Password attribute constraints seemingly not enforced

By: Nicolas Debernardi user 04 May 2020 at 2:18 p.m. CDT

2 Responses
Nicolas Debernardi gravatar
Hi, I am trying to constraint the password options allowed to users, by using the parameters in the userPassword attribute form (/identity/attribute/updateAttribute.htm?inum=AAEE), in particular Minimum Length. After chosing a minimum length of 12: - I've changed the password of a user to a short 5 character password, while being logged in as an admin. I could log in successfully with said user, with the short password. - I've changed the password of a user to a short 5 character password, while being logged in as a normal user. I could log in successfully with said user, with the short password. Is this feature supposed to be used as I intend? Thanks in advance, nicolas
Debian 9.0
closed

Answers

By Michael Schwartz Account Admin 04 May 2020 at 2:49 p.m. CDT

Copy
Michael Schwartz gravatar
Gluu is not an IDM platform. Admins can change the password to whatever they want. There are other platforms, like Evolveum Midpoint, that target identity management features (IDM = add, edit, delete user info plus associated workflows to synchronize the data).

By Nicolas Debernardi user 05 May 2020 at 4:12 a.m. CDT

Copy
Nicolas Debernardi gravatar
Thanks Michael, Indeed, I've seen the recommendations, and we'll be managing IDM in another platform. In the mean time, I'd love to start using gluu in a minimal setup. I was wondering whether the Attribute restrictions were effectively applying to userPassword, and this [thread](https://support.gluu.org/customization/8042/password-restriction-settings/) was hinting that it would. Is the feature simply not applying in the case of the password? Thanks a lot, nicolas

Post an answer