Topic
  • 9 replies
  • Latest Post - 2014-08-19T19:43:35Z by bmatteso
andresmgs
andresmgs
46 Posts

Pinned topic ISAM - Password change using TDS 6.3 custom policy rules

2014-08-12T17:16:51Z | isam ldap password policy rules tds

Hello everyone.

I am using the "Custom Password Policy Plug-in" for TDS version 6.3 in order to give Security Access Manager for Web the capability to restrict the use of userID in their own password.

This is the link for the TDS custom password policy plug-in: http://www-304.ibm.com/software/brandcatalog/ismlibrary/details?catalog.label=1TW10TD0B#tab-details

However, I have been testing the policy but it doesn't seem to be working. This is installed on AIX.

According to LDAP's start server prompt logs, it seems like the custom library was successfully loaded. I also set the LDAP entry to attach the plug-in.

But using WebSEAL's /pkmspasswd form, it seems like I can still set a user's password with its own uid in it.

Any idea or suggestion to solve this?

Thanks in advance.

Regards, Andres.

  • bmatteso
    bmatteso
    108 Posts

    Re: ISAM - Password change using TDS 6.3 custom policy rules

    2014-08-12T17:41:39Z

    Hi,

    How is your password policy configured on your server?  According to the docs on this, these are just additional password policy attributes that get added to your existing ones, so you'd still have to configure password policy the normal way, albeit with new attributes to configure.  We can check how it's configured with:

    idsldapsearch -L -D <admin_dn> -w <password> -b cn=pwdpolicy,cn=ibmpolicies -s sub objectclass=pwdpolicy

    If pwdCheckSyntax isn't set to a non-zero value, I doubt any of these extra attributes take effect.

    Regards.

  • andresmgs
    andresmgs
    46 Posts

    Re: ISAM - Password change using TDS 6.3 custom policy rules

    2014-08-12T17:53:51Z
    • bmatteso
    • 2014-08-12T17:41:39Z

    Hi BMatteso, thank you for your quick answer.

    After reading your post, I changed the pwdCheckSyntax to '2' and then I restarted the instance. The pwdUserId is still not working.

    This is the outcome of the ldapsearch command; note that the custom policy for pwdUserId is not listed here. That is because it is set using another attribute in the LDAP.

    ./idsldapsearch -L -D cn=root -w ***** -b cn=pwdpolicy,cn=ibmpolicies -s sub objectclass=pwdpolicy
    dn: cn=pwdpolicy,cn=ibmpolicies
    objectclass: container
    objectclass: pwdPolicy
    objectclass: ibm-pwdPolicyExt
    objectclass: ibm-pwdGroupAndIndividualPolicies
    objectclass: top
    cn: pwdPolicy
    pwdAttribute: userPassword
    pwdGraceLoginLimit: 0
    pwdLockoutDuration: 0
    pwdFailureCountInterval: 0
    passwordMaxRepeatedChars: 0
    passwordMaxConsecutiveRepeatedChars: 0
    pwdMaxAge: 0
    pwdMinAge: 0
    pwdExpireWarning: 0
    pwdMinLength: 0
    passwordMinAlphaChars: 0
    passwordMinOtherChars: 0
    passwordMinDiffChars: 0
    pwdLockout: false
    pwdSafeModify: false
    ibm-pwdGroupAndIndividualEnabled: false
    pwdMaxFailure: 0
    ibm-pwdPolicy: true
    ibm-pwdPolicyStartTime: 20140808184851Z
    pwdAllowUserChange: true
    pwdCheckSyntax: 2
    pwdInHistory: 13
    pwdMustChange: true

    Looking forward to your comments.

    Regards, Andres

  • bmatteso
    bmatteso
    108 Posts

    Re: ISAM - Password change using TDS 6.3 custom policy rules

    2014-08-12T18:06:18Z
    • andresmgs
    • 2014-08-12T17:53:51Z

    Don't know anything about this custom plugin, but only other thing I can think of to check is the stanza you added for the plugin config in the ibmslapd.conf file.  Please paste that here.

    Regards,

    Ben

  • andresmgs
    andresmgs
    46 Posts

    Re: ISAM - Password change using TDS 6.3 custom policy rules

    2014-08-12T20:01:56Z
    • bmatteso
    • 2014-08-12T18:06:18Z

    According to the plug-in installation doc, I just need to set a property in an entry using ldapmodify.

    This is the command:

    ldapmodify -D cn=root -w *****
       dn: CN=DIRECTORY,CN=RDBM BACKENDS,CN=IBM DIRECTORY,CN=SCHEMAS,CN=CONFIGURATION
       changetype: modify
       add: ibm-slapdPlugin
       ibm-slapdPlugin: preoperation libcustppolicy_aix.a customPwdPolicyInit pwdNoUserId=true

    Where libcustppolicy_aix.a is the plug-in library (I put that file in the /lib64 folder) and pwdNoUserId=true is the policy configuration itself.

    Attached to this post is the README file with the instructions.

    Any idea you might have will be greatly appreciated.

    Regards, Andres.

  • bmatteso
    bmatteso
    108 Posts

    Re: ISAM - Password change using TDS 6.3 custom policy rules

    2014-08-12T20:55:06Z
    • andresmgs
    • 2014-08-12T20:01:56Z

    Seems fine.  I would have preferred to see the stanza from ibmslapd.conf itself, but will assume the modify worked properly.

    Last thing I can think of to check would be to make sure that password policy applies to this user:

    idsldapexop -D cn=root -w ******* -op effectpwdpolicy -d <DN>

    where <DN> is the user you're testing.

  • andresmgs
    andresmgs
    46 Posts

    Re: ISAM - Password change using TDS 6.3 custom policy rules

    2014-08-12T21:17:56Z
    • bmatteso
    • 2014-08-12T20:55:06Z

    Thank you Ben. This is the output from that command:

    ./idsldapexop -D cn=root -w Ld4pAdM1n -op effectpwdpolicy -d cn=testuser,ou=usuarios,dc=bbva

    The effective password policy is calculated based on the following entries:
    cn=pwdpolicy,cn=ibmpolicies

    The effective password policy is:
    ibm-pwdPolicyStartTime=20140808184851Z
    pwdInHistory=13
    pwdCheckSyntax=2
    pwdGraceLoginLimit=0
    pwdLockoutDuration=0
    pwdMaxFailure=0
    pwdFailureCountInterval=0
    passwordMaxRepeatedChars=0
    passwordMaxConsecutiveRepeatedChars=0
    pwdMaxAge=0
    pwdMinAge=0
    pwdExpireWarning=0
    pwdMinLength=0
    passwordMinAlphaChars=0
    passwordMinOtherChars=0
    passwordMinDiffChars=0
    ibm-pwdPolicy=true
    pwdLockout=false
    pwdAllowUserChange=true
    pwdMustChange=true
    pwdSafeModify=false
    ibm-pwdGroupAndIndividualEnabled=false

    As you can see, the value for pwdNoUserId is not here. Perhaps I need to create that attribute? It is really odd because there are some other policy extensions like pwdMinSpecialChars or pwdMinUppercaseChars that are configured using that plugin.

    The plug-in states that it is for TDS version 6.3 and I am using 6.3.0.17, so I guess it is not related to compatibility issues. Should I create a PMR to handle this?

    Please let me know your thoughts as soon as you can.

    Regards, Andres.

  • bmatteso
    bmatteso
    108 Posts

    Re: ISAM - Password change using TDS 6.3 custom policy rules

    2014-08-12T21:31:26Z
    • andresmgs
    • 2014-08-12T21:17:56Z

    Hi,

    I don't think you can create a pmr; this plugin is documented as "not supported".

    I suspect that "pwdNoUserId" isn't going to be implemented as an attribute, so it won't help to create it.  I think these are just rules, not attributes.  If they were attributes, there would be directions for adding them to the schema, but I didn't see that in the directions.

    Did you try changing the user's password directly in LDAP?

    Ben

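    The point Ben makes above (the plug-in setting is a rule carried in the ibm-slapdPlugin argument string, so it never appears in the cn=pwdpolicy entry that idsldapsearch and effectpwdpolicy print) can be made concrete with a small offline model. The following is an added example written for this thread; it is not code from the thread, from TDS, or from the IBM plug-in. It parses the policy entry LDIF shown earlier (constructed here from the values in the thread), parses the plug-in argument string `pwdNoUserId=true`, and evaluates a candidate password against the server attributes plus the plug-in style rule. The function names (`parse_ldif_entry`, `parse_plugin_args`, `syntax_checking_enabled`, `violations`) are this example's own, the meaning of pwdCheckSyntax values (0 = never check, 1 = check when the password is available in clear, 2 = always check) follows the LDAP password policy draft, and gating the plug-in rule on pwdCheckSyntax being non-zero is an assumption taken from Ben's first reply, not something the plug-in README is quoted as stating.

```python
"""Offline model of a TDS password policy entry plus a plug-in style rule.

Added example for the forum thread; not TDS or IBM plug-in code.
"""

# Constructed sample: the cn=pwdpolicy,cn=ibmpolicies entry as idsldapsearch
# printed it in the thread (values copied, attribute set trimmed).
SAMPLE_POLICY_LDIF = """\
dn: cn=pwdpolicy,cn=ibmpolicies
objectclass: container
objectclass: pwdPolicy
objectclass: ibm-pwdPolicyExt
objectclass: top
cn: pwdPolicy
pwdAttribute: userPassword
pwdMinLength: 0
passwordMinAlphaChars: 0
passwordMinOtherChars: 0
passwordMaxRepeatedChars: 0
ibm-pwdPolicy: true
pwdCheckSyntax: 2
pwdInHistory: 13
"""

# Constructed sample: the argument string from the ibm-slapdPlugin value.
SAMPLE_PLUGIN_ARGS = "pwdNoUserId=true"


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.

    LDAP attribute names are case-insensitive, so keys are lower-cased.
    """
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def parse_plugin_args(args):
    """Parse 'key=value key2=value2' plug-in arguments into {key: bool}."""
    rules = {}
    for token in args.split():
        key, _, value = token.partition("=")
        rules[key.lower()] = value.strip().lower() == "true"
    return rules


def syntax_checking_enabled(policy):
    """pwdCheckSyntax: 0 = never check, 1 = check when possible, 2 = always."""
    return policy.get("pwdchecksyntax", ["0"])[0] != "0"


def _int_attr(policy, attr):
    """Integer value of a single-valued policy attribute, 0 when absent."""
    return int(policy.get(attr.lower(), ["0"])[0])


def violations(user_id, password, policy, plugin_rules):
    """Return the names of the rules the candidate password breaks.

    Server rules come from the policy entry; the plug-in rule comes from
    the ibm-slapdPlugin argument, which is why it is absent from the entry.
    Assumption (from Ben's reply): nothing is checked when pwdCheckSyntax is 0.
    """
    failed = []
    if not syntax_checking_enabled(policy):
        return failed
    if len(password) < _int_attr(policy, "pwdMinLength"):
        failed.append("pwdMinLength")
    alpha = sum(c.isalpha() for c in password)
    if alpha < _int_attr(policy, "passwordMinAlphaChars"):
        failed.append("passwordMinAlphaChars")
    if len(password) - alpha < _int_attr(policy, "passwordMinOtherChars"):
        failed.append("passwordMinOtherChars")
    max_rep = _int_attr(policy, "passwordMaxRepeatedChars")  # 0 = unlimited
    if max_rep and password and max(password.count(c) for c in set(password)) > max_rep:
        failed.append("passwordMaxRepeatedChars")
    # Plug-in style rule: the user id must not appear in the password
    # (compared case-insensitively; this comparison is the example's choice).
    if plugin_rules.get("pwdnouserid") and user_id and user_id.lower() in password.lower():
        failed.append("pwdNoUserId")
    return failed


if __name__ == "__main__":
    policy = parse_ldif_entry(SAMPLE_POLICY_LDIF)
    rules = parse_plugin_args(SAMPLE_PLUGIN_ARGS)
    print("syntax checking enabled:", syntax_checking_enabled(policy))
    print("pwdNoUserId in policy entry:", "pwdnouserid" in policy)
    print("TestUser2014! ->", violations("testuser", "TestUser2014!", policy, rules))
    print("Correct-Horse-9 ->", violations("testuser", "Correct-Horse-9", policy, rules))
```

    Running it shows why the earlier searches look the way they do: `pwdnouserid` is never a key of the parsed entry, yet a password such as `TestUser2014!` is still rejected for user `testuser` once the rule is read from the plug-in argument string. The same model makes Ben's first point testable: with `pwdCheckSyntax: 0` in the entry, `violations` returns nothing at all.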
  • andresmgs
    andresmgs
    46 Posts

    Re: ISAM - Password change using TDS 6.3 custom policy rules

    2014-08-19T19:24:12Z
    • bmatteso
    • 2014-08-12T21:31:26Z

    Hello again Ben.

    I have been testing the password change using LDAP's own procedure (via IDSWebApp) and the password change indeed applies the "pwdUserId" policy.

    However, using SAM's "pkmspasswd" module it is not applied.

    Any idea or advice regarding this odd behavior?

    It is really strange for me, as SAM accepts the use of the "password history" policy and that rule is also managed from LDAP and not from SAM.

    Regards, Andres.

  • bmatteso
    bmatteso
    108 Posts

    Re: ISAM - Password change using TDS 6.3 custom policy rules

    2014-08-19T19:43:35Z
    • andresmgs
    • 2014-08-19T19:24:12Z

    Sorry, I don't know.  Probably need to get someone who knows ISAM better to answer that.