This topic has 5 replies, 3 voices, and was last updated 4 years, 10 months ago by Scott Heger.
October 11, 2017 at 2:57 pm #19102
atarpley
Participant
I am trying to better understand the password policy in force in OpenAM when creating and updating users. I am running into an issue where I cannot create a new user in OpenAM without getting the following error:
Minimum password length is 8
This occurs with the REST API, but also just by using the GUI console (New Subject -> enter user details and “1234” as the password).
How do I change the minimum number of characters? I checked in OpenDJ, and the password policy there only seems to require 6 characters:
Password Validator                  : Type                : enabled
------------------------------------:---------------------:--------
Attribute Value                     : attribute-value     : true
Character Set                       : character-set       : true
Dictionary                          : dictionary          : false
Length-Based Password Validator     : length-based        : true
Repeated Characters                 : repeated-characters : true
Similarity-Based Password Validator : similarity-based    : true
Unique Characters                   : unique-characters   : true
(This is the output of the attributes of the “Length-Based Password Validator”):
Property            : Value(s)
--------------------:---------
enabled             : true
max-password-length : 0
min-password-length : 6
So, I am left puzzled about where the “8” in the error message is coming from. We are using an LDAP module in our “Organization Authentication Configuration” configuration. There is a configuration item there (“Minimum Password Length”) which seemed to be an obvious source, but when we changed it to “0” (per the note associated with the setting) we still saw no effect.
Any help would be appreciated.
October 11, 2017 at 5:05 pm #19103
Scott Heger
Participant
Sounds like you are running into http://bugster.forgerock.org/jira/browse/OPENAM-11052. See the workaround in this KB article: https://backstage.forgerock.com/knowledge/kb/book/b93241706/a95716975
October 11, 2017 at 5:17 pm #19104
atarpley
Participant
Scott, thanks for your reply. I saw that too and it looked promising.
Here is my curl command:
curl -X POST \
  'http://<BASEURL>:8080/openam/json/realms/root/users/?_action=create' \
  -H 'accept-api-version: protocol=1.0, resource=2.0' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -H 'iplanetdirectorypro: AQIC5wM2LY4Sfczi3ekaIUqjPpUDf8_DqKmTtlOalO1h5eg.*AAJTSQACMDEAAlNLABM3ODczNTI1OTQ1OTMzOTY2MTU5AAJTMQAA*' \
  -d '{
    "username": "[email protected]",
    "mail": "[email protected]",
    "userpassword": "1234"
  }'
The reply is:
{"code":404,"reason":"Not Found","message":"Minimum password length is 8."}
Even though I have the “Accept-API-Version” header set to “protocol=1.0, resource=2.0” it did not seem to affect things. Also, this happens in the OpenAM console while just trying to add a new subject.
Any other ideas? I appreciate your time and reply.
October 11, 2017 at 8:26 pm #19106
Nikolaos Giannopoulos
Participant
A couple things:
1.) The example in the bug report has “Accept-API-Version: protocol=1.0,resource=2.0” yet says that is what is needed to avoid the issue. The example probably should not have it mentioned or use it as the workaround.
2.) Not sure the header is case-sensitive or not (you use lower case) or “moreover” how picky it is in parsing the value (e.g. you have a space between the params) but try using exactly what is suggested i.e.
Accept-API-Version: protocol=1.0,resource=2.0
3.) If the above doesn’t work then try changing the default protocol to OLDEST (via console as follows or ssoadm):
Configure > Global Services > REST APIs > Default Resource Version and select OLDEST
--Nikolaos
October 11, 2017 at 10:42 pm #19107
atarpley
Participant
Hi Nikolaos,
1) I noted that also.
2) Same issues. I was exporting the curl command with Postman, which lost the case. It doesn’t seem to make a difference with or without the space.
3) I also tried that as well, with no luck.
Thank you for your reply.
October 12, 2017 at 5:32 pm #19116
Scott Heger
Participant
The password minimum length is set via a property on the IdRepo Service and cannot be set via the console. You can set it via ssoadm though. It can be set globally or on a per realm basis. Here’s how to set:
Global:
./ssoadm set-attr-defs -s sunIdentityRepositoryService -t Organization -u [adminID] -f [passwordfile] -a sunIdRepoAttributeValidator=class=com.sun.identity.idm.server.IdRepoAttributeValidatorImpl sunIdRepoAttributeValidator=minimumPasswordLength=[minlength]
Realm:
./ssoadm set-realm-svc-attrs -s sunIdentityRepositoryService -e [realmname] -u [adminID] -f [passwordfile] -a sunIdRepoAttributeValidator=class=com.sun.identity.idm.server.IdRepoAttributeValidatorImpl sunIdRepoAttributeValidator=minimumPasswordLength=[minlength]
In both cases, replace [adminID], [passwordfile] and [minlength] with appropriate values.
Note
You must restart the web application container in which OpenAM runs to apply these configuration changes.
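The two ssoadm calls from Scott Heger's post, wrapped as an added example (not part of the thread or of OpenAM) that validates the inputs and prints the command for review instead of running it. SSOADM and MIN_FLOOR are assumed names; the default floor of 6 assumes the OpenDJ length-based validator shown earlier in the thread also applies to these entries, so a lower OpenAM value would only move the rejection to the directory.

```shell
#!/bin/sh
# Added example, not from the thread: build the ssoadm command line with
# validated inputs. SSOADM and MIN_FLOOR are assumed names for this sketch.
SSOADM=${SSOADM:-./ssoadm}
# Assumed floor: the OpenDJ min-password-length (6) reported in the thread.
MIN_FLOOR=${MIN_FLOOR:-6}
VALIDATOR_CLASS=com.sun.identity.idm.server.IdRepoAttributeValidatorImpl

# Print the ssoadm command for a scope without executing it.
# usage: build_cmd global <minlength> <adminID> <passwordfile>
#        build_cmd realm  <minlength> <adminID> <passwordfile> <realmname>
build_cmd() {
    scope=$1 minlen=$2 admin=$3 pwfile=$4 realm=${5:-}
    # Reject anything that is not a plain non-negative integer.
    case $minlen in
        ''|*[!0-9]*) echo "minlength must be a non-negative integer" >&2; return 2 ;;
    esac
    # Refuse values the directory would reject anyway (see MIN_FLOOR above).
    if [ "$minlen" -lt "$MIN_FLOOR" ]; then
        echo "minlength $minlen is below floor $MIN_FLOOR" >&2; return 3
    fi
    attrs="-a sunIdRepoAttributeValidator=class=$VALIDATOR_CLASS sunIdRepoAttributeValidator=minimumPasswordLength=$minlen"
    case $scope in
        global)
            echo "$SSOADM set-attr-defs -s sunIdentityRepositoryService -t Organization -u $admin -f $pwfile $attrs" ;;
        realm)
            [ -n "$realm" ] || { echo "realm name required" >&2; return 2; }
            echo "$SSOADM set-realm-svc-attrs -s sunIdentityRepositoryService -e $realm -u $admin -f $pwfile $attrs" ;;
        *)
            echo "scope must be global or realm" >&2; return 2 ;;
    esac
}
```

As the note in the post says, the change only takes effect after the web application container running OpenAM is restarted.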