Tuesday, 30 October 2012

ApacheDS Default PasswordPolicies

I installed ApacheDS 2.0 on my Windows 7 system because I decided to use ApacheDS as the LDAP server for my portal.

I always had problems when I was adding a new user to the LDAP directory and the user had a non-plaintext password. In my case the password was hashed with SHA. Here is the error message I received from the LDAP server.

Excerpt from the LDAP error message
... cannot verify the quality of the non-cleartext passwords ...

According to the ApacheDS issue https://issues.apache.org/jira/browse/DIRSERVER-1543, the problem is that the attribute pwdCheckQuality is set to 2 by default. The attribute pwdCheckQuality has to be set to 0 to disable the password quality check, which the server cannot perform on a value that is not cleartext.

Here are the steps to set the default value of pwdCheckQuality to 0:
  1. Install an ApacheDS client and log in as root. I installed the Eclipse plugin.
  2. Navigate to the DN: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
  3. Change the attribute ads-pwdcheckquality from 2 to 0.
  4. Restart the ApacheDS server.
This worked for me. Now I can add new users with passwords that are not plain text.
Leave a comment if you have questions.

By the way, solution B would be to send the passwords in plain text and let ApacheDS do the hashing and apply the other password policies itself.
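To make the behaviour behind the error and the two solutions concrete, here is an added example (not code from the original post or from ApacheDS): it decodes the hex-dumped userPassword value from the log below to show that the server only sees an RFC 2307 "{SHA}" prefix, builds the same {SHA} form a client would send, and emulates the three pwdCheckQuality settings of the LDAP password-policy draft that ApacheDS implements. The min_length rule and the sample values are assumptions.

```python
import base64
import hashlib
import re

# Constructed sample: the first 16 bytes of the userPassword value exactly as
# the Studio log prints them; the rest is truncated with "..." in the log.
LOG_USERPASSWORD = "0x7B 0x53 0x48 0x41 0x7D 0x35 0x65 0x6E 0x36 0x47 0x36 0x4D 0x65 0x7A 0x52 0x72 ..."

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn a '0x7B 0x53 ...' attribute dump back into raw bytes ('...' is ignored)."""
    return bytes(int(tok, 16) for tok in dump.split() if tok.startswith("0x"))


def password_scheme(value: bytes):
    """Return the RFC 2307 scheme name ('SHA', 'SSHA', ...) or None for a cleartext value."""
    m = SCHEME_RE.match(value.decode("ascii", errors="replace"))
    return m.group(1).upper() if m else None


def sha_userpassword(password: str) -> str:
    """What the client sent: the RFC 2307 {SHA} form, base64 of the raw SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def quality_check(value: bytes, pwd_check_quality: int, min_length: int = 8):
    """Emulate pwdCheckQuality: 0 = no check; 1 = check when possible, otherwise
    accept; 2 = check and reject a value that cannot be checked (not cleartext).
    min_length is an assumed stand-in for the policy's real quality rules."""
    if pwd_check_quality == 0:
        return True, "quality check disabled"
    scheme = password_scheme(value)
    if scheme is None:
        if len(value) < min_length:
            return False, "password too short"
        return True, "cleartext value passed the quality check"
    if pwd_check_quality == 1:
        return True, f"{{{scheme}}} value cannot be checked, accepted anyway"
    return False, "cannot verify the quality of the non-cleartext passwords"


if __name__ == "__main__":
    raw = hexdump_to_bytes(LOG_USERPASSWORD)
    print(raw, password_scheme(raw))
    for q in (2, 1, 0):
        print(q, quality_check(raw, q))
```

With the default of 2 the hashed value is rejected with the very message from the log; with 0 (solution A) it is accepted unchecked, and a cleartext value (solution B) is checked regardless of the setting.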


Complete LDAP error message
Error while creating entry
 - [LDAP: error code 19 - CONSTRAINT_VIOLATION: failed for MessageType : ADD_REQUES
  javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - CONSTRAINT_VIOLATION: failed for MessageType : ADD_REQUEST
Message ID : 17
    Add Request :
Entry
    dn[n]: uid=tobi,ou=users,ou=system
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: tlsKeyInfo
    objectClass: pwdPolicy
    uid: tobi
    privateKeyFormat: PKCS#8
    sn: administrator
    publicKey: '0x30 0x5C 0x30 0x0D 0x06 0x09 0x2A 0x86 0x48 0x86 0xF7 0x0D 0x01 0x01 0x01 0x05 ...'
    publicKeyFormat: X.509
    userPassword: '0x7B 0x53 0x48 0x41 0x7D 0x35 0x65 0x6E 0x36 0x47 0x36 0x4D 0x65 0x7A 0x52 0x72 ...'
    cn: system administrator
    keyAlgorithm: RSA
    pwdCheckQuality: 0
    privateKey: '0x30 0x82 0x01 0x55 0x02 0x01 0x00 0x30 0x0D 0x06 0x09 0x2A 0x86 0x48 0x86 0xF7 ...'
    userCertificate: '0x30 0x82 0x01 0x73 0x30 0x82 0x01 0x1D 0x02 0x06 0x01 0x3A 0x9D 0x9D 0x85 0x0B ...'
    displayName: Directory Superuser
: cannot verify the quality of the non-cleartext passwords]; remaining name 'uid=tobi,ou=users,ou=system'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(Unknown Source)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(Unknown Source)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(Unknown Source)
    at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$4.run(JNDIConnectionWrapper.java:658)
    at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.runAndMonitor(JNDIConnectionWrapper.java:1272)
    at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.checkConnectionAndRunAndMonitor(JNDIConnectionWrapper.java:1203)
    at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.createEntry(JNDIConnectionWrapper.java:704)
    at org.apache.directory.studio.ldapbrowser.core.jobs.CreateEntryRunnable.createEntry(CreateEntryRunnable.java:226)
    at org.apache.directory.studio.ldapbrowser.core.jobs.CreateEntryRunnable.run(CreateEntryRunnable.java:117)
    at org.apache.directory.studio.connection.ui.RunnableContextRunner$1.run(RunnableContextRunner.java:113)
    at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:121)

1 comment:

  1. Thanks for sharing but this trick didn't work for me. Also while trying to add ads-pwdcheckquality attribute, I'm getting a warning like this: http://img23.imageshack.us/img23/3593/apachedspassworderr.png
