Wiki source code of Configuration d'une politique de mots de passe
Last modified by jhurst on 2024/04/02 14:26
Show last authors
| author | version | line-number | content |
|---|---|---|---|
| 1 | This document describes the configuration of a password policy for DigDash Enterprise. | ||
| 2 | |||
| 3 | The password policy configuration is separated in two parts: | ||
| 4 | |||
| 5 | * The strategies of **protection**, **life cycle**, and a part of the password **quality** are defined directly in the LDAP server natively supported by DigDash Enterprise (OpenLDAP 2.0+) | ||
| 6 | * The password **quality** rules (syntax) are defined in a configuration file in DigDash Enterprise. | ||
| 7 | |||
| 8 | For the LDAP configuration part, we recommend the use of the software **Apache Directory Studio**. | ||
| 9 | |||
| 10 | {{ddtoc/}} | ||
| 11 | |||
| 12 | = Accessing LDAP Password Policy = | ||
| 13 | |||
| 14 | The password policy in LDAP is enabled through an LDAP interceptor (enabled by default). To configure it you can connect to the DigDash Enterprise LDAP with **Apache Directory Studio**, with an LDAP administrator user. | ||
| 15 | |||
| 16 | Once connected, expand the following nodes (see screenshot for more details): | ||
| 17 | |||
| 18 | ou=config | ||
| 19 | |||
| 20 | ads-directoryServiceId=default | ||
| 21 | |||
| 22 | ou=interceptors | ||
| 23 | |||
| 24 | ads-interceptorId=authenticationInterceptor | ||
| 25 | |||
| 26 | ou=passwordPolicies | ||
| 27 | |||
| 28 | ads-pwdId=default | ||
| 29 | |||
| 30 | [[image:password_policy_config_en_html_80a5c082d8dd5d70.png||queryString="width=544&height=372" height="372" width="544"]] | ||
| 31 | |||
| 32 | |||
| 33 | == Main attributes description == | ||
| 34 | |||
| 35 | The following table describes the main attributes used to configure the password policy in OpenLDAP: | ||
| 36 | |||
| 37 | |||
| 38 | |**Function**|**Attribute**|**Type**|**Default value**|**Description** | ||
| 39 | |(% rowspan="5" %)**Protection**|(% colspan="4" %)Password protection against attacks. Lock the password after a certain number of unsuccessful attempts to log in occur. | ||
| 40 | |ads-pwdlockout|Boolean|TRUE|((( | ||
| 41 | **TRUE**: Enable password lock | ||
| 42 | |||
| 43 | **FALSE**: disable password lock | ||
| 44 | ))) | ||
| 45 | |ads-pwdlockoutduration|Integer (seconds)|0|((( | ||
| 46 | Defines the duration of the password lock. | ||
| 47 | |||
| 48 | **0**: infinite duration: An LDAP admin must unlock the password of the account. | ||
| 49 | ))) | ||
| 50 | |ads-pwdfailurecountinterval|Integer (seconds)|30|Defines the delay before the unsuccessful log in attempts counter is reset. | ||
| 51 | |ads-pwdmaxfailure|Integer|5|If the password lock is enabled (ads-pwdlockout = TRUE), this attribute defines the number of log in failures that will lock the password. | ||
| 52 | |(% rowspan="6" %)**Quality**|(% colspan="4" %)((( | ||
| 53 | Password quality rules | ||
| 54 | |||
| 55 | //Note: By default DigDash Enterprise stores hashed passwords in LDAP. So LDAP does not know the original password entered by the user, and so can not check the its quality.// | ||
| 56 | |||
| 57 | //This check is done directly within DigDash Enterprise (see following chapter in this document).// | ||
| 58 | |||
| 59 | //The following attributes are documented for the case when the default behaviour would be modified. However, some of them are used (eg. history).// | ||
| 60 | ))) | ||
| 61 | |ads-pwdcheckquality|Integer|1|((( | ||
| 62 | Type of password quality: | ||
| 63 | |||
| 64 | **0**: Password quality is not checked | ||
| 65 | |||
| 66 | **1**: Password quality is checked when it is possible (not hashed). If the password is hashed, or in a form impossible to check, the password is accepted. | ||
| 67 | |||
| 68 | **2**: Password quality is always checked. If the password is hashed, or in a form impossible to check, the password is rejected. | ||
| 69 | |||
| 70 | //Note: Password quality check is done directly within DigDash Enterprise. You must leave this attribute to 0 or 1.// | ||
| 71 | ))) | ||
| 72 | |ads-pwdinhistory|Integer|5|LDAP can keep a history of previous passwords for a user. This attribute defines the number of history entries. | ||
| 73 | |ads-pwdminage|Integer (seconds)|0|If the password history is enabled this attribute defines the minimal delay between two successive password changes. | ||
| 74 | |ads-pwdminlength|Integer (characters)|1|((( | ||
| 75 | This attribute defines the minimum length of the password in characters. | ||
| 76 | |||
| 77 | //Note: Password quality check is done directly within DigDash Enterprise. You must leave this attribute to 1// | ||
| 78 | ))) | ||
| 79 | |ads-pwdmaxlength|Integer (characters)|0|((( | ||
| 80 | This attribute defines the maximum length of the password in characters. | ||
| 81 | |||
| 82 | //Note: Password quality check is done directly within DigDash Enterprise. You must leave this attribute to 0.// | ||
| 83 | ))) | ||
| 84 | |(% rowspan="9" %)**Life Cycle**|(% colspan="4" %)Password life cycle management. | ||
| 85 | |ads-pwdallowuserchange|Boolean|TRUE|((( | ||
| 86 | **TRUE**: The user can change its own password. | ||
| 87 | |||
| 88 | **FALSE**: The user can not change its own password. | ||
| 89 | ))) | ||
| 90 | |ads-pwdexpirewarning|Integer (seconds)|600|Defines if the LDAP server should answer with a warning when a password is about to expire in the specified delay. | ||
| 91 | |ads-pwdgraceauthnlimit|Integer|5|((( | ||
| 92 | When the password expires, this attribute defines the number of times the password is still usable before its definitive expiration. | ||
| 93 | |||
| 94 | //Note: DigDash Enterprise consumes one token of this counter to change the password. You should add 1 to the specified value regarding the real number of grace limit you want to specify: If ads-pwdgraceauthnlimit = 6, it means there are 5 logins allowed before expiration of the password. The warning messages take this offset into account.// | ||
| 95 | ))) | ||
| 96 | |ads-pwdgraceexpire|Integer (seconds)|0|((( | ||
| 97 | When the password expires, this attribute defines the remaining period of time when the password is still usable before its definitive expiration.. | ||
| 98 | |||
| 99 | **0**: no grace period | ||
| 100 | ))) | ||
| 101 | |ads-pwdmaxage|Integer (seconds)|0|((( | ||
| 102 | Maximum age of the password before expiration. | ||
| 103 | |||
| 104 | **0**: password never expires | ||
| 105 | ))) | ||
| 106 | |ads-pwdmaxidle|Integer (seconds)|0|Maximum idle time duration of the password. The password expires when this time is over. | ||
| 107 | |ads-pwdmustchange|Boolean|FALSE|**TRUE**: The password must be changed | ||
| 108 | |ads-pwdsafemodify|Boolean|FALSE|((( | ||
| 109 | For password change. | ||
| 110 | |||
| 111 | **TRUE**: The user must enter his previous password to change it. | ||
| 112 | |||
| 113 | **FALSE**: The user does not have to enter his previous password to change it. | ||
| 114 | |||
| 115 | //Note: DigDash Enterprise already forces the user to enter its previous password to change it. This parameter must be set to FALSE.// | ||
| 116 | ))) | ||
| 117 | |(% rowspan="4" %)**Other**|(% colspan="4" %)Other advanced functions and/or not supported. | ||
| 118 | |ads-pwdmindelay|Integer|0|Not supported | ||
| 119 | |ads-pwdmaxdelay|Integer|0|Not supported | ||
| 120 | |ads-pwdattribute|String|userPassword|((( | ||
| 121 | Name of the attribute where the password is stored in LDAP. | ||
| 122 | |||
| 123 | //Note: Changing this parameter is not recommened in DigDash Enterprise.// | ||
| 124 | ))) | ||
| 125 | |||
| 126 | (% class="box infomessage" %) | ||
| 127 | ((( | ||
| 128 | //Note: Changes of the password policy parameters are applied on the new passwords. Existing passwords keep the password policy that was in place when they were created.// | ||
| 129 | ))) | ||
| 130 | |||
| 131 | (% class="box warningmessage" %) | ||
| 132 | ((( | ||
| 133 | //Important: Version 2018R2 introduces the support for more secure SHA hashing algorithms than default SHA-1 for LDAP. Using one of the “salted” SHA algorithm (eg. SSHA…) can interfere with some feature of the password policy, like the password history constraint (ads-pwdinhistory). Actually, the salt is based on a random number to ensure that compromising one password would not compromise all stored hashed passwords. It also helps to limit effectiveness of brute-force dictionary attacks on the hashes. But that random number prevents LDAP from comparing a new password to the old ones in the password history. If this feature is mandatory, then we recommend using a not salted SHA algorithm like SHA-512 and a strong password.// | ||
| 134 | ))) | ||
| 135 | |||
| 136 | = Password Quality Configuration (Digdash Enterprise specific) = | ||
| 137 | |||
| 138 | By default DigDash Enterprise stores hashed passwords in LDAP. So LDAP does not know the original password entered by the user, and so can not check the its quality. | ||
| 139 | |||
| 140 | This check is done directly within DigDash Enterprise. | ||
| 141 | |||
| 142 | This chapter describes how to specify constraint on password within DigDash Enterprise. | ||
| 143 | |||
| 144 | Password quality rules are defined in the **passwordpolicyrepository.xml** file. | ||
| 145 | |||
| 146 | A default file is delivered with DigDash Enterprise, but does not define any constraint on user passwords. The default configuration file is located in the ddenterpriseapi web application folder but it is not recommended to directly modify it at this location, unless loosing the modification in a future DigDash Enterprise upgrade. | ||
| 147 | |||
| 148 | To modify the password quality rules the simplest procedure is: | ||
| 149 | |||
| 150 | 1. **Copy** the default file located at the following place: | ||
| 151 | <DDE Install>/apache-tomcat/webapps/**ddenterpriseapi**/WEB-INF/ classes/resources/config/**passwordpolicyrepository.xml | ||
| 152 | **to the following place: | ||
| 153 | <user>/Application Data/Enterprise Server/ddenterpriseapi/config/** passwordpolicyrepository.xml** | ||
| 154 | 1. **Modify** the copy with a text editor | ||
| 155 | 1. **Restart** the Tomcat server after the modification. | ||
| 156 | |||
| 157 | == File format of **passwordpolicyrepository.xml** == | ||
| 158 | |||
| 159 | The default file contains the following XML: | ||
| 160 | |||
| 161 | {{code language="XML"}} | ||
| 162 | <PasswordPolicyRepository> | ||
| 163 | <Rules> | ||
| 164 | <Profil>administrator</Profil> | ||
| 165 | <Pattern>.*</Pattern> | ||
| 166 | <MustHaveUpperCase>false</MustHaveUpperCase> | ||
| 167 | <MustHaveLowerCase>false</MustHaveLowerCase> | ||
| 168 | <MustHaveNumeric>false</MustHaveNumeric> | ||
| 169 | <MustHaveSpecialChar>false</MustHaveSpecialChar> | ||
| 170 | <MustNotContainID>false</MustNotContainID> | ||
| 171 | </Rules> | ||
| 172 | <Rules> | ||
| 173 | <Profil>user</Profil> | ||
| 174 | <Pattern>.*</Pattern> | ||
| 175 | <MustHaveUpperCase>false</MustHaveUpperCase> | ||
| 176 | <MustHaveLowerCase>false</MustHaveLowerCase> | ||
| 177 | <MustHaveNumeric>false</MustHaveNumeric> | ||
| 178 | <MustHaveSpecialChar>false</MustHaveSpecialChar> | ||
| 179 | <MustNotContainID>false</MustNotContainID> | ||
| 180 | </Rules> | ||
| 181 | </PasswordPolicyRepository> | ||
| 182 | {{/code}} | ||
| 183 | |||
| 184 | |||
| 185 | It defines two rules, one for the DigDash Enterprise administrator profile (admin...), and the other for the profile of the other users. The two rules have the same syntax. | ||
| 186 | |||
| 187 | These two profiles will allow to specify a different password quality for the administrators and the regular users. | ||
| 188 | |||
| 189 | == Rule parameters == | ||
| 190 | |||
| 191 | |**Parameter**|**Type**|**Default value**|**Description** | ||
| 192 | |Profil|String|((( | ||
| 193 | administrator | ||
| 194 | |||
| 195 | user | ||
| 196 | )))|((( | ||
| 197 | Name of the user profile concerned by this rule: | ||
| 198 | |||
| 199 | **administrator**: the rule applies to the DigDash Enterprise administrators (admin...) | ||
| 200 | |||
| 201 | **user**: the rule applies to all other regular DigDash Enterprise users. | ||
| 202 | |||
| 203 | //Note: At this time no other value will be accepted by DigDash Enterprise.// | ||
| 204 | ))) | ||
| 205 | |Pattern|String (regular expression)|.*|((( | ||
| 206 | Optional regular expression to allow a more complex password syntax constraint, in addition to the other parameters (See next chapter). | ||
| 207 | |||
| 208 | **.***: any syntax allowed. | ||
| 209 | |||
| 210 | If the password doe not comply to the regular expression, it is rejected whatever its compliance with the other parameter of the rule. | ||
| 211 | ))) | ||
| 212 | |MustHaveUpperCase|Boolean|false|((( | ||
| 213 | **true**: password must contain at least one upper-case letter. | ||
| 214 | |||
| 215 | **false**: password may contain upper-case letters or not. | ||
| 216 | ))) | ||
| 217 | |MustHaveLowerCase|Boolean|false|((( | ||
| 218 | **true**: password must contain at least one lower-case letter. | ||
| 219 | |||
| 220 | **false**: password may contain lower-case letters or not. | ||
| 221 | ))) | ||
| 222 | |MustHaveNumeric|Boolean|false|((( | ||
| 223 | **true**: password must contain at least one digit. | ||
| 224 | |||
| 225 | **false**: password may contain digits or not. | ||
| 226 | ))) | ||
| 227 | |MustHaveSpecialChar|Boolean|false|((( | ||
| 228 | **true**: password must contain at least one character which is not a letter or a digit. | ||
| 229 | |||
| 230 | **false**: password may contain only letters and/or digits. | ||
| 231 | ))) | ||
| 232 | |MustNotContainID|Boolean|false|((( | ||
| 233 | **true**: password must not contain the identifier of the user. | ||
| 234 | |||
| 235 | **false**: password may contain the identifier of the user. | ||
| 236 | ))) | ||
| 237 | |||
| 238 | == Advance grammar with the Pattern parameter (regular expressions) == | ||
| 239 | |||
| 240 | The **Pattern** parameter is used to specify complex constraints on passwords by using regular expressions syntax. | ||
| 241 | |||
| 242 | This document is not a reference on regular expressions. We will give only some examples of expression that can be useful in frequent cases. | ||
| 243 | |||
| 244 | For a reference on regular expression, we are using **Java Regex** when checking the pattern. | ||
| 245 | |||
| 246 | Examples: | ||
| 247 | |||
| 248 | * All strings: **.*** | ||
| 249 | * Specify a minimum string length: **.{8,}** | ||
| 250 | * Specify a minimum and maximum string length: **.{8,20}** | ||
| 251 | * Forbid spaces and tabs: **(?=\S+$).*** | ||
| 252 | * At least one digit: **(?=.*[0-9]).*** | ||
| 253 | * At least one lower-case letter: **(?=.*[a-z]).*** | ||
| 254 | * At least one upper-case letter: **(?=.*[A-Z]).*** | ||
| 255 | * At least one special character: **(?=.*[@#$%^&+=_\-]).*** | ||
| 256 | |||
| 257 | It is possible to group these expressions in one regular expression, for instance: | ||
| 258 | |||
| 259 | **((?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=])(?=\S+$).{8,})** | ||
| 260 | |||
| 261 | (Note the parenthesis surrounding the combined expression) | ||
| 262 | |||
| 263 | (% class="box infomessage" %) | ||
| 264 | ((( | ||
| 265 | //Note: Password quality check starts with the pattern validation. If the password does not match the pattern constraints the other simple parameters ("Must...") will not be checked.// | ||
| 266 | ))) |