
I wonder if someone might be able to help us or offer some advice. We are a Java focused team, and are looking at extending our in house Authentication service, to offload most of the authentication, to use an LDAP server. That way we can simply use an out of the box password policy, which meets our criteria, plus we can use stuff such as replication etc. We are investigating which is the best free LDAP server to use.

So far we have investigated :

  • OpenLDAP (We found this is written in C, and documentation is not all that great).
  • Apache DS (We found this is good, but has a basic password policy. Mainly it does not seem to be extendable to fit one of our requirements (that the password policy should enforce mixed case characters, etc etc). This is surprising as the basic config options are of course supported, e.g. minimum length of password, maximum retries before being locked out etc etc.)
  • Sun OpenDS (This fits all our needs, but no longer seems to be supported? Please advise us if this assumption is wrong. It has great support for Password Validators, so that we can handle enforcement of mixed case passwords etc etc).
  • Oracle Unified Directory - This is the Sun DS server which is supported. However, Oracle Unified Directory is not free unfortunately.

So, basically the question is 2 fold :

(1) Does anyone know how to extend the password policy on Apache DS, such that we can support mixed case character enforcement, e.g. password must contain a mix of upper case and lower case chars as well as at least one digit etc etc. Or is this out of the box? I personally couldn't find any documentation on it?

(2) Does anyone know of any good and free LDAP servers that support this sort of stuff. Any ideas please?

Many Thanks,

R

3 Answers


After all of this, we finally found 389ds (ironically the last one we investigated). This we found was the best (for our needs anyway). The reason is that it has a great administration UI, does everything we need to do out of the box, plus, best of all, it is available in a costed option under RedHat. We didn't take the supported option, but nonetheless, as it is supported by RedHat, the documentation, we found, was superb. Therefore, we felt confident that everything we needed to do was explained 100%, rather than, with some of the others, half explained on some unmaintained wiki. So we advise all to look at 389ds.


I know ApacheDS doesn't support any extensions for ppolicy checks, can you file a feature request on ApacheDS's JIRA? We might try to get this included in the upcoming release.

I have filed this request https://issues.apache.org/jira/browse/DIRSERVER-1858

kayyagari
  • Thanks for doing that. Any idea when the next release will be? I fear it will be too late for us. Do you or does anyone have any advice on whether it is advisable to use the Sun Open DS? – user2485980 Jun 14 '13 at 14:38
  • In other words, sorry I cut that off too quickly, in other words...does anyone have any ideas about how long Sun Open DS will be supported for? Is there a way of getting a free version (either Oracle Unified Directory or Forge software Open DJ)? Or would we have to pay a licence fee? Thanks – user2485980 Jun 14 '13 at 14:40
  • This issue has been fixed now and a new release will be available on June 23rd. – kayyagari Jun 20 '13 at 06:26
  • OpenDJ is an open source project and as such is freely available from the project web site. And as far as I know, it's the only OpenDS fork that is still open source. – Ludovic Poitou Jul 05 '13 at 08:31

You should look at OpenDJ from http://forgerock.com/, which is an active spin from OpenDS, and supported if you subscribe.

-jim

jwilleke
  • Thanks Jim. I will ask. Alternatively, just thinking again about using Apache DS, and just putting in some sort of bespoke interceptor/filter/etc that we can write ourselves to just handle the enforcement of mixed case characters in the password etc. Does Apache DS have something built into its framework for this sort of option, i.e. an interceptor/pluggable piece? Any advice on the easiest/best way to do this, rather than just using a plain old Java bespoke class at the point of changing the password code. TIA. – user2485980 Jun 17 '13 at 09:13
  • @user2485980 yes, you can inject an interceptor in ApacheDS, extend the BaseInterceptor[1] and override add and modify methods and do your validation there [1] http://svn.apache.org/repos/asf/directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/api/interceptor/BaseInterceptor.java – kayyagari Jun 18 '13 at 07:03
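As an added illustration of the interceptor approach described in the comment above (example code written for this page, not ApacheDS's own code nor the asker's): a hypothetical `PasswordComplexityInterceptor` that rejects `userPassword` values lacking mixed case or a digit, the asker's stated requirement. The ApacheDS 2.x class and method names (`BaseInterceptor`, `AddOperationContext`, `ModifyOperationContext`, `next(...)`, the `Attribute`/`Modification` accessors and the exception constructor) are assumed from the linked `BaseInterceptor` source and must be checked against the release you deploy; registering the interceptor in the server configuration is also left to the reader.

```java
import java.nio.charset.StandardCharsets;
import org.apache.directory.api.ldap.model.entry.Attribute;
import org.apache.directory.api.ldap.model.entry.Modification;
import org.apache.directory.api.ldap.model.entry.ModificationOperation;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException;
import org.apache.directory.api.ldap.model.message.ResultCodeEnum;
import org.apache.directory.server.core.api.interceptor.BaseInterceptor;
import org.apache.directory.server.core.api.interceptor.context.AddOperationContext;
import org.apache.directory.server.core.api.interceptor.context.ModifyOperationContext;

// Hypothetical interceptor; the ApacheDS 2.x API names used here are assumed, not verified.
public class PasswordComplexityInterceptor extends BaseInterceptor {
    private static final int MIN_LENGTH = 8;
    // Core rule (null = acceptable, else the reason); kept separate so it can be unit-tested offline.
    static String checkComplexity(String pwd) {
        if (pwd.length() < MIN_LENGTH) return "password shorter than " + MIN_LENGTH + " characters";
        boolean upper = false, lower = false, digit = false;
        for (char c : pwd.toCharArray()) {
            upper |= Character.isUpperCase(c);
            lower |= Character.isLowerCase(c);
            digit |= Character.isDigit(c);
        }
        if (!upper || !lower) return "password must contain both upper and lower case characters";
        if (!digit) return "password must contain at least one digit";
        return null;
    }
    private static void validate(Attribute userPassword) throws LdapException {
        if (userPassword == null || userPassword.size() == 0) return;
        String pwd = new String(userPassword.getBytes(), StandardCharsets.UTF_8);
        // A client-supplied pre-hashed value ("{SSHA}...") cannot be checked; refuse it rather than skip it.
        String reason = pwd.startsWith("{") ? "pre-hashed passwords are not accepted" : checkComplexity(pwd);
        if (reason != null) throw new LdapInvalidAttributeValueException(ResultCodeEnum.CONSTRAINT_VIOLATION, reason);
    }
    @Override
    public void add(AddOperationContext addContext) throws LdapException {
        validate(addContext.getEntry().get("userPassword"));
        next(addContext); // rule passed, hand the operation on to the next interceptor
    }
    @Override
    public void modify(ModifyOperationContext modifyContext) throws LdapException {
        for (Modification mod : modifyContext.getModItems()) {
            if (mod.getOperation() != ModificationOperation.REMOVE_ATTRIBUTE
                    && "userPassword".equalsIgnoreCase(mod.getAttribute().getId())) {
                validate(mod.getAttribute());
            }
        }
        next(modifyContext);
    }
}
```

Because the check can only see cleartext values, it must sit before the interceptor that hashes `userPassword`, and clients that send pre-hashed values are rejected so the policy cannot be bypassed.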