Work in progress
This site is in the process of being reviewed and updated.
Before
Previously, Change Password protocol configuration existed in a PropertiesFactoryBean, along with JNDI environment properties.
<bean id="environment" class="org.springframework.beans.factory.config.PropertiesFactoryBean"> <property name="properties"> <props> <prop key="java.naming.security.authentication">simple</prop> <prop key="java.naming.security.principal">uid=admin,ou=system</prop> <prop key="java.naming.security.credentials">secret</prop> <prop key="changepw.entryBaseDn">ou=users,dc=example,dc=com</prop> <prop key="changepw.java.naming.security.credentials">secret</prop> </props> </property> </bean>
After
At the same time as the addition of numerous configuration parameters for SASL to the LDAP protocol, Change Password configuration has all moved to a ChangePasswordConfiguration bean.
<bean id="changePasswordConfiguration" class="org.apache.directory.server.changepw.ChangePasswordConfiguration"> <!-- Whether to enable the Change Password protocol. --> <property name="enabled" value="true" /> <!-- The port to run the Change Password protocol on. --> <property name="ipPort" value="464" /> </bean>
The ChangePasswordConfiguration bean is subordinate to the MutableServerStartupConfiguration.
<bean id="configuration" class="org.apache.directory.server.configuration.MutableServerStartupConfiguration"> ... <property name="changePasswordConfiguration" ref="changePasswordConfiguration" /> ... </bean>
Common Service Configuration Parameters
Parameter |
Default value |
Description |
---|---|---|
enabled |
false |
Whether this service is enabled. |
ipPort |
464 |
The IP port for this service. |
ipAddress |
No default. |
The IP address for this service. |
searchBaseDn |
"ou=users,dc=example,dc=com" |
The single location where principals are stored. If this property is not set the store will search the system partition configuration for catalog entries. Catalog support is highly experimental and is only tested in the OSGi build of ApacheDS using the Config Admin service. |
initialContextFactory |
"org.apache.directory.server.core.jndi.CoreContextFactory" |
The JNDI initial context factory to use. |
securityAuthentication |
"simple" |
The authentication mechanism to use for establishing a JNDI context. |
securityPrincipal |
"uid=admin,ou=system" |
The principal to use for establishing a JNDI context. |
securityCredentials |
"secret" |
The credentials to use for establishing a JNDI context. |
serviceName |
Apache Change Password Service |
The friendly name of this service. |
servicePid |
org.apache.changepw |
The PID for this service. A PID is a unique identifier for an instance of a service. PID's are used by OSGi's Config Admin service to dynamically inject configuration into a service when the service is started. |
catalogBaseDn |
No default. |
The single location where catalog entries are stored. A catalog entry is a mapping of a realm (or zone for DNS) to a search base DN. If this property is not set the store will expect a single search base DN to be set. Catalog support is highly experimental and is only tested in the OSGi build of ApacheDS using the Config Admin service. |
Change Password-Specific Configuration Parameters
Parameter |
Default value |
Description |
---|---|---|
encryptionTypes |
des-cbc-md5 |
The encryption types. |
primaryRealm |
EXAMPLE.COM |
The primary realm. |
servicePrincipal |
kadmin/changepw@EXAMPLE.COM |
The service principal name. |
allowableClockSkew |
5 minutes |
The allowable clock skew. |
emptyAddressesAllowed |
true |
Whether tickets issued with empty Host Addresses are allowed. |
policyPasswordLength |
6 characters |
The policy for minimum password length. |
policyCategoryCount |
3 (out of 4) |
The policy for number of character categories required (A - Z), (a - z), (0 - 9), non-alphanumeric (!, $, #, %, ... ). |
policyTokenSize |
3 characters |
The policy for minimum token size. Passwords must not contain tokens larger than 'policyTokenSize' that occur in the user's principal name. |
More Information
For help with more advanced configurations, check out our Interoperability Guide.