Introduction
The Change Password service is a protocol provider that implements RFC 3244 to service Kerberos Change Password and Set Password Protocol requests. Change Password is a request-reply protocol that uses Kerberos infrastructure to allow users to securely set initial passwords or to change existing passwords. The Change Password protocol interoperates with the original Kerberos Change Password protocol, while adding the ability for an administrator to set a password for a new user.
The Change Password service is implemented as a protocol-provider plugin for the Apache Directory server. As a plugin, Change Password leverages Apache MINA for front-end services and the Apache Directory read-optimized backing store via JNDI for persistent directory services.
Change Password, in conjunction with MINA and the Apache Directory, provides an easy-to-use yet fully-featured password service. As implemented within the Apache Directory, Change Password will provide:
- Original Kerberos password changing service
- Initial password setting service (RFC 3244)
- Optional LDAP management
- UDP and TCP Support (MINA)
- Traffic throttling (MINA)
- Overload shielding (MINA)
- Easy POJO embeddability for containers such as Geronimo, JBoss, and OSGi
Configuration
Change Password Property |
Default Value |
Description |
---|---|---|
changepw.principal |
kadmin/changepw@EXAMPLE.COM |
Principal for this Change Password server |
changepw.primary.realm |
EXAMPLE.COM |
Primary realm this Change Password service serves |
changepw.port |
464 |
The port for the Change Password protocol to use |
changepw.entry.basedn |
ou=Users,dc=example,dc=com |
Base DN for looking up users |
changepw.encryption.types |
des-cbc-md5 |
Allowed Kerberos Cipher Text type(s) |
changepw.empty.addresses.allowed |
true |
Whether tickets issued with empty Host Addresses are allowed |
changepw.allowable.clockskew |
5 minutes |
Allowable clockskew for all Change Password transactions |
changepw.password.length |
6 characters |
Minimum password length |
changepw.category.count |
3 (out of 4) |
Number of character categories required (A - Z), (a - z), (0 - 9), non-alphanumeric (!, $, #, %, ... ) |
changepw.token.size |
3 characters |
Password must not contain tokens larger than 3 characters that occur in the user's principal name. |
changepw.buffer.size |
1024 |
Buffer size for MINA ByteBuffers |
java.naming.ldap.attributes.binary |
krb5Key |
MANDATORY for JNDI to return Kerberos keys as binary, not String |