chap-passwords.xml revision 9595176505d5e2b9c835ca24ba7f4ed010f9e061
<!--
  ! CCPL HEADER START
  !
  ! This work is licensed under the Creative Commons
  ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
  ! To view a copy of this license, visit
  ! http://creativecommons.org/licenses/by-nc-nd/3.0/
  ! or send a letter to Creative Commons, 444 Castro Street,
  ! Suite 900, Mountain View, California, 94041, USA.
  !
  ! You can also obtain a copy of the license at
  ! See the License for the specific language governing permissions
  ! and limitations under the License.
  !
  ! If applicable, add the following below this CCPL HEADER, with the fields
  ! enclosed by brackets "[]" replaced with your own identifying information:
  !      Portions Copyright [yyyy] [name of copyright owner]
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2012 ForgeRock AS
  !
-->
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <para>OpenIDM provides password management features that help you enforce
 password policies, limit the number of passwords users must remember, and
 let users reset and change their passwords.</para>
 <para>A password policy is a set of rules defining what sequence of
 characters constitutes an acceptable password. Acceptable passwords are
 generally those that are hard for an attacker, whether a person or an
 automated guessing program, to guess.</para>
 <para>Password policies set requirements for password length, for character
 sets that passwords must contain, and for dictionary words and other values
 that passwords must not contain. Password policies can also require that
 users not reuse old passwords, and that users change their passwords on a
 regular basis.</para>
 <para>OpenIDM can enforce password policy rules by applying validation rules
 to attributes of managed user objects. Suppose you want to rule out use of
 the following user passwords.</para>
 <itemizedlist>
  <listitem><para><literal>password</literal></para></listitem>
  <listitem><para><literal>123456</literal></para></listitem>
  <listitem><para><literal>12345678</literal></para></listitem>
  <listitem><para><literal>qwerty</literal></para></listitem>
  <listitem><para><literal>abc123</literal></para></listitem>
 </itemizedlist>
 <para>You could include the following configuration in
 <filename>openidm/conf/managed.json</filename> to validate passwords. The
 <literal>encryption</literal> setting stores the password property encrypted
 (reversibly, with the named symmetric key) rather than hashed, which is what
 lets the <literal>onValidate</literal> script below decrypt it for
 comparison.</para>
 <programlisting>
{
    "objects" : [
        {
            "name" : "user",
            "properties" : [
                {
                    "name" : "password",
                    "encryption" : {
                        "key" : "openidm-sym-default"
                    },
                    "onValidate" : {
                        "type" : "text/javascript",
                        "file" : "script/password-validator.js"
                    }
                }
            ]
        }
    ]
}</programlisting>
 <para>The corresponding script,
 <filename>openidm/script/password-validator.js</filename>, rejects a password
 by throwing an exception when it violates the policy, and returns
 <literal>true</literal> otherwise. For example, the following script checks
 that the password is not one of those listed above. Because the password
 property is stored encrypted, the script first decrypts the managed object
 with <literal>openidm.decrypt()</literal> and compares the cleartext value.
 Note that the comparison is an exact match, so case variants such as
 <literal>Password</literal> are not caught by this simple check.</para>
 <programlisting>
// Passwords that the policy forbids outright.
const dictionary = ['password','123456','12345678', 'qwerty', 'abc123'];

function isValidPassword() {
    // The password property is encrypted at rest; decrypt the managed
    // object so that the cleartext password can be compared.
    var cleartextObject = openidm.decrypt(object);
    for (var i = 0; i &lt; dictionary.length; i++) {
        if (cleartextObject.password == dictionary[i]) {
            // Throwing rejects the write; OpenIDM reports the exception.
            throw "Password Policy Violation Exception";
        }
    }
    return true;
}

isValidPassword();</programlisting>
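 <para>The following is an added example, not OpenIDM's own code or the
 script shipped with the product. It extends the validator above to the other
 rules this chapter lists (minimum length, required character classes, and
 user attribute values the password must not contain), and makes the
 dictionary check case-insensitive. So that it runs stand-alone under
 Node.js, the <literal>openidm</literal> object is a constructed stub whose
 <literal>decrypt()</literal> returns its input unchanged, and the managed
 object is passed as a parameter instead of OpenIDM's injected
 <literal>object</literal> variable. The policy values (eight characters,
 three character classes, the attribute names) are assumptions chosen for
 illustration.</para>

```javascript
// Added example, not OpenIDM's own code. OpenIDM normally injects `openidm`
// and `object`; this `openidm` is a constructed stub whose decrypt() is a
// no-op, so cleartext passwords go in as-is when run under Node.js.
const openidm = { decrypt: function (obj) { return obj; } };

// Policy parameters (assumed values for this example).
const DICTIONARY = ['password', '123456', '12345678', 'qwerty', 'abc123'];
const MIN_LENGTH = 8;
const MIN_CHAR_CLASSES = 3;
const CHAR_CLASSES = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/];
// Managed user attributes whose values must not appear in the password.
const FORBIDDEN_ATTRS = ['userName', 'givenName', 'familyName'];

// Returns the list of rules the password breaks; an empty list means the
// password is acceptable. Dictionary and attribute checks are
// case-insensitive, so "Qwerty" is caught along with "qwerty".
function policyViolations(user) {
  var pw = user.password;
  var violations = [];
  if (typeof pw !== 'string' || pw.length === 0) {
    return ['password is missing'];
  }
  var lower = pw.toLowerCase();
  if (MIN_LENGTH > pw.length) {
    violations.push('shorter than ' + MIN_LENGTH + ' characters');
  }
  if (DICTIONARY.indexOf(lower) !== -1) {
    violations.push('in the forbidden-password list');
  }
  FORBIDDEN_ATTRS.forEach(function (attr) {
    var v = user[attr];
    // Ignore very short attribute values, which would match almost anything.
    if (typeof v === 'string' && v.length >= 3 &&
        lower.indexOf(v.toLowerCase()) !== -1) {
      violations.push('contains ' + attr);
    }
  });
  var classes = CHAR_CLASSES.filter(function (re) { return re.test(pw); }).length;
  if (MIN_CHAR_CLASSES > classes) {
    violations.push('fewer than ' + MIN_CHAR_CLASSES + ' character classes');
  }
  return violations;
}

// Mirrors the page's isValidPassword(): decrypt the managed object, throw on
// any violation so the write is rejected, otherwise return true.
function isValidPassword(object) {
  var cleartextObject = openidm.decrypt(object);
  var violations = policyViolations(cleartextObject);
  if (violations.length > 0) {
    throw 'Password Policy Violation Exception: ' + violations.join('; ');
  }
  return true;
}

// Constructed sample managed users for a stand-alone run.
const rejected = { userName: 'bjensen', givenName: 'Babs',
                   familyName: 'Jensen', password: 'Qwerty' };
const accepted = { userName: 'bjensen', givenName: 'Babs',
                   familyName: 'Jensen', password: 'Tr0ub4dor!3' };

try {
  isValidPassword(rejected);
} catch (e) {
  console.log(String(e));
}
console.log('accepted:', isValidPassword(accepted));
```

 <para>Returning the full list of violations, rather than stopping at the
 first, gives the user one actionable message; in a deployment the exception
 text is what OpenIDM surfaces to the caller, so keep it free of the
 password itself.</para>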
 <para>To try this script with the default example, update
 <filename>openidm/conf/managed.json</filename> as shown above, change the
 sample user's password in
 <filename>openidm/samples/sample1/data/xmlConnectorData.xml</filename> to
 something invalid such as <literal>123456</literal>, and add a mapping for
 the password property to <filename>openidm/conf/sync.json</filename>:</para>
 <programlisting>
"properties" : [
    {
        "source" : "description",
        "target" : "description"
    },
    {
        "source" : "firstname",
        "target" : "givenName"
    },
    {
        "source" : "email",
        "target" : "email"
    },
    {
        "source" : "lastname",
        "target" : "familyName"
    },
    {
        "source" : "name",
        "target" : "userName"
    },
    <emphasis>{
        "source" : "password",
        "target" : "password"
    },</emphasis>
    {
        "source" : "name",
        "target" : "_id"
    }
]</programlisting>
-storepass `cat keystore.pin`
<screen>$ unzip ~/Downloads/opendj-accountchange-handler-<?eval ${opendjPasswordPluginVersion}?>-SNAPSHOT.zip
-storepass `cat keystore.pin`
Owner: CN=localhost.localdomain, O=OpenDJ Self-Signed Certificate
Issuer: CN=localhost.localdomain, O=OpenDJ Self-Signed Certificate