
Introduction

The Change Password service is a protocol provider that implements RFC 3244 to service Kerberos Change Password and Set Password Protocol requests. Change Password is a request-reply protocol that uses Kerberos infrastructure to allow users to securely set initial passwords or to change existing passwords. The Change Password protocol interoperates with the original Kerberos Change Password protocol, while adding the ability for an administrator to set a password for a new user.

The Change Password service is implemented as a protocol-provider plugin for the Apache Directory server. As a plugin, Change Password leverages Apache MINA for front-end services and the Apache Directory read-optimized backing store via JNDI for persistent directory services.

Change Password, in conjunction with MINA and the Apache Directory, provides an easy-to-use yet fully-featured password service. As implemented within the Apache Directory, Change Password will provide:

  • Original Kerberos password changing service
  • Initial password setting service (RFC 3244)
  • Optional LDAP management
  • UDP and TCP Support (MINA)
  • Traffic throttling (MINA)
  • Overload shielding (MINA)
  • Easy POJO embeddability for containers such as Geronimo, JBoss, and OSGi

Configuration

Change Password Property           | Default Value               | Description
-----------------------------------|-----------------------------|------------------------------------------------------------
changepw.principal                 | kadmin/changepw@EXAMPLE.COM | Principal for this Change Password server
changepw.primary.realm             | EXAMPLE.COM                 | Primary realm this Change Password service serves
changepw.port                      | 464                         | The port for the Change Password protocol to use
changepw.entry.basedn              | ou=Users,dc=example,dc=com  | Base DN for looking up users
changepw.encryption.types          | des-cbc-md5                 | Allowed Kerberos cipher text type(s)
changepw.empty.addresses.allowed   | true                        | Whether tickets issued with empty Host Addresses are allowed
changepw.allowable.clockskew       | 5 minutes                   | Allowable clock skew for all Change Password transactions
changepw.password.length           | 6 characters                | Minimum password length
changepw.category.count            | 3 (out of 4)                | Number of character categories required: (A - Z), (a - z), (0 - 9), non-alphanumeric (!, $, #, %, ...)
changepw.token.size                | 3 characters                | Password must not contain tokens larger than 3 characters that occur in the user's principal name
changepw.buffer.size               | 1024                        | Buffer size for MINA ByteBuffers
java.naming.ldap.attributes.binary | krb5Key                     | MANDATORY for JNDI to return Kerberos keys as binary, not String
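The three password-quality settings in the table (changepw.password.length, changepw.category.count and changepw.token.size) are easy to misread, so here is an added example, written for this page and not part of ApacheDS, that applies them to candidate passwords with the table's defaults. The page does not say how the server tokenizes the principal name; splitting it on non-alphanumeric characters and comparing case-insensitively are assumptions of this example, as are the sample principal and passwords.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass
class ChangePasswordPolicy:
    """The three password-quality settings from the configuration table, with their defaults."""
    password_length: int = 6   # changepw.password.length: minimum length
    category_count: int = 3    # changepw.category.count: categories required out of 4
    token_size: int = 3        # changepw.token.size: principal tokens larger than this are forbidden


def character_categories(password: str) -> int:
    """Count how many of the four categories (A-Z, a-z, 0-9, non-alphanumeric) occur."""
    present = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(present)


def principal_tokens(principal: str, token_size: int) -> List[str]:
    """Split a principal such as 'hnelson@EXAMPLE.COM' into alphanumeric tokens and keep
    those larger than token_size. Splitting on non-alphanumerics is an assumption made
    for this example; the page does not state how the server tokenizes the name."""
    return [t for t in re.split(r"[^A-Za-z0-9]+", principal) if len(t) > token_size]


def check_password(password: str, principal: str,
                   policy: ChangePasswordPolicy = ChangePasswordPolicy()) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    violations: List[str] = []
    if len(password) < policy.password_length:
        violations.append(f"shorter than {policy.password_length} characters")
    found = character_categories(password)
    if found < policy.category_count:
        violations.append(f"uses {found} of 4 character categories, {policy.category_count} required")
    lowered = password.lower()  # case-insensitive comparison is an assumption of this example
    for token in principal_tokens(principal, policy.token_size):
        if token.lower() in lowered:
            violations.append(f"contains principal token '{token}'")
    return violations


if __name__ == "__main__":
    # Constructed sample principal and candidate passwords, not taken from any real deployment.
    principal = "hnelson@EXAMPLE.COM"
    for candidate in ("Secret123!", "hnelson1", "Ab1!", "Example9x"):
        problems = check_password(candidate, principal)
        print(f"{candidate!r}: {'accepted' if not problems else '; '.join(problems)}")
```

Running the script shows the interplay of the rules: "hnelson1" fails twice (two categories and the principal token "hnelson"), "Example9x" satisfies length and categories but is rejected for containing "EXAMPLE", and the realm component "COM" is never a forbidden token because it is not larger than the 3-character token size.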
