Previous Topic: Test the Password Policy

Next Topic: User Account Administration

Example: Testing a Simple Password Policy

You can use this simple example to show that the CA Directory password policy is functioning correctly.

Client applications using this feature need to be able to parse the password policy response control. In test 1 and 2, the password policy response control is empty (no information to report).

  1. In the Democorp directory, create the following password settings:
    set password-policy = true; 
    set password-retries = 1;
    
  2. Edit the Craig Link entry to include a password.
  3. Use the LDUA to ensure that the DSA supports the password policy control:
    ldua> bind-req
    ----> remote-addr = {                # server address
    ---->     psap = "PP"
    ---->     ssap = "SS"
    ---->     tsap = "TT"
    ---->     nsap = ip "hostname" port 19389
    ----> }
    ldua> unbind-req;
    
    ldua> search-req
    ----> base-object = <>
    ----> attrs = supportedControl;
    ldua> 
    <- LDAP SEARCH-CONFIRM 
    invoke-id = 2   credit = 24
    	Entry:    <>
    	Contents:  
    	(supportedControl "1.3.6.1.4.1.42.2.27.8.5.1")
    ldua>
    

    Note: The supportedControl attribute is in the sunone.dxc schema.

Test 1: Test with an Incorrect Password

  1. Try to log in with an incorrect password.
  2. The bind is refused.
  3. The following response appears:
    <- LDAP BIND-REFUSE 
    		invoke-id = 0   credit = 24
    	Bind Error:    Security Error:  Invalid credentials
    	Controls:
    		password-policy response
    

Test 2 Test with an Incorrect Password Again

  1. Try to log in again with an incorrect password.
  2. The bind is refused again, and the account is suspended.
  3. The following response appears:
    <- LDAP BIND-REFUSE 
    		invoke-id = 0   credit = 24
    	Bind Error:    Security Error:  Invalid credentials
    	Controls:
    		password-policy response
    

Test 3: Test with the Correct Password, but Account Suspended

  1. Try to log in using the correct password.
  2. The bind is refused because the account is suspended.
  3. The following response appears:
    <- LDAP BIND-REFUSE 
    		invoke-id = 0   credit = 24
    	Bind Error:    Security Error:  Invalid credentials
    	Controls:
    		password-policy response
    		Error: account-locked
    


Copyright © 2009 CA. All rights reserved. Email CA about this topic