Really, CrackLib is a toolset that I'm guessing they want to use to
*prevent* the use of passwords that are too easy.  Personally, I would have
suggested that they think this out a lot more.  The reason I say that is
that once you build an app like this, you oftentimes want to extend it to
be used for additional systems.  AD has the ability to enforce password
complexity while other systems may not.  If this was just for AD, I'd say
they should use the AD functionality and look for the complexity that AD
requires.  If for more systems, as it likely will be eventually, then more
planning should be put into this before the first piece of code is written.


If you need a reference to JNDI, here's a starter.
http://java.sun.com/products/jndi/tutorial/TOC.html

CrackLib reference:
http://www.users.dircon.co.uk/~crypto/download/cracklib,2.7.txt
(I don't know what version they plan to use, but..)

*** What is CrackLib ***


CrackLib is a library containing a C function (well, lots of functions
really, but you only need to use one of them) which may be used in a
"passwd"-like program.

The idea is simple: try to prevent users from choosing passwords that
could be guessed by "Crack" by filtering them out, at source.

CrackLib is an offshoot of the version 5 "Crack" software, and
contains a considerable number of ideas nicked from the new software.

Etc.


 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, December 08, 2004 12:06 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] java to AD? and cracklib?

Specifics please!  I just talked a couple of different guys through some
Java-related AD provisioning stuff over on Microsoft.public.adsi.general.
These problems are all solvable.

I tend to think that using JNDI for AD is a bit of a pain, but not nearly as
painful as starting a religious war with developers.  JNDI can be made to
work though.

The main issues are that they'll probably need to use SSL for encryption
because they probably don't have the bits required to support the MS
proprietary Kerb-based encryption protocol.  Thus you'll need certs for your
DCs.  I'd be interested to hear if anyone else's LDAP stack supports those
features.

Additionally, they'll need to know the special tricks for manipulating
passwords programmatically via LDAP.  There are some kb articles and it
isn't really that hard.  You just don't have the SetPassword and
ChangePassword ADSI functions to hide the complexity.

I can't imagine a good justification for allowing them to use a hacking
library for this, but I don't understand what you mean by check passwords.
That sounds a lot like allowing them to compromise your DCs which sounds to
me like something you don't want to have anything to do with.

Joe K.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robbie Foust
Sent: Tuesday, December 07, 2004 8:34 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] java to AD? and cracklib?

Hi,

Another department here is trying to set up a web-based password change
site but is having trouble getting java to talk securely with AD.  Also,
they are wanting to use cracklib to check passwords.  I am not a programmer
at all so I am wondering if anyone could point me to some resources
regarding these topics?

Thanks,

- Robbie

--
Robbie Foust, IT Analyst
OIT/CASI - Administrative Information Support Duke University


List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
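
The password handling over LDAP that Joe K.'s message refers to, as an added example (not code from the thread or from the KB articles it mentions). It assumes an LDAPS connection to a DC whose certificate the JVM trust store accepts; the class name and the command-line arguments are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.*;

public class AdPasswordExample {   // hypothetical class name
    // AD takes the password in unicodePwd: wrapped in double quotes, UTF-16LE encoded.
    static byte[] encode(String password) {
        return ("\"" + password + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    // AD rejects unicodePwd writes on an unencrypted connection, so refuse plain ldap://.
    static DirContext connect(String url, String bindDn, String bindPw) throws NamingException {
        if (!url.startsWith("ldaps://")) throw new IllegalArgumentException("ldaps:// required");
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPw);
        return new InitialDirContext(env);
    }

    // Administrative reset: one REPLACE; the bind account needs the reset-password right.
    static void reset(DirContext ctx, String userDn, String newPw) throws NamingException {
        ctx.modifyAttributes(userDn, new ModificationItem[] {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("unicodePwd", encode(newPw)))});
    }

    // User change: REMOVE the old value and ADD the new one in the same modify request.
    static void change(DirContext ctx, String userDn, String oldPw, String newPw) throws NamingException {
        ctx.modifyAttributes(userDn, new ModificationItem[] {
            new ModificationItem(DirContext.REMOVE_ATTRIBUTE, new BasicAttribute("unicodePwd", encode(oldPw))),
            new ModificationItem(DirContext.ADD_ATTRIBUTE, new BasicAttribute("unicodePwd", encode(newPw)))});
    }

    public static void main(String[] args) throws NamingException {
        java.io.Console con = System.console();   // passwords are read from the terminal, not argv
        if (args.length != 3 || con == null) {
            System.err.println("usage: AdPasswordExample <ldaps-url> <bind-dn> <user-dn>");
            return;
        }
        DirContext ctx = connect(args[0], args[1], new String(con.readPassword("Bind password: ")));
        try {
            reset(ctx, args[2], new String(con.readPassword("New password: ")));
        } finally {
            ctx.close();
        }
    }
}
```

AD applies the domain's own complexity and history policy to both operations, so any additional dictionary check in the web application runs before the modify is sent.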

