Last modified by Aurelie Bertrand on 2026/01/12 16:46

{{ddtoc/}}

----

This document describes how to set up a password policy.

The password policy is set in two places:

* The **protection** and **lifecycle** policies, and some of the password **quality** constraints, are defined directly in the LDAP directory supplied as standard (OpenLDAP 2.0+).
* The password **quality** rules (syntax) are defined in a DigDash Enterprise configuration file.

We recommend using **Apache Directory Studio** for LDAP configuration.

= Accessing the LDAP password policy =

The password policy in LDAP is implemented by an LDAP interceptor. To configure it, connect to the LDAP server with **Apache Directory Studio**, using an LDAP admin user.

Once connected, unfold the following nodes (see the screenshot for more details):

* ou=config
** ads-directoryServiceId=default
*** ou=interceptors
**** ads-interceptorId=authenticationInterceptor
***** ou=passwordPolicies
****** ads-pwdId=default

[[image:password_policy_config_fr_html_afcf25c35c161b74.png||queryString="width=544&height=372" height="372" width="544"]]
28
== Description of main attributes ==

The following table describes the main attributes that can be used to configure a password policy in Apache Directory Server:

|**Function**|**Attribute**|**Type**|**Default value**|**Description**
|(% rowspan="5" %)**Protection**|(% colspan="4" %)Password protection in the event of attacks. Locks the password after a certain number of failed connection attempts.
|ads-pwdlockout|Boolean|TRUE|(((
**TRUE**: Enables the password lockout function

**FALSE**: Disables the password lockout function
)))
|ads-pwdlockoutduration|Integer (seconds)|0|(((
Determines the lockout time after too many unsuccessful password entry attempts.

**0**: infinite lockout: an LDAP administrator will have to unlock the password.
)))
|ads-pwdfailurecountinterval|Integer (seconds)|30|Determines the time after which the counter of unsuccessful attempts is purged.
|ads-pwdmaxfailure|Integer|5|If the password lockout function is enabled (ads-pwdlockout = TRUE), this attribute determines the number of successive failures that will lock the password.
|(% rowspan="6" %)**Quality**|(% colspan="4" %)(((
Password quality rules

//Note: By default, DigDash Enterprise stores passwords in LDAP in a "hashed" format. As a result, LDAP does not have the original password entered by the user and cannot check its quality.//

//This control is carried out directly in DigDash (see the next chapter of this document).//

//The following attributes are documented in case this default behaviour is changed. Some of them are used anyway (e.g. history).//
)))
|ads-pwdcheckquality|Integer|1|(((
Type of password quality check:

**0**: Password quality is not checked.

**1**: Quality is checked if possible (password not hashed). If the password is hashed, or in a form that cannot be evaluated, the password is accepted.

**2**: Quality is always checked. If the password is hashed or in a form that cannot be evaluated, the password is rejected.

//Note: Password quality control is performed in DigDash Enterprise. The value of this attribute should be left at 0 or 1.//
)))
|ads-pwdinhistory|Integer|5|LDAP can keep a history of the passwords used by a user. This attribute determines the number of entries in this history.
|ads-pwdminage|Integer (seconds)|0|If the password history is active, this attribute determines the minimum delay between two password changes.
|ads-pwdminlength|Integer (characters)|1|(((
This attribute determines the minimum length of the password in characters.

//Note: Password quality control is performed in DigDash Enterprise. The value of this attribute should be left at 1.//
)))
|ads-pwdmaxlength|Integer (characters)|0|(((
This attribute determines the maximum length of the password in characters.

//Note: Password quality control is performed in DigDash Enterprise. The value of this attribute should be left at 0.//
)))
|(% rowspan="9" %)**Lifecycle**|(% colspan="4" %)Password life cycle management.
|ads-pwdallowuserchange|Boolean|TRUE|(((
**TRUE**: The user can change their password.

**FALSE**: The user cannot change their password.
)))
|ads-pwdexpirewarning|Integer (seconds)|600|Time before expiry at which the LDAP server starts sending a warning that the password is about to expire.
|ads-pwdgraceauthnlimit|Integer|5|(((
If the password has expired, this attribute determines the number of times the user can still use it before it finally expires.

//Note: DigDash Enterprise consumes a token from this counter to change the password. You should therefore add 1 to this value to reflect the actual number of attempts you wish to allow: if ads-pwdgraceauthnlimit = 6, this corresponds to 5 actual attempts by the user. Warning messages take this offset into account.//
)))
|ads-pwdgraceexpire|Integer (seconds)|0|(((
If the password has expired, this attribute determines how long the user can still use it before it finally expires.

**0**: no delay
)))
|ads-pwdmaxage|Integer (seconds)|0|(((
Length of time before the password expires.

**0**: the password never expires.
)))
|ads-pwdmaxidle|Integer (seconds)|0|Maximum inactivity time for the password. Once this time has elapsed, the password expires.
|ads-pwdmustchange|Boolean|FALSE|**TRUE**: the password must be changed.
|ads-pwdsafemodify|Boolean|FALSE|(((
When changing the password:

**TRUE**: The user must enter their current password before the change is made.

**FALSE**: The user does not need to enter their current password before the change.

//Note: DigDash Enterprise already forces the current password to be entered before it is changed. This setting should remain FALSE.//
)))
|(% rowspan="4" %)**Other**|(% colspan="4" %)Other advanced and/or unsupported features
|ads-pwdmindelay|Integer|0|Not supported
|ads-pwdmaxdelay|Integer|0|Not supported
|ads-pwdattribute|String|userPassword|(((
Name of the attribute in which the password is stored in the LDAP directory.

//Note: Changing this parameter is not recommended in DigDash Enterprise.//
)))

(% class="box infomessage" %)
(((
//NB: Changes to LDAP password policy settings are only applied to new passwords. Existing passwords retain the password policy they had when they were created.//
)))
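As an added illustration (not DigDash or ApacheDS code), the following Python model shows how the four **Protection** attributes in the table interact over a series of bind attempts: failures older than ads-pwdfailurecountinterval stop counting, the ads-pwdmaxfailure-th consecutive failure locks the password, and ads-pwdlockoutduration = 0 means only an administrator can unlock it. The timing rules are a simplification taken from the attribute descriptions above.

```python
"""Added example, not DigDash or ApacheDS code: a simplified model of how the
four protection attributes described above (ads-pwdlockout, ads-pwdmaxfailure,
ads-pwdfailurecountinterval, ads-pwdlockoutduration) interact."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ProtectionPolicy:
    lockout: bool = True               # ads-pwdlockout
    max_failure: int = 5               # ads-pwdmaxfailure
    failure_count_interval: int = 30   # ads-pwdfailurecountinterval, seconds
    lockout_duration: int = 0          # ads-pwdlockoutduration, seconds; 0 = until admin unlock


@dataclass
class AccountState:
    failures: List[int] = field(default_factory=list)  # times of recent failed binds
    locked_at: Optional[int] = None


def is_locked(policy: ProtectionPolicy, state: AccountState, now: int) -> bool:
    if state.locked_at is None:
        return False
    if policy.lockout_duration == 0:
        return True  # infinite lockout: only admin_unlock() clears it
    return now < state.locked_at + policy.lockout_duration


def admin_unlock(state: AccountState) -> None:
    """What an LDAP administrator has to do when ads-pwdlockoutduration is 0."""
    state.locked_at = None
    state.failures.clear()


def record_bind(policy: ProtectionPolicy, state: AccountState, now: int, success: bool) -> str:
    """Apply one bind attempt at time `now` (seconds); return 'ok', 'bad-password' or 'locked'."""
    if is_locked(policy, state, now):
        return 'locked'  # refused even when the password is correct
    if success:
        state.failures.clear()  # a successful bind resets the failure counter
        state.locked_at = None
        return 'ok'
    # failures older than the failure-count interval no longer count
    state.failures = [t for t in state.failures if now - t < policy.failure_count_interval]
    state.failures.append(now)
    if policy.lockout and len(state.failures) >= policy.max_failure:
        state.locked_at = now  # the max_failure-th consecutive failure locks the password
    return 'bad-password'
```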
125
= Configuring password quality (specific to DigDash Enterprise) =

By default, DigDash Enterprise stores user passwords in a "hashed" form in LDAP. As a result, LDAP does not have the original password entered by the user and cannot check its quality. This control is performed directly in DigDash Enterprise.

This chapter describes how to configure password constraints.

Password quality rules are defined in the **passwordpolicyrepository.xml** file.

A default file is provided in the ddenterpriseapi web application, but it is not advisable to change it in this location because the changes would be lost the next time the tool is upgraded.

To change the default rules, the simplest procedure is:

1. Copy the default file located at:
**<DD Install>/apache-tomcat/webapps/ddenterpriseapi/WEB-INF/classes/resources/config/passwordpolicyrepository.xml**
to the following location:
**<user>/Application Data/Enterprise Server/ddenterpriseapi/config/passwordpolicyrepository.xml**
1. Edit the copy with a text editor.
1. Modify the error messages linked to the rules so that they stay consistent with the new rules.
1. Restart the Tomcat server after the modification.
145
== Format of the **passwordpolicyrepository.xml** file ==

The default file contains the following XML:

{{code cssClass="notranslate" language="XML"}}
<PasswordPolicyRepository>
  <Rules>
    <Profil>administrator</Profil>
    <Description messageId="$ui.PWDPolicy.administratorDesc"></Description>
    <Pattern>.{12,}</Pattern>
    <MustHaveUpperCase>true</MustHaveUpperCase>
    <MustHaveLowerCase>true</MustHaveLowerCase>
    <MustHaveNumeric>true</MustHaveNumeric>
    <MustHaveSpecialChar>true</MustHaveSpecialChar>
    <MustNotContainID>true</MustNotContainID>
    <MustNotContainDisplayName>false</MustNotContainDisplayName>
  </Rules>
  <Rules>
    <Profil>supervisor</Profil>
    <Description messageId="$ui.PWDPolicy.supervisorDesc"></Description>
    <Pattern>.{12,}</Pattern>
    <MustHaveUpperCase>true</MustHaveUpperCase>
    <MustHaveLowerCase>true</MustHaveLowerCase>
    <MustHaveNumeric>true</MustHaveNumeric>
    <MustHaveSpecialChar>true</MustHaveSpecialChar>
    <MustNotContainID>true</MustNotContainID>
    <MustNotContainDisplayName>false</MustNotContainDisplayName>
  </Rules>
  <Rules>
    <Profil>user</Profil>
    <Description messageId="$ui.PWDPolicy.userDesc"></Description>
    <Pattern>.{8,}</Pattern>
    <MustHaveUpperCase>true</MustHaveUpperCase>
    <MustHaveLowerCase>true</MustHaveLowerCase>
    <MustHaveNumeric>true</MustHaveNumeric>
    <MustHaveSpecialChar>true</MustHaveSpecialChar>
    <MustNotContainID>true</MustNotContainID>
    <MustNotContainDisplayName>false</MustNotContainDisplayName>
  </Rules>
</PasswordPolicyRepository>
{{/code}}

It defines three rules: one for the profile of DigDash administrators (admin, etc.), one for the supervisor profile and one for the profile of all other users. All three rules have the same syntax.

These three profiles allow you to specify a different password quality for administrators and users.

If the rules for a profile are changed, the profile description message must be modified to return a consistent error. For example, if **Pattern** is changed to .{12,} for user (to change the minimum password size to 12 instead of 8), the entries in //ui.PWDPolicy.userDesc// must be modified to specify the new minimum password length.
193
== Rule parameters ==

|**Parameter**|**Type**|**Default value**|**Description**
|Profile|String|(((
administrator

user
)))|(((
Name of the profile affected by this rule:

**administrator**: the rule concerns DigDash administrators (admin, etc.)

**user**: the rule concerns all other users

//Note: For the moment, no other value will be taken into account by DigDash Enterprise.//
)))
|Pattern|String (regular expression)|.*|(((
Optional regular expression used to specify a more complex password syntax, in addition to the other parameters (see the next section).

**.***: any syntax is allowed.

If the password does not match the regular expression, it is rejected regardless of whether it satisfies the other rule parameters.

By default, Pattern is only used to define a minimum password size.
)))
|MustHaveUpperCase|Boolean|false|(((
**true**: the password must contain at least one uppercase character.

**false**: the password need not contain any uppercase characters.
)))
|MustHaveLowerCase|Boolean|false|(((
**true**: the password must contain at least one lowercase character.

**false**: the password need not contain any lowercase characters.
)))
|MustHaveNumeric|Boolean|false|(((
**true**: the password must contain at least one digit.

**false**: the password need not contain any digits.
)))
|MustHaveSpecialChar|Boolean|false|(((
**true**: the password must contain at least one character that is neither a letter nor a digit.

**false**: the password need not contain any characters that are neither letters nor digits.
)))
|MustNotContainID|Boolean|false|(((
**true**: the password must not contain the user ID.

**false**: the password may contain the user ID.
)))
244
== Advanced grammar via the Pattern parameter (regular expressions) ==

The **Pattern** rule parameter can be used to define more advanced constraints on passwords using regular expression syntax.

This document is not a reference on regular expressions. We only give a few examples of expressions that may be useful for the most frequent use cases.

For reference, **Java Regex** syntax is used when checking the Pattern.

Examples:

* Any string: **.***
* Specify a minimum length: **.{8,}**
* Specify a minimum and maximum length: **.{8,20}**
* Prohibit spaces and tabs: **(?=\S+$).***
* At least one numeric character: **(?=.*[0-9]).***
* At least one lowercase character: **(?=.*[a-z]).***
* At least one uppercase character: **(?=.*[A-Z]).***
* At least one special character: **(?=.*[@#$%^&+=_\-]).***

These expressions can be combined in a single regular expression, for example:

**((?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=])(?=\S+$).{8,})**

(Note the brackets around the combination)

(% class="box infomessage" %)
(((
//NB: Password verification begins with pattern validation. If the password does not meet the constraints of the regular expression, the other simple parameters of the rule ("Must...") are not checked.//
)))
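Added example (not DigDash code) tying together the rule parameters table and the Pattern examples above: it loads a constructed passwordpolicyrepository.xml document and evaluates a password in the order this page describes, Pattern first and then the simple Must... parameters. Assumptions: the Pattern must match the whole password (Java String.matches semantics, emulated here with re.fullmatch) and the user-ID check is case-insensitive; MustNotContainDisplayName is parsed but not evaluated.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the page's format: the default "user" rule, plus an
# "administrator" rule whose Pattern is the combined expression from the
# "Advanced grammar" section (the & is XML-escaped as &amp;).
SAMPLE_XML = r"""<PasswordPolicyRepository>
<Rules><Profil>administrator</Profil>
<Pattern>((?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&amp;+=])(?=\S+$).{12,})</Pattern>
<MustHaveUpperCase>true</MustHaveUpperCase><MustHaveLowerCase>true</MustHaveLowerCase>
<MustHaveNumeric>true</MustHaveNumeric><MustHaveSpecialChar>true</MustHaveSpecialChar>
<MustNotContainID>true</MustNotContainID><MustNotContainDisplayName>false</MustNotContainDisplayName>
</Rules>
<Rules><Profil>user</Profil><Pattern>.{8,}</Pattern>
<MustHaveUpperCase>true</MustHaveUpperCase><MustHaveLowerCase>true</MustHaveLowerCase>
<MustHaveNumeric>true</MustHaveNumeric><MustHaveSpecialChar>true</MustHaveSpecialChar>
<MustNotContainID>true</MustNotContainID><MustNotContainDisplayName>false</MustNotContainDisplayName>
</Rules></PasswordPolicyRepository>"""

def load_rules(xml_text):
    """Map each <Profil> name to a dict of its rule parameters (tag -> text)."""
    root = ET.fromstring(xml_text)
    return {r.findtext("Profil"): {c.tag: (c.text or "") for c in r}
            for r in root.findall("Rules")}

def _flag(rule, name):
    return rule.get(name, "false").strip().lower() == "true"

def check_password(rules, profile, password, user_id):
    """Return the violated constraints ([] = accepted). Pattern is checked first;
    if it fails nothing else is reported, as the NB above describes.
    MustNotContainDisplayName is deliberately left unevaluated in this example."""
    rule = rules[profile]
    # Assumption: the whole password must match (Java String.matches semantics).
    if not re.fullmatch(rule.get("Pattern", ".*"), password):
        return ["Pattern"]
    failed = []
    if _flag(rule, "MustHaveUpperCase") and not any(c.isupper() for c in password):
        failed.append("MustHaveUpperCase")
    if _flag(rule, "MustHaveLowerCase") and not any(c.islower() for c in password):
        failed.append("MustHaveLowerCase")
    if _flag(rule, "MustHaveNumeric") and not any(c.isdigit() for c in password):
        failed.append("MustHaveNumeric")
    if _flag(rule, "MustHaveSpecialChar") and all(c.isalnum() for c in password):
        failed.append("MustHaveSpecialChar")
    # Assumption: the user ID is searched for case-insensitively.
    if _flag(rule, "MustNotContainID") and user_id.lower() in password.lower():
        failed.append("MustNotContainID")
    return failed
```

Because the Pattern is evaluated first, a too-short password for the "user" profile reports only "Pattern", even when it also lacks digits or special characters; the error message keyed by the profile's Description should therefore state the length requirement.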
274