Password Policy Settings have no effect


fabian....@gmail.com

Oct 1, 2015, 3:49:56 AM10/1/15
to pwm-general
After installation of daily build 20150928, some password policy settings do not seem to have any effect on the actual Change Password module.

The only setting I found working is "password.policy.minimumLength".

I tested other settings, like:

password.policy.allowNumeric
password.policy.maximumNumeric
password.policy.minimumNumeric
password.policy.allowSpecial
password.policy.checkWordlist
But the displayed rules in the Password Change module always stay like this:

Password is case sensitive.
Must be at least 8 characters long.
Must not include any numeric characters.
Must not include any symbol (non letter or number) characters.
Must not include any of the following values: password test
Must not include part of your name or username.
Must not include a common word or commonly used sequence of characters.
There is only one password policy and it matches the tested users (the user is listed when clicking on "View Matches").

System is:

Windows 2012 R2
JRE 1.8.0_60 (64bit)
Tomcat 8.0.26 (64bit)
Here is my config (I had to cancel out some info with "XXX"):

<?xml version="1.0" encoding="UTF-8"?>
<PwmConfiguration pwmVersion="" pwmBuild="" pwmBuildType="" xmlVersion="4" createTime="2015-09-29T09:59:34Z" modifyTime="2015-09-29T10:25:43Z">
<properties type="config" modifyTime="2015-09-29T10:25:50Z">
<property key="configTemplate" modifyTime="2015-09-29T09:59:36Z">AD</property>
<property key="configPasswordHash" modifyTime="2015-09-29T10:03:29Z">XXX</property>
<property key="configIsEditable" modifyTime="2015-09-29T10:03:29Z">true</property>
<property key="configEpoch" modifyTime="2015-09-29T10:25:50Z">9</property>
</properties>
<settings modifyTime="2015-09-29T10:25:43Z" modifyUser="default|XXX">
<setting key="ldap.serverUrls" syntax="STRING_ARRAY" profile="default" syntaxVersion="0" modifyTime="2015-09-29T10:03:09Z">
<label>LDAP URLs</label>
<value><![CDATA[ldaps://XXX:50001]]></value>
</setting>
<setting key="ldap.proxy.username" syntax="STRING" profile="default" syntaxVersion="0" modifyTime="2015-09-29T10:03:09Z">
<label>LDAP Proxy User</label>
<value><![CDATA[CN=XXX]]></value>
</setting>
<setting key="ldap.proxy.password" syntax="PASSWORD" profile="default" syntaxVersion="0" modifyTime="2015-09-29T10:03:09Z">
<label>LDAP Proxy Password</label>
<!--Note: This value is encrypted and can not be edited directly.-->
<!--Please use the Configuration Manager GUI to modify this value.-->
<value>XXX</value>
</setting>
<setting key="ldap.rootContexts" syntax="STRING_ARRAY" profile="default" syntaxVersion="0" modifyTime="2015-09-29T10:03:09Z">
<label>LDAP Contextless Login Roots</label>
<value><![CDATA[XXX]]></value>
</setting>
<setting key="ldap.testuser.username" syntax="STRING" profile="default" syntaxVersion="0" modifyTime="2015-09-29T10:03:09Z">
<label>LDAP Test User</label>
<value />
</setting>
<setting key="pwmAdmin.queryMatch" syntax="USER_PERMISSION" syntaxVersion="2" modifyTime="2015-09-29T10:03:09Z">
<label>Administrator Permission</label>
<value>XXX</value>
</setting>
<setting key="pwm.selfURL" syntax="STRING" syntaxVersion="0" modifyTime="2015-09-29T10:03:09Z">
<label>Site URL</label>
<value><![CDATA[http://XXX:8080/pwm]]></value>
</setting>
<setting key="ldap.serverCerts" syntax="X509CERT" profile="default" syntaxVersion="0" modifyTime="2015-09-29T09:59:53Z">
<label>LDAP Certificates</label>
<value>XXX</value>
<value>XXX</value>
</setting>
<setting key="recovery.response.writePreference" syntax="SELECT" syntaxVersion="0" modifyTime="2015-09-29T10:03:29Z">
<label>Response Write Location</label>
<value><![CDATA[LOCALDB]]></value>
</setting>
<setting key="recovery.response.readPreference" syntax="SELECT" syntaxVersion="0" modifyTime="2015-09-29T10:03:29Z">
<label>Response Read Location</label>
<value><![CDATA[LOCALDB]]></value>
</setting>
<setting key="pwm.securityKey" syntax="PASSWORD" syntaxVersion="0" modifyTime="2015-09-29T10:03:29Z">
<label>Security Key</label>
<!--Note: This value is encrypted and can not be edited directly.-->
<!--Please use the Configuration Manager GUI to modify this value.-->
<value>XXX</value>
</setting>
<setting key="ldap.username.attr" syntax="STRING" profile="default" syntaxVersion="0" modifyTime="2015-09-29T10:04:53Z" modifyUser="default|XXX">
<label>Attribute to use for Username</label>
<value><![CDATA[userPrincipalName]]></value>
</setting>
<setting key="ldap.guidAttribute" syntax="STRING" profile="default" syntaxVersion="0" modifyTime="2015-09-29T10:06:02Z" modifyUser="default|XXX">
<label>LDAP GUID Attribute</label>
<value><![CDATA[objectSID]]></value>
</setting>
<setting key="password.policy.allowNumeric" syntax="BOOLEAN" profile="default" syntaxVersion="0" modifyTime="2015-09-29T10:21:35Z" modifyUser="default|XXX">
<label>Allow Numeric Characters</label>
<value>true</value>
</setting>
<setting key="password.policy.maximumNumeric" syntax="NUMERIC" profile="default" syntaxVersion="0" modifyTime="2015-09-29T10:22:11Z" modifyUser="default|XXX">
<label>Maximum Numeric</label>
<value>64</value>
</setting>
<setting key="password.policy.minimumNumeric" syntax="NUMERIC" profile="default" syntaxVersion="0" modifyTime="2015-09-29T10:22:07Z" modifyUser="default|XXX">
<label>Minimum Numeric</label>
<value>3</value>
</setting>
<setting key="password.policy.minimumLength" syntax="NUMERIC" profile="default" syntaxVersion="0" modifyTime="2015-09-29T10:21:13Z" modifyUser="default|XXX">
<label>Minimum Length</label>
<value>8</value>
</setting>
<setting key="password.policy.allowSpecial" syntax="BOOLEAN" profile="default" syntaxVersion="0" modifyTime="2015-09-29T10:24:20Z" modifyUser="default|XXX">
<label>Allow Special Characters</label>
<value>true</value>
</setting>
<setting key="password.policy.checkWordlist" syntax="BOOLEAN" profile="default" syntaxVersion="0" modifyTime="2015-09-29T10:25:36Z" modifyUser="default|XXX">
<label>Enable Wordlist</label>
<value>false</value>
</setting>
<setting key="password.policy.ADComplexityLevel" syntax="SELECT" profile="default" syntaxVersion="0" modifyTime="2015-09-29T10:25:43Z" modifyUser="default|XXX">
<label>Active Directory Password Complexity</label>
<value><![CDATA[NONE]]></value>
</setting>
</settings>
</PwmConfiguration>


Can someone help me?

Jason Rivard

Oct 1, 2015, 11:50:01 AM10/1/15
to pwm-general, fabian....@gmail.com
Try looking at the setting Policies ⇨ Password Settings ⇨ Password Policy Source and the help for that setting.

You can also look at debug or trace level logging during a user authentication and see how the password policy is calculated.

Kendal Montgomery

Mar 14, 2016, 10:47:11 AM3/14/16
to pwm-general, fabian....@gmail.com
Was there any resolution to this? I'm having a similar problem where I can't disable the "no numeric" and "no special character" policies. I have it set to use PWM source only, because my FreeIPA 4.2 (389 Directory) doesn't seem to be able to provide a password policy the way PWM expects. I can't seem to get these default restrictions turned off. I have set password.policy.allowSpecial to true and password.policy.allowNumeric to true. I am using a 1.8.0 snapshot that I downloaded the other day.

Thanks.

Kendal Montgomery

Mar 14, 2016, 10:52:49 AM3/14/16
to pwm-general, fabian....@gmail.com
Sorry -- I figured it out. Those options were "Checked" (true) by default in the configuration editor user interface, but were not saved to the config file. I unset, saved, reset them, saved, and now it works great!
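The root cause in this thread is a setting that the configuration editor displays as enabled but that is absent from the saved PwmConfiguration.xml, so the server silently falls back to its built-in default. A direct way to catch that is to audit the saved file rather than trust the editor. The script below is an added example (not PWM project code) that parses the `<PwmConfiguration>` format shown in Fabian's post and reports which `password.policy.*` keys are actually persisted for a given profile and which are missing. The list of expected keys and the embedded sample config are constructed for illustration; the sample deliberately omits `allowNumeric`, `maximumNumeric` and `allowSpecial` to mimic the situation Kendal describes.

```python
"""Audit which password.policy.* settings a PWM config XML actually persists.

Added example, not part of the PWM project. Parses the <PwmConfiguration>
format (xmlVersion 4) seen in the thread and reports which expected policy
keys are present in the file; a key that is absent means the server applies
its built-in default regardless of what the configuration editor showed.
"""
import xml.etree.ElementTree as ET

# Policy keys discussed in the thread; this list is an assumption for the example.
EXPECTED_POLICY_KEYS = (
    "password.policy.minimumLength",
    "password.policy.allowNumeric",
    "password.policy.minimumNumeric",
    "password.policy.maximumNumeric",
    "password.policy.allowSpecial",
    "password.policy.checkWordlist",
    "password.policy.ADComplexityLevel",
)

# Constructed sample config (placeholder values, not a real deployment).
# allowNumeric, maximumNumeric and allowSpecial are intentionally missing.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<PwmConfiguration xmlVersion="4">
<settings>
<setting key="ldap.username.attr" syntax="STRING" profile="default">
<label>Attribute to use for Username</label>
<value><![CDATA[userPrincipalName]]></value>
</setting>
<setting key="password.policy.minimumLength" syntax="NUMERIC" profile="default">
<label>Minimum Length</label>
<value>8</value>
</setting>
<setting key="password.policy.minimumNumeric" syntax="NUMERIC" profile="default">
<label>Minimum Numeric</label>
<value>3</value>
</setting>
<setting key="password.policy.checkWordlist" syntax="BOOLEAN" profile="default">
<label>Enable Wordlist</label>
<value>false</value>
</setting>
<setting key="password.policy.ADComplexityLevel" syntax="SELECT" profile="default">
<label>Active Directory Password Complexity</label>
<value><![CDATA[NONE]]></value>
</setting>
</settings>
</PwmConfiguration>
"""


def load_settings(xml_text, profile="default"):
    """Return {key: (syntax, [values])} for every <setting> in the given profile.

    Settings without a profile attribute are global and are included as well.
    CDATA sections are unwrapped by the parser, so values come back as plain text.
    """
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    found = {}
    for setting in root.iter("setting"):
        if setting.get("profile", profile) != profile:
            continue
        values = [(v.text or "").strip() for v in setting.findall("value")]
        found[setting.get("key")] = (setting.get("syntax"), values)
    return found


def audit_policy(xml_text, expected=EXPECTED_POLICY_KEYS, profile="default"):
    """Split the expected policy keys into persisted {key: values} and a missing list.

    Order of the missing list follows the order of `expected`.
    """
    settings = load_settings(xml_text, profile)
    persisted = {k: settings[k][1] for k in expected if k in settings}
    missing = [k for k in expected if k not in settings]
    return persisted, missing


def report_lines(xml_text, expected=EXPECTED_POLICY_KEYS, profile="default"):
    """Human-readable report; missing keys are flagged so they can be re-saved."""
    persisted, missing = audit_policy(xml_text, expected, profile)
    lines = [f"{k} = {', '.join(v) or '<empty>'}" for k, v in persisted.items()]
    lines += [f"{k} MISSING (server default applies)" for k in missing]
    return lines


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    print("\n".join(report_lines(source)))
```

Run it against a real file with `python audit_pwm_policy.py PwmConfiguration.xml` (the script name is whatever you save it as). Any key reported as MISSING is one the editor may still display as set; toggling it off, saving, toggling it on and saving again, as Kendal did, forces it into the file.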