Tuesday, 30 October 2012

ApacheDS Default Password Policies

I installed ApacheDS 2.0 on my Windows 7 system, because I decided to use ApacheDS as the LDAP server for my portal.

I always had problems when I was adding a new user to the LDAP and the user had a non-plaintext password. In my case the password was encrypted with SHA. Here is the error message I received from the LDAP server.

Excerpt of the LDAP error message
... cannot verify the quality of the non-cleartext passwords ...

According to the ApacheDS issue https://issues.apache.org/jira/browse/DIRSERVER-1543 the problem is that the attribute pwdCheckQuality is set to 2 by default. With value 2 the server must check the quality of every new password and rejects any value whose quality it cannot check, which is the case for a password that arrives already hashed. The attribute pwdCheckQuality has to be set to 0 to disable the plaintext check; note that 0 disables the quality check for all passwords, including cleartext ones, whereas a value of 1 keeps the check for cleartext passwords and accepts values the server cannot check.

Here are instructions on how the default value of pwdCheckQuality can be set to 0.
  1. Install an ApacheDS client and log in as root. I installed the Eclipse plugin.
  2. Navigate to the DN: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
  3. Change the attribute ads-pwdcheckquality from 2 to 0
  4. Restart the ApacheDS server
This worked for me. Now I can add new users with passwords that are not plaintext.
Leave a comment if you have questions.

By the way, solution B would be to send the passwords in plain text and let ApacheDS do the encryption and apply the other password policies. In that case the connection to the server must be protected with LDAPS or StartTLS, since the password then travels in clear.
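The following Python script is an added example and not code from this post or from ApacheDS. It decodes the hex-dumped userPassword value shown in the error message below (the 0x7B 0x53 0x48 0x41 0x7D prefix is "{SHA}"), builds the same RFC 2307 style pre-hashed value a client would send, and models in a few lines how the three pwdCheckQuality values treat a password the server cannot inspect. The function names, the PWD_CHECK_QUALITY table and the minimum-length rule standing in for the real quality checks are my own assumptions; only the error text and the hex dump come from the page.

```python
import base64
import hashlib
import os
from typing import Optional, Tuple

# userPassword bytes as dumped in the error message on this page (the page shows
# only the first 16 bytes): 0x7B 0x53 0x48 0x41 0x7D is "{SHA}", i.e. a pre-hashed value.
PAGE_USERPASSWORD_DUMP = (
    "0x7B 0x53 0x48 0x41 0x7D 0x35 0x65 0x6E 0x36 0x47 0x36 0x4D 0x65 0x7A 0x52 0x72"
)

# Meaning of pwdCheckQuality in the LDAP password policy draft that ApacheDS follows.
PWD_CHECK_QUALITY = {
    0: "quality checking is not enforced",
    1: "check quality, accept a password whose quality cannot be checked",
    2: "check quality, reject a password whose quality cannot be checked",
}

# The message ApacheDS returns for a pre-hashed password under pwdCheckQuality=2 (from the page).
NON_CLEARTEXT_MSG = "cannot verify the quality of the non-cleartext passwords"


def decode_hex_dump(dump: str) -> bytes:
    """Turn the '0x7B 0x53 ...' notation from the ApacheDS error message back into bytes."""
    return bytes(int(token, 16) for token in dump.split())


def hash_user_password(password: str, scheme: str = "SHA", salt: Optional[bytes] = None) -> str:
    """Build an RFC 2307 style userPassword value, hashed on the client side.

    {SHA} is the unsalted form the page's entry uses; {SSHA} (salted) is the form
    a client should prefer. Both arrive at the server as non-cleartext values.
    """
    data = password.encode("utf-8")
    if scheme == "SHA":
        return "{SHA}" + base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")
    if scheme == "SSHA":
        salt = os.urandom(4) if salt is None else salt
        digest = hashlib.sha1(data + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")
    raise ValueError(f"unsupported scheme: {scheme}")


def is_cleartext(user_password: str) -> bool:
    """An RFC 2307 value starts with '{scheme}'; anything else is treated as cleartext."""
    return not (user_password.startswith("{") and "}" in user_password)


def check_password_quality(user_password: str, pwd_check_quality: int,
                           pwd_min_length: int = 5) -> Tuple[bool, str]:
    """Simplified model (assumption, not ApacheDS code) of the server-side decision.

    Returns (accepted, reason). Only a minimum-length rule stands in for the real
    quality checks; the point is how each pwdCheckQuality value handles a value
    the server cannot inspect because it is already hashed.
    """
    if pwd_check_quality not in PWD_CHECK_QUALITY:
        raise ValueError(f"pwdCheckQuality must be 0, 1 or 2, got {pwd_check_quality}")
    if pwd_check_quality == 0:
        return True, "quality check disabled by pwdCheckQuality=0"
    if not is_cleartext(user_password):
        if pwd_check_quality == 1:
            return True, "non-cleartext password accepted unchecked (pwdCheckQuality=1)"
        return False, NON_CLEARTEXT_MSG
    if len(user_password) < pwd_min_length:
        return False, f"password shorter than pwdMinLength={pwd_min_length}"
    return True, "quality check passed"


if __name__ == "__main__":
    prefix = decode_hex_dump(PAGE_USERPASSWORD_DUMP).decode("ascii")
    print(f"page dump decodes to {prefix!r}")
    # 'secret' is a constructed sample password for this demonstration.
    hashed = hash_user_password("secret", "SHA")
    print(f"{{SHA}} value sent by the client: {hashed}")
    for quality in (2, 1, 0):
        print(f"pwdCheckQuality={quality}: {check_password_quality(hashed, quality)}")
```

Running the script shows the rejection with the page's message for pwdCheckQuality=2, acceptance for 1 and 0, and that a short cleartext password is still rejected under 1 and 2 but not under 0, which is the trade-off of the fix described above.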


Complete LDAP error message
Error while creating entry
 - [LDAP: error code 19 - CONSTRAINT_VIOLATION: failed for MessageType : ADD_REQUES
  javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - CONSTRAINT_VIOLATION: failed for MessageType : ADD_REQUEST
Message ID : 17
    Add Request :
Entry
    dn[n]: uid=tobi,ou=users,ou=system
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: tlsKeyInfo
    objectClass: pwdPolicy
    uid: tobi
    privateKeyFormat: PKCS#8
    sn: administrator
    publicKey: '0x30 0x5C 0x30 0x0D 0x06 0x09 0x2A 0x86 0x48 0x86 0xF7 0x0D 0x01 0x01 0x01 0x05 ...'
    publicKeyFormat: X.509
    userPassword: '0x7B 0x53 0x48 0x41 0x7D 0x35 0x65 0x6E 0x36 0x47 0x36 0x4D 0x65 0x7A 0x52 0x72 ...'
    cn: system administrator
    keyAlgorithm: RSA
    pwdCheckQuality: 0
    privateKey: '0x30 0x82 0x01 0x55 0x02 0x01 0x00 0x30 0x0D 0x06 0x09 0x2A 0x86 0x48 0x86 0xF7 ...'
    userCertificate: '0x30 0x82 0x01 0x73 0x30 0x82 0x01 0x1D 0x02 0x06 0x01 0x3A 0x9D 0x9D 0x85 0x0B ...'
    displayName: Directory Superuser
: cannot verify the quality of the non-cleartext passwords]; remaining name 'uid=tobi,ou=users,ou=system'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(Unknown Source)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(Unknown Source)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(Unknown Source)
    at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$4.run(JNDIConnectionWrapper.java:658)
    at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.runAndMonitor(JNDIConnectionWrapper.java:1272)
    at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.checkConnectionAndRunAndMonitor(JNDIConnectionWrapper.java:1203)
    at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.createEntry(JNDIConnectionWrapper.java:704)
    at org.apache.directory.studio.ldapbrowser.core.jobs.CreateEntryRunnable.createEntry(CreateEntryRunnable.java:226)
    at org.apache.directory.studio.ldapbrowser.core.jobs.CreateEntryRunnable.run(CreateEntryRunnable.java:117)
    at org.apache.directory.studio.connection.ui.RunnableContextRunner$1.run(RunnableContextRunner.java:113)
    at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:121)


Friday, 12 October 2012

WCC - How to update the SecurityGroup of the Contribution Folder

Environment

This case has been tested in the following environment:
  • WebCenter Content 11.1.1.4
  • Folders_g component


Use Case

The use case is defined in the title: by default the metadata of the "Contribution Folder" cannot be updated, but we want to change it anyway.


Solution

The following steps have to be done to be able to make the update:
  • Open <mw_home>/Oracle_ECM1/ucm/idc/components/Folders_g/Folders_environment.cfg
  • Set the parameter CollectionReadOnlyMarkedFolders to false
  • Restart the UCM server
  • The SecurityGroup and other metadata of the "Contribution Folder" can be updated now
  • Set the parameter CollectionReadOnlyMarkedFolders back to true, so the folder is read-only again
  • Restart the UCM server

Attention, Oracle bug:

After updating the "Contribution Folder" it is no longer possible to access the "Contribution Folder" with your Desktop Integration Suite.
This problem can be solved as follows:
  • Use SQL Developer to access the Collections table of the UCM database. In my case DEV_OCS has to be accessed
  • Updating the "Contribution Folder" set the dParentCollectionID of the "Contribution Folder" from -1 to null. Revert this automatic change and set the dParentCollectionID to -1 again.
  • Now accessing the "Contribution Folder" with Desktop Integration Suite should be possible again.
Contact me if you still have problems with this.