[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: password change and ppolicy

On Tue, Jun 9, 2009 at 12:12 PM, tizo <tizone@gmail.com> wrote:
Hi there,

We are using OpenLDAP 2.4.16 with ppolicy, to authenticate users for a JEE application. Authentication works great (with JNDI), and we are receiving ppolicy response controls without problem. In that way, the user knows when the password is about to expired, when the password have been reseted, etc. Now we want to offer users to change passwords from the application.

Before starting this, I have been testing password changing with phpLDAPAdmin. The fact is that I could only change a user password with clear text. I guess that this behaviour happens because we have pwdCheckQulity setting in 2 in our default password policy. So, when the client (phpLDAPAdmin) tries to modify the password enconding it, the server (OpenLDAP) cannot check the min length of the password, as it is encoded, and then fails. I am guessing too, that phpLDAPAdmin is performing a simple modify operation to change the password, as it is stored in clear text. On the other hand, I could change passwords with ldappasswd withouth problem, and they are stored with SSHA. I know that this command uses RFC 3062.

So, I am wondering which is the best way to change the password from a Java application. I guess that, if I have pwdCheckQulity setting in 2, the password should travel in clear text, so that ppolicy can check its min lenght for example. But I would like it to be stored encoded. How could I do that?. Do I have to use RFC 3062?. Do you know any Java implementation of the client side for that RFC?.

Thanks very much,


Ok. I search everywhere in Internet, but I couldn't find a Java library that implements RFC 3062. So I develop a very simple class that implements a ExtendedRequest for that RFC, to be used with JNDI. I am attaching it here as someone might be interested, but it is not a complete class (it only works when the old password and new password are used).

I found that using BerEncoder to create a sequence with the corrects tags, was very difficult; there are not much examples around there for extended LDAP operations, with values for the requests. For that I guess that the class could be of interest for someone.



package uy.gub.fnr.ldap;

import com.sun.jndi.ldap.Ber;
import com.sun.jndi.ldap.BerEncoder;
import javax.naming.NamingException;
import javax.naming.ldap.ExtendedRequest;
import javax.naming.ldap.ExtendedResponse;
import org.apache.log4j.Logger;

public class PasswordModifyRequest implements ExtendedRequest {

    public static final String OID = "";

    private static Logger logger = Logger.getLogger(PasswordModifyRequest.class.getName());

    private String user;
    private String oldPassword;
    private String newPassword;

    public PasswordModifyRequest (String user, String oldPassword, String newPassword) {
        this.user = user;
        this.oldPassword = oldPassword;
        this.newPassword = newPassword;

    public String getID() {
        return PasswordModifyRequest.OID;

    public byte[] getEncodedValue() {
        BerEncoder encoder = new BerEncoder();

        // Start the sequence.
        encoder.beginSeq(Ber.ASN_SEQUENCE | Ber.ASN_CONSTRUCTOR);

        // Add the data and finish the sequence.
        try {
            encoder.encodeString(user, Ber.ASN_CONTEXT | 0, true);
            encoder.encodeString(oldPassword, Ber.ASN_CONTEXT | 1, true);
            encoder.encodeString(oldPassword, Ber.ASN_CONTEXT | 2, true);
        } catch (Exception e) {
            logger.warn("Encoding exception", e);
            return null;

        return encoder.getTrimmedBuf();

    public ExtendedResponse createExtendedResponse(String id, byte[] berValue, int offset,
            int length) throws NamingException {
        return null;