PingDS 7.5.1

HDAP and password policies

Examples in this documentation depend on features activated in the ds-evaluation setup profile. For details, refer to Learn about the evaluation setup profile.

The code samples demonstrate how to contact the server over HTTPS using the deployment CA certificate. Before trying the samples, generate the CA certificate in PEM format from the server deployment ID and password:

$ dskeymgr \
 export-ca-cert \
 --deploymentId $DEPLOYMENT_ID \
 --deploymentIdPassword password \
 --outputFile ca-cert.pem
bash

This example demonstrates how to add a subentry password policy with HDAP. Subentry password policies are replicated.

This example uses Kirsten Vaughan as a password administrator. Kirsten is a member of the Directory Administrators group.

  1. Before trying this example, make sure the password administrator has the necessary access:

    1. Grant the subentry-write privilege to edit password policies:

      $ curl \
       --request PATCH \
       --cacert ca-cert.pem \
       --user :password \
       --header 'Content-Type: application/json' \
       --data '[{
        "operation": "add",
        "field": "ds-privilege-name",
        "value": "subentry-write"
       }]' \
       'https://localhost:8443/hdap/dc=com/dc=example/ou=People/uid=kvaughan?_fields=_id,ds-privilege-name'
      bash
    2. Grant access to manage password policies.

      $ curl \
       --request PATCH \
       --cacert ca-cert.pem \
       --user :password \
       --header 'Content-Type: application/json' \
       --url 'https://localhost:8443/hdap/dc=com/dc=example?_fields=_id,aci' \
       --data @- << JSON
      [{
        "operation": "add",
        "field": "aci",
        "value": "(targetattr = \"pwdPolicySubentry||ds-pwp-password-policy-dn||ds-pwp-password-validator||subtreeSpecification\")(version 3.0;acl \"Allow Administrators to manage user password policies\";allow (all) (groupdn = \"ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com\");)"
      }]
      JSON
      bash
  2. Create and assign a subentry password policy as the password administrator:

    $ curl \
     --request POST \
     --cacert ca-cert.pem \
     --user dc=com/dc=example/ou=People/uid=kvaughan:bribery \
     --header 'Content-Type: application/json' \
     --url 'https://localhost:8443/hdap/dc=com/dc=example?_action=create&_fields=*,subtreeSpecification&_prettyPrint=true' \
     --data @- << JSON
    {
      "_id" : "dc=com/dc=example/cn=Replicated%20password%20policy",
      "objectClass" : [ "top", "subentry", "ds-pwp-password-policy", "ds-pwp-validator", "ds-pwp-length-based-validator" ],
      "cn" : [ "Replicated password policy" ],
      "ds-pwp-default-password-storage-scheme" : [ "PBKDF2-HMAC-SHA512" ],
      "ds-pwp-length-based-min-password-length" : 8,
      "ds-pwp-password-attribute" : "userPassword",
      "subtreeSpecification": { "base": "ou=People", "filter": "/objectClass eq \"person\"" }
     }
    JSON
    bash
  3. Verify the password administrator can view which password policy applies:

    $ curl \
     --cacert ca-cert.pem \
     --user dc=com/dc=example/ou=People/uid=kvaughan:bribery \
     'https://localhost:8443/hdap/dc=com/dc=example/ou=People/uid=kvaughan?_fields=_id,pwdPolicySubentry&_prettyPrint=true'
    {
      "_id" : "dc=com/dc=example/ou=People/uid=kvaughan",
      "_rev" : "<revision>",
      "pwdPolicySubentry" : "dc=com/dc=example/cn=Replicated%20password%20policy"
    }
    bash
  4. Verify the field is not visible to regular users:

    $ curl \
     --cacert ca-cert.pem \
     --user dc=com/dc=example/ou=People/uid=bjensen:hifalutin \
     'https://localhost:8443/hdap/dc=com/dc=example/ou=People/uid=bjensen?_fields=_id,pwdPolicySubentry&_prettyPrint=true'
    {
      "_id" : "dc=com/dc=example/ou=People/uid=bjensen",
      "_rev" : "<revision>"
    }
    bash

When listing subentry password policies, use the subentries=true parameter:

$ curl \
 --get \
 --cacert ca-cert.pem \
 --user :password \
 --data "_queryFilter=/objectClass+eq+'ds-pwp-password-policy'" \
 --data '_fields=*,subtreeSpecification' \
 --data 'subentries=true' \
 --data '_prettyPrint=true' \
 'https://localhost:8443/hdap/dc=com/dc=example'
{
  "result" : [ {
    "_id" : "dc=com/dc=example/cn=Replicated%20password%20policy",
    "_rev" : "<revision>",
    "objectClass" : [ "top", "subentry", "ds-pwp-password-policy", "ds-pwp-validator", "ds-pwp-length-based-validator" ],
    "cn" : [ "Replicated password policy" ],
    "ds-pwp-default-password-storage-scheme" : [ "PBKDF2-HMAC-SHA512" ],
    "ds-pwp-length-based-min-password-length" : 8,
    "ds-pwp-password-attribute" : "userPassword",
    "subtreeSpecification" : {
      "filter" : "/objectClass eq \"person\"",
      "base" : "ou=People"
    }
  } ],
  "resultCount" : 1,
  "pagedResultsCookie" : null,
  "totalPagedResultsPolicy" : "NONE",
  "totalPagedResults" : -1,
  "remainingPagedResults" : -1
}
bash

For details about policy settings, refer to DS subentry password policies.