On Wed, May 14, 2014 at 11:16 AM, Sathya Skr 75 <[email protected]> wrote:

> Thanks for the info. As an amateur ldap user, it does not seem right that
> administrators are allowed to override system constraints. I am comparing
> this to a database table with a not-null constraint. The constraint should
> hold for all data regardless of the role of the logged in user because you
> are affecting data integrity. Perhaps this is not the right analogy and I
> just need to understand ldaps better..
>
yep, they are totally different, one is access control based decision
making the other is schema/structure designing

>
> On the validators. I had done exactly what you said- placed the jar into
> the lib directory, modified the configuration to point to my Validator
> implementation and then restarted the server. I have logs at entry of the
> method. These do not get printed and there is no exception raised. The
> method or class does not seem to be invoked at all.
>
can you file a bug? I will take a look at it

> Thanks.
>
> —
> Sent from Mailbox
>
> On Wed, May 14, 2014 at 3:05 AM, Kiran Ayyagari <[email protected]> wrote:
>
> > On Wed, May 14, 2014 at 12:56 AM, Sathya S <[email protected]> wrote:
> >> Thank you Kiran.
> >>
> >> Is this a change that has been recently introduced? I actually
> >> downgraded the server versions and found that this same configurations
> >> works fine till 2.0.0-M14 but is broken (or modified) in 2.0.0-M15.
> >>
> > yes, this was modified, earlier the policy was enforced for _all_ users,
> > which is not the correct thing (admins are gods right ;)
> >> Another question - what is the purpose of the ads-pwdValidator class? I
> >> wanted to impose additional checks on the password (alphanumeric +
> >> special characters) and as it didn't seem to be supported by ApacheDS,
> >> I thought extending the validator class may be the right approach. But
> >> I find that the class does not get called in at all. So curious to know
> >> the purpose of the ads-pwdValidator class and when it gets called in.
> >>
> > yes, this is created for the same purpose, which version are you using?
> > did you add the jar to lib folder (or to the classpath, if you are
> > running the server using apacheds.sh script)
> > provide us any error logs if present
> >>
> >> Thanks.
> >>
> >>
> >> On Tue, May 13, 2014 at 8:19 PM, Kiran Ayyagari <[email protected]> wrote:
> >>
> >> > The configuration is correct.
> >> >
> >> > Make sure that you are not adding this entry as an administrator,
> >> > password policy is not enforced when an administrator adds or
> >> > modifies a password
> >> >
> >> >
> >> > On Tue, May 13, 2014 at 3:52 PM, Sathya S <[email protected]> wrote:
> >> >
> >> > > Hi,
> >> > >
> >> > > I am trying to set up a password policy on my ApacheDS instance to
> >> > > enable minimum length check. I changed the minimum length from
> >> > > default of 5 to 7. This is my password policy ldif:
> >> > >
> >> > > dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> >> > > objectClass: top
> >> > > objectClass: ads-base
> >> > > objectClass: ads-passwordPolicy
> >> > > ads-pwdId: default
> >> > > ads-pwdSafeModify: FALSE
> >> > > ads-pwdMaxAge: 0
> >> > > ads-pwdFailureCountInterval: 30
> >> > > ads-pwdAttribute: userPassword
> >> > > ads-pwdMaxFailure: 5
> >> > > ads-pwdLockout: TRUE
> >> > > ads-pwdMustChange: FALSE
> >> > > ads-pwdLockoutDuration: 0
> >> > > ads-pwdMinLength: 5
> >> > > ads-pwdInHistory: 5
> >> > > ads-pwdExpireWarning: 600
> >> > > ads-pwdMinAge: 0
> >> > > ads-pwdAllowUserChange: TRUE
> >> > > ads-pwdGraceAuthNLimit: 5
> >> > > ads-pwdCheckQuality: 1
> >> > > ads-pwdMaxLength: 0
> >> > > ads-pwdGraceExpire: 0
> >> > > ads-pwdMinDelay: 0
> >> > > ads-pwdMaxDelay: 0
> >> > > ads-pwdMaxIdle: 0
> >> > > ads-pwdValidator: org.apache.directory.server.core.api.authn.ppolicy.DefaultPasswordValidator
> >> > > ads-enabled: TRUE
> >> > >
> >> > > I then import a user into the server using Apache Directory Studio.
> >> > > Despite the password not meeting the min length criteria, the user
> >> > > gets added successfully:
> >> > >
> >> > > #!RESULT OK
> >> > > #!CONNECTION ldap://localhost:10389
> >> > > #!DATE 2014-05-13T10:19:54.095
> >> > > dn: uid=SHolmes,ou=people,dc=example,dc=com
> >> > > changetype: add
> >> > > mail: [email protected] <[email protected]>
> >> > > uid: SHolmes
> >> > > userPassword: pass
> >> > > givenname: Sherlock
> >> > > description: SHolmes
> >> > > objectclass: person
> >> > > objectclass: organizationalPerson
> >> > > objectclass: inetOrgPerson
> >> > > objectclass: top
> >> > > sn: Holmes
> >> > > cn: SHolmes
> >> > >
> >> > > Could you pl help me in understanding what I am doing wrong?
> >> > >
> >> > > Thanks.
> >> > >
> >> >
> >> >
> >> >
> >> > --
> >> > Kiran Ayyagari
> >> > http://keydap.com
> >> >
> >>
> >
> >
> > --
> > Kiran Ayyagari
> > http://keydap.com
>

--
Kiran Ayyagari
http://keydap.com
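
The thread establishes that password policy is not enforced when an administrator adds or modifies a password, so LDIF imported over an administrator bind needs its own check before it is loaded. The following is an added example, not part of the original thread and not ApacheDS code: a Python pre-import audit that reads `ads-pwdMinLength` from a policy LDIF and flags `userPassword` values in an import file. The sample LDIF, the character-class rules and the function names are constructed for illustration.

```python
import base64
import re

# Constructed samples: a trimmed policy entry and an LDIF file queued for import.
POLICY_LDIF = """dn: ads-pwdId=default,ou=passwordPolicies,ou=config
ads-pwdMinLength: 7
"""
IMPORT_LDIF = f"""dn: uid=SHolmes,ou=people,dc=example,dc=com
userPassword: pass

dn: uid=JWatson,ou=people,dc=example,dc=com
userPassword:: {base64.b64encode(b'Longer-Passw0rd!').decode()}

dn: uid=MHudson,ou=people,dc=example,dc=com
userPassword: {{SSHA}}constructedPlaceholderDigest
"""
# Hypothetical extra content rules (letters, digits and special characters).
CLASSES = (("letter", r"[A-Za-z]"), ("digit", r"\d"), ("special", r"[^A-Za-z0-9]"))

def parse_ldif(text):  # entries as dicts: lower-cased attribute -> list of values
    text = re.sub(r"\r?\n ", "", text)  # unfold continuation lines (RFC 2849)
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            m = re.match(r"([^:#][^:]*)(::?)\s*(.*)", line)
            if not m:
                continue  # comment (e.g. "#!RESULT OK") or malformed line
            attr, sep, value = m.groups()
            if sep == "::":  # base64-encoded value
                value = base64.b64decode(value).decode("utf-8", "replace")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def audit_import(policy_ldif, import_ldif, classes=CLASSES):  # -> [(dn, problems)]
    policy = parse_ldif(policy_ldif)[0]
    min_len = int(policy.get("ads-pwdminlength", ["0"])[0])
    findings = []
    for entry in parse_ldif(import_ldif):
        for pw in entry.get("userpassword", []):  # the policy's ads-pwdAttribute
            if re.match(r"\{[A-Za-z0-9-]+\}", pw):
                problems = ["pre-hashed value, quality cannot be checked"]
            else:
                problems = [f"shorter than {min_len}"] if len(pw) < min_len else []
                problems += [f"no {n}" for n, rx in classes if not re.search(rx, pw)]
            if problems:
                findings.append((entry["dn"][0], problems))
    return findings
```

Pre-hashed values are reported rather than skipped because the cleartext length and content can no longer be inspected once a `{SCHEME}` digest is supplied.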
