Syncing OpenDJ Password Policies

This topic has 2 replies, 2 voices, and was last updated 6 years, 1 month ago by Brad Tumy.

  • #4962
     Brad Tumy
    Participant

    I am implementing a proof of concept where a user’s password policy (OpenDJ) will be modified via a patch from an onUpdate hook. I don’t seem to be able to update the ds-pwp-password-policy-dn attribute and want to confirm that it’s possible. I am able to write to other operation attributes so was assuming that I could.

    Setup:
    provisioner.openicf-OpenDJ.json:
    "attributesToSynchronize" : [
    "ds-pwp-password-policy-dn",
    "pwdPolicySubentry"
    ],

    sync.json:
    {
    "default" : "cn=Default Password Policy,cn=Password Policies,cn=config",
    "source" : "ds-pwp-password-policy-dn",
    "target" : "ds-pwp-password-policy-dn"
    },

    I am manually changing the password policy, in OpenDJ, to:
    cn=Demo Pass Through Policy,cn=Password Policies,cn=config (a custom pass through policy)

    and then to update I run a patch:
    curl -X PATCH -H "X-OpenIDM-Username: openidm-admin" -H "X-OpenIDM-Password: xxxx"
    -d '[
    {
    "operation" : "replace",
    "field" : "/ds-pwp-password-policy-dn/",
    "value" : "cn=Default Password Policy,cn=Password Policies,cn=config"
    }
    ]' 'http://demo.example.com:9090/openidm/managed/user/jdoe'

    Nothing is getting changed in OpenDJ.

    #4964
     Bill Nelson
    Participant

    Hey Brad,

    You should be able to perform this operation if your user has the appropriate ACIs. I was able to explicitly set this as the rootDN user with the ldapmodify command:

    $ ldapmodify -D "cn=Directory Manager" -w ****** <ENTER>
    dn: uid=bnelson,ou=People,dc=example,dc=com <ENTER>
    changetype: modify <ENTER>
    replace: ds-pwp-password-policy-dn <ENTER>
    ds-pwp-password-policy-dn: cn=Example Corp User Password Policy,
    cn=Password Policies,cn=config <ENTER>
    <ENTER>

    or dynamically using virtual attributes and the appropriate filters for assignment. It may just be the permissions of the account you are using to connect from OpenIDM to OpenDJ.

    BTW, please see both methods detailed in my blog entry at http://idmdude.com/2014/04/22/understanding-openam-and-opendj-account-lockout-behaviors/.

    HTH,

    bill

    #5063
     Brad Tumy
    Participant

    Thanks Bill.

    Turns out that I had pwdAccountLockedTime (for another use case) in the provisioner file and OpenIDM was trying to write to that attribute as well. Once that attribute was flagged as NOT-UPDATEABLE I was able to update the password policy successfully.

    Thanks,
    Brad
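The following is an added example, not code from either poster. It models the root cause Brad found: an OpenDJ operational attribute (pwdAccountLockedTime) listed in the provisioner without a NOT_UPDATEABLE flag, so OpenIDM tries to write it on every update and the whole modify fails. The check scans a constructed provisioner config for synchronized operational attributes that are still writable, adds the flag, and builds the PATCH body for the password-policy change. The objectTypes/properties/flags layout follows OpenIDM's provisioner.openicf-*.json convention; the attribute set, the READ_ONLY_OPERATIONAL list beyond the two names in the thread, and the helper names are assumptions for illustration.

```python
import copy
import json

# Constructed sample provisioner config (not the thread author's actual file).
# Layout follows OpenIDM's provisioner.openicf-*.json convention; the attribute
# set is assumed for illustration.
PROVISIONER = {
    "attributesToSynchronize": [
        "ds-pwp-password-policy-dn",
        "pwdPolicySubentry",
        "pwdAccountLockedTime",
    ],
    "objectTypes": {
        "account": {
            "nativeType": "__ACCOUNT__",
            "properties": {
                "uid": {"type": "string", "nativeName": "uid", "nativeType": "string"},
                "ds-pwp-password-policy-dn": {
                    "type": "string", "nativeName": "ds-pwp-password-policy-dn",
                    "nativeType": "string",
                },
                "pwdPolicySubentry": {
                    "type": "string", "nativeName": "pwdPolicySubentry",
                    "nativeType": "string",
                    "flags": ["NOT_CREATABLE", "NOT_UPDATEABLE"],
                },
                # No flags: OpenIDM will try to write this server-maintained
                # attribute back on update, which is what broke the thread's PATCH.
                "pwdAccountLockedTime": {
                    "type": "string", "nativeName": "pwdAccountLockedTime",
                    "nativeType": "string",
                },
            },
        }
    },
}

# OpenDJ password-policy state attributes that the server maintains itself.
# pwdPolicySubentry and pwdAccountLockedTime appear in the thread; treating them
# as read-only from the provisioner's point of view is the assumption here.
READ_ONLY_OPERATIONAL = {"pwdPolicySubentry", "pwdAccountLockedTime"}


def writable_operational_attrs(config, object_type="account"):
    """Return synchronized operational attributes that lack NOT_UPDATEABLE,
    i.e. the ones OpenIDM would attempt to modify on an update."""
    props = config["objectTypes"][object_type]["properties"]
    offenders = []
    for attr in config.get("attributesToSynchronize", []):
        flags = props.get(attr, {}).get("flags", [])
        if attr in READ_ONLY_OPERATIONAL and "NOT_UPDATEABLE" not in flags:
            offenders.append(attr)
    return offenders


def mark_not_updateable(config, attrs, object_type="account"):
    """Return a copy of the config with NOT_UPDATEABLE added for each attr."""
    fixed = copy.deepcopy(config)
    props = fixed["objectTypes"][object_type]["properties"]
    for attr in attrs:
        flags = props.setdefault(attr, {}).setdefault("flags", [])
        if "NOT_UPDATEABLE" not in flags:
            flags.append("NOT_UPDATEABLE")
    return fixed


def policy_patch(policy_dn):
    """Build the body for PATCH /openidm/managed/user/<id>. The 'field' value is
    a JSON pointer, so the attribute name is written without a trailing slash."""
    return [{
        "operation": "replace",
        "field": "/ds-pwp-password-policy-dn",
        "value": policy_dn,
    }]


if __name__ == "__main__":
    bad = writable_operational_attrs(PROVISIONER)
    print("operational attributes OpenIDM would try to write:", bad)
    fixed = mark_not_updateable(PROVISIONER, bad)
    print("after fix:", writable_operational_attrs(fixed))
    print(json.dumps(policy_patch(
        "cn=Default Password Policy,cn=Password Policies,cn=config"), indent=2))
```

Run the script against your own provisioner file by loading it with json.load in place of the constructed PROVISIONER dict; the report lists every synchronized attribute that still needs the flag before the policy-DN PATCH can succeed.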
