/*
 * The contents of this file are subject to the terms of the Common Development and
 * Distribution License (the License). You may not use this file except in compliance with the
 * License.
 *
 * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
 * specific language governing permission and limitations under the License.
 *
 * When distributing Covered Software, include this CDDL Header Notice in each file and include
 * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
 * Header, with the fields enclosed by brackets [] replaced by your own identifying
 * information: "Portions copyright [year] [name of copyright owner]".
 *
 * Copyright 2015 ForgeRock AS.
 */

Sample Multiple Passwords
=======================================================

This sample shows you how to set up multiple passwords for OpenIDM's managed users internal repository and how to sync
each of them to a different LDAP target. The following scenario is assumed:

* The OpenIDM managed/user repository is the source system.
* There are two LDAP servers, ldap and ldap2.
* There are two additional password fields on the managed user, each mapped to one of the two LDAP servers.
* The two LDAP servers have different requirements for password policy and encryption.
* Both LDAP servers require a password history policy, but with differing history sizes.
* The value of a managed user's "password" field will be used for the additional passwords unless the CREATE, UPDATE,
  or PATCH request on the managed user explicitly contains a value for these additional passwords.

This sample also shows how to extend the password history policy (found in the OpenIDM Integrator's Guide, section
14.1.1) to apply to multiple password fields.

The sample includes the following customized configuration files:

* conf/provisioner.openicf-ldap.json: configures the first LDAP connection.
* conf/provisioner.openicf-ldap2.json: configures the second LDAP connection.
* conf/sync.json: describes how accounts in the directory server map to managed users in OpenIDM.
* conf/managed.json: contains the updated schema for managed users, which includes the additional password fields.

This sample includes the following scripts:

* script/onCreate-onUpdate-sync.js: performs custom mapping logic, specifically the mapping of the pre-hashed password
  value and the setting of the target object DN on create events.
* script/storeFields.groovy: an onValidate script that stores the pre-hashed values of fields in the context chain for
  use when mapping.
* script/onCreate-user-custom.js: an onCreate script used for the password history policy.
* script/onUpdate-user-custom.js: an onUpdate script used for the password history policy.
* script/pwpolicy.js: an additional policy script for enforcing the password history policy.
* script/set-additional-passwords.js: populates the values of the additional password fields with the value of
  the main "password" field if the additional fields are not included in the request content.

The managed.json configuration for this sample has the following modifications:

* An onValidate script that stores the pre-hashed value of the "ldapPassword" field. This value is stored in the
  ManagedObjectContext in the context chain of the request. During the sync event, the value can be pulled out of the
  context chain and used to map the target object. This is necessary because the hashed fields of a managed object are
  already hashed in the object itself by the time it reaches the sync process.
* A new field "ldapPassword" that is mapped to the accounts in the system/ldap/accounts target. This field carries
  the normal policies associated with the "password" field of a managed user, with a new requirement that it must
  contain two capital letters instead of the normal one. This field also uses hashing instead of encryption.
* A new field "ldap2Password" that is mapped to the accounts in the system/ldap2/accounts target. This field carries
  the normal policies associated with the "password" field of a managed user, with a new requirement that it must
  contain two numbers instead of the normal one.
* A new password history policy for each of the two mapped password fields, ldapPassword and ldap2Password. See below
  for a description of the changes required for the password history policy.

The sync.json configuration for this sample has the following modifications:

* A mapping from OpenIDM's managed users to system/ldap/account (ou=People). This mapping specifies an "onCreate"
  and an "onUpdate" script that pull the pre-hashed value (if it is present) out of the context chain and use it
  to set the "userPassword" on the target object. Note: this mapping does not contain an explicit mapping from
  "ldapPassword" to "userPassword" in the properties section because it is done in the script.
* A mapping from OpenIDM's managed users to system/ldap2/account (ou=Customers). This mapping contains the
  "ldap2Password" to "userPassword" mapping in the properties section alongside the normal property mappings. Since
  this password is encrypted (as opposed to hashed), a transform script that uses openidm.decrypt() is defined to set
  the value on the target object.

The router.json configuration for this sample has the following modifications:

* A scripted filter on managed/user and policy/managed/user that populates the values of the additional password
  fields with the value of the main "password" field if the additional fields are not included in the request content.
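
The following is an added example and is not the sample's own script/set-additional-passwords.js or its managed.json
policy configuration. It models, in plain JavaScript, the two behaviours described above: the filter that defaults
"ldapPassword" and "ldap2Password" from "password" when a request omits them, and the stricter per-field requirements
(two capital letters, two numbers) that produce the 403 shown later in this README. The function names, the
FIELD_POLICIES table and the shape of the returned failure list are assumptions made for this example; only the new
requirements are modelled, not the normal managed-user password policies.

```javascript
// Added example: request-content defaulting and per-field policy checks for the
// additional password fields. Names and structures below are assumptions, not OpenIDM APIs.

const ADDITIONAL_PASSWORD_FIELDS = ["ldapPassword", "ldap2Password"];

// Fill in any additional password field the request content did not set, using the
// value of the main "password" field. Returns a copy; the input is left untouched.
function setAdditionalPasswords(content, fields = ADDITIONAL_PASSWORD_FIELDS) {
  const result = Object.assign({}, content);
  if (typeof content.password !== "string") {
    return result; // nothing to default from
  }
  for (const field of fields) {
    if (!(field in content)) {
      result[field] = content.password;
    }
  }
  return result;
}

// Each check returns null on success or a policyRequirement object in the shape
// of the "failedPolicyRequirements" entries returned by OpenIDM's policy service.
function atLeastXCapitalLetters(value, numCaps) {
  const count = (value.match(/[A-Z]/g) || []).length;
  return count >= numCaps
    ? null
    : { params: { numCaps }, policyRequirement: "AT_LEAST_X_CAPITAL_LETTERS" };
}

function atLeastXNumbers(value, numNums) {
  const count = (value.match(/[0-9]/g) || []).length;
  return count >= numNums
    ? null
    : { params: { numNums }, policyRequirement: "AT_LEAST_X_NUMBERS" };
}

// Mirrors the sample: ldapPassword needs two capitals, ldap2Password needs two digits.
const FIELD_POLICIES = {
  ldapPassword: [(v) => atLeastXCapitalLetters(v, 2)],
  ldap2Password: [(v) => atLeastXNumbers(v, 2)],
};

// Validate every policed field in the (already defaulted) content. Returns the list
// of failed requirements, empty when the request would be accepted.
function validatePasswords(content, policies = FIELD_POLICIES) {
  const failed = [];
  for (const [property, checks] of Object.entries(policies)) {
    const value = content[property];
    if (typeof value !== "string") continue;
    const policyRequirements = checks.map((check) => check(value)).filter(Boolean);
    if (policyRequirements.length > 0) {
      failed.push({ policyRequirements, property });
    }
  }
  return failed;
}

// Walk-through with the two request bodies used in this README (constructed input).
const firstRequest = setAdditionalPasswords({ userName: "jdoe", password: "Passw0rd" });
console.log(JSON.stringify(validatePasswords(firstRequest), null, 2)); // both new fields fail

const secondRequest = setAdditionalPasswords({
  userName: "jdoe",
  password: "Passw0rd",
  ldapPassword: "PPassw0rd",
  ldap2Password: "Passw00rd",
});
console.log(JSON.stringify(validatePasswords(secondRequest))); // []
```

Running the block reproduces the README's outcome: "Passw0rd" has one capital and one digit, so both defaulted fields
fail, while the explicit "PPassw0rd" and "Passw00rd" values satisfy their own field's requirement.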

Password History Policy
-----------------------

This sample includes a custom policy for enforcing a password history policy on password fields. For this sample we
only care about keeping a history of passwords, but note that this policy can be applied to any field, not just
passwords.

In order to set up the password history policy, the following configuration changes and additions have been made to this
sample:

1. A new "fieldHistory" property has been added to managed users. The value of this field is a map of field names to
   a list of historical values for that field. These lists of values are used by the new policy to determine whether a
   new value has previously been used.

2. A new script/onCreate-user-custom.js has been added which, on a create event, does the normal onCreate logic for
   a managed user and additionally stores the initial value of each of the fields to keep history of.

   This script is passed the following configurable properties:

   * historyFields: a list of the fields to store history on.
   * historySize: the number of historical values to store per field.

3. A new script/onUpdate-user-custom.js has been added which, on an update event, compares the old and new values of
   the historical fields to determine whether they have changed. If a new value is detected, it is stored in the list
   of historical values for that field. The script also contains logic to deal with the comparison of encrypted and/or
   hashed field values.

   Like the onCreate script, this script is passed the following configurable properties:

   * historyFields: a list of the fields to store history on.
   * historySize: the number of historical values to store per field.

4. A new script/pwpolicy.js script has been added which contains the additional policy definition for the new
   password history policy. This script compares the new field value with the values contained in the list of
   historical values for each field. The policy.json configuration has been modified to include this script in its
   "additionalFiles" list, so that the policy service will load the new policy definition. This new policy takes,
   as a passed-in parameter, a "historyLength" which indicates the number of historical values to enforce the policy
   on. This number must not exceed the "historySize" specified in the onCreate/onUpdate scripts.

5. The policy configuration has been added to the "ldapPassword" and "ldap2Password" fields in the managed user's
   schema. For the purposes of this sample the "historySize" has been set to 2 for "ldapPassword" and 4 for
   "ldap2Password".
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad KienleSetup OpenDJ
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle------------
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle1. Extract OpenDJ to a folder called opendj.
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle
c778db2859a5f59aa80244e248847d38b8d5df84Lana Frost2. Run the following command to initialize OpenDJ and import the LDIF data for the sample.
c778db2859a5f59aa80244e248847d38b8d5df84Lana Frost
c778db2859a5f59aa80244e248847d38b8d5df84Lana Frost $ opendj/setup --cli \
c778db2859a5f59aa80244e248847d38b8d5df84Lana Frost --hostname localhost \
c778db2859a5f59aa80244e248847d38b8d5df84Lana Frost --ldapPort 1389 \
c778db2859a5f59aa80244e248847d38b8d5df84Lana Frost --rootUserDN "cn=Directory Manager" \
c778db2859a5f59aa80244e248847d38b8d5df84Lana Frost --rootUserPassword password \
c778db2859a5f59aa80244e248847d38b8d5df84Lana Frost --adminConnectorPort 4444 \
c778db2859a5f59aa80244e248847d38b8d5df84Lana Frost --baseDN dc=com \
c778db2859a5f59aa80244e248847d38b8d5df84Lana Frost --ldifFile /path/to/openidm/samples/multiplepasswords/data/Example.ldif \
c778db2859a5f59aa80244e248847d38b8d5df84Lana Frost --acceptLicense \
c778db2859a5f59aa80244e248847d38b8d5df84Lana Frost --no-prompt
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad KienleAfter you import the data you will see two different organizational units. These will represent the two different ldap
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienletarget systems that our mappings will each point to.
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad KienleRun The Sample In OpenIDM
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle-------------------------
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle1. Launch OpenIDM with the sample configuration as follows.
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle $ /path/to/openidm/startup.sh -p samples/multiplepasswords
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle2. Create a user in OpenIDM only specifying the main "password" field. The additional password fields ("ldapPassword"
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle and "ldap2Password") will be populated with the value for "password" due to the scripted filter described above.
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle $ curl --header "Content-Type: application/json" \
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle --header "X-OpenIDM-Username: openidm-admin" \
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle --header "X-OpenIDM-Password: openidm-admin" \
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle --request PUT \
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle --data '{
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "userName": "jdoe",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "givenName": "John",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "sn" : "Doe",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "displayName" : "John Doe",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "mail" : "john.doe@example.com",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "password" : "Passw0rd"
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle }' \
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle http://localhost:8080/openidm/managed/user/jdoe
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle {
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "code": 403,
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "detail": {
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "failedPolicyRequirements": [
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle {
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "policyRequirements": [
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle {
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "params": {
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "numCaps": 2
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle },
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "policyRequirement": "AT_LEAST_X_CAPITAL_LETTERS"
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle }
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle ],
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "property": "ldapPassword"
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle },
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle {
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "policyRequirements": [
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle {
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "params": {
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "numNums": 2
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle },
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "policyRequirement": "AT_LEAST_X_NUMBERS"
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle }
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle ],
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "property": "ldap2Password"
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle }
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle ],
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "result": false
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle },
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "message": "Policy validation failed",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "reason": "Forbidden"
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle }
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad KienleNotice that the request failed with a policy failure on the two new password fields. This can be fixed by updating the
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle"password" field to one that passes both of the new requirements, or by updating the individual passwords to
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienlespecifically pass their individual requirements.
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle3. Create a user in OpenIDM with updated "ldapPassword" and "ldap2Password" to pass the policy requirements.
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle $ curl --header "Content-Type: application/json" \
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle --header "X-OpenIDM-Username: openidm-admin" \
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle --header "X-OpenIDM-Password: openidm-admin" \
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle --request PUT \
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle --data '{
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "userName": "jdoe",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "givenName": "John",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "sn" : "Doe",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "displayName" : "John Doe",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "mail" : "john.doe@example.com",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "password" : "Passw0rd",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "ldapPassword" : "PPassw0rd",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "ldap2Password" : "Passw00rd"
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle }' \
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle http://localhost:8080/openidm/managed/user/jdoe
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle {
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "_id": "jdoe",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "_rev": "1",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "accountStatus": "active",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "displayName": "John Doe",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "effectiveAssignments": [],
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "effectiveRoles": null,
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "givenName": "John",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "ldap2Password": {
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "$crypto": {
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "type": "x-simple-encryption",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "value": {
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "cipher": "AES/CBC/PKCS5Padding",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "data": "MwLCAjwWtbtSAOW1vKK7jg==",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "iv": "v/QcvOhnjFcX2RljqFkFbA==",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "key": "openidm-sym-default"
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle }
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle }
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle },
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "ldapPassword": {
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "$crypto": {
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "type": "salted-hash",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "value": {
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "algorithm": "SHA-256",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "data": "UnnZ4AxLueq7vCtDSnTOUn5i/xwJw5CoIYg/BLjtVTWYkw38QbCPENLQtwkOKAbp"
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle }
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle }
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle },
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "mail": "john.doe@example.com",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "roles": [],
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "sn": "Doe",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "userName": "jdoe"
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle }
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad KienleThe user should now be created and synced. From the response of the create we can see that the two new password fields
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienlewere encrypted/hashed as expected.
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle4. Request all identifiers in OpenDJ, verifying that jdoe was created in both target accounts.
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle $ curl -k -u "openidm-admin:openidm-admin" \
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "https://localhost:8443/openidm/system/ldap/account?_queryId=query-all-ids&_prettyPrint=true"
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle {
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "result" : [ {
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "_id" : "uid=jdoe,ou=People,dc=example,dc=com",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "dn" : "uid=jdoe,ou=People,dc=example,dc=com"
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle }, {
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "_id" : "uid=jdoe,ou=Customers,dc=example,dc=com",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "dn" : "uid=jdoe,ou=Customers,dc=example,dc=com"
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle } ],
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "resultCount" : 6,
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "pagedResultsCookie" : null,
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "totalPagedResultsPolicy" : "NONE",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "totalPagedResults" : -1,
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "remainingPagedResults" : -1
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle }
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle5. Issue an ldap search using the newly set passwords to verify that they were correctly mapped to the target accounts
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienlein OpenDJ.
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle $ ./bin/ldapsearch -D uid=jdoe,ou=People,dc=example,dc=com -w PPassw0rd -p 1389 -b dc=example,dc=com uid=jdoe
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle $ ./bin/ldapsearch -D uid=jdoe,ou=Customers,dc=example,dc=com -w Passw00rd -p 1389 -b dc=example,dc=com uid=jdoe
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle6. Patch the managed user to change the "ldapPassword" field.
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle $ curl --header "Content-Type: application/json" \
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle -u "openidm-admin:openidm-admin" \
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle --header "If-Match: *" \
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle --request PATCH \
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle --data '[ {
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "operation" : "replace",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "field" : "ldapPassword",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "value" : "TTestw0rd"
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle } ]' \
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "http://localhost:8080/openidm/managed/user/jdoe"
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle {
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "_id": "jdoe",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "_rev": "2",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "accountStatus": "active",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "displayName": "John Doe",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "effectiveAssignments": [],
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "effectiveRoles": [],
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "givenName": "John",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "ldap2Password": {
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "$crypto": {
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "type": "x-simple-encryption",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "value": {
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "cipher": "AES/CBC/PKCS5Padding",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "data": "i0UR3pKjjoOvdZSzRZAFaA==",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "iv": "QApXszsbOwalEvWKcCXExg==",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "key": "openidm-sym-default"
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle }
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle }
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle },
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "ldapPassword": {
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "$crypto": {
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "type": "salted-hash",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "value": {
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "algorithm": "SHA-256",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "data": "hI7mLTIuxOlLvUyR5oG9wCHUW9OhJm6nCfimhNcP9FXLlNMMkZSzoxLP70Ulqvap"
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle }
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle }
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle },
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "mail": "john.doe@example.com",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "roles": [],
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "sn": "Doe",
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle "userName": "jdoe"
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle }
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle7. Issue an ldap search using the newly patched password to verify that it was correctly mapped to the target account
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienlein OpenDJ.
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle $ ./bin/ldapsearch -D uid=jdoe,ou=People,dc=example,dc=com -w TTestw0rd -p 1389 -b dc=example,dc=com uid=jdoe
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle
25b1abfbb74fea0ddfcf186f7be3ef5f8c095790Chad Kienle
8. Now, to show the password history policy in action, issue the following PATCH requests to fill the "ldapPassword"
field history.

    $ curl --header "Content-Type: application/json" \
           -u "openidm-admin:openidm-admin" \
           --header "If-Match: *" \
           --request PATCH \
           --data '[ {
             "operation" : "replace",
             "field" : "ldapPassword",
             "value" : "TTestw0rd1"
           } ]' \
           "http://localhost:8080/openidm/managed/user/jdoe"

    $ curl --header "Content-Type: application/json" \
           -u "openidm-admin:openidm-admin" \
           --header "If-Match: *" \
           --request PATCH \
           --data '[ {
             "operation" : "replace",
             "field" : "ldapPassword",
             "value" : "TTestw0rd2"
           } ]' \
           "http://localhost:8080/openidm/managed/user/jdoe"

    $ curl --header "Content-Type: application/json" \
           -u "openidm-admin:openidm-admin" \
           --header "If-Match: *" \
           --request PATCH \
           --data '[ {
             "operation" : "replace",
             "field" : "ldapPassword",
             "value" : "TTestw0rd3"
           } ]' \
           "http://localhost:8080/openidm/managed/user/jdoe"

The user should now have a history of "ldapPassword" field values containing: "TTestw0rd3", "TTestw0rd2", "TTestw0rd1",
and "TTestw0rd".

9. The history size for the "ldapPassword" policy is set to 2, so issue a PATCH request that attempts to change the
password to a value that will fail the policy: "TTestw0rd2".

    $ curl --header "Content-Type: application/json" \
           -u "openidm-admin:openidm-admin" \
           --header "If-Match: *" \
           --request PATCH \
           --data '[ {
             "operation" : "replace",
             "field" : "ldapPassword",
             "value" : "TTestw0rd2"
           } ]' \
           "http://localhost:8080/openidm/managed/user/jdoe"

    {
      "code": 403,
      "detail": {
        "failedPolicyRequirements": [
          {
            "policyRequirements": [
              {
                "policyRequirement": "IS_NEW"
              }
            ],
            "property": "ldapPassword"
          }
        ],
        "result": false
      },
      "message": "Failed policy validation",
      "reason": "Forbidden"
    }

As we can see, the request failed due to the is-new password policy (reported as the IS_NEW policy requirement above).

10. Issue a PATCH request that contains a value that was not used in the last two updates: "TTestw0rd".

    $ curl --header "Content-Type: application/json" \
           -u "openidm-admin:openidm-admin" \
           --header "If-Match: *" \
           --request PATCH \
           --data '[ {
             "operation" : "replace",
             "field" : "ldapPassword",
             "value" : "TTestw0rd"
           } ]' \
           "http://localhost:8080/openidm/managed/user/jdoe"

    {
      "_id": "jdoe",
      "_rev": "2",
      "accountStatus": "active",
      "displayName": "John Doe",
      "effectiveAssignments": [],
      "effectiveRoles": [],
      "givenName": "John",
      "ldap2Password": {
        "$crypto": {
          "type": "x-simple-encryption",
          "value": {
            "cipher": "AES/CBC/PKCS5Padding",
            "data": "i0UR3pKjjoOvdZSzRZAFaA==",
            "iv": "QApXszsbOwalEvWKcCXExg==",
            "key": "openidm-sym-default"
          }
        }
      },
      "ldapPassword": {
        "$crypto": {
          "type": "salted-hash",
          "value": {
            "algorithm": "SHA-256",
            "data": "3aKcsaJ8jJ5nuSLF6rz8Ndf+gaHXMMnGY2lmFEBTdsJnP+gRVVWziRHBzXYlN4v2"
          }
        }
      },
      "mail": "john.doe@example.com",
      "roles": [],
      "sn": "Doe",
      "userName": "jdoe"
    }

The request succeeded because the password supplied was not one that was used in the last two updates (as configured in
the policy configuration for the "ldapPassword" field).
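
The behaviour exercised in steps 8 to 10 (a history of "ldapPassword" values stored as salted SHA-256 hashes, and an is-new
check of each new value against the last `history_size` entries) can be modelled in a few lines of Python. This is an added
example, not OpenIDM's own code: the salted-hash encoding (a 16-byte random salt prepended to the SHA-256 digest, base64
encoded), the `PasswordHistoryPolicy` class and the `run_sample_sequence` helper are assumptions made here so the example
runs offline; OpenIDM's actual storage layout and policy implementation may differ.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Assumption for this example: a 16-byte salt and a "salt || digest" layout inside
# the base64 "data" field. OpenIDM's own salted-hash layout is not described here.
SALT_LEN = 16


def salted_hash(password: str, salt: Optional[bytes] = None) -> Dict:
    """Return a {"$crypto": ...} structure shaped like the sample's stored "ldapPassword"."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return {
        "$crypto": {
            "type": "salted-hash",
            "value": {
                "algorithm": "SHA-256",
                "data": base64.b64encode(salt + digest).decode("ascii"),
            },
        }
    }


def matches(stored: Dict, candidate: str) -> bool:
    """Re-hash the candidate with the stored entry's own salt and compare in constant time."""
    raw = base64.b64decode(stored["$crypto"]["value"]["data"])
    salt, digest = raw[:SALT_LEN], raw[SALT_LEN:]
    recomputed = hashlib.sha256(salt + candidate.encode("utf-8")).digest()
    return hmac.compare_digest(digest, recomputed)


class PasswordHistoryPolicy:
    """is-new policy: the new value must differ from the last `history_size` stored values."""

    def __init__(self, field: str, history_size: int) -> None:
        self.field = field
        self.history_size = history_size
        self.history: List[Dict] = []  # most recent first, as the sample lists them

    def validate(self, candidate: str) -> Dict:
        """Return the policy result in the shape of the sample's 403 "detail" object."""
        window = self.history[: self.history_size]
        if any(matches(entry, candidate) for entry in window):
            return {
                "failedPolicyRequirements": [
                    {
                        "policyRequirements": [{"policyRequirement": "IS_NEW"}],
                        "property": self.field,
                    }
                ],
                "result": False,
            }
        return {"result": True}

    def replace(self, candidate: str) -> Dict:
        """Apply a PATCH "replace" on the field: validate, then record the new hash on success."""
        outcome = self.validate(candidate)
        if outcome["result"]:
            self.history.insert(0, salted_hash(candidate))
        return outcome


def run_sample_sequence() -> List[Tuple[str, bool]]:
    """Replay the sample's PATCH values in order and report which ones were accepted."""
    policy = PasswordHistoryPolicy("ldapPassword", history_size=2)
    values = [
        "TTestw0rd",                                  # the earlier PATCH verified in step 7
        "TTestw0rd1", "TTestw0rd2", "TTestw0rd3",     # step 8: fills the history
        "TTestw0rd2",                                 # step 9: inside the window of two, rejected
        "TTestw0rd",                                  # step 10: outside the window, accepted
    ]
    return [(value, policy.replace(value)["result"]) for value in values]


if __name__ == "__main__":
    for value, accepted in run_sample_sequence():
        print(f"{value:<12} {'accepted' if accepted else 'rejected (IS_NEW)'}")
```

`run_sample_sequence()` replays the PATCH values in the order the sample issues them and returns one (password, accepted)
pair per request; with `history_size=2` the request for "TTestw0rd2" is the only rejection, matching the 403 above. Because
every history entry carries its own salt, the candidate has to be re-hashed against each entry in the window rather than
looked up, and the digests are compared with `hmac.compare_digest` so the check does not leak timing information.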