On Sat, May 17, 2014 at 7:18 PM, Sathya S <[email protected]> wrote:
> I am continuing on my experiments with getting password policies
> functioning on ApacheDS and I am trying to enable password expiry and a
> warning before the expiry.
>
> This is what I have configured on the server:
>
> dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
> ads-pwdminlength: 7
> ads-pwdinhistory: 5
> ads-pwdid: default
> ads-pwdcheckquality: 1
> ads-pwdlockout: TRUE
> ads-pwdlockoutduration: 0
> ads-pwdMaxAge: 300
> ads-pwdExpireWarning: 180
> ...
>
> My understanding of this is that a user's password is valid for 5 minutes
> after which authentication would fail. After 3 minutes up to 5 minutes, he
> would be able to login, but would receive a warning about impending expiry.
> Is that correct?
>
yes, but you need to configure ads-pwdgraceauthnlimit (to >0) as well, otherwise the bind operation always accepts the expired password

> I restarted the server after making the above change.
>
> I have the below Java code to authenticate the user:
>
>     Hashtable<String, String> env = new Hashtable<String, String>();
>     env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
>     env.put(Context.PROVIDER_URL, "ldap://localhost:10389");
>     //
>     env.put(Context.SECURITY_AUTHENTICATION, "simple");
>     env.put(Context.SECURITY_PRINCIPAL, "uid=Sathya,ou=people,dc=example,dc=com");
>     env.put(Context.SECURITY_CREDENTIALS, "helloworld");
>
>     // Create the initial context
>     DirContext ctx = new InitialDirContext(env);
>
> I created this user account almost an hour ago but the authentication still
> goes through successfully. Anything I am missing here?
>
> Thanks.

-- 
Kiran Ayyagari
http://keydap.com
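Added example, not code from the thread or from ApacheDS: a decoder (and matching encoder, for constructed test input) for the value of the LDAP password policy response control, OID 1.3.6.1.4.1.42.2.27.8.5.1, which the server returns on a bind whose request carried the same control. Per draft-behera-ldap-password-policy this is how a client sees the expiry warning discussed above (timeBeforeExpiration during the ads-pwdExpireWarning window), the remaining grace binds once the password is older than ads-pwdMaxAge and ads-pwdgraceauthnlimit leaves some, and finally the passwordExpired error; the byte strings in the checks are constructed, not captured from a server.

```python
"""Decode/encode the value of the LDAP Password Policy response control
(draft-behera-ldap-password-policy): SEQUENCE { warning [0] CHOICE {
timeBeforeExpiration [0] INTEGER, graceAuthNsRemaining [1] INTEGER } OPTIONAL,
error [1] ENUMERATED { passwordExpired (0), accountLocked (1), ... } OPTIONAL }"""
PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"   # request control uses the same OID, empty value
ERRORS = ["passwordExpired", "accountLocked", "changeAfterReset", "passwordModNotAllowed",
          "mustSupplyOldPassword", "insufficientPasswordQuality", "passwordTooShort",
          "passwordTooYoung", "passwordInHistory"]
WARNINGS = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}

def _tlv(data, pos):
    """Read one BER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: low 7 bits = octet count
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _tag(tag, body):                       # short-form length suffices for this control
    return bytes([tag, len(body)]) + body

def _int_bytes(n):                         # minimal BER INTEGER content, sign bit kept clear
    return n.to_bytes(n.bit_length() // 8 + 1, "big")

def decode_ppolicy_response(value):
    """Return a dict with any of timeBeforeExpiration, graceAuthNsRemaining, error."""
    tag, seq, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE, got tag 0x%02x" % tag)
    out, pos = {}, 0
    while pos < len(seq):
        tag, body, pos = _tlv(seq, pos)
        if tag == 0xA0:                    # [0] warning: constructed, holds one CHOICE member
            inner, num, _ = _tlv(body, 0)
            out[WARNINGS[inner]] = int.from_bytes(num, "big")
        elif tag == 0x81:                  # [1] error: ENUMERATED
            out["error"] = ERRORS[body[0]]
        else:
            raise ValueError("unexpected tag 0x%02x" % tag)
    return out

def encode_ppolicy_response(time_before_expiration=None, grace_authns_remaining=None, error=None):
    """Build a control value, e.g. constructed test input when no live server is at hand."""
    parts = b""
    if time_before_expiration is not None:
        parts += _tag(0xA0, _tag(0x80, _int_bytes(time_before_expiration)))
    elif grace_authns_remaining is not None:
        parts += _tag(0xA0, _tag(0x81, _int_bytes(grace_authns_remaining)))
    if error is not None:
        parts += _tag(0x81, bytes([ERRORS.index(error)]))
    return _tag(0x30, parts)
```

If the bind in the quoted Java code still succeeds without any control value coming back, the server never entered the expiry path for that entry, which is the symptom the grace-limit setting addresses.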
