Last modified by jhurst on 2021/04/21 10:01
Show last authors
1 This document describes the configuration of a password policy for DigDash Enterprise.
2
3 The password policy configuration is separated in two parts:
4
5 * The strategies of **protection**, **life cycle**, and a part of the password **quality** are defined directly in the LDAP server natively supported by DigDash Enterprise (OpenLDAP 2.0+)
6 * The password **quality** rules (syntax) are defined in a configuration file in DigDash Enterprise.
7
8 For the LDAP configuration part, we recommend the use of the software **Apache Directory Studio**.
9
10 {{ddtoc/}}
11
12 = Accessing LDAP Password Policy =
13
14 The password policy in LDAP is enabled through an LDAP interceptor (enabled by default). To configure it you can connect to the DigDash Enterprise LDAP with **Apache Directory Studio**, with an LDAP administrator user.
15
16 Once connected, expand the following nodes (see screenshot for more details):
17
18 * ou=config
19 * ads-directoryServiceId=default
20 * ou=interceptors
21 * ads-interceptorId=authenticationInterceptor
22 * ou=passwordPolicies
23 * ads-pwdId=default
24
25 [[image:password_policy_config_en_html_80a5c082d8dd5d70.png||queryString="width=544&height=372" height="372" width="544"]]
26
27
28 == Main attributes description ==
29
30 The following table describes the main attributes used to configure the password policy in Apache Directory Server:
31
32
33 |**Function**|**Attribute**|**Type**|**Default value**|**Description**
34 |(% rowspan="5" %)**Protection**|(% colspan="4" %)Password protection against attacks. Lock the password after a certain number of unsuccessful attempts to log in occur.
35 |ads-pwdlockout|Boolean|TRUE|(((
36 **TRUE**: Enable password lock
37
38 **FALSE**: disable password lock
39 )))
40 |ads-pwdlockoutduration|Integer (seconds)|0|(((
41 Defines the duration of the password lock.
42
43 **0**: infinite duration: An LDAP admin must unlock the password of the account.
44 )))
45 |ads-pwdfailurecountinterval|Integer (seconds)|30|Defines the delay before the unsuccessful log in attempts counter is reset.
46 |ads-pwdmaxfailure|Integer|5|If the password lock is enabled (ads-pwdlockout = TRUE), this attribute defines the number of log in failures that will lock the password.
47 |(% rowspan="6" %)**Quality**|(% colspan="4" %)(((
48 Password quality rules
49
50 //Note: By default DigDash Enterprise stores hashed passwords in LDAP. So LDAP does not know the original password entered by the user, and so can not check the its quality.//
51
52 //This check is done directly within DigDash Enterprise (see following chapter in this document).//
53
54 //The following attributes are documented for the case when the default behaviour would be modified. However, some of them are used (eg. history).//
55 )))
56 |ads-pwdcheckquality|Integer|1|(((
57 Type of password quality:
58
59 **0**: Password quality is not checked
60
61 **1**: Password quality is checked when it is possible (not hashed). If the password is hashed, or in a form impossible to check, the password is accepted.
62
63 **2**: Password quality is always checked. If the password is hashed, or in a form impossible to check, the password is rejected.
64
65 //Note: Password quality check is done directly within DigDash Enterprise. You must leave this attribute to 0 or 1.//
66 )))
67 |ads-pwdinhistory|Integer|5|LDAP can keep a history of previous passwords for a user. This attribute defines the number of history entries.
68 |ads-pwdminage|Integer (seconds)|0|If the password history is enabled this attribute defines the minimal delay between two successive password changes.
69 |ads-pwdminlength|Integer (characters)|1|(((
70 This attribute defines the minimum length of the password in characters.
71
72 //Note: Password quality check is done directly within DigDash Enterprise. You must leave this attribute to 1//
73 )))
74 |ads-pwdmaxlength|Integer (characters)|0|(((
75 This attribute defines the maximum length of the password in characters.
76
77 //Note: Password quality check is done directly within DigDash Enterprise. You must leave this attribute to 0.//
78 )))
79 |(% rowspan="9" %)**Life Cycle**|(% colspan="4" %)Password life cycle management.
80 |ads-pwdallowuserchange|Boolean|TRUE|(((
81 **TRUE**: The user can change its own password.
82
83 **FALSE**: The user can not change its own password.
84 )))
85 |ads-pwdexpirewarning|Integer (seconds)|600|Defines if the LDAP server should answer with a warning when a password is about to expire in the specified delay.
86 |ads-pwdgraceauthnlimit|Integer|5|(((
87 When the password expires, this attribute defines the number of times the password is still usable before its definitive expiration.
88
89 //Note: DigDash Enterprise consumes one token of this counter to change the password. You should add 1 to the specified value regarding the real number of grace limit you want to specify: If ads-pwdgraceauthnlimit = 6, it means there are 5 logins allowed before expiration of the password. The warning messages take this offset into account.//
90 )))
91 |ads-pwdgraceexpire|Integer (seconds)|0|(((
92 When the password expires, this attribute defines the remaining period of time when the password is still usable before its definitive expiration..
93
94 **0**: no grace period
95 )))
96 |ads-pwdmaxage|Integer (seconds)|0|(((
97 Maximum age of the password before expiration.
98
99 **0**: password never expires
100 )))
101 |ads-pwdmaxidle|Integer (seconds)|0|Maximum idle time duration of the password. The password expires when this time is over.
102 |ads-pwdmustchange|Boolean|FALSE|**TRUE**: The password must be changed
103 |ads-pwdsafemodify|Boolean|FALSE|(((
104 For password change.
105
106 **TRUE**: The user must enter his previous password to change it.
107
108 **FALSE**: The user does not have to enter his previous password to change it.
109
110 //Note: DigDash Enterprise already forces the user to enter its previous password to change it. This parameter must be set to FALSE.//
111 )))
112 |(% rowspan="4" %)**Other**|(% colspan="4" %)Other advanced functions and/or not supported.
113 |ads-pwdmindelay|Integer|0|Not supported
114 |ads-pwdmaxdelay|Integer|0|Not supported
115 |ads-pwdattribute|String|userPassword|(((
116 Name of the attribute where the password is stored in LDAP.
117
118 //Note: Changing this parameter is not recommened in DigDash Enterprise.//
119 )))
120
121 (% class="box infomessage" %)
122 (((
123 //Note: Changes of the password policy parameters are applied on the new passwords. Existing passwords keep the password policy that was in place when they were created.//
124 )))
125
126 = Password Quality Configuration (Digdash Enterprise specific) =
127
128 By default DigDash Enterprise stores hashed passwords in LDAP. So LDAP does not know the original password entered by the user, and so can not check the its quality.
129
130 This check is done directly within DigDash Enterprise.
131
132 This chapter describes how to specify constraint on password within DigDash Enterprise.
133
134 Password quality rules are defined in the **passwordpolicyrepository.xml** file.
135
136 A default file is delivered with DigDash Enterprise, but does not define any constraint on user passwords. The default configuration file is located in the ddenterpriseapi web application folder but it is not recommended to directly modify it at this location, unless loosing the modification in a future DigDash Enterprise upgrade.
137
138 To modify the password quality rules the simplest procedure is:
139
140 1. **Copy** the default file located at the following place:
141 <DDE Install>/apache-tomcat/webapps/**ddenterpriseapi**/WEB-INF/ classes/resources/config/**passwordpolicyrepository.xml
142 **to the following place:
143 <user>/Application Data/Enterprise Server/ddenterpriseapi/config/**  passwordpolicyrepository.xml**
144 1. **Modify** the copy with a text editor
145 1. **Restart** the Tomcat server after the modification.
146
147 == File format of **passwordpolicyrepository.xml** ==
148
149 The default file contains the following XML:
150
151 {{code language="XML"}}
152 <PasswordPolicyRepository>
153 <Rules>
154 <Profil>administrator</Profil>
155 <Pattern>.*</Pattern>
156 <MustHaveUpperCase>false</MustHaveUpperCase>
157 <MustHaveLowerCase>false</MustHaveLowerCase>
158 <MustHaveNumeric>false</MustHaveNumeric>
159 <MustHaveSpecialChar>false</MustHaveSpecialChar>
160 <MustNotContainID>false</MustNotContainID>
161 </Rules>
162 <Rules>
163 <Profil>user</Profil>
164 <Pattern>.*</Pattern>
165 <MustHaveUpperCase>false</MustHaveUpperCase>
166 <MustHaveLowerCase>false</MustHaveLowerCase>
167 <MustHaveNumeric>false</MustHaveNumeric>
168 <MustHaveSpecialChar>false</MustHaveSpecialChar>
169 <MustNotContainID>false</MustNotContainID>
170 </Rules>
171 </PasswordPolicyRepository>
172 {{/code}}
173
174
175 It defines two rules, one for the DigDash Enterprise administrator profile (admin...), and the other for the profile of the other users. The two rules have the same syntax.
176
177 These two profiles will allow to specify a different password quality for the administrators and the regular users.
178
179 == Rule parameters ==
180
181 |**Parameter**|**Type**|**Default value**|**Description**
182 |Profil|String|(((
183 administrator
184
185 user
186 )))|(((
187 Name of the user profile concerned by this rule:
188
189 **administrator**: the rule applies to the DigDash Enterprise administrators (admin...)
190
191 **user**: the rule applies to all other regular DigDash Enterprise users.
192
193 //Note: At this time no other value will be accepted by DigDash Enterprise.//
194 )))
195 |Pattern|String (regular expression)|.*|(((
196 Optional regular expression to allow a more complex password syntax constraint, in addition to the other parameters (See next chapter).
197
198 **.***: any syntax allowed.
199
200 If the password doe not comply to the regular expression, it is rejected whatever its compliance with the other parameter of the rule.
201 )))
202 |MustHaveUpperCase|Boolean|false|(((
203 **true**: password must contain at least one upper-case letter.
204
205 **false**: password may contain upper-case letters or not.
206 )))
207 |MustHaveLowerCase|Boolean|false|(((
208 **true**: password must contain at least one lower-case letter.
209
210 **false**: password may contain lower-case letters or not.
211 )))
212 |MustHaveNumeric|Boolean|false|(((
213 **true**: password must contain at least one digit.
214
215 **false**: password may contain digits or not.
216 )))
217 |MustHaveSpecialChar|Boolean|false|(((
218 **true**: password must contain at least one character which is not a letter or a digit.
219
220 **false**: password may contain only letters and/or digits.
221 )))
222 |MustNotContainID|Boolean|false|(((
223 **true**: password must not contain the identifier of the user.
224
225 **false**: password may contain the identifier of the user.
226 )))
227
228 == Advance grammar with the Pattern parameter (regular expressions) ==
229
230 The **Pattern** parameter is used to specify complex constraints on passwords by using regular expressions syntax.
231
232 This document is not a reference on regular expressions. We will give only some examples of expression that can be useful in frequent cases.
233
234 For a reference on regular expression, we are using **Java Regex** when checking the pattern.
235
236 Examples:
237
238 * All strings: **.***
239 * Specify a minimum string length: **.{8,}**
240 * Specify a minimum and maximum string length: **.{8,20}**
241 * Forbid spaces and tabs: **(?=\S+$).***
242 * At least one digit: **(?=.*[0-9]).***
243 * At least one lower-case letter: **(?=.*[a-z]).***
244 * At least one upper-case letter: **(?=.*[A-Z]).***
245 * At least one special character: **(?=.*[@#$%^&+=_\-]).***
246
247 It is possible to group these expressions in one regular expression, for instance:
248
249 **((?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=])(?=\S+$).{8,})**
250
251 (Note the parenthesis surrounding the combined expression)
252
253 (% class="box infomessage" %)
254 (((
255 //Note: Password quality check starts with the pattern validation. If the password does not match the pattern constraints the other simple parameters ("Must...") will not be checked.//
256 )))
257
258 == Error Messages ==
259
260 Parameters **Pattern**, **MustHaveUpperCase**, **MustHaveLowerCase**, **MustHaveNumeric**, **MustHaveSpecialChar **and **MustNotContainID** can specify an optional attribute **msg** that will be displayed if the corresponding rule is not respected when the user enter a new password.
261
262 Example:
263
264 {{code cssClass="XML" language="XML"}}
265 <PasswordPolicyRepository>
266    <Rules>
267        <Profil>administrator</Profil>
268        <Pattern msg="At least 8 characters">.{8,}</Pattern>
269        <MustHaveUpperCase msg="At least one uppercase character">true</MustHaveUpperCase>
270        <MustHaveLowerCase msg="At least one lowercase character">true</MustHaveLowerCase>
271        <MustHaveNumeric msg="At least one number character">true</MustHaveNumeric>
272        <MustHaveSpecialChar msg="At least one special character">true</MustHaveSpecialChar>
273        <MustNotContainID msg="Can not contain your user ID">true</MustNotContainID>
274    </Rules>
275 </PasswordPolicyRepository>
276 {{/code}}
277
278