPolicySubEntry'
> attribute specified.
>
>> Even if the functionality isn't fully implemented, I'd like to structure the directory correctly. Your help is most appreciated.
>>
> please let us know if you have any other questions
>
> HTH
>
> --
> Kiran Ayyagari
>



-- 
Kiran Ayyagari
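Kiran's reply in the thread above explains that a custom ads-passwordPolicy entry under ou=passwordPolicies,...,ou=config is bound to a user through pwdPolicySubentry, and the quoted LDIF shows the settings such an entry carries. As an added example (not code from the thread or from ApacheDS), the following Python parses an entry like that LDIF and flags settings that weaken enforcement; the thresholds and the finding wording are this example's own assumptions.

```python
import base64

# Constructed sample: the policy LDIF quoted in the thread, trimmed to the attributes reviewed below.
POLICY_LDIF = """\
dn: ads-pwdId=cproext,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
objectclass: ads-passwordPolicy
ads-pwdattribute: userPassword
ads-pwdid: cproext
ads-enabled: TRUE
ads-pwdcheckquality: 1
ads-pwdlockout: TRUE
ads-pwdmaxage: 0
ads-pwdmaxfailure: 5
ads-pwdminlength: 5
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercased attribute: [values]}; unfolds continuation lines, decodes 'attr:: base64'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:        # folded continuation line belongs to the previous one
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):                # "attr:: <base64>" form, as used for userPassword above
            value = base64.b64decode(value[1:].strip()).decode()
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def review_policy(entry):
    """Return findings for settings that weaken enforcement (thresholds are this example's assumptions)."""
    num = lambda attr: int(entry.get(attr, ["0"])[0])
    findings = []
    if entry.get("ads-enabled", ["FALSE"])[0].upper() != "TRUE":
        findings.append("policy disabled: nothing is enforced")
    if num("ads-pwdcheckquality") < 2:           # 1 = check only when the server can see the cleartext
        findings.append("pwdCheckQuality < 2: pre-hashed passwords skip quality checks")
    if num("ads-pwdminlength") < 8:
        findings.append("pwdMinLength below 8")
    if num("ads-pwdmaxage") == 0:
        findings.append("pwdMaxAge 0: passwords never expire")
    if entry.get("ads-pwdlockout", ["FALSE"])[0].upper() != "TRUE":
        findings.append("lockout disabled")
    elif num("ads-pwdmaxfailure") == 0:
        findings.append("pwdMaxFailure 0: lockout can never trigger")
    return findings
```

Run against the sample, `review_policy(parse_ldif_entry(POLICY_LDIF))` reports three findings: the quality check, the minimum length and the missing expiry.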