Can I read the user password policy from LDAP, like when it expires or more details like password strength (minimal length etc.)? I need this information so I can use the same policy for users kept in my database. My Java application requires that users from the database be synchronized with the domain.
If you want to get the password policy through LDAP queries, try this.
Without a PSO policy in your current domain:
String searchDomain= "DC=company,DC=ORG";
String ldapQuery = "(&(objectClass=domainDNS))";
String ldapAttribute = "maxPwdAge"; // domain-wide maximum password age, stored as a negative count of 100 ns intervals
If you use a PSO policy, try this code:
String domainLookupString = "CN=UsersPSO,CN=Password Settings Container,CN=System,DC=company,DC=ORG";
String ldapFilterString = "(&(objectClass=msDS-PasswordSettings))";
String ldapAttribute = "msDS-MaximumPasswordAge"; // per-PSO maximum password age, same negative 100 ns interval encoding
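The domain-wide lookup above, carried through with JNDI as an added example (my code, not from the answer): it runs the same base/filter/attribute triple, also pulls minPwdLength, pwdHistoryLength and pwdProperties, and decodes maxPwdAge from AD's negative 100 ns interval format into days, treating 0x8000000000000000 as "never expires". The ldaps host, the bind DN and the LDAP_BIND_PASSWORD environment variable are placeholders you substitute.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.*;
public class DomainPasswordPolicy {
    // AD stores maxPwdAge, minPwdAge and lockoutDuration as a NEGATIVE number of 100 ns ticks.
    static final long TICKS_PER_DAY = 10_000_000L * 86_400L;
    // Converts an AD interval value to whole days; -1 means "never" (0x8000000000000000) or unset.
    static long intervalToDays(String raw) {
        if (raw == null) return -1;
        long v = Long.parseLong(raw);
        if (v == Long.MIN_VALUE || v == 0) return -1;
        return Math.abs(v) / TICKS_PER_DAY;
    }
    static String attr(Attributes a, String name) throws NamingException {
        Attribute at = a.get(name);
        return at == null ? null : (String) at.get();
    }
    public static void main(String[] args) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://dc.company.org:636");                   // placeholder host
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "CN=svc-sync,CN=Users,DC=company,DC=ORG"); // placeholder DN
        env.put(Context.SECURITY_CREDENTIALS, System.getenv("LDAP_BIND_PASSWORD"));    // not hard-coded
        DirContext ctx = new InitialDirContext(env);
        try {
            // The domain root object (objectClass domainDNS) carries the domain-wide policy.
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.OBJECT_SCOPE);
            sc.setReturningAttributes(new String[]{"maxPwdAge", "minPwdLength",
                    "pwdHistoryLength", "pwdProperties", "lockoutThreshold"});
            NamingEnumeration<SearchResult> results =
                    ctx.search("DC=company,DC=ORG", "(&(objectClass=domainDNS))", sc);
            while (results.hasMore()) {
                Attributes a = results.next().getAttributes();
                System.out.println("max password age (days): " + intervalToDays(attr(a, "maxPwdAge")));
                System.out.println("min password length:     " + attr(a, "minPwdLength"));
                System.out.println("password history length: " + attr(a, "pwdHistoryLength"));
                // pwdProperties bit 0x1 = DOMAIN_PASSWORD_COMPLEX (complexity rules enforced)
                boolean complex = (Long.parseLong(attr(a, "pwdProperties")) & 0x1L) != 0;
                System.out.println("complexity required:     " + complex);
                System.out.println("lockout threshold:       " + attr(a, "lockoutThreshold"));
            }
        } finally { ctx.close(); }
    }
}
```

A user covered by a PSO gets the PSO's msDS-* values instead, so check msDS-ResultantPSO on the user before trusting the domain-wide numbers.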
Usually, there are at least three different things that are of concern in these circumstances.
Account status, which includes such information as is the account locked, expired or disabled. The account "status" is typically reflected on the MMC Account Tab. We put some information on our wiki about the LDAP values at:
http://ldapwiki.willeke.com/wiki/Active%20Directory%20Account%20Lockout and http://ldapwiki.willeke.com/wiki/MMC%20Account%20Tab
Password status: is the password expired.
Unfortunately, the attributes that reflect the status of these conditions are not reflected in AD in real time. Some are only updated when a user attempts to authenticate (either successfully or unsuccessfully).
-jim
Yes you can, with JNDI. You have to read the value of the pwdPolicySubentry operational attribute from the user's Context. This gives you the DN of the pwdPolicy object, which you then look up as a Context with attributes, and get all the attributes starting with 'pwd'. However, if the user has the default password policy you will have to look at your LDAP server configuration to find its DN. In OpenLDAP this is in slapd.conf in the ppolicy_default line in the 'overlay ppolicy' directives block.
It depends on the underlying LDAP server.
For instance, if you are using Microsoft Active Directory, a user entry will have an attribute called accountExpires, which is the date the account expires.
Active Directory also has a user attribute called userAccountControl, which is a bit-mask specifying various account-related states. For instance, if bit 24 is set, that means that the password has expired (userAccountControl & 0x800000 != 0). Bit 2 is "account disabled" etc. Read more at http://support.microsoft.com/kb/305144.
For other LDAP servers (OpenLDAP, ApacheDS, etc, etc) you'll have to look into the documentation.
Source: https://stackoverflow.com/questions/7846134/how-to-read-ldap-password-policy-in-java