Wednesday, April 30, 2014

OpenAM with IBM Tivoli Directory Server

From OpenAM version 10.1.0 onwards, the LDAP Authentication module supports the LDAP Behera Password Policy (draft-behera-ldap-password-policy): when the option is enabled, the module sends the Password Policy Request Control with the bind and reads the error or warning carried in the Password Policy Response Control (OID 1.3.6.1.4.1.42.2.27.8.5.1) on the bind result.

So, I was configuring the LDAP Authentication module for a customer to authenticate against IBM Tivoli Directory Server. I did verify that IBM Tivoli Directory Server supports the IETF-approved Password Policy (also known as the Draft Behera LDAP Password Policy).

To be fair, I have no visibility into what the Customer has configured on the IBM Tivoli Directory Server, and I am not sure whether or not it has been configured properly as documented by IBM. It's a black box to me.

But no luck! As soon as LDAP Behera Password Policy Support is enabled, OpenAM throws the following exception:

amAuthLDAP:04/14/2014 02:18:54:972 PM ICT: Thread[ajp-,5,jboss]
WARNING: unable to decode PasswordPolicyResponseControl
org.forgerock.opendj.ldap.DecodeException: Cannot decode the provided password policy response control because it does not have a value

        at org.forgerock.opendj.ldap.DecodeException.error(
        at org.forgerock.opendj.ldap.controls.PasswordPolicyResponseControl$1.decodeControl(
        at org.forgerock.opendj.ldap.controls.PasswordPolicyResponseControl$1.decodeControl(
        at org.forgerock.opendj.ldap.responses.AbstractResponseImpl.getControl(
        at com.sun.identity.authentication.modules.ldap.LDAPAuthUtils.processControls(
amAuthLDAP:04/14/2014 02:18:54:972 PM ICT: Thread[ajp-,5,jboss]
No controls returned

What this means is that use cases such as Password Expired cannot be detected automatically by OpenAM during authentication. The trace shows the server returning the Password Policy Response Control on the bind response but with no value, so the OpenDJ SDK decoder in OpenAM rejects it and the module continues as if no controls had been returned at all.

If the IETF-approved password policy is supported and the control is returned with a proper value, OpenAM should be able to detect the Password Expired use case from the error field of that control. See Password Must be Changed Now Check.

Currently, based on my testing, OpenAM treats IBM Tivoli Directory Server as not returning the Password Policy Response Control. As such, it is not able to detect the Password Expired use case.

In that scenario, OpenAM treats the Password Expired use case as Invalid Credentials: the bind fails with resultCode 49 and there is no decodable control to say why. This matches the behaviour described in the IBM LDAP documentation.
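To make the failure mode concrete, here is a small stand-alone decoder for the Behera PasswordPolicyResponseValue together with the decision an authentication module can make from the bind result code plus that control. This is an added example, not OpenAM code and not the OpenDJ SDK decoder seen in the stack trace; the control values below are constructed by hand, not captured from Tivoli Directory Server, and the outcome labels returned by classify_bind are my own names, not OpenAM's.

```python
"""Decode the Behera PasswordPolicyResponseValue (draft-behera-ldap-password-policy)
and show why a control that arrives without a value leaves an authentication module
unable to tell 'password expired' from 'invalid credentials'.

Added example with constructed inputs; not OpenAM or OpenDJ SDK code.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"  # same OID for request and response
INVALID_CREDENTIALS = 49                           # LDAP resultCode invalidCredentials

# error [1] ENUMERATED values from the draft
ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}


class DecodeError(ValueError):
    """Raised when the control value is absent or not valid BER for the draft syntax."""


@dataclass
class PasswordPolicyResponse:
    time_before_expiration: Optional[int] = None  # warning [0] CHOICE, alternative [0]
    grace_authns_remaining: Optional[int] = None  # warning [0] CHOICE, alternative [1]
    error: Optional[str] = None                   # error [1] ENUMERATED


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER TLV with a definite length. Returns (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise DecodeError("unexpected end of data")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise DecodeError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise DecodeError("length exceeds data")
    return tag, buf[pos:pos + length], pos + length


def _int(value: bytes) -> int:
    if not value:
        raise DecodeError("empty INTEGER")
    return int.from_bytes(value, "big", signed=True)


def decode_ppolicy_response(value: Optional[bytes]) -> PasswordPolicyResponse:
    """Decode the control value. None or b'' is the case from the log above:
    the control is present on the response but carries no value."""
    if not value:
        raise DecodeError("password policy response control has no value")
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise DecodeError("expected a single SEQUENCE")
    resp = PasswordPolicyResponse()
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == 0xA0:  # warning [0], constructed, wrapping the CHOICE
            wtag, wval, wend = _read_tlv(inner, 0)
            if wend != len(inner):
                raise DecodeError("trailing bytes in warning")
            if wtag == 0x80:
                resp.time_before_expiration = _int(wval)
            elif wtag == 0x81:
                resp.grace_authns_remaining = _int(wval)
            else:
                raise DecodeError(f"unknown warning tag {wtag:#x}")
        elif tag == 0x81:  # error [1], primitive ENUMERATED
            code = _int(inner)
            if code not in ERRORS:
                raise DecodeError(f"unknown error code {code}")
            resp.error = ERRORS[code]
        else:
            raise DecodeError(f"unexpected tag {tag:#x}")
    return resp


def classify_bind(result_code: int, control_value: Optional[bytes]) -> str:
    """What a module can conclude from the bind resultCode plus the control value.
    Without a decodable control, an expired password collapses into INVALID_CREDENTIALS,
    which is the behaviour the post describes against Tivoli Directory Server."""
    try:
        ppolicy = decode_ppolicy_response(control_value)
    except DecodeError:
        ppolicy = None  # undecodable or absent: same as 'no controls returned'
    if ppolicy is not None and ppolicy.error == "passwordExpired":
        return "PASSWORD_EXPIRED"
    if ppolicy is not None and ppolicy.error == "changeAfterReset":
        return "PASSWORD_MUST_CHANGE"
    if ppolicy is not None and ppolicy.error is not None:
        return ppolicy.error.upper()
    if result_code == INVALID_CREDENTIALS:
        return "INVALID_CREDENTIALS"
    if ppolicy is not None and ppolicy.time_before_expiration is not None:
        return f"OK_EXPIRES_IN_{ppolicy.time_before_expiration}s"
    if ppolicy is not None and ppolicy.grace_authns_remaining is not None:
        return f"OK_GRACE_{ppolicy.grace_authns_remaining}"
    return "OK"


if __name__ == "__main__":
    # Constructed samples: SEQUENCE{error passwordExpired}, SEQUENCE{warning 60s}, empty value.
    print(classify_bind(49, bytes.fromhex("3003810100")))     # PASSWORD_EXPIRED
    print(classify_bind(0, bytes.fromhex("3005a00380013c")))  # OK_EXPIRES_IN_60s
    print(classify_bind(49, b""))                             # INVALID_CREDENTIALS
```

The middle case is the one to watch for in a deployment like this: a compliant server that rejects an expired password returns resultCode 49 together with a control whose error field is passwordExpired, and only the control separates that from a mistyped password. A quick way to tell a server-side problem from an OpenAM problem is to capture the bind response and check whether the control's value octets are present at all, since that is exactly what the decoder above (and the OpenDJ one in the trace) complains about.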

