This topic contains 5 replies, has 3 voices, and was last updated by 
Scott Heger 1 week, 1 day ago.
-
Posts
-
I am trying to better understand the password policy in force in OpenAM when creating and updating users. I am running into an issue where I cannot create a new user in OpenAM without getting the following error:
Minimum password length is 8This occurs with the REST API, but also just by using the GUI console (New Subject -> enter user details and “1234” as the password).
How do I change the minimum number of characters? I checked in OpenDJ, and the password policy there only seems to require 6 characters:
Password Validator : Type : enabled
————————————:———————:——–
Attribute Value : attribute-value : true
Character Set : character-set : true
Dictionary : dictionary : false
Length-Based Password Validator : length-based : true
Repeated Characters : repeated-characters : true
Similarity-Based Password Validator : similarity-based : true
Unique Characters : unique-characters : true(This is the output of the attributes of the “Length-Based Password Validator”):
Property : Value(s)
——————–:———
enabled : true
max-password-length : 0
min-password-length : 6So, I am left puzzled about where the “8” in the error message is coming from. We are using an LDAP module in our “Organization Authentication Configuration” configuration. There is a configuration item there (“Minimum Password Length”) which seemed to be an obvious source, but when we changed it to “0” (per the note associated with the setting) we still saw no effect.
Any help would be appreciated.
Sounds like you are running into http://bugster.forgerock.org/jira/browse/OPENAM-11052. See the workaround in this KB article: https://backstage.forgerock.com/knowledge/kb/book/b93241706/a95716975
Scott, thanks for your reply. I saw that too and it looked promising.
Here is my curl command:
curl -X POST \
‘http://<BASEURL>:8080/openam/json/realms/root/users/?_action=create’ \
-H ‘accept-api-version: protocol=1.0, resource=2.0’ \
-H ‘cache-control: no-cache’ \
-H ‘content-type: application/json’ \
-H ‘iplanetdirectorypro: AQIC5wM2LY4Sfczi3ekaIUqjPpUDf8_DqKmTtlOalO1h5eg.*AAJTSQACMDEAAlNLABM3ODczNTI1OTQ1OTMzOTY2MTU5AAJTMQAA*’ \
-d ‘{
“username”: “usertest656_1@example.com”,
“mail”:”usertest65@example.com”,
“userpassword”: “1234”
}’The reply is:
{“code”:404,”reason”:”Not Found”,”message”:”Minimum password length is 8.”}Even though I have the “Accept-API-Version” header set to “protocol=1.0, resource=2.0” it did not seem to affect things. Also, this happens in the OpenAM console while just trying to add a new subject.
Any other ideas? I appreciate your time and reply.
A couple things:
1.) The example in the bug report has “Accept-API-Version: protocol=1.0,resource=2.0” yet says that is what is needed to avoid the issue. The example probably should not have it mentioned or use it as the workaround.
2.) Not sure the header is case-sensitive or not (you use lower case) or “moreover” how picky it is in parsing the value (e.g. you have a space between the params) but try using exactly what is suggested i.e.
Accept-API-Version: protocol=1.0,resource=2.03.) If the above doesn’t work then try changing the default protocol to OLDEST (via console as follows or ssoadm):
Configure > Global Services > REST APIs > Default Resource Version and select OLDEST–Nikolaos
Hi Nikolaos,
1) I noted that also.
2) Same issues. I was exporting the curl command with Postman, which lost the case. It doesn’t seem to make a different with or without the space.
3) I also tried that as well, with no luck.Thank you for your reply.
The password minimum length is set via a property on the IdRepo Service and cannot be set via the console. You can set it via ssoadm though. It can be set globally or on a per realm basis. Here’s how to set:
Global:
./ssoadm set-attr-defs -s sunIdentityRepositoryService -t Organization -u [adminID] -f [passwordfile] -a sunIdRepoAttributeValidator=class=com.sun.identity.idm.server.IdRepoAttributeValidatorImpl sunIdRepoAttributeValidator=minimumPasswordLength=[minlength]Realm:
./ssoadm set-realm-svc-attrs -s sunIdentityRepositoryService -e [realmname] -u [adminID] -f [passwordfile] -a sunIdRepoAttributeValidator=class=com.sun.identity.idm.server.IdRepoAttributeValidatorImpl sunIdRepoAttributeValidator=minimumPasswordLength=[minlength]In both cases, replace [adminID], [passwordfile] and [minlength] with appropriate values.
Note
You must restart the web application container in which OpenAM runs to apply these configuration changes.
You must be logged in to reply to this topic.
