Thank you. I will file a bug.

On Wed, May 14, 2014 at 12:05 PM, Kiran Ayyagari <[email protected]> wrote:

> On Wed, May 14, 2014 at 11:16 AM, Sathya Skr 75 <[email protected]> wrote:
>
> > Thanks for the info. As an amateur ldap user, it does not seem right that
> > administrators are allowed to override system constraints. I am comparing
> > this to a database table with a not-null constraint. The constraint should
> > hold for all data regardless of the role of the logged in user because you
> > are affecting data integrity. Perhaps this is not the right analogy and I
> > just need to understand ldaps better..
> >
> yep, they are totally different, one is access control based decision
> making the other is schema/structure designing
>
> >
> > On the validators. I had done exactly what you said- placed the jar into
> > the lib directory, modified the configuration to point to my Validator
> > implementation and then restarted the server. I have logs at entry of the
> > method. These do not get printed and there is no exception raised. The
> > method or class does not seem to be invoked at all.
> >
>
> can you file a bug? I will take a look at it
>
> > Thanks.
> >
> > —
> > Sent from Mailbox
> >
> > On Wed, May 14, 2014 at 3:05 AM, Kiran Ayyagari <[email protected]> wrote:
> >
> > > On Wed, May 14, 2014 at 12:56 AM, Sathya S <[email protected]> wrote:
> > >> Thank you Kiran.
> > >>
> > >> Is this a change that has been recently introduced? I actually downgraded
> > >> the server versions and found that this same configuration works fine till
> > >> 2.0.0-M14 but is broken (or modified) in 2.0.0-M15.
> > >>
> > >> yes, this was modified, earlier the policy was enforced for _all_ users,
> > > which is not
> > > the correct thing (admins are gods right ;)
> > >> Another question - what is the purpose of the ads-pwdValidator class? I
> > >> wanted to impose additional checks on the password (alphanumeric + special
> > >> characters) and as it didn't seem to be supported by ApacheDS, I thought
> > >> extending the validator class may be the right approach. But I find that
> > >> the class does not get called in at all. So curious to know the purpose of
> > >> the ads-pwdValidator class and when it gets called in.
> > >>
> > > yes, this is created for the same purpose, which version are you using?
> > > did you add the jar to lib folder (or to the classpath, if you are running
> > > the server using apacheds.sh script)
> > > provide us any error logs if present
> > >>
> > >> Thanks.
> > >>
> > >>
> > >> On Tue, May 13, 2014 at 8:19 PM, Kiran Ayyagari <[email protected]> wrote:
> > >>
> > >> > The configuration is correct.
> > >> >
> > >> > Make sure that you are not adding this entry as an administrator, password
> > >> > policy is not
> > >> > enforced when an administrator adds or modifies a password
> > >> >
> > >> >
> > >> > On Tue, May 13, 2014 at 3:52 PM, Sathya S <[email protected]> wrote:
> > >> >
> > >> > > Hi,
> > >> > >
> > >> > > I am trying to set up a password policy on my ApacheDS instance to enable
> > >> > > minimum length check. I changed the minimum length from default of 5 to 7.
> > >> > > This is my password policy ldif:
> > >> > >
> > >> > > *dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config*
> > >> > > *objectClass: top*
> > >> > > *objectClass: ads-base*
> > >> > > *objectClass: ads-passwordPolicy*
> > >> > > *ads-pwdId: default*
> > >> > > *ads-pwdSafeModify: FALSE*
> > >> > > *ads-pwdMaxAge: 0*
> > >> > > *ads-pwdFailureCountInterval: 30*
> > >> > > *ads-pwdAttribute: userPassword*
> > >> > > *ads-pwdMaxFailure: 5*
> > >> > > *ads-pwdLockout: TRUE*
> > >> > > *ads-pwdMustChange: FALSE*
> > >> > > *ads-pwdLockoutDuration: 0*
> > >> > > *ads-pwdMinLength: 5*
> > >> > > *ads-pwdInHistory: 5*
> > >> > > *ads-pwdExpireWarning: 600*
> > >> > > *ads-pwdMinAge: 0*
> > >> > > *ads-pwdAllowUserChange: TRUE*
> > >> > > *ads-pwdGraceAuthNLimit: 5*
> > >> > > *ads-pwdCheckQuality: 1*
> > >> > > *ads-pwdMaxLength: 0*
> > >> > > *ads-pwdGraceExpire: 0*
> > >> > > *ads-pwdMinDelay: 0*
> > >> > > *ads-pwdMaxDelay: 0*
> > >> > > *ads-pwdMaxIdle: 0*
> > >> > > *ads-pwdValidator: org.apache.directory.server.core.api.authn.ppolicy.DefaultPasswordValidator*
> > >> > > *ads-enabled: TRUE*
> > >> > >
> > >> > > I then import a user into the server using Apache Directory Studio. Despite
> > >> > > the password not meeting the min length criteria, the user gets added
> > >> > > successfully:
> > >> > >
> > >> > > *#!RESULT OK*
> > >> > > *#!CONNECTION ldap://localhost:10389*
> > >> > > *#!DATE 2014-05-13T10:19:54.095*
> > >> > > *dn: uid=SHolmes,ou=people,dc=example,dc=com*
> > >> > > *changetype: add*
> > >> > > *mail: [email protected] <[email protected]>*
> > >> > > *uid: SHolmes*
> > >> > > *userPassword: pass*
> > >> > > *givenname: Sherlock*
> > >> > > *description: SHolmes*
> > >> > > *objectclass: person*
> > >> > > *objectclass: organizationalPerson*
> > >> > > *objectclass: inetOrgPerson*
> > >> > > *objectclass: top*
> > >> > > *sn: Holmes*
> > >> > > *cn: SHolmes*
> > >> > >
> > >> > > Could you please help me in understanding what I am doing wrong?
> > >> > >
> > >> > > Thanks.
> > >> > >
> > >> >
> > >> >
> > >> >
> > >> > --
> > >> > Kiran Ayyagari
> > >> > http://keydap.com
> > >> >
> > >
> > >
> > > --
> > > Kiran Ayyagari
> > > http://keydap.com
> > >
>
>
> --
> Kiran Ayyagari
> http://keydap.com
>
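
The thread establishes that ApacheDS (from 2.0.0-M15) does not enforce the password policy when an administrator adds or modifies a password, so administrator-made changes can be checked against the policy out of band. The Python below is an added example, not part of the original messages and not ApacheDS code: it parses the policy entry and an add record (constructed samples abridged from the LDIF quoted above) and lists the violations. The function names, the `require_classes` rule (letter + digit + special character) and the reading of `ads-pwdCheckQuality` values and of a zero `ads-pwdMaxLength` are assumptions.

```python
import base64
import re

# Constructed sample input, abridged from the policy and add record quoted in the thread.
POLICY_LDIF = """\
dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
ads-pwdAttribute: userPassword
ads-pwdMinLength: 5
ads-pwdMaxLength: 0
ads-pwdCheckQuality: 1
"""
ADD_LDIF = """\
dn: uid=SHolmes,ou=people,dc=example,dc=com
userPassword: pass
"""
HASHED = re.compile(r"^\{[A-Za-z0-9-]+\}")  # e.g. {SSHA}...: stored value is a hash

def parse_ldif(text):
    """Parse one LDIF record into {lowercased attribute: [values]}."""
    attrs = {}
    for line in re.sub(r"\n ", "", text).splitlines():  # undo LDIF line folding
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def audit_add(policy, record, require_classes=False):
    """List policy violations for the password values in an add record."""
    num = lambda key: int(policy.get(key, ["0"])[0])
    quality = num("ads-pwdcheckquality")  # assumed: 0 = off, 1 = check if readable, 2 = strict
    attr = policy.get("ads-pwdattribute", ["userPassword"])[0].lower()
    issues = []
    if quality == 0:
        return issues
    for pwd in record.get(attr, []):
        if HASHED.match(pwd):
            if quality == 2:
                issues.append("hashed value cannot be quality-checked")
            continue
        if len(pwd) < num("ads-pwdminlength"):
            issues.append(f"length {len(pwd)} < ads-pwdMinLength {num('ads-pwdminlength')}")
        if 0 < num("ads-pwdmaxlength") < len(pwd):  # assumed: 0 means no maximum
            issues.append(f"length {len(pwd)} > ads-pwdMaxLength {num('ads-pwdmaxlength')}")
        if require_classes and not all(re.search(c, pwd) for c in (r"[A-Za-z]", r"[0-9]", r"[^A-Za-z0-9]")):
            issues.append("missing letter, digit or special character")
    return issues
```

Calling `audit_add(parse_ldif(POLICY_LDIF), parse_ldif(ADD_LDIF))` flags the four-character `pass` value against the minimum length of 5 in the quoted policy.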
