Hi there,
We are using OpenLDAP 2.4.16 with ppolicy to authenticate users for a JEE application. Authentication works great (with JNDI), and we are receiving ppolicy response controls without problem. In that way, the user knows when the password is about to expire, when the password has been reset, etc. Now we want to offer users to change passwords from the application.
Before starting this, I have been testing password changing with phpLDAPAdmin. The fact is that I could only change a user password with clear text. I guess that this behaviour happens because we have the pwdCheckQuality setting at 2 in our default password policy. So, when the client (phpLDAPAdmin) tries to modify the password, encoding it, the server (OpenLDAP) cannot check the min length of the password, as it is encoded, and then fails. I am guessing too that phpLDAPAdmin is performing a simple modify operation to change the password, as it is stored in clear text. On the other hand, I could change passwords with ldappasswd without problem, and they are stored with SSHA. I know that this command uses RFC 3062.
So, I am wondering which is the best way to change the password from a Java application. I guess that, if I have the pwdCheckQuality setting at 2, the password should travel in clear text, so that ppolicy can check its min length, for example. But I would like it to be stored encoded. How could I do that? Do I have to use RFC 3062? Do you know any Java implementation of the client side for that RFC?
Thanks very much,
tizo
On Tue, Jun 9, 2009 at 12:12 PM, tizo tizone@gmail.com wrote:
Ok. I searched everywhere on the Internet, but I couldn't find a Java library that implements RFC 3062. So I developed a very simple class that implements an ExtendedRequest for that RFC, to be used with JNDI. I am attaching it here as someone might be interested, but it is not a complete class (it only works when the old password and new password are used).
I found that using BerEncoder to create a sequence with the correct tags was very difficult; there are not many examples around for extended LDAP operations with values for the requests. For that reason I guess that the class could be of interest for someone.
Thanks,
tizo
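An added example, not the class tizo attached (the attachment is not part of this page): a JNDI ExtendedRequest for the RFC 3062 Password Modify operation, with the request value BER-encoded by hand so it does not depend on the internal com.sun.jndi.ldap.BerEncoder. The class name, tag constants and the changePassword helper are my own choices; the new password travels in clear inside the extended operation (which is what lets ppolicy apply pwdCheckQuality), and OpenLDAP then stores it hashed according to its password-hash setting (e.g. SSHA), so the connection must be protected with ldaps:// or StartTLS.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.*;

/** RFC 3062 Password Modify request for JNDI, BER-encoded by hand (no com.sun.jndi BerEncoder needed). */
public class PasswordModifyRequest implements ExtendedRequest {
    public static final String OID = "1.3.6.1.4.1.4203.1.11.1";
    // Context-specific primitive tags [0] userIdentity, [1] oldPasswd, [2] newPasswd (names are mine)
    private static final int TAG_USER = 0x80, TAG_OLD = 0x81, TAG_NEW = 0x82;
    private final byte[] value;

    /** Any argument may be null: every field of PasswdModifyRequestValue is OPTIONAL in RFC 3062. */
    public PasswordModifyRequest(String userIdentity, String oldPasswd, String newPasswd) {
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        putOptional(body, TAG_USER, userIdentity); putOptional(body, TAG_OLD, oldPasswd); putOptional(body, TAG_NEW, newPasswd);
        ByteArrayOutputStream seq = new ByteArrayOutputStream();
        seq.write(0x30);                        // outer SEQUENCE
        writeLength(seq, body.size());
        seq.write(body.toByteArray(), 0, body.size());
        value = seq.toByteArray();
    }
    private static void putOptional(ByteArrayOutputStream out, int tag, String s) {
        if (s == null) return;                  // absent OPTIONAL field: emit nothing
        byte[] b = s.getBytes(StandardCharsets.UTF_8);
        out.write(tag); writeLength(out, b.length); out.write(b, 0, b.length);
    }
    /** BER length: one byte below 128, otherwise 0x80|n followed by n big-endian length bytes. */
    private static void writeLength(ByteArrayOutputStream out, int len) {
        if (len < 0x80) { out.write(len); return; }
        int n = len > 0xFFFF ? 3 : len > 0xFF ? 2 : 1;
        out.write(0x80 | n);
        for (int i = n - 1; i >= 0; i--) out.write((len >> (8 * i)) & 0xFF);
    }
    @Override public String getID() { return OID; }
    @Override public byte[] getEncodedValue() { return value.clone(); }
    @Override public ExtendedResponse createExtendedResponse(String id, byte[] ber, int off, int len) {
        byte[] v = ber == null ? null : Arrays.copyOfRange(ber, off, off + len); // empty unless server generated a password
        return new ExtendedResponse() { public String getID() { return id; } public byte[] getEncodedValue() { return v; } };
    }
    /** Bind as the user (ldaps:// or StartTLS, the new password is sent in clear) and change it; OpenLDAP hashes it on storage. */
    public static void changePassword(String url, String userDn, String oldPw, String newPw) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn); env.put(Context.SECURITY_CREDENTIALS, oldPw);
        LdapContext ctx = new InitialLdapContext(env, null);
        try { ctx.extendedOperation(new PasswordModifyRequest(null, oldPw, newPw)); } finally { ctx.close(); }
    }
}
```

With userIdentity left null the server applies the change to the bound DN, so the user can only change their own password; a ppolicy violation (e.g. too short under pwdCheckQuality 2) surfaces as a NamingException from extendedOperation.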
Just check whether this will help. I am using Fedora Directory Server instead of OpenLDAP.
http://www.karylstein.com/phpLdapPasswd#dl
Regards, Gejo Paul
openldap-technical@openldap.org