I set up users manually using Apache DS. I have to set the passwords in cleartext; the SHA values were rejected.
I am new to Apache DS. Can anyone please tell me how to change the password policy to verify non-cleartext passwords? Error in Apache DS:
javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - CONSTRAINT_VIOLATION: failed for MessageType : MODIFY_REQUEST
Message ID : 16
Object : 'cn=boris,cn=External,cn=Users,cn=ExternalLDAP,ou=External,ou=system'
Operation : add
userPassword: '0x7B 0x53 0x48 0x41 0x7D 0x38 0x62 0x61 0x5A 0x7A 0x4A 0x72 0x7A 0x37 0x72 0x6D ...'
org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@684bb6a3 ManageDsaITImpl Control
Type OID : '2.16.840.1.113722.214.171.124'
Criticality : 'false'
: cannot verify the quality of the non-cleartext passwords]; remaining name 'cn=boris,cn=External,cn=Users,cn=ExternalLDAP,ou=External,ou=system'
Edited by: roy on Aug 6, 2012 10:11 PM
I can't agree with your 'solution'. You don't install and configure a password policy just to downgrade its quality and bypass its features by sending hashed passwords. The solution is to send the password in the clear (over SSL of course) and let the password policy and indeed the entire LDAP server do its job.
You are right. This is a downgrade, because ApacheDS can't validate the password length or strength of hashed values, for example.
In my case this doesn't matter, because my portal is doing the password policy as needed and sending the passwords as hashed values to ApacheDS. I could rewrite my portal or do this workaround.
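The trade-off discussed in this thread, as an added example that is not part of any post and is not ApacheDS code: a small Python model of the three pwdCheckQuality modes defined in the LDAP password policy draft, applied to the visible bytes of the userPassword value from the error above. The function names and the minimum length of 8 are assumptions made for illustration.

```python
import re

# RFC 2307-style userPassword values start with a "{SCHEME}" prefix.
SCHEME_RE = re.compile(rb"^\{([A-Za-z0-9-]+)\}")

# pwdCheckQuality values from the LDAP password policy draft.
NO_CHECK, CHECK_ACCEPT, CHECK_REJECT = 0, 1, 2

MIN_LENGTH = 8  # constructed policy value for this example


def storage_scheme(value: bytes):
    """Return the scheme name (e.g. 'SHA') or None for cleartext."""
    m = SCHEME_RE.match(value)
    return m.group(1).decode().upper() if m else None


def check_password(value: bytes, mode: int):
    """Return (accepted, reason) for a userPassword write (hypothetical helper)."""
    if mode == NO_CHECK:
        return True, "quality checking disabled"
    scheme = storage_scheme(value)
    if scheme is not None:
        # Only the digest is visible; length and strength are unknowable.
        if mode == CHECK_REJECT:
            return False, "cannot verify quality of {%s} value" % scheme
        return True, "unverifiable {%s} value accepted unchecked" % scheme
    if len(value) < MIN_LENGTH:
        return False, "password shorter than %d bytes" % MIN_LENGTH
    return True, "cleartext password passed quality check"


# Leading bytes of the userPassword value shown in the error above
# (the log truncates the rest, so only the visible prefix is used).
LOGGED_PREFIX = bytes.fromhex("7B5348417D3862615A7A4A727A37726D")

if __name__ == "__main__":
    for mode in (NO_CHECK, CHECK_ACCEPT, CHECK_REJECT):
        print(mode, check_password(LOGGED_PREFIX, mode))
    # Constructed cleartext samples: one too short, one long enough.
    print(check_password(b"short", CHECK_REJECT))
    print(check_password(b"constructed-Sample-1", CHECK_REJECT))
```

In the strict mode the hashed value is refused because nothing about the original password can be measured; in the lenient mode it is stored with no quality check at all, which is the downgrade the replies describe.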