OpenDS 2.0.0 Release Candidate 1 is now available

The OpenDS development team is very pleased to announce the immediate availability of OpenDS 2.0.0-RC1, which is the first release candidate for OpenDS 2.0.

OpenDS 2.0 has a number of new features over OpenDS 1.2.0, which was released in February 2009:

  • A new mode for Multi-Master Replication providing greater consistency and availability of data: Assured Replication
  • Recurring tasks allow an administrator to schedule repeated tasks such as backups
  • New extensible matching rules and indexing, allowing comparison and ordering of data according to specific locales and languages
  • Better monitoring information for the server and for Replication
  • Full compliance with RFC 4518 and matching of UTF-8 in attributes with a DirectoryString syntax
  • VLV indexes are now built during the Import
  • Several improvements in the Control Panel
  • Works with IBM JVM (Java 6 SR4 required)
  • Works by default with JConsole and VisualVM when JMX Connection Handler is enabled
  • Default settings and ergonomics have been improved, reducing the need for tuning parts of the server
  • Greatly improved performance, and better stability of that performance over time
  • Resolved a possible security issue when Pre-ReadEntry, Post-ReadEntry and Assertion Controls were enabled

Overall, over 150 issues have been fixed. However, there are still a few issues with the release candidate; in particular, upgrading from an earlier version is not functional. This should be fixed in the next release candidate.

Localization of the OpenDS messages is still a work in progress, so some messages can still appear in English when running a localized version of the server.

The purpose of the Release Candidate is to solicit one last round of testing before the final release.

So please test the OpenDS release with your client applications, in your environment or on your favorite platform.

If you do find a bug, please report it with the Issue Tracker.

We welcome feedback. Please report your experience with OpenDS on our mailing lists, or on the #opends IRC channel on Freenode.

OpenDS 2.0.0-RC1 is built from revision 5374 of the b2.0 branch of our source tree.

The direct link to download the core server is: http://www.opends.org/promoted-builds/2.0.0-RC1/OpenDS-2.0.0-RC1.zip

The direct link to download the DSML gateway is: http://www.opends.org/promoted-builds/2.0.0-RC1/OpenDS-2.0.0-RC1-DSML.war

We have also updated the archive that may be used to install OpenDS via Java Web Start. You may launch that using the URL http://www.opends.org/promoted-builds/2.0.0-RC1/install/QuickSetup.jnlp, or visit https://www.opends.org/wiki/page/OverviewOfTheQuickSetupTool for more information.

Detailed information about this build is available at http://www.opends.org/promoted-builds/2.0.0-RC1.

Major changes incorporated since OpenDS 1.3.0-build006 include:

  • Revision 5318 (Issue #3969) – Provide support for wildcards in dsconfig certificate management.
  • Revision 5321 (Issue #3962) – Fix memory leaks after Bind – Unbind
  • Revision 5323 (Issue #3971) – Enable Windows to detect the JVM automatically on install.
  • Revision 5336 (Issue #3981) – Fix uncontrolled memory growth under heavy connect/disconnect load.
  • Revision 5338 (Issue #3977) – Fix memory leak in Control Panel.
  • Revision 5347 (Issue #3938) – Improve the speed of dsconfig in non-interactive mode.
  • Revision 5364 (Issue #3995) – Fix an error that caused replication to stop if the queue-size-bytes maximum was reached.
  • Revision 5365 (Issue #3250) – Fix a problem that could cause replication initialization to fail.
  • Revision 5369 (Issues #3984 & #3989) – Fix security issues with Assertion, Pre-Read, and Post-Read Controls.
  • Revision 5374 – Upgrade JE to the latest official release (3.3.82).


OpenDS as the OpenSSO User Repository

OpenSSO Express 7 was announced earlier in April with full support for OpenDS Standard Edition for storing users’ identity data.

Back in March, I pointed out Indira’s blog and the detailed how to guide for configuring OpenDS as the OpenSSO user store.

Recently, the official documentation appeared on the OpenSSO resource center. So if you want to use OpenDS as the OpenSSO User Repository, I encourage you to read and follow the steps detailed here: http://wikis.sun.com/display/OpenSSO/Using+OpenDS+as+a+User+Data+Store.

OpenDS 1.3.0-Build006 is now available

We have just uploaded OpenDS 1.3.0-build006, built from revision 5309 of our source tree, to our promoted builds folder.

Note that now that this build has been promoted, we’ve made a branch on the OpenDS code repository to produce the OpenDS 2.0 release. The next promoted build will be a release candidate.

The direct link to download the core server is: http://www.opends.org/promoted-builds/1.3.0-build006/OpenDS-1.3.0-build006.zip

The direct link to download the DSML gateway is: http://www.opends.org/promoted-builds/1.3.0-build006/OpenDS-1.3.0-build006-DSML.war

We have also updated the archive that may be used to install OpenDS via Java Web Start. You may launch that using the URL http://www.opends.org/promoted-builds/1.3.0-build006/install/QuickSetup.jnlp, or visit https://www.opends.org/wiki/page/OverviewOfTheQuickSetupTool for more information.

There are still issues with upgrading with the QuickSetup tool, and reverting to a build earlier than revision 5134 is not supported.

Detailed information about this build is available at http://www.opends.org/promoted-builds/1.3.0-build006.

Major changes that have been incorporated since the last promoted build (OpenDS 1.3.0-build004) include:

  • Revision 5185 (Issue #3609) – Added the ability to deregister delayed listeners on a configuration entry.
  • Revision 5187 (Issue #3194) – Ensure that ldapcompare checks for superfluous arguments.
  • Revision 5193 (Issue #3915) – Ensure that abandon operations do not block request handlers.
  • Revision 5195 – Addition of localized resource files with new translations.
  • Revision 5196 (Issue #3686) – Fix an issue that prevented make-ldif from parsing redirects to file based attributes.
  • Revision 5197 (Issue #2764) – Fix a problem with the ldapsearch --countEntries option.
  • Revision 5199 (Issue #3779) – Fix an issue that caused a merge with real attribute to show only the virtual attribute value.
  • Revision 5201 (Issue #2070) – Add validation of the DB cache size before applying it to the JE.
  • Revision 5208 (Issue #2642) – Fix a problem that prevented ldif-diff from detecting differences in encoded values.
  • Revision 5209 (Issue #3814) – Fix a problem that caused the start-ds script to return before the server had started.
  • Revision 5210 (Issue #3913) – Fix a problem that caused OpenDS to stop accepting connections after being pinged by specific Load Balancers.
  • Revision 5214 – Add support for numSubordinates in NDB Backend
  • Revision 5218 (Issue #3001) – Fix a performance bottleneck in GeneralizedTimeSyntax.format.
  • Revision 5219 (Issue #3445) – Provide normalization of multi-valued RDNs.
  • Revision 5223 (Issue #3925) – Fix a problem with dsreplication.
  • Revision 5224 (Issues #2273 & #3482) – Add more stringent pattern checks to make sure that only files that could have been named by the TimeStampNaming policy are accepted by the filename filter.
  • Revision 5226 (Issue #3638) – Ensure that referrals are properly managed for bind operations.
  • Revision 5230 (Issue #2896) – The server should return a "Protocol Error" after a bind with an unrecognised version number.
  • Revision 5233 (Issue #2671) – Fix a problem that caused invalid values to be accepted for VLV index configuration.
  • Revision 5234 (Issue #3827) – Ensure that the import-ldif command takes into account the --skipfile option.
  • Revision 5235 (Issue #3926) – Ensure that import-ldif creates inherited objectclass attributes.
  • Revision 5236 (Issue #3343) – Fix a problem with virtual attribute rules.
  • Revision 5237 (Issue #3918) – Restore the behavior where an empty controls context-specific BER sequence is not encoded if the LDAP message has no controls.
  • Revision 5238 (Issue #2608) – Fix a problem that caused stop-ds to fail when the connection with the smtp-server failed.
  • Revision 5241 (Issues #3842 & #3770) – Validate recurring task day against the actual maximum of a given calendar instance.
  • Revision 5243 (Issue #3773) – Remove recurring task iterations completely upon recurring task removal.
  • Revision 5244 (Issue #2233) – Log a notice when a task starts and ends execution.
  • Revision 5247 (Issue #3336) – Take the appropriate action for failed dependencies for scheduled tasks.
  • Revision 5249 (Issue #2725) – Prevent completed tasks from causing exceptions if the task class is disallowed after it has completed.
  • Revision 5254 (Issue #3179) – Fix a thread left in the system after shutdown.
  • Revision 5256 – Use the platform mbean server by default to allow access to the server monitoring data from VisualVM and similar monitoring tools.
  • Revision 5257 & 5259 (Issues #3387 & #3388) – Fix issues with attribute name exceptions.
  • Revision 5260 – Improve the monitoring code in the case of a server being slow to answer.
  • Revision 5261 (Issue #2977) – Fix an exception that occurred during Replication Server database trimming.
  • Revision 5264 (Issue #3602) – Change the masks for user-defined and 3rd-party messages so that messages no longer have the top-bit set.
  • Revision 5265 (Issue #3047) – For export-ldif, change the default access rights of the exported file from 644 to 600.
  • Revision 5266 (Issue #2624) – Correct an issue that caused ldapsearch to return the wrong return code if no password was provided.
  • Revision 5268 – Various improvements to the task scheduler.
  • Revision 5272 – Avoid ConcurrentModificationException when removing completed task iterations.
  • Revision 5273 (Issue #3928) – Fix a problem that caused the wrong error message to be sent to the access log.
  • Revision 5276 (Issue #3939) – Improve memory allocation when sending search result entries.
  • Revision 5281 (Issue #3943) – Make the installation path consistent across tools.
  • Revision 5283 (Issue #3949) – Unknown trailing ASN.1 elements are now ignored when decoding the Password Modify extended operation value.
  • Revision 5285 (Issue #3951) – Fix an issue that was causing the Control Panel to use the admin port for ldap operations.
  • Revision 5286 (Issue #3948) – Correct the display of monitoring information in the Control Panel.
  • Revision 5287 (Issue #3931) – Fix a problem with virtual attributes generating data multiple times.
  • Revisions 5288 & 5289 (Issues #3944 & #3945) – Fix licensing issues with the upgrade utility.
  • Revision 5290 (Issue #3952) – Fix a problem with log files on Windows.
  • Revision 5292 (Issue #3444) – Fix a problem where only a single name form was allowed per structural object class.
  • Revision 5297 (Issue #3964) – Improve JE backend cleaner scalability.
  • Revision 5299 (Issue #3949) – Fix an issue in the ASN.1 parsing code to support LDAP implied extensibility.
  • Revision 5300 (Issue #3965) – Revert is not supported from 2.0 to a previous version. This change introduces the corresponding flag day.
  • Revision 5301 (Issue #3958) – Support upgrading from a standard OpenDS server to a branded OpenDS server of the same version.
  • Revision 5302 (Issue #3968) – Fix a problem that caused dsconfig --displayCommand to provide invalid values.
  • Revisions 5305 & 5306 (Issue #3964) – Enable high priority check-pointer by default for more robust out of the box performance.


OpenDS and LDAP naming services on the Identity Buzz Podcast

Two weeks ago, Nick Wooler and I talked about LDAP Naming Services and OpenDS in a new episode of the famous Identity Management Buzz Podcast. We cover the basics of naming services, why LDAP naming services are the way to go, and how OpenDS fits in this picture, for Solaris and OpenSolaris but also for other operating systems.

For more information, you can check the Identity Management Starter Kits for using OpenDS as the OpenSolaris Naming Service.

To learn more about OpenDS, go to the open source main web site http://www.opends.org/.


OpenDS Tab Sweep April 27

It’s been a while since I last swept my browser’s tabs. OpenDS is being used and mentioned more and more these days.

  • Masoud Kalali, in the Java zone of DZone.com, wrote a long and detailed article demonstrating how to do end-to-end security with JavaDB. One of the mechanisms for securing access to the database is LDAP-based authentication and authorization, and Masoud details how to use OpenDS to enable this.
  • In the Architects zone of DZone.com, Masoud again published an interview with me (yeah, I know, but a little bit of self promotion never hurts) about the OpenDS project and Sun Directory Server Enterprise Edition.
  • Johan Andersson wrote a blog post on the subject of LDAP and MySQL Cluster, describing some of the work we’ve done in the OpenDS project (and that has also been conducted in OpenLDAP).
  • On a different note, I came across the Ldap Synchronization Connector (LSC) open source project (under the BSD license), delivering tools to synchronize an LDAP directory from a list of data sources including any database with a JDBC connector, another LDAP directory, flat files… LSC seems a pretty new and confidential project, yet they are listing a few real customer deployments. LSC is written in Java, and uses OpenDS as an embedded directory server.
  • OpenDS on Amazon EC2. An Amazon Machine Image (AMI) built on the OpenSolaris AMI, with OpenDS pre-installed and ready to use is now available and supported. This was announced along with AMI for GlassFish and OpenSSO.


Hallo OpenDS ! Cześć OpenDS ! Hola OpenDS !

Communities are amazing. A day after we announced the Translation Community for the OpenDS project, we’ve already added 3 languages to the ones already set.

So I’m pleased to announce the availability, in the Community Translation Interface, of the OpenDS German translation project, the OpenDS Spanish translation project and the OpenDS Polish translation project.

OpenDS Gemeinschaft für Deutsch Übersetzung ist nun offen

OpenDS comunidad para la traducción español ya está abierto

OpenDS społeczność niemiecki tłumaczenie jest już otwarty

Disclaimer: the 3 translations above are computer generated, unlike the OpenDS community-led translations!

General discussions are taking place on the G11N alias <g11n@opends.dev.java.net>, but language-specific mailing lists have been created to discuss the details in native languages:

  • For German : g11n_de@opends.dev.java.net
  • For Spanish : g11n_es@opends.dev.java.net
  • For Polish: g11n_pl@opends.dev.java.net

Please subscribe to the mailing lists if you intend to participate. And many thanks to the OpenDS community members that have already signed up.


OpenDS 1.3.0-Build004 is now available

We have just uploaded OpenDS 1.3.0-build004, built from revision 5184 of our source tree, to our promoted builds folder.

Note that this is a jump from OpenDS 1.3.0-build002 to OpenDS 1.3.0-build004. OpenDS 1.3.0-build003 was done with specific compilation to enable the MySQL Cluster NDB Backend, but not promoted with the regular builds.

The direct link to download the core server is: http://www.opends.org/promoted-builds/1.3.0-build004/OpenDS-1.3.0-build004.zip

The direct link to download the DSML gateway is: http://www.opends.org/promoted-builds/1.3.0-build004/OpenDS-1.3.0-build004-DSML.war

We have also updated the archive that may be used to install OpenDS via Java Web Start. You may launch that using the URL http://www.opends.org/promoted-builds/1.3.0-build004/install/QuickSetup.jnlp, or visit https://www.opends.org/wiki/page/OverviewOfTheQuickSetupTool for more information.

Upgrade from 1.0 or 1.2 is still broken, but upgrade from 1.3.0-build002 should work. However, a Flag Day was raised with revision 5134 which requires a rebuild of all indexes, or even better export the database to LDIF and re-import it.

Compared to 1.2.0, OpenDS 1.3.0-build004 contains the following new features and major improvements :

  • Assured Replication that provides stronger consistency and availability for replicated data
  • Supports Recurring Tasks allowing an administrator to schedule repeated tasks such as backups
  • Improves default settings and ergonomics for some server properties
  • Now builds VLV indexes during Import
  • A new internal ASN.1 encoding / decoding library that delivers better and more stable performance
  • Improves the Control Panel in various areas
  • Now works well / better with IBM JVM
  • Full compliance with RFC 4518. Now DirectoryString matching fully supports UTF-8 characters
  • Supports language-specific matching rules for DirectoryStrings, for comparing and ordering, as well as support for indexing according to those rules
  • Provides better monitoring information for Replication
  • Full support for negotiating encryption through SASL and stacking encryption channels with TLS
  • Many performance improvements in the Core server and in Replication

Detailed information about this build is available at http://www.opends.org/promoted-builds/1.3.0-build004.

Major changes that have been incorporated since the last promoted build (OpenDS 1.3.0-build002) include:

  • Revision 5124 (Issue #3626) – Replace occurrences of grep, cat, etc. with built-in shell commands.
  • Revision 5125 (Issue #3896) – Fix an issue that prevented users from creating a sub-suffix with the Control Panel.
  • Revision 5126 (Issue #3826) – Fix an exception in the Control Panel that occurred if a node existed as a non-suffix node.
  • Revision 5129 (Issues #3295 & #3899) – Fix an SNMP exception at startup and a resource issue on Windows platforms.
  • Revision 5130 (Issue #3297) – Fix a problem that caused localised answers to be rejected by certain commands.
  • Revision 5131 (Issue #3528) – Check that the start time entered for scheduled tasks has not already passed.
  • Revision 5132 – Remove keytool dependency by using the keystore API, integrate Andy Wang’s IBM JVM/JDK changes, provide a Platform class to put platform and JDK version-specific code in a single location, provide APIs for core matching rules.
  • Revision 5133 (Issue #2616) – Fix an ldapsearch error when parsing command-line arguments.
  • Revision 5134 (Issue #3880) – Provide support for unicode characters in core matching rules.
  • Revision 5135 – Create a flag day for changes in revision 5134.
  • Revision 5136 (Issue #3555) – Refresh the DIT view in the Manage Entries menu of the Control Panel.
  • Revision 5138 (Issue #3582) – Fix a problem that caused reverts to fail with the error “no valid existing backup locations”.
  • Revision 5139 (Issue #3451) – Use a specific error message with ldapcompare if a specified file cannot be read.
  • Revision 5141 (Issue #3894) – Fix a potential data corruption issue when writing binary attributes/blobs.
  • Revision 5143 (Issue #3903) – Fix a problem that caused the “Start Server when the Upgrade has Completed” option to fail when upgrading using QuickSetup.
  • Revision 5145 (Issue #3455) – Correct an error that occurred when deleting a VLV index.
  • Revision 5147 (Issue #2793) – Ensure that incremental backups work as expected when an empty directory is specified.
  • Revision 5148 – Provide localized resource files.
  • Revision 5149 (Issue #3893) – Correct a problem that caused dsreplication enable between an OpenDS 1.2 server and an OpenDS 1.3 server to fail.
  • Revision 5150 & 5153 (Issue #3629) – Remove duplicate dsconfig error messages.
  • Revision 5151 (Issue #3793) – Provide the ability to create extensible indexes using dsconfig.
  • Revision 5152 (Issue #3910) – Ensure that Base64 encoding works with UTF-8 characters.
  • Revision 5155 (Issue #3908) – Fix a problem with ChangeNumber generators.
  • Revision 5156 (Issue #3892) – Make ACI evaluation optional when returning entries and references to clients.
  • Revision 5157 (Issue #3900) – Fix an error that occurred when importing / adding LDIF due to trailing spaces.
  • Revision 5158 (Issue #3505) – Fix a confusing ACI targetscope message.
  • Revision 5159 (Issue #2667) – Fix a problem that occurred when configuring VLV indexes with dsconfig.
  • Revision 5160 (Issue #3312) – Change aci and ds-cfg-global-aci equality matching rules to octetStringMatch instead of CaseIgnoreIA5EqualityMatchingRule.
  • Revision 5161 (Issue #2624) – Ensure that ldapsearch returns the correct return code when no password is provided.
  • Revision 5167 (Issue #3828) – Prevent a connection to the server from being tied up while waiting for the user to enter a password.
  • Revision 5168 (Issue #3321) – Fix an error raised during index creation and delete with dsconfig.
  • Revision 5169 (Issue #3270) – Ensure that ldappasswordmodify takes into account the password history count.
  • Revision 5171 (Issue #3251) – Fix the LDIFReader rejectLastEntry, which printed an incorrect entry.
  • Revision 5172 (Issue #2963) – Fix a problem that caused dsreplication status to display an incorrect value for missing changes.
  • Revision 5173 (Issue #3907) – Provide a pkg(5) delivery.
  • Revision 5174 (Issue #3904) – Complete the replication referral URL configuration regular expression implementation.
  • Revision 5175 (Issue #3748) – Ensure that all admin tools use 4444 as the default admin port.
  • Revision 5176 (Issue #3856) – Fix a problem that caused LDAPS connections to be logged as LDAP connections in the access log.
  • Revision 5177 (Issue #3673) – Ensure that the server checks for port availability on Windows.
  • Revision 5178 (Issue #3528) – Ensure that scheduled tasks check that the start time has not passed.
  • Revision 5179 (Issue #2965) – Add the missing-changes to cn=monitor for replication servers.
  • Revision 5180 & 5181 (Issue #3119) – Prevent a null pointer exception that occurred when disabling the referential integrity plugin.
  • Revision 5184 (Issue #3914) – Fix a problem that prevented the server state from being updated.


Getting started with OpenDS Translations

Pavel Heimlich, the lead for the French translation for OpenDS, kindly posted a How To Guide for using CTI for the OpenDS community-led translations, on the OpenDS Wiki.

If you’re interested in testing your translation skills with OpenDS messages, check the page; it gives a pretty good idea of how simple it is to use the tool… The hard part is really in providing good and consistent translation!

OpenDS Tips: Importing LDIF with encrypted passwords.

By default, the OpenDS LDAP directory server password policy is set to reject encrypted passwords, as it cannot check that they match the quality requirements.

So when adding or importing data with encrypted passwords, the server returns an error like this:

LDAP: error code 53 – Pre-encoded passwords are not allowed for the password attribute userPassword

To allow pre-encoded passwords, the default password policy settings must be changed. This can be done using the dsconfig command line tool in advanced mode:

$ dsconfig --advanced -p 4444 -h localhost -D "cn=directory manager" -X
>>>> Specify OpenDS LDAP connection parameters
Password for user 'cn=directory manager':
>>>> OpenDS configuration console main menu
What do you want to configure?
1)   Access Control Handler          24)  Monitor Provider
2)   Account Status Notification     25)  Network Group
Handler
3)   Administration Connector        26)  Network Group Criteria
4)   Alert Handler                   27)  Network Group Request Filtering
Policy
5)   Attribute Syntax                28)  Network Group Resource Limits
6)   Backend                         29)  Password Generator
7)   Certificate Mapper              30)  Password Policy
8)   Connection Handler              31)  Password Storage Scheme
9)   Crypto Manager                  32)  Password Validator
10)  Debug Target                    33)  Plugin
11)  Entry Cache                     34)  Plugin Root
12)  Extended Operation Handler      35)  Replication Domain
13)  Extension                       36)  Replication Server
14)  Global Configuration            37)  Root DN
15)  Group Implementation            38)  Root DSE Backend
16)  Identity Mapper                 39)  SASL Mechanism Handler
17)  Key Manager Provider            40)  Synchronization Provider
18)  Local DB Index                  41)  Trust Manager Provider
19)  Local DB VLV Index              42)  Virtual Attribute
20)  Log Publisher                   43)  Work Queue
21)  Log Retention Policy            44)  Workflow
22)  Log Rotation Policy             45)  Workflow Element
23)  Matching Rule
q)   quit
Enter choice: 30
>>>> Password Policy management menu
What would you like to do?
1)  List existing Password Policies
2)  Create a new Password Policy
3)  View and edit an existing Password Policy
4)  Delete an existing Password Policy
b)  back
q)  quit
Enter choice [b]: 3
>>>> Select the Password Policy from the following list:
1)  Default Password Policy
2)  Root Password Policy
c)  cancel
q)  quit
Enter choice [c]: 1
>>>> Configure the properties of the Password Policy
Property                                   Value(s)
--------------------------------------------------------------------
1)   account-status-notification-handler        -
2)   allow-expired-password-changes             false
3)   allow-multiple-password-values             false
4)   allow-pre-encoded-passwords                false
5)   allow-user-password-changes                true
6)   default-password-storage-scheme            Salted SHA-1
7)   deprecated-password-storage-scheme         -
8)   expire-passwords-without-warning           false
9)   force-change-on-add                        false
10)  force-change-on-reset                      false
11)  grace-login-count                          0
12)  idle-lockout-interval                      0 s
13)  last-login-time-attribute                  -
14)  last-login-time-format                     -
15)  lockout-duration                           0 s
16)  lockout-failure-count                      0
17)  lockout-failure-expiration-interval        0 s
18)  max-password-age                           0 s
19)  max-password-reset-age                     0 s
20)  min-password-age                           0 s
21)  password-attribute                         userpassword
22)  password-change-requires-current-password  false
23)  password-expiration-warning-interval       5 d
24)  password-generator                         Random Password Generator
25)  password-history-count                     0
26)  password-history-duration                  0 s
27)  password-validator                         -
28)  previous-last-login-time-format            -
29)  require-change-by-time                     -
30)  require-secure-authentication              false
31)  require-secure-password-changes            false
32)  skip-validation-for-administrators         false
33)  state-update-failure-policy                reactive
?)   help
f)   finish - apply any changes to the Password Policy
c)   cancel
q)   quit
Enter choice [f]: 4
>>>> Configuring the "allow-pre-encoded-passwords" property
Indicates whether users can change their passwords by providing a
pre-encoded value.
This can cause a security risk because the clear-text version of the
password is not known and therefore validation checks cannot be applied to
it.
Do you want to modify the "allow-pre-encoded-passwords" property?
1)  Keep the default value: false
2)  Change it to the value: true
?)  help
q)  quit
Enter choice [1]: 2
Press RETURN to continue
>>>> Configure the properties of the Password Policy
Property                                   Value(s)
--------------------------------------------------------------------
1)   account-status-notification-handler        -
2)   allow-expired-password-changes             false
3)   allow-multiple-password-values             false
4)   allow-pre-encoded-passwords                true
5)   allow-user-password-changes                true
6)   default-password-storage-scheme            Salted SHA-1
7)   deprecated-password-storage-scheme         -
8)   expire-passwords-without-warning           false
9)   force-change-on-add                        false
10)  force-change-on-reset                      false
11)  grace-login-count                          0
12)  idle-lockout-interval                      0 s
13)  last-login-time-attribute                  -
14)  last-login-time-format                     -
15)  lockout-duration                           0 s
16)  lockout-failure-count                      0
17)  lockout-failure-expiration-interval        0 s
18)  max-password-age                           0 s
19)  max-password-reset-age                     0 s
20)  min-password-age                           0 s
21)  password-attribute                         userpassword
22)  password-change-requires-current-password  false
23)  password-expiration-warning-interval       5 d
24)  password-generator                         Random Password Generator
25)  password-history-count                     0
26)  password-history-duration                  0 s
27)  password-validator                         -
28)  previous-last-login-time-format            -
29)  require-change-by-time                     -
30)  require-secure-authentication              false
31)  require-secure-password-changes            false
32)  skip-validation-for-administrators         false
33)  state-update-failure-policy                reactive
?)   help
f)   finish - apply any changes to the Password Policy
c)   cancel
q)   quit
Enter choice [f]:
The Password Policy was modified successfully
Press RETURN to continue

The equivalent non-interactive command is:

$ dsconfig set-password-policy-prop \
--policy-name "Default Password Policy" \
--set allow-pre-encoded-passwords:true \
--hostname localhost \
--trustAll \
--port 4444 \
--bindDN "cn=directory manager" \
--bindPassword ****** \
--no-prompt

Alternately, this can be done over LDAP (although it’s not officially supported):

$ bin/ldapmodify -Z -X -p 4444 -h localhost -D "cn=directory manager"
Password for user 'cn=directory manager':
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
Processing MODIFY request for cn=Default Password Policy,cn=Password Policies,cn=config
MODIFY operation successful for DN cn=Default Password Policy,cn=Password Policies,cn=config
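
Before relaxing the policy, it helps to know which entries in the LDIF file actually carry pre-encoded passwords and with which storage schemes. The scanner below is an added example, not code from the original post or from the OpenDS project; it assumes a value counts as pre-encoded when it starts with a {SCHEME} tag, and its sample LDIF, DNs and hash strings are constructed.

```python
import base64
import re
from collections import Counter

# Assumption: a password value is "pre-encoded" when it starts with a {SCHEME} tag.
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_.-]+)\}")

# Constructed sample input; DNs, hashes and passwords are made up.
_B64 = base64.b64encode(b"{SHA}constructed-sample").decode("ascii")
SAMPLE_LDIF = """\
version: 1

# alice: pre-encoded value written directly in the LDIF
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
userPassword: {SSHA}constructed-sample==

# bob: the same kind of value, base64-wrapped ("::")
dn: uid=bob,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
userPassword:: @B64@

# carol: clear-text password, accepted by the default policy
dn: uid=carol,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
userPassword: constructed-clear-text

# dave: folded DN and folded password value
dn: uid=dave,ou=People,
 dc=example,dc=com
objectClass: inetOrgPerson
userPassword: {SSHA}constructed-
 sample==
""".replace("@B64@", _B64)


def unfold(text):
    """Join LDIF continuation lines: a line starting with one space
    continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def find_pre_encoded(ldif_text, password_attr="userpassword"):
    """Return [(dn, scheme)] for every password value carrying a {SCHEME} tag."""
    findings = []
    dn = None
    for line in unfold(ldif_text):
        if not line:                      # blank line ends the current record
            dn = None
            continue
        if line.startswith("#") or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):          # "attr:: <base64>"
            try:
                raw = base64.b64decode(rest[1:].strip(), validate=True)
            except ValueError:
                continue                  # malformed base64: leave it to the import
            value = raw.decode("utf-8", "replace")
        elif rest.startswith("<"):        # "attr:< url": external value, not fetched
            continue
        else:
            value = rest.lstrip(" ")
        base = name.split(";")[0].strip().lower()   # drop attribute options
        if base == "dn":
            dn = value
        elif base == password_attr:
            match = SCHEME_RE.match(value)
            if match:
                findings.append((dn, match.group(1).upper()))
    return findings


def scheme_counts(findings):
    """Count affected entries per storage scheme."""
    return Counter(scheme for _, scheme in findings)


if __name__ == "__main__":
    hits = find_pre_encoded(SAMPLE_LDIF)
    for dn, scheme in hits:
        print(f"{scheme:6} {dn}")
    print(dict(scheme_counts(hits)))
```

Once the import has finished, rerunning the dsconfig command above with allow-pre-encoded-passwords:false restores the default shown in the policy listing.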
