Join me at CommunityOne and JavaOne 2007.

I’m going to be at JavaOne this year, to present with a few other colleagues what we’re doing with OpenDS and also on the Java LDAP API front. And I will be supporting my co-workers from the Grenoble Engineering Center who had the chance to get their presentation accepted: Eamonn and Jean-Francois, Luis-Miguel, Christophe and Frederic, Paul, Bertrand.

I will also be present at the CommunityOne as OpenDS is part of the Glassfish track.

See you there. And if you have not registered, it is not too late.

Join Me at the 2007 JavaOne Conference Event Connect Tool!

Directory Server 6 and ldappasswd

Sun Java System Directory Server 6.0 now supports RFC 3062 : LDAP Password Modify Extended Operation, and a new tool is delivered as part of Directory Server Enterprise Edition 6.0 to take advantage of it: ldappasswd.

ldappasswd allows a user or an administrator to change the password of any account. Of course, by default a set of restrictions is configured to prevent malicious use of this feature.

In order to be usable by users other than administrators, the Password Modify Extended Operation requires specific ACIs to be added under cn=config.

An example of ACI for the Password Modify Extended operation is presented in the Directory Server Enterprise Edition Administration Manual.

But to allow any authenticated user to change their own password with this tool, the Directory Administrator must add the following entry and ACI, in addition to the usual ACI that allows self write on the userPassword attribute:

dn: oid=1.3.6.1.4.1.4203.1.11.1,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 1.3.6.1.4.1.4203.1.11.1
cn: Password Modify Extended Op Access Control
aci: (targetattr != "aci")(version 3.0; acl "Allow Password Change
  Extended Op to all auth users"; allow( read , search, compare, proxy )
  (userdn = "ldap:///all" and authmethod = "SSL");)

Note that this ACI will require that ldappasswd be used with SSL (which is a good thing if you want to avoid passwords being transferred in cleartext on the network). The continuation lines of the aci value above start with a single space, as LDIF requires for a folded attribute value.

Now I can change my own password in LDAP with the tool:

ldappasswd -h <host> -p <port> -D "cn=Ludo,ou=Smart Engineers,dc=Sun,dc=Com" -A -S -Z \
-P /home/ludo/security -N "LudoCert" -W keypasswd "cn=Ludo,ou=Smart Engineers,dc=Sun,dc=com"
Old Password: myOldPasswd
New Password: aNewOne
Re-enter new Password: aNewOne
ldappasswd: password successfully changed
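What ldappasswd sends on the wire is an LDAP extended request with the OID from the entry above and a BER-encoded PasswdModifyRequestValue as defined in RFC 3062. The following is an added example, not code from Directory Server or from this post, that encodes and strictly decodes that request value in pure Python, and adds a hypothetical server-side policy check (request_allowed, an assumption of mine, not Directory Server 6's real logic) that mirrors the intent of the ACI: SSL mandatory, users may only change their own password and must supply the old one, administrators may set any password.

```python
"""RFC 3062 Password Modify extended operation: request value encoder/decoder.
Added illustration; the sample DN and passwords below are the ones from the post."""

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # requestName from RFC 3062 (same OID as the ACI entry)

# Context-specific primitive tags from the ASN.1 in RFC 3062, section 2
_TAG_USER_IDENTITY = 0x80
_TAG_OLD_PASSWD = 0x81
_TAG_NEW_PASSWD = 0x82
_TAG_SEQUENCE = 0x30
_FIELD_NAMES = {_TAG_USER_IDENTITY: "userIdentity",
                _TAG_OLD_PASSWD: "oldPasswd",
                _TAG_NEW_PASSWD: "newPasswd"}


def _ber_length(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _ber_length(len(value)) + value


def encode_passwd_modify_request(user_identity=None, old_passwd=None, new_passwd=None):
    """Build the requestValue; every field is OPTIONAL, omitted ones are simply absent."""
    inner = b""
    if user_identity is not None:
        inner += _tlv(_TAG_USER_IDENTITY, user_identity.encode("utf-8"))
    if old_passwd is not None:
        inner += _tlv(_TAG_OLD_PASSWD, old_passwd.encode("utf-8"))
    if new_passwd is not None:
        inner += _tlv(_TAG_NEW_PASSWD, new_passwd.encode("utf-8"))
    return _tlv(_TAG_SEQUENCE, inner)


def _read_tlv(buf, pos):
    """Read one tag/length/value triple at pos; reject truncated or oversized lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:end], end


def decode_passwd_modify_request(data):
    """Parse a requestValue into a dict; strict about trailing bytes, tag order and duplicates."""
    tag, body, end = _read_tlv(data, 0)
    if tag != _TAG_SEQUENCE or end != len(data):
        raise ValueError("not a single SEQUENCE")
    fields, pos, last_tag = {}, 0, 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t not in _FIELD_NAMES:
            raise ValueError("unexpected tag 0x%02x" % t)
        if t <= last_tag:  # SEQUENCE fields appear in declared order, each at most once
            raise ValueError("duplicate or out-of-order field")
        last_tag = t
        fields[_FIELD_NAMES[t]] = v.decode("utf-8")
    return fields


def request_allowed(fields, bound_dn, over_tls, admin_dns=frozenset()):
    """Hypothetical policy (assumption, not Directory Server's real logic):
    refuse without TLS, let admins set any password, and let everyone else
    change only their own password while proving knowledge of the old one."""
    if not over_tls:
        return False
    if bound_dn in admin_dns:
        return "newPasswd" in fields
    target = fields.get("userIdentity", bound_dn)  # absent userIdentity means "the bound user"
    return (target.lower() == bound_dn.lower()
            and "oldPasswd" in fields and "newPasswd" in fields)


if __name__ == "__main__":
    dn = "cn=Ludo,ou=Smart Engineers,dc=Sun,dc=com"
    req = encode_passwd_modify_request(dn, "myOldPasswd", "aNewOne")
    print(req.hex())
    print(decode_passwd_modify_request(req))
    print("allowed over TLS:", request_allowed(decode_passwd_modify_request(req), dn, True))
    print("allowed in clear:", request_allowed(decode_passwd_modify_request(req), dn, False))
```

The decoder deliberately rejects repeated or reordered fields rather than letting a later value silently overwrite an earlier one, which is the kind of leniency that lets two parsers disagree about which password a request carries.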