This topic contains 5 replies, has 3 voices, and was last updated by  Scott Heger 2 months ago.

    #19102
     atarpley 
    Participant

    I am trying to better understand the password policy in force in OpenAM when creating and updating users. I am running into an issue where I cannot create a new user in OpenAM without getting the following error:

    Minimum password length is 8

    This occurs with the REST API, but also just by using the GUI console (New Subject -> enter user details and “1234” as the password).

    How do I change the minimum number of characters? I checked in OpenDJ, and the password policy there only seems to require 6 characters:

    Password Validator                  : Type                : enabled
    ------------------------------------:---------------------:--------
    Attribute Value                     : attribute-value     : true
    Character Set                       : character-set       : true
    Dictionary                          : dictionary          : false
    Length-Based Password Validator     : length-based        : true
    Repeated Characters                 : repeated-characters : true
    Similarity-Based Password Validator : similarity-based    : true
    Unique Characters                   : unique-characters   : true

    (This is the output of the attributes of the “Length-Based Password Validator”):
    Property            : Value(s)
    --------------------:---------
    enabled             : true
    max-password-length : 0
    min-password-length : 6

    So, I am left puzzled about where the “8” in the error message is coming from. We are using an LDAP module in our “Organization Authentication Configuration” configuration. There is a configuration item there (“Minimum Password Length”) which seemed to be an obvious source, but when we changed it to “0” (per the note associated with the setting) we still saw no effect.

    Any help would be appreciated.

    #19103
     Scott Heger 
    Participant
    #19104
     atarpley 
    Participant

    Scott, thanks for your reply. I saw that too and it looked promising.

    Here is my curl command:
    curl -X POST \
      'http://<BASEURL>:8080/openam/json/realms/root/users/?_action=create' \
      -H 'accept-api-version: protocol=1.0, resource=2.0' \
      -H 'cache-control: no-cache' \
      -H 'content-type: application/json' \
      -H 'iplanetdirectorypro: AQIC5wM2LY4Sfczi3ekaIUqjPpUDf8_DqKmTtlOalO1h5eg.*AAJTSQACMDEAAlNLABM3ODczNTI1OTQ1OTMzOTY2MTU5AAJTMQAA*' \
      -d '{
        "username": "usertest656_1@example.com",
        "mail": "usertest65@example.com",
        "userpassword": "1234"
      }'

    The reply is:
    {"code":404,"reason":"Not Found","message":"Minimum password length is 8."}

    Even though I have the “Accept-API-Version” header set to “protocol=1.0, resource=2.0” it did not seem to affect things. Also, this happens in the OpenAM console while just trying to add a new subject.

    Any other ideas? I appreciate your time and reply.

    #19106
     Nikolaos Giannopoulos 
    Participant

    A couple things:

    1.) The example in the bug report has “Accept-API-Version: protocol=1.0,resource=2.0” yet says that is what is needed to avoid the issue. The example probably should not have it mentioned or use it as the workaround.

    2.) Not sure whether the header is case-sensitive or not (you use lower case) or, moreover, how picky it is in parsing the value (e.g. you have a space between the params), but try using exactly what is suggested, i.e.
    Accept-API-Version: protocol=1.0,resource=2.0

    3.) If the above doesn’t work then try changing the default protocol to OLDEST (via console as follows or ssoadm):
    Configure > Global Services > REST APIs > Default Resource Version and select OLDEST

    –Nikolaos

    #19107
     atarpley 
    Participant

    Hi Nikolaos,

    1) I noted that also.
    2) Same issues. I was exporting the curl command with Postman, which lost the case. It doesn’t seem to make a difference with or without the space.
    3) I also tried that as well, with no luck.

    Thank you for your reply.

    #19116
     Scott Heger 
    Participant

    The password minimum length is set via a property on the IdRepo Service and cannot be set via the console. You can set it via ssoadm though. It can be set globally or on a per realm basis. Here’s how to set it:

    Global:
    ./ssoadm set-attr-defs -s sunIdentityRepositoryService -t Organization -u [adminID] -f [passwordfile] -a sunIdRepoAttributeValidator=class=com.sun.identity.idm.server.IdRepoAttributeValidatorImpl sunIdRepoAttributeValidator=minimumPasswordLength=[minlength]

    Realm:
    ./ssoadm set-realm-svc-attrs -s sunIdentityRepositoryService -e [realmname] -u [adminID] -f [passwordfile] -a sunIdRepoAttributeValidator=class=com.sun.identity.idm.server.IdRepoAttributeValidatorImpl sunIdRepoAttributeValidator=minimumPasswordLength=[minlength]

    In both cases, replace [adminID], [passwordfile] and [minlength] with appropriate values.

    Note
    You must restart the web application container in which OpenAM runs to apply these configuration changes.
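
The thread involves two independent length checks: the OpenAM IdRepo validator (8) and the OpenDJ length-based validator (6). The following is an added example, not part of any post above and not OpenAM or OpenDJ code; it parses both settings from constructed sample input and reports which layer would reject a password of a given length. The function names are hypothetical, and it assumes OpenAM validates before the directory does and that the OpenDJ validator is attached to the password policy governing the user.

```shell
#!/bin/sh
# Added example, not from the thread. Inputs are constructed from values
# quoted in the posts; all function names are hypothetical.

# dsconfig-style properties of the Length-Based Password Validator.
DJ_PROPS='enabled : true
max-password-length : 0
min-password-length : 6'

# sunIdRepoAttributeValidator values, one per line, as given to ssoadm -a.
IDREPO_ATTRS='class=com.sun.identity.idm.server.IdRepoAttributeValidatorImpl
minimumPasswordLength=8'

# Print the directory minimum, or 0 when the validator is disabled.
dj_min_length() {
    printf '%s\n' "$1" | awk -F' *: *' '
        $1 == "enabled"             { on = ($2 == "true") }
        $1 == "min-password-length" { min = $2 }
        END { print (on ? min + 0 : 0) }'
}

# Print the IdRepo validator minimum; prints nothing when it is not set.
idrepo_min_length() {
    printf '%s\n' "$1" |
        sed -n 's/^minimumPasswordLength=\([0-9][0-9]*\)$/\1/p'
}

# Name the first layer that rejects a password of length $1.
# $2 = IdRepo minimum, $3 = directory minimum.
# Assumption: OpenAM validates before the directory sees the write, and the
# length validator is attached to the policy that governs the user entry.
rejecting_layer() {
    if [ "$1" -lt "$2" ]; then echo "openam-idrepo"
    elif [ "$1" -lt "$3" ]; then echo "opendj-validator"
    else echo "none"
    fi
}

idrepo=$(idrepo_min_length "$IDREPO_ATTRS")
dj=$(dj_min_length "$DJ_PROPS")
echo "IdRepo minimum: $idrepo, directory minimum: $dj"
for len in 4 6 8; do
    echo "length $len, current settings: $(rejecting_layer "$len" "$idrepo" "$dj")"
    echo "length $len, IdRepo lowered to 4: $(rejecting_layer "$len" 4 "$dj")"
done
```

With the values from the thread, lowering only the IdRepo minimum to 4 moves the rejection of a 4-character password from OpenAM to the directory rather than removing it, so the two settings need to be changed together.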
