password change and ppolicy
- To: firstname.lastname@example.org
- Subject: password change and ppolicy
- From: tizo <email@example.com>
- Date: Tue, 9 Jun 2009 12:12:50 -0300
We are using OpenLDAP 2.4.16 with ppolicy to authenticate users for a JEE application. Authentication works great (with JNDI), and we are receiving ppolicy response controls without problems. That way, the user knows when the password is about to expire, when the password has been reset, etc. Now we want to let users change their passwords from the application.
Before starting this, I have been testing password changes with phpLDAPAdmin. The fact is that I could only change a user password with clear text. I guess that this behaviour happens because we have pwdCheckQuality set to 2 in our default password policy. So, when the client (phpLDAPAdmin) tries to modify the password while encoding it, the server (OpenLDAP) cannot check the minimum length of the password, as it is encoded, and then fails. I am guessing, too, that phpLDAPAdmin is performing a simple modify operation to change the password, as it is stored in clear text. On the other hand, I could change passwords with ldappasswd without problems, and they are stored with SSHA. I know that this command uses RFC 3062.
So, I am wondering which is the best way to change the password from a Java application. I guess that, if I have pwdCheckQuality set to 2, the password should travel in clear text, so that ppolicy can check its minimum length, for example. But I would like it to be stored encoded. How could I do that? Do I have to use RFC 3062? Do you know of any Java implementation of the client side of that RFC?
Thanks very much,