By: Neil Murray user 10 Nov 2015 at 10:57 a.m. CST

3 Responses
I've added a password policy to OpenDJ using the dsconfig tool as described here (http://opendj.forgerock.org/opendj-server/doc/bootstrap/admin-guide/#configure-pwp ). If a user or admin updates a user's password which fails to validate (a dictionary word) then an LDAP exception is thrown and the oxTrust UI sends the user back to the home page with 'System Error. Please try again or contact a Gluu administrator for help.'

In /opt/tomcat/logs/oxtrust.log we see the following:

2015-11-10 16:53:21,593 ERROR [org.gluu.site.ldap.OperationsFacade] Entry can't be modified LDAPException(resultCode=19 (constraint violation), errorMessage='The provided password value was rejected by a password validator: The provided password contained a word from the server's dictionary', diagnosticMessage='The provided password value was rejected by a password validator: The provided password contained a word from the server's dictionary')
    at com.unboundid.ldap.sdk.LDAPConnection.modify(LDAPConnection.java:2761)
    at com.unboundid.ldap.sdk.AbstractConnectionPool.modify(AbstractConnectionPool.java:1302)
    at org.gluu.site.ldap.OperationsFacade.modifyEntry(OperationsFacade.java:375)
    at org.gluu.site.ldap.OperationsFacade.updateEntry(OperationsFacade.java:362)
    at org.gluu.site.ldap.persistence.LdapEntryManager.merge(LdapEntryManager.java:194)
    at org.gluu.site.ldap.persistence.AbstractEntryManager.merge(AbstractEntryManager.java:278)
    at org.gluu.site.ldap.persistence.AbstractEntryManager.merge(AbstractEntryManager.java:293)
    at org.gluu.oxtrust.ldap.service.PersonService.updatePerson(PersonService.java:94)
<snip>

Is it possible to have the UI report the LDAP exception back to the user rather than aborting the update with an error?

By Michael Schwartz Account Admin 10 Nov 2015 at 11:28 a.m. CST

1) First of all, my advice is don't use password policies in OpenDJ. I would implement some kind of workflow for password management, where the Gluu Server is a consumer of identity.

2) You can submit a patch to oxAuth or oxTrust I guess... or perhaps engage Gluu to add this feature. In general, we have been against making the Gluu Server an IDM tool. And password management is a traditional IDM feature.

By Neil Murray user 10 Nov 2015 at 4:37 p.m. CST

Thanks Michael for the response and advice. I have an application which supports SAML, and using Gluu Server with OpenDJ + Shibboleth seems a great fit. However, my customer wants to be able to support some specific password policies when a user attempts to update their password. Could you unpack option #1 for me a little? Can this workflow be implemented in Gluu Server? Could this be achieved using interception scripts?

By Michael Schwartz Account Admin 10 Nov 2015 at 10:47 p.m. CST

Actually, I was thinking that you write some kind of external web application for password management, which either writes to LDAP, or uses the SCIM APIs to update the password. Note if you use SCIM, you should wait for SCIM 2.0, which will be available in the next release of the Gluu Server (2.4 is coming out next week). Your idea to write a custom authentication script to support password reset could actually work. For example, you could create a custom user attribute to store a JSON object with password metadata: age, hashes of old passwords, or a flag to force password reset on the next login. You could present the password reset page as an optional step 2. If you did better validation, you wouldn't need to use the OpenDJ password policies. If this customer has any budget, Gluu may be able to take this on as an open source feature for a bounty.
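The password-metadata idea in the reply above, and the original question about surfacing the rejection reason to the user, as an added example that is not code from this thread, from Gluu or from OpenDJ: a plain Python sketch of the validation logic such a custom script would carry. The JSON layout, field names, salted PBKDF2 hashing, history depth, maximum age and the tiny dictionary are all assumptions constructed for the example; the real script would read and write the attribute through Gluu's own script API.

```python
import hashlib, hmac, json, os, time

HISTORY_DEPTH = 5          # assumed: how many old password hashes to keep
MAX_AGE_DAYS = 90          # assumed: password age that forces a reset
# Constructed stand-in for a server-side dictionary of banned words.
DICTIONARY = {"password", "welcome", "letmein"}

def _hash(password, salt_hex):
    # Salted PBKDF2-SHA256 so old hashes cannot be reversed if the entry leaks.
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               bytes.fromhex(salt_hex), 100_000).hex()

def load_metadata(raw):
    """Parse the JSON blob from the (hypothetical) user attribute.
    A missing attribute means a fresh account that must set a password."""
    if not raw:
        return {"changed_at": 0, "history": [], "force_reset": True}
    return json.loads(raw)

def must_reset(meta, now=None):
    """Decide whether the optional 'step 2' reset page should be shown."""
    now = time.time() if now is None else now
    if meta.get("force_reset"):
        return True, "password reset required by administrator"
    if now - meta["changed_at"] > MAX_AGE_DAYS * 86400:
        return True, "password is older than %d days" % MAX_AGE_DAYS
    return False, ""

def validate_new_password(meta, candidate):
    """Return (ok, reason); the reason is meant to be shown to the user
    instead of a generic system error."""
    if candidate.lower() in DICTIONARY:
        return False, "password is a dictionary word"
    for entry in meta["history"]:
        if hmac.compare_digest(_hash(candidate, entry["salt"]), entry["hash"]):
            return False, "password was used recently"
    return True, ""

def record_change(meta, new_password, now=None):
    """Push the new hash onto the history, stamp the change time, clear the
    force flag, and return the JSON to write back to the attribute."""
    salt = os.urandom(16).hex()
    newest = {"salt": salt, "hash": _hash(new_password, salt)}
    meta["history"] = ([newest] + meta["history"])[:HISTORY_DEPTH]
    meta["changed_at"] = time.time() if now is None else now
    meta["force_reset"] = False
    return json.dumps(meta)
```

Because the checks run before the LDAP modify, the directory never sees a rejected value and the user gets the specific reason rather than the LDAPException from the log above.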