Wiki source code of Configuration d'une politique de mots de passe

Last modified by jhurst on 2020/10/29 13:32

version	line-number	content
3.1	1	This document describes the configuration of a password policy for DigDash Enterprise.
1.1	2
3.1	3	The password policy configuration is separated in two parts:
1.1	4
3.1	5	* The strategies of protection, life cycle, and a part of the password quality are defined directly in the LDAP server natively supported by DigDash Enterprise (OpenLDAP 2.0+)
	6	* The password quality rules (syntax) are defined in a configuration file in DigDash Enterprise.
1.1	7
3.1	8	For the LDAP configuration part, we recommend the use of the software Apache Directory Studio.
1.1	9
3.1	10	{{ddtoc/}}
1.1	11
3.1	12	= Accessing LDAP Password Policy =
1.1	13
3.1	14	The password policy in LDAP is enabled through an LDAP interceptor (enabled by default). To configure it you can connect to the DigDash Enterprise LDAP with Apache Directory Studio, with an LDAP administrator user.
1.1	15
3.1	16	Once connected, expand the following nodes (see screenshot for more details):
1.1	17
	18	* ou=config
3.1	19	* ads-directoryServiceId=default
	20	* ou=interceptors
	21	* ads-interceptorId=authenticationInterceptor
	22	* ou=passwordPolicies
	23	* ads-pwdId=default
1.1	24
3.1	25	[[image:password_policy_config_en_html_80a5c082d8dd5d70.png\|\|queryString="width=544&height=372" height="372" width="544"]]
	26
1.1	27
3.1	28	== Main attributes description ==
1.1	29
3.1	30	The following table describes the main attributes used to configure the password policy in Apache Directory Server:
1.1	31
	32
3.1	33	\|Function\|Attribute\|Type\|Default value\|Description
	34	\|(% rowspan="5" %)Protection\|(% colspan="4" %)Password protection against attacks. Lock the password after a certain number of unsuccessful attempts to log in occur.
	35	\|ads-pwdlockout\|Boolean\|TRUE\|(((
	36	TRUE: Enable password lock
	37
	38	FALSE: disable password lock
1.1	39	)))
3.1	40	\|ads-pwdlockoutduration\|Integer (seconds)\|0\|(((
	41	Defines the duration of the password lock.
1.1	42
3.1	43	0: infinite duration: An LDAP admin must unlock the password of the account.
1.1	44	)))
3.1	45	\|ads-pwdfailurecountinterval\|Integer (seconds)\|30\|Defines the delay before the unsuccessful log in attempts counter is reset.
	46	\|ads-pwdmaxfailure\|Integer\|5\|If the password lock is enabled (ads-pwdlockout = TRUE), this attribute defines the number of log in failures that will lock the password.
	47	\|(% rowspan="6" %)Quality\|(% colspan="4" %)(((
	48	Password quality rules
1.1	49
3.1	50	//Note: By default DigDash Enterprise stores hashed passwords in LDAP. So LDAP does not know the original password entered by the user, and so can not check the its quality.//
1.1	51
3.1	52	//This check is done directly within DigDash Enterprise (see following chapter in this document).//
1.1	53
3.1	54	//The following attributes are documented for the case when the default behaviour would be modified. However, some of them are used (eg. history).//
1.1	55	)))
3.1	56	\|ads-pwdcheckquality\|Integer\|1\|(((
	57	Type of password quality:
1.1	58
3.1	59	0: Password quality is not checked
1.1	60
3.1	61	1: Password quality is checked when it is possible (not hashed). If the password is hashed, or in a form impossible to check, the password is accepted.
1.1	62
3.1	63	2: Password quality is always checked. If the password is hashed, or in a form impossible to check, the password is rejected.
1.1	64
3.1	65	//Note: Password quality check is done directly within DigDash Enterprise. You must leave this attribute to 0 or 1.//
1.1	66	)))
3.1	67	\|ads-pwdinhistory\|Integer\|5\|LDAP can keep a history of previous passwords for a user. This attribute defines the number of history entries.
	68	\|ads-pwdminage\|Integer (seconds)\|0\|If the password history is enabled this attribute defines the minimal delay between two successive password changes.
	69	\|ads-pwdminlength\|Integer (characters)\|1\|(((
	70	This attribute defines the minimum length of the password in characters.
1.1	71
3.1	72	//Note: Password quality check is done directly within DigDash Enterprise. You must leave this attribute to 1//
1.1	73	)))
3.1	74	\|ads-pwdmaxlength\|Integer (characters)\|0\|(((
	75	This attribute defines the maximum length of the password in characters.
1.1	76
3.1	77	//Note: Password quality check is done directly within DigDash Enterprise. You must leave this attribute to 0.//
1.1	78	)))
3.1	79	\|(% rowspan="9" %)Life Cycle\|(% colspan="4" %)Password life cycle management.
	80	\|ads-pwdallowuserchange\|Boolean\|TRUE\|(((
	81	TRUE: The user can change its own password.
1.1	82
3.1	83	FALSE: The user can not change its own password.
1.1	84	)))
3.1	85	\|ads-pwdexpirewarning\|Integer (seconds)\|600\|Defines if the LDAP server should answer with a warning when a password is about to expire in the specified delay.
	86	\|ads-pwdgraceauthnlimit\|Integer\|5\|(((
	87	When the password expires, this attribute defines the number of times the password is still usable before its definitive expiration.
1.1	88
3.1	89	//Note: DigDash Enterprise consumes one token of this counter to change the password. You should add 1 to the specified value regarding the real number of grace limit you want to specify: If ads-pwdgraceauthnlimit = 6, it means there are 5 logins allowed before expiration of the password. The warning messages take this offset into account.//
1.1	90	)))
3.1	91	\|ads-pwdgraceexpire\|Integer (seconds)\|0\|(((
	92	When the password expires, this attribute defines the remaining period of time when the password is still usable before its definitive expiration..
1.1	93
3.1	94	0: no grace period
1.1	95	)))
3.1	96	\|ads-pwdmaxage\|Integer (seconds)\|0\|(((
	97	Maximum age of the password before expiration.
1.1	98
3.1	99	0: password never expires
1.1	100	)))
3.1	101	\|ads-pwdmaxidle\|Integer (seconds)\|0\|Maximum idle time duration of the password. The password expires when this time is over.
	102	\|ads-pwdmustchange\|Boolean\|FALSE\|TRUE: The password must be changed
	103	\|ads-pwdsafemodify\|Boolean\|FALSE\|(((
	104	For password change.
1.1	105
3.1	106	TRUE: The user must enter his previous password to change it.
1.1	107
3.1	108	FALSE: The user does not have to enter his previous password to change it.
1.1	109
3.1	110	//Note: DigDash Enterprise already forces the user to enter its previous password to change it. This parameter must be set to FALSE.//
1.1	111	)))
3.1	112	\|(% rowspan="4" %)Other\|(% colspan="4" %)Other advanced functions and/or not supported.
	113	\|ads-pwdmindelay\|Integer\|0\|Not supported
	114	\|ads-pwdmaxdelay\|Integer\|0\|Not supported
	115	\|ads-pwdattribute\|String\|userPassword\|(((
	116	Name of the attribute where the password is stored in LDAP.
1.1	117
3.1	118	//Note: Changing this parameter is not recommened in DigDash Enterprise.//
1.1	119	)))
	120
	121	(% class="box infomessage" %)
	122	(((
3.1	123	//Note: Changes of the password policy parameters are applied on the new passwords. Existing passwords keep the password policy that was in place when they were created.//
1.1	124	)))
	125
3.1	126	= Password Quality Configuration (Digdash Enterprise specific) =
1.1	127
3.1	128	By default DigDash Enterprise stores hashed passwords in LDAP. So LDAP does not know the original password entered by the user, and so can not check the its quality.
1.1	129
3.1	130	This check is done directly within DigDash Enterprise.
1.1	131
3.1	132	This chapter describes how to specify constraint on password within DigDash Enterprise.
1.1	133
3.1	134	Password quality rules are defined in the passwordpolicyrepository.xml file.
1.1	135
3.1	136	A default file is delivered with DigDash Enterprise, but does not define any constraint on user passwords. The default configuration file is located in the ddenterpriseapi web application folder but it is not recommended to directly modify it at this location, unless loosing the modification in a future DigDash Enterprise upgrade.
1.1	137
3.1	138	To modify the password quality rules the simplest procedure is:
1.1	139
3.1	140	1. Copy the default file located at the following place:
	141	<DDE Install>/apache-tomcat/webapps/ddenterpriseapi/WEB-INF/ classes/resources/config/**passwordpolicyrepository.xml
	142	**to the following place:
	143	<user>/Application Data/Enterprise Server/ddenterpriseapi/config/ passwordpolicyrepository.xml
	144	1. Modify the copy with a text editor
	145	1. Restart the Tomcat server after the modification.
1.1	146
3.1	147	== File format of passwordpolicyrepository.xml ==
1.1	148
3.1	149	The default file contains the following XML:
	150
1.1	151	{{code language="XML"}}
	152	<PasswordPolicyRepository>
	153	<Rules>
	154	<Profil>administrator</Profil>
	155	<Pattern>.*</Pattern>
	156	<MustHaveUpperCase>false</MustHaveUpperCase>
	157	<MustHaveLowerCase>false</MustHaveLowerCase>
	158	<MustHaveNumeric>false</MustHaveNumeric>
	159	<MustHaveSpecialChar>false</MustHaveSpecialChar>
	160	<MustNotContainID>false</MustNotContainID>
	161	</Rules>
	162	<Rules>
	163	<Profil>user</Profil>
	164	<Pattern>.*</Pattern>
3.1	165	<MustHaveUpperCase>false</MustHaveUpperCase>
1.1	166	<MustHaveLowerCase>false</MustHaveLowerCase>
	167	<MustHaveNumeric>false</MustHaveNumeric>
	168	<MustHaveSpecialChar>false</MustHaveSpecialChar>
	169	<MustNotContainID>false</MustNotContainID>
	170	</Rules>
	171	</PasswordPolicyRepository>
	172	{{/code}}
	173
	174
3.1	175	It defines two rules, one for the DigDash Enterprise administrator profile (admin...), and the other for the profile of the other users. The two rules have the same syntax.
1.1	176
3.1	177	These two profiles will allow to specify a different password quality for the administrators and the regular users.
1.1	178
3.1	179	== Rule parameters ==
1.1	180
3.1	181	\|Parameter\|Type\|Default value\|Description
	182	\|Profil\|String\|(((
1.1	183	administrator
	184
	185	user
	186	)))\|(((
3.1	187	Name of the user profile concerned by this rule:
1.1	188
3.1	189	administrator: the rule applies to the DigDash Enterprise administrators (admin...)
1.1	190
3.1	191	user: the rule applies to all other regular DigDash Enterprise users.
1.1	192
3.1	193	//Note: At this time no other value will be accepted by DigDash Enterprise.//
1.1	194	)))
3.1	195	\|Pattern\|String (regular expression)\|.*\|(((
	196	Optional regular expression to allow a more complex password syntax constraint, in addition to the other parameters (See next chapter).
1.1	197
3.1	198	.*: any syntax allowed.
1.1	199
3.1	200	If the password doe not comply to the regular expression, it is rejected whatever its compliance with the other parameter of the rule.
1.1	201	)))
3.1	202	\|MustHaveUpperCase\|Boolean\|false\|(((
	203	true: password must contain at least one upper-case letter.
1.1	204
3.1	205	false: password may contain upper-case letters or not.
1.1	206	)))
3.1	207	\|MustHaveLowerCase\|Boolean\|false\|(((
	208	true: password must contain at least one lower-case letter.
1.1	209
3.1	210	false: password may contain lower-case letters or not.
1.1	211	)))
3.1	212	\|MustHaveNumeric\|Boolean\|false\|(((
	213	true: password must contain at least one digit.
1.1	214
3.1	215	false: password may contain digits or not.
1.1	216	)))
3.1	217	\|MustHaveSpecialChar\|Boolean\|false\|(((
	218	true: password must contain at least one character which is not a letter or a digit.
1.1	219
3.1	220	false: password may contain only letters and/or digits.
1.1	221	)))
3.1	222	\|MustNotContainID\|Boolean\|false\|(((
	223	true: password must not contain the identifier of the user.
1.1	224
3.1	225	false: password may contain the identifier of the user.
1.1	226	)))
	227
3.1	228	== Advance grammar with the Pattern parameter (regular expressions) ==
1.1	229
3.1	230	The Pattern parameter is used to specify complex constraints on passwords by using regular expressions syntax.
1.1	231
3.1	232	This document is not a reference on regular expressions. We will give only some examples of expression that can be useful in frequent cases.
1.1	233
3.1	234	For a reference on regular expression, we are using Java Regex when checking the pattern.
1.1	235
3.1	236	Examples:
1.1	237
3.1	238	* All strings: .*
	239	* Specify a minimum string length: .{8,}
	240	* Specify a minimum and maximum string length: .{8,20}
	241	* Forbid spaces and tabs: (?=\S+$).*
	242	* At least one digit: *(?=.[0-9]).***
	243	* At least one lower-case letter: *(?=.[a-z]).***
	244	* At least one upper-case letter: *(?=.[A-Z]).***
	245	* At least one special character: *(?=.[@#$%^&+=_\-]).***
1.1	246
3.1	247	It is possible to group these expressions in one regular expression, for instance:
1.1	248
	249	*((?=.[0-9])(?=.[a-z])(?=.[A-Z])(?=.[@#$%^&+=])(?=\S+$).{8,})*
	250
3.1	251	(Note the parenthesis surrounding the combined expression)
1.1	252
	253	(% class="box infomessage" %)
	254	(((
3.1	255	//Note: Password quality check starts with the pattern validation. If the password does not match the pattern constraints the other simple parameters ("Must...") will not be checked.//
1.1	256	)))
	257
3.1	258	== Error Messages ==
1.1	259
3.1	260	Parameters Pattern, MustHaveUpperCase, MustHaveLowerCase, MustHaveNumeric, MustHaveSpecialChar and MustNotContainID can specify an optional attribute msg that will be displayed if the corresponding rule is not respected when the user enter a new password.
1.1	261
3.1	262	Example:
1.1	263
3.1	264	{{code cssClass="XML" language="XML"}}
1.1	265	<PasswordPolicyRepository>
3.1	266	<Rules>
	267	<Profil>administrator</Profil>
	268	<Pattern msg="At least 8 characters">.{8,}</Pattern>
	269	<MustHaveUpperCase msg="At least one uppercase character">true</MustHaveUpperCase>
	270	<MustHaveLowerCase msg="At least one lowercase character">true</MustHaveLowerCase>
	271	<MustHaveNumeric msg="At least one number character">true</MustHaveNumeric>
	272	<MustHaveSpecialChar msg="At least one special character">true</MustHaveSpecialChar>
	273	<MustNotContainID msg="Can not contain your user ID">true</MustNotContainID>
	274	</Rules>
1.1	275	</PasswordPolicyRepository>
	276	{{/code}}
	277
	278

Wiki source code of Configuration d'une politique de mots de passe

Sommaire