
neil_a_wilson
21.09.2006 0bd16bc948ad073b128c03e4713105212e072b2b
Add a new password policy for root users to isolate them from changes to the
default policy and to make it more obvious that root users are subject to
password policy enforcement. The new password policy is the same as the
default policy with the following exceptions:

- The default password storage scheme has been changed from SSHA to SSHA512
- There is no default password generator
- Password changes require that the current password be provided

OpenDS Issue Number: 676
3 files modified
88 ■■■■■ changed files
opends/resource/config/config.ldif 32 ●●●●● patch | view | raw | blame | history
opends/src/server/org/opends/server/extensions/SaltedSHA512PasswordStorageScheme.java 52 ●●●●● patch | view | raw | blame | history
opends/src/server/org/opends/server/tools/ConfigureDS.java 4 ●●●● patch | view | raw | blame | history
opends/resource/config/config.ldif
@@ -824,7 +824,7 @@
dn: cn=Default Password Policy,cn=Password Policies,cn=config
objectClass: top
objectClass: ds-cfg-password-policy
cn: Default PasswordPolicy
cn: Default Password Policy
ds-cfg-password-attribute: userPassword
ds-cfg-default-password-storage-scheme: SSHA
ds-cfg-allow-expired-password-changes: false
@@ -849,6 +849,33 @@
ds-cfg-require-secure-password-changes: false
ds-cfg-skip-validation-for-administrators: false
dn: cn=Root Password Policy,cn=Password Policies,cn=config
objectClass: top
objectClass: ds-cfg-password-policy
cn: Root Password Policy
ds-cfg-password-attribute: userPassword
ds-cfg-default-password-storage-scheme: SSHA512
ds-cfg-allow-expired-password-changes: false
ds-cfg-allow-multiple-password-values: false
ds-cfg-allow-pre-encoded-passwords: false
ds-cfg-allow-user-password-changes: true
ds-cfg-expire-passwords-without-warning: false
ds-cfg-force-change-on-add: false
ds-cfg-force-change-on-reset: false
ds-cfg-grace-login-count: 0
ds-cfg-idle-lockout-interval: 0 seconds
ds-cfg-lockout-failure-count: 0
ds-cfg-lockout-duration: 0 seconds
ds-cfg-lockout-failure-expiration-interval: 0 seconds
ds-cfg-minimum-password-age: 0 seconds
ds-cfg-maximum-password-age: 0 seconds
ds-cfg-maximum-password-reset-age: 0 seconds
ds-cfg-password-expiration-warning-interval: 5 days
ds-cfg-password-change-requires-current-password: true
ds-cfg-require-secure-authentication: false
ds-cfg-require-secure-password-changes: false
ds-cfg-skip-validation-for-administrators: false
dn: cn=Password Storage Schemes,cn=config
objectClass: top
objectClass: ds-cfg-branch
@@ -998,11 +1025,12 @@
cn: Directory Manager
givenName: Directory
sn: Manager
userPassword: {SSHA}7SvN6HIPUPGr0YFd0NbRkoXWyWzHsOnEfUMyxg==
userPassword: {SSHA512}l1t43vVl7Uh03PpQ2vCsT0B7Q0HTi+tKJmH7tZTmSGaKrMHWHO1czfwEsjMgfbeQoiYQDGDuxolipR0H6ajMu1YHlTjPNG9Z
ds-cfg-alternate-bind-dn: cn=Directory Manager
ds-rlim-size-limit: 0
ds-rlim-time-limit: 0
ds-rlim-lookthrough-limit: 0
pwdPolicySubentry: cn=Root Password Policy,cn=Password Policies,cn=config
dn: cn=Root DSE,cn=config
objectClass: top
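Review bot: The new cn=Root Password Policy entry carries no comment stating which attributes deliberately differ from the default policy, so the three intended differences from the commit message (SSHA512 scheme, no default password generator, current password required on change) can only be recovered by diffing the two entries. An LDIF comment above the `dn:` line, `# Root user policy: identical to the default policy except for the SSHA512 storage scheme, no default password generator, and ds-cfg-password-change-requires-current-password: true.`, would keep that intent visible to whoever edits the template next. Lockout (`ds-cfg-lockout-failure-count: 0`) and the secure-authentication requirements remain off for root users exactly as in the default policy; if that is intentional the comment should say so, since this entry now governs cn=Directory Manager through the added pwdPolicySubentry attribute.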
opends/src/server/org/opends/server/extensions/SaltedSHA512PasswordStorageScheme.java
@@ -615,5 +615,57 @@
    // SHA-2 should be considered secure.
    return true;
  }
  /**
   * Generates an encoded password string from the given clear-text password.
   * This method is primarily intended for use when it is necessary to generate
   * a password with the server offline (e.g., when setting the initial root
   * user password).
   *
   * @param  passwordBytes  The bytes that make up the clear-text password.
   *
   * @return  The encoded password string, including the scheme name in curly
   *          braces.
   *
   * @throws  DirectoryException  If a problem occurs during processing.
   */
  public static String encodeOffline(byte[] passwordBytes)
         throws DirectoryException
  {
    byte[] saltBytes = new byte[NUM_SALT_BYTES];
    new SecureRandom().nextBytes(saltBytes);
    byte[] passwordPlusSalt = new byte[passwordBytes.length + NUM_SALT_BYTES];
    System.arraycopy(passwordBytes, 0, passwordPlusSalt, 0,
                     passwordBytes.length);
    System.arraycopy(saltBytes, 0, passwordPlusSalt, passwordBytes.length,
                     NUM_SALT_BYTES);
    MessageDigest messageDigest;
    try
    {
      messageDigest =
           MessageDigest.getInstance(MESSAGE_DIGEST_ALGORITHM_SHA_512);
    }
    catch (Exception e)
    {
      int msgID = MSGID_PWSCHEME_CANNOT_INITIALIZE_MESSAGE_DIGEST;
      String message = getMessage(msgID, MESSAGE_DIGEST_ALGORITHM_SHA_512,
                                  String.valueOf(e));
      throw new DirectoryException(ResultCode.OTHER, message, msgID, e);
    }
    byte[] digestBytes    = messageDigest.digest(passwordPlusSalt);
    byte[] digestPlusSalt = new byte[digestBytes.length + NUM_SALT_BYTES];
    System.arraycopy(digestBytes, 0, digestPlusSalt, 0, digestBytes.length);
    System.arraycopy(saltBytes, 0, digestPlusSalt, digestBytes.length,
                     NUM_SALT_BYTES);
    return "{" + STORAGE_SCHEME_NAME_SALTED_SHA_512 + "}" +
           Base64.encode(digestPlusSalt);
  }
}
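Review bot: encodeOffline copies the clear-text password into a second array, `passwordPlusSalt`, that is never cleared, so the root password sits in two heap buffers until garbage collection rather than one. The concatenation is unnecessary because MessageDigest accumulates input: drop the `passwordPlusSalt` construction and replace the `digest(passwordPlusSalt)` line with `messageDigest.update(passwordBytes); messageDigest.update(saltBytes); byte[] digestBytes = messageDigest.digest();`. The `catch (Exception e)` around `getInstance` would be more precise as `catch (NoSuchAlgorithmException e)`, though it may be following the style of the rest of the class, which is outside the hunk. NUM_SALT_BYTES, MESSAGE_DIGEST_ALGORITHM_SHA_512 and STORAGE_SCHEME_NAME_SALTED_SHA_512 are declared outside the hunk, so the note assumes they match the online encoding path.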
opends/src/server/org/opends/server/tools/ConfigureDS.java
@@ -39,7 +39,7 @@
import org.opends.server.core.DirectoryException;
import org.opends.server.core.DirectoryServer;
import org.opends.server.core.LockFileManager;
import org.opends.server.extensions.SaltedSHA1PasswordStorageScheme;
import org.opends.server.extensions.SaltedSHA512PasswordStorageScheme;
import org.opends.server.protocols.ldap.LDAPResultCode;
import org.opends.server.types.DN;
import org.opends.server.util.args.ArgumentException;
@@ -441,7 +441,7 @@
          byte[] rootPWBytes = getBytes(rootPW);
          String encodedPassword =
               SaltedSHA1PasswordStorageScheme.encodeOffline(rootPWBytes);
               SaltedSHA512PasswordStorageScheme.encodeOffline(rootPWBytes);
          StringConfigAttribute bindPWAttr =
               new StringConfigAttribute(ATTR_USER_PASSWORD, "", false, false,
                                         false, encodedPassword);
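Review bot: The switch to `SaltedSHA512PasswordStorageScheme.encodeOffline` hard-codes the scheme ConfigureDS uses for the initial root password, and nothing in this hunk ties it to the `ds-cfg-default-password-storage-scheme: SSHA512` value of the Root Password Policy that the same commit adds to config.ldif. A one-line comment above the assignment, `// Must match ds-cfg-default-password-storage-scheme of the Root Password Policy in config.ldif.`, would make that coupling visible so the two are changed together. The enclosing method starts and ends outside the hunk.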