Topic
9 replies Latest Post - 2014-08-19T19:43:35Z by bmatteso
andresmgs

Pinned topic ISAM - Password change using TDS 6.3 custom policy rules

2014-08-12T17:16:51Z |

Hello everyone.

I am using the "Custom Password Policy Plug-in" for TDS version 6.3 in order to give Security Access Manager for Web the capability to restrict the use of userID in their own password.

This is the link for the TDS custom password policy plug-in: http://www-304.ibm.com/software/brandcatalog/ismlibrary/details?catalog.label=1TW10TD0B#tab-details

However, I have been testing the policy but it doesn't seem to be working. This is installed on AIX.

According to the LDAP server start-up logs, it seems like the custom library was successfully loaded. I also set the LDAP entry to attach the plug-in.

But using WebSEAL's /pkmspasswd form, it seems like I can still set a user's password with its own uid in it.

Any idea or suggestion to solve this?

Thanks in advance.

Regards, Andres.

  • bmatteso

    Re: ISAM - Password change using TDS 6.3 custom policy rules

    2014-08-12T17:41:39Z  in response to andresmgs

    Hi,

    How is your password policy configured on your server?  According to the docs on this, these are just additional password policy attributes that get added to your existing ones, so you'd still have to configure password policy the normal way, albeit with new attributes to configure.  We can check how it's configured with:

    idsldapsearch -L -D <admin_dn> -w <password> -b cn=pwdpolicy,cn=ibmpolicies -s sub objectclass=pwdpolicy

    If pwdCheckSyntax isn't set to a non-zero value, I doubt any of these extra attributes take effect.

    Regards.

    • andresmgs

      Re: ISAM - Password change using TDS 6.3 custom policy rules

      2014-08-12T17:53:51Z  in response to bmatteso

      Hi BMatteso, thank you for your quick answer.

      After reading your post, I changed the pwdCheckSyntax to '2' and then I restarted the instance. The pwdUserId is still not working.

      This is the outcome of the ldapsearch command; note that the custom policy for pwdUserId is not listed here. That is because it is set using another attribute in the LDAP.

      ./idsldapsearch -L -D cn=root -w ***** -b cn=pwdpolicy,cn=ibmpolicies -s sub objectclass=pwdpolicy
      dn: cn=pwdpolicy,cn=ibmpolicies
      objectclass: container
      objectclass: pwdPolicy
      objectclass: ibm-pwdPolicyExt
      objectclass: ibm-pwdGroupAndIndividualPolicies
      objectclass: top
      cn: pwdPolicy
      pwdAttribute: userPassword
      pwdGraceLoginLimit: 0
      pwdLockoutDuration: 0
      pwdFailureCountInterval: 0
      passwordMaxRepeatedChars: 0
      passwordMaxConsecutiveRepeatedChars: 0
      pwdMaxAge: 0
      pwdMinAge: 0
      pwdExpireWarning: 0
      pwdMinLength: 0
      passwordMinAlphaChars: 0
      passwordMinOtherChars: 0
      passwordMinDiffChars: 0
      pwdLockout: false
      pwdSafeModify: false
      ibm-pwdGroupAndIndividualEnabled: false
      pwdMaxFailure: 0
      ibm-pwdPolicy: true
      ibm-pwdPolicyStartTime: 20140808184851Z
      pwdAllowUserChange: true
      pwdCheckSyntax: 2
      pwdInHistory: 13
      pwdMustChange: true

      Looking forward to your comments.

      Regards, Andres

      • bmatteso

        Re: ISAM - Password change using TDS 6.3 custom policy rules

        2014-08-12T18:06:18Z  in response to andresmgs

        Don't know anything about this custom plugin, but the only other thing I can think of to check is the stanza you added for the plugin config in the ibmslapd.conf file.  Please paste that here.

        Regards,

        Ben

        • andresmgs

          Re: ISAM - Password change using TDS 6.3 custom policy rules

          2014-08-12T20:01:56Z  in response to bmatteso

          According to the plug-in installation doc, I just need to set a property in an entry using ldapmodify.

          This is the command:

          ldapmodify -D cn=root -w *****
          dn: CN=DIRECTORY,CN=RDBM BACKENDS,CN=IBM DIRECTORY,CN=SCHEMAS,CN=CONFIGURATION
          changetype: modify
          add: ibm-slapdPlugin
          ibm-slapdPlugin: preoperation libcustppolicy_aix.a customPwdPolicyInit pwdNoUserId=true

          Where libcustppolicy_aix.a is the plug-in library (I put that file in the /lib64 folder) and pwdNoUserId=true is the policy configuration itself.

          Attached to this post is the README file with the instructions.

          Any idea you might have will be greatly appreciated.

          Regards, Andres.

          • bmatteso

            Re: ISAM - Password change using TDS 6.3 custom policy rules

            2014-08-12T20:55:06Z  in response to andresmgs

            Seems fine.  I would have preferred to see the stanza from ibmslapd.conf itself, but will assume the modify worked properly.

            Last thing I can think of to check would be to make sure that password policy applies to this user:

            idsldapexop -D cn=root -w ******* -op effectpwdpolicy -d <DN>

            where <DN> is the user you're testing.

            • andresmgs

              Re: ISAM - Password change using TDS 6.3 custom policy rules

              2014-08-12T21:17:56Z  in response to bmatteso

              Thank you Ben. This is the output from that command:

              ./idsldapexop -D cn=root -w ***** -op effectpwdpolicy -d cn=testuser,ou=usuarios,dc=bbva

              The effective password policy is calculated based on the following entries:
              cn=pwdpolicy,cn=ibmpolicies

              The effective password policy is:
              ibm-pwdPolicyStartTime=20140808184851Z
              pwdInHistory=13
              pwdCheckSyntax=2
              pwdGraceLoginLimit=0
              pwdLockoutDuration=0
              pwdMaxFailure=0
              pwdFailureCountInterval=0
              passwordMaxRepeatedChars=0
              passwordMaxConsecutiveRepeatedChars=0
              pwdMaxAge=0
              pwdMinAge=0
              pwdExpireWarning=0
              pwdMinLength=0
              passwordMinAlphaChars=0
              passwordMinOtherChars=0
              passwordMinDiffChars=0
              ibm-pwdPolicy=true
              pwdLockout=false
              pwdAllowUserChange=true
              pwdMustChange=true
              pwdSafeModify=false
              ibm-pwdGroupAndIndividualEnabled=false

              As you can see, the value for pwdNoUserId is not here. Perhaps I need to create that attribute? It is really odd because there are some other policy extensions like pwdMinSpecialChars or pwdMinUppercaseChars that are configured using that plugin.

              The plug-in states that it is for TDS version 6.3 and I am using 6.3.0.17, so I guess it is not related to compatibility issues. Should I create a PMR to handle this?

              Please let me know your thoughts as soon as you can.

              Regards, Andres.

              • bmatteso

                Re: ISAM - Password change using TDS 6.3 custom policy rules

                2014-08-12T21:31:26Z  in response to andresmgs

                Hi,

                I don't think you can create a PMR; this plugin is documented as "not supported".

                I suspect that "pwdNoUserId" isn't going to be implemented as an attribute, so won't help to create it.  I think these are just rules, not attributes.  If they were attributes, there would be directions for adding them to the schema, but I didn't see that in the directions.

                Did you try changing the user's password directly in LDAP?

                Ben
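As an added example (my own code, not from the thread, IBM, or the plug-in), a small checker that parses the kind of policy output shown above (either the `attr: value` form from idsldapsearch or the `attr=value` form from the effectpwdpolicy extended operation), confirms pwdCheckSyntax is non-zero, and applies the rule the plug-in is meant to enforce: the password must not contain the user's uid. The sample policy text is constructed from the thread's output.

```python
import re

# Constructed sample, modelled on the effectpwdpolicy output in the thread.
SAMPLE_POLICY = """The effective password policy is:
pwdCheckSyntax=2
pwdMinLength=0
pwdInHistory=13
"""

_ATTR_LINE = re.compile(r"^\s*([A-Za-z][\w-]*)\s*[:=]\s*(.*?)\s*$")


def parse_policy(text):
    """Map attribute name (lower-cased) -> first value, from 'a: v' or 'a=v' lines.
    Lines that are not attribute/value pairs (headings, blanks) are ignored."""
    attrs = {}
    for line in text.splitlines():
        match = _ATTR_LINE.match(line)
        if match:
            attrs.setdefault(match.group(1).lower(), match.group(2))
    return attrs


def syntax_checking_enabled(attrs):
    """Syntax rules, built-in or plug-in supplied, only apply when pwdCheckSyntax != 0."""
    return int(attrs.get("pwdchecksyntax", "0")) != 0


def contains_userid(uid, password):
    """The pwdNoUserId rule as described on the page: the uid must not appear in the
    password. Comparison is case-insensitive (an assumption, not documented here)."""
    return uid.lower() in password.lower()


def check_password(policy_text, uid, password):
    """Return a list of problems; an empty list means the password passes."""
    attrs = parse_policy(policy_text)
    problems = []
    if not syntax_checking_enabled(attrs):
        problems.append("pwdCheckSyntax is 0: syntax rules will not be enforced")
    min_len = int(attrs.get("pwdminlength", "0"))
    if len(password) < min_len:
        problems.append("shorter than pwdMinLength=%d" % min_len)
    if contains_userid(uid, password):
        problems.append("password contains the uid (pwdNoUserId)")
    return problems


if __name__ == "__main__":
    print(check_password(SAMPLE_POLICY, "testuser", "TestUser-2014"))
```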

                • andresmgs

                  Re: ISAM - Password change using TDS 6.3 custom policy rules

                  2014-08-19T19:24:12Z  in response to bmatteso

                  Hello again Ben.

                  I have been testing the password change using LDAP's own procedure (via IDSWebApp) and the password change indeed applies the "pwdUserId" policy.

                  However, using SAM's "pkmspasswd" module it is not applied.

                  Any idea or advice regarding this odd behavior?

                  It is really strange for me, as SAM accepts the use of the "password history" policy and that rule is also managed from LDAP and not from SAM.

                  Regards, Andres.

                  • bmatteso

                    Re: ISAM - Password change using TDS 6.3 custom policy rules

                    2014-08-19T19:43:35Z  in response to andresmgs

                    Sorry, I don't know.  Probably need to get someone who knows ISAM better to answer that.