Brilliant!! Thanks so much Kiran. That worked. 

But I still don't get a warning before expiry. Some of my friends said that this 
is something that needs to be built into the calling code and not something 
that ApacheDS provides out of the box. Is that right?


On Sun, May 18, 2014 at 6:33 PM, Kiran Ayyagari <[email protected]>
wrote:

> On Sat, May 17, 2014 at 7:18 PM, Sathya S <[email protected]> wrote:
>> I am continuing on my experiments with getting password policies
>> functioning on ApacheDS and I am trying to enable password expiry and a
>> warning before the expiry.
>>
>> This is what I have configured on the server:
>>
>> dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>> ads-pwdminlength: 7
>> ads-pwdinhistory: 5
>> ads-pwdid: default
>> ads-pwdcheckquality: 1
>> ads-pwdlockout: TRUE
>> ads-pwdlockoutduration: 0
>> ads-pwdMaxAge: 300
>> ads-pwdExpireWarning: 180
>> ...
>>
>> My understanding of this is that a user's password is valid for 5 minutes
>> after which authentication would fail. After 3 minutes up to 5 minutes, he
>> would be able to login, but would receive a warning about impending expiry.
>> Is that correct?
>>
> yes, but you need to configure ads-pwdgraceauthnlimit (to >0) as well,
> otherwise bind operation always accepts the expired password
>
>> I restarted the server after making the above change.
>>
>> I have the below Java code to authenticate the user:
>>
>>             Hashtable<String, String> env = new Hashtable<String, String>();
>>             env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
>>             env.put(Context.PROVIDER_URL, "ldap://localhost:10389");
>>             // Simple bind with the user's DN and password
>>             env.put(Context.SECURITY_AUTHENTICATION, "simple");
>>             env.put(Context.SECURITY_PRINCIPAL, "uid=Sathya,ou=people,dc=example,dc=com");
>>             env.put(Context.SECURITY_CREDENTIALS, "helloworld");
>>
>>             // Create the initial context
>>
>>             DirContext ctx = new InitialDirContext(env);
>>
>> I created this user account almost an hour ago but the authentication still
>> goes through successfully. Anything I am missing here?
>>
>> Thanks.
>>
> -- 
> Kiran Ayyagari
> http://keydap.com
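
Added example, not part of the original thread and not ApacheDS code: on the question of whether the calling code has to ask for the expiry warning, this sketch shows the client side of the password policy control from draft-behera-ldap-password-policy (OID 1.3.6.1.4.1.42.2.27.8.5.1) and decodes the response value's `timeBeforeExpiration` warning. It assumes the server returns that response control when the request control is sent with the bind; the class name `PpolicyWarning` and the sample bytes are constructed for illustration.

```java
import javax.naming.ldap.BasicControl;
import javax.naming.ldap.Control;

// Added example: decoder for the password policy response control value (Behera draft).
public class PpolicyWarning {
    static final String PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1";

    /** Returns {timeBeforeExpiration, graceAuthNsRemaining, error}; -1 means absent. */
    static int[] decode(byte[] v) {
        int[] out = {-1, -1, -1};
        if (v == null || v.length < 2 || v[0] != 0x30) return out; // must be a SEQUENCE
        int end = Math.min(v.length, 2 + (v[1] & 0xff));           // short-form lengths only
        for (int i = 2; i + 2 <= end; ) {
            int tag = v[i] & 0xff, len = v[i + 1] & 0xff, body = i + 2;
            if (len > 0x7f || body + len > end) break;             // long form or truncated
            if (tag == 0xA0 && len >= 2) {                         // warning [0] CHOICE
                int choice = v[body] & 0xff, n = v[body + 1] & 0xff;
                if (n > len - 2) break;                            // inner length overruns
                int val = toInt(v, body + 2, n);
                if (choice == 0x80) out[0] = val;                  // timeBeforeExpiration (s)
                else if (choice == 0x81) out[1] = val;             // graceAuthNsRemaining
            } else if (tag == 0x81) {                              // error [1] ENUMERATED
                out[2] = toInt(v, body, len);
            }
            i = body + len;
        }
        return out;
    }

    static int toInt(byte[] v, int off, int len) {
        int r = 0;
        for (int k = 0; k < len; k++) r = (r << 8) | (v[off + k] & 0xff);
        return r;
    }

    public static void main(String[] args) {
        // Request control: pass it as new InitialLdapContext(env, new Control[]{req}),
        // then look for PPOLICY_OID in ctx.getResponseControls() and decode getEncodedValue().
        Control req = new BasicControl(PPOLICY_OID);
        // Constructed sample response value: warning, 120 seconds before expiry.
        byte[] sample = {0x30, 0x05, (byte) 0xA0, 0x03, (byte) 0x80, 0x01, 0x78};
        int[] r = decode(sample);
        System.out.println(req.getID() + " timeBeforeExpiration=" + r[0]
                + " graceAuthNsRemaining=" + r[1] + " error=" + r[2]);
    }
}
```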
