> On May 31, 2017, at 4:17 PM, Brian Brooks (US) <[email protected]> wrote:
>
> We need to implement in our application password quality checks like IETF
> Password Policy for LDAP Directories draft, section 5.2.5 pwdCheckQuality,
> https://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-7.
> These would be applied during new user creation, password change, etc. We're
> planning to use Fortress and ApacheDS.

This should work but I have not tested the combination of fortress w/ apacheds and pw policies. If you want to give it a go, we’ll do our best to support it.

> Two questions:
> 1. Is there a way to extend Fortress password policy validation with
> pwdCheckQuality validations? Is this better done with an ApacheDS extension?

No, on fortress validation for password quality checks. Not sure about using apacheds extension, that’s a good idea but would be a question for their user ML. Since it is useful, and broadly applicable, we will support your efforts, and make changes, as needed, assuming reasonable.

> 2. When a user is assigned a password policy, where is the assignment stored
> in the directory server?
> For example, if I do the following
> 2.1. Login to fortress-commander.
> 2.2. Select a user.
> 2.3. Set the user's "PW Policy".
> 2.4. Click "Commit".
> What happens? Where does fortress-commander store the

It is stored as an attribute on the user object itself. For example if the policy was ‘Test1’, you would see this attribute:

pwdPolicySubentry=cn=Test1,ou=Policies,dc=example,dc=com

There are three ways to enable a pwpolicy, globally, by group or by user, which is how commander is setting it.

Thanks,
Shawn
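
Added example, not part of the original message and not Fortress or ApacheDS code: a small audit that reads an LDIF export and reports which user entries carry the per-user `pwdPolicySubentry` assignment described in the reply. The sample entries, the `ou=People` container and the function names are assumptions made for illustration; only the `Test1` policy DN comes from the thread.

```python
import base64
POLICY = "cn=Test1,ou=Policies,dc=example,dc=com"  # example value from the reply
# Constructed sample export: plain, folded, base64 and absent forms of the attribute.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=People,dc=example,dc=com",
    "pwdPolicySubentry: " + POLICY,
    "",
    "dn: uid=bob,ou=People,dc=example,dc=com",
    "pwdPolicySubentry: cn=Test1,ou=Policies,",
    " dc=example,dc=com",
    "",
    "dn: uid=carol,ou=People,dc=example,dc=com",
    "pwdPolicySubentry:: " + base64.b64encode(POLICY.encode()).decode(),
    "",
    "dn: uid=dave,ou=People,dc=example,dc=com",
])

def parse_ldif(text):
    """Yield one {attr_lowercase: [values]} dict per LDIF entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                yield entry
            entry = {}
        elif not line.startswith("#"):
            attr, _, rest = line.partition(":")
            value = rest.strip()
            if rest.startswith(":"):        # "attr:: <base64 value>"
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            entry.setdefault(attr.strip().lower(), []).append(value)

def policy_assignments(ldif_text):
    """Map each entry DN to its per-user policy DN, or None when none is set."""
    result = {}
    for entry in parse_ldif(ldif_text):
        if "dn" in entry:                   # skips "version: 1" style header records
            result[entry["dn"][0]] = (entry.get("pwdpolicysubentry") or [None])[0]
    return result

def without_user_policy(ldif_text):
    """DNs with no per-user assignment (only a group or global policy could apply)."""
    return sorted(dn for dn, pol in policy_assignments(ldif_text).items() if pol is None)
```

The LDAP password policy draft defines `pwdPolicySubentry` as an operational attribute, so the export has to request it by name for it to appear in the LDIF.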
