LDAPPasswordChangeValve

Valve for changing a user's password in an LDAP directory.

Password modifications can be done in two ways:

(1) Password change: Used when the current user password is known and supplied by the user. A password change is done in user context, i.e. the user binds to the DS and performs the operation(s), so the directory's password policies etc. are applied. This method is always used if the current password is supplied.

(2) Password reset: Used when the current password is NOT known/supplied. A password reset can be performed in two ways:

(2.1) As an admin password reset. The admin binds to the DS and modifies the user password. To enable this method, set the configuration property 'reset: "true"'.

(2.2) By first (as admin) modifying the user password to a known random value and then performing a password change as the user (as described above). This is the default reset method. Note: this may affect password history, since two password values are written in sequence.

If the current password is supplied, this valve ALWAYS performs a password change (1).

If the current password is NOT supplied, a password change with a random password (2.2) is performed UNLESS reset is configured (2.1). (Note: ADPasswordChangeValve redefines this behaviour.)

Which method to use depends on the directory server and on whether you need to preserve password history etc.

The valve operates on all items in the current item set.

Properties

Name | Description | Default value | Mandatory | Supports property expansion
connection_ref | Id of the LDAP connection to use. Must refer to a connection of type 'LDAP'. | - | Yes | No
value | The password to set. | - | Yes | Yes
password_attr_name | Name of the password attribute. | userPassword | No | No
rebind | Flag controlling whether the current LDAP connection should be rebound (as the user) or a new connection should be used to change the password. | true | No | No
replace | Flag controlling whether the password change should use a single modify (replace) operation or separate delete and add operations. | true | No | No
reset | Flag forcing a password reset (2.1) instead of a change with a random password (2.2) when the current password is not known. | false | No | No
current_password_param_name | Name of the parameter containing the current password. If this is configured, the valve binds with the current password instead of a random password before setting the new password. | - | No | No
temp_password_prefix | Prefix of the temporary random password used for password reset (when the current password is not known). This property can be used to force compliance with directory password policies. | Random_ | No | No
temp_password_maxlen | Length of the temporary random password. | 16 | No | No
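As an added example (not the product's own code), the decision logic described above and the LDAP modify operations it results in for the three paths (1), (2.1) and (2.2), driven by the replace, reset and temp_password_* properties. The LDIF is modelled rather than sent to a directory, and the rule that temp_password_maxlen caps the total length including the prefix is an assumption.

```python
import secrets
import string
from dataclasses import dataclass

# Constructed model of the valve's decision logic (not the product's own code).
# Assumption: temp_password_maxlen caps the total temporary password length,
# prefix included.

@dataclass
class ValveConfig:
    password_attr_name: str = "userPassword"
    replace: bool = True
    reset: bool = False
    temp_password_prefix: str = "Random_"
    temp_password_maxlen: int = 16

def temp_password(cfg):
    """Random temporary password honouring the configured prefix and length."""
    room = cfg.temp_password_maxlen - len(cfg.temp_password_prefix)
    if room <= 0:
        raise ValueError("temp_password_maxlen leaves no room for random characters")
    alphabet = string.ascii_letters + string.digits
    return cfg.temp_password_prefix + "".join(secrets.choice(alphabet) for _ in range(room))

def modify_ldif(dn, cfg, old, new):
    """LDIF for one modify: single replace, or delete+add when replace is false."""
    attr = cfg.password_attr_name
    lines = [f"dn: {dn}", "changetype: modify"]
    if cfg.replace:
        lines += [f"replace: {attr}", f"{attr}: {new}", "-"]
    else:
        # Without the old value (admin reset) the whole attribute is deleted.
        lines += [f"delete: {attr}"] + ([f"{attr}: {old}"] if old else []) + ["-"]
        lines += [f"add: {attr}", f"{attr}: {new}", "-"]
    return "\n".join(lines) + "\n"  # real code must base64-encode unsafe values

def plan(dn, cfg, new_password, current_password=None):
    """Return the (bind identity, LDIF) steps the valve would issue, in order."""
    if current_password is not None:
        return [("user", modify_ldif(dn, cfg, current_password, new_password))]  # (1)
    if cfg.reset:
        return [("admin", modify_ldif(dn, cfg, None, new_password))]  # (2.1)
    tmp = temp_password(cfg)  # (2.2): two writes, hence the password-history caveat
    return [("admin", modify_ldif(dn, cfg, None, tmp)),
            ("user", modify_ldif(dn, cfg, tmp, new_password))]

if __name__ == "__main__":
    for who, ldif in plan("uid=alice,ou=people,dc=example,dc=com", ValveConfig(replace=False), "N3w-Secret"):
        print(f"--- bind as {who}\n{ldif}")
```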

Example configuration (bare minimum)

{
  "name": "LDAPPasswordChangeValve",
  "config": {
    "connection_ref": "b0f2ddff-9585-47c5-9286-2bee2b731197",
    "value": "{{request.password}}"
  }
}

Example configuration (full)

{
  "name": "LDAPPasswordChangeValve",
  "config": {
    "connection_ref": "b0f2ddff-9585-47c5-9286-2bee2b731197",
    "value": "{{request.new_password}}",
    "current_password_param_name": "{{request.old_password}}",
    "password_attr_name": "customPassword",
    "rebind": "false",
    "replace": "false",
    "temp_password_prefix": "pwdPolicyC0mpat!bl3_",
    "temp_password_maxlen": "32"
  }
}

Requirements