[OPENIDM-10945] Policy Validation fails on Multiple Passwords sample Created: 16/May/18  Updated: 17/May/18  Resolved: 17/May/18

Status: Closed
Project: OpenIDM
Component/s: None
Affects Version/s: 6.5.0
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Katie Gonzalez Assignee: Brendan Miller
Resolution: Not a defect Votes: 0
Labels: Samples, documentation, policy
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: managed.json, policy.json



Policy validation is failing for the multiple passwords sample. The policy.json (attached) for the sample states:


    {
        "policyId" : "at-least-X-capitals",
        "params" : {
            "numCaps" : 1
        }
    }, {
        "policyId" : "at-least-X-numbers",
        "params" : {
            "numNums" : 1
        }
    }

But the managed.json (attached) has separate policies for "ldapPassword" and "ldap2Password", so the password for the curl command in the sample should cover both ldap passwords.

The following error occurs when creating a user with "password" : "Passw0rd". If I use "password" : "Passw0rD1" it works.


curl \
 --header "X-OpenIDM-Username: openidm-admin" \
 --header "X-OpenIDM-Password: openidm-admin" \
 --header "Content-Type: application/json" \
 --request PUT \
 --data '{
   "userName": "jdoe",
   "givenName": "John",
   "sn" : "Doe",
   "displayName" : "John Doe",
   "mail" : "john.doe@example.com",
   "password" : "Passw0rd"
 }' \
 "http://localhost:8080/openidm/managed/user/jdoe"

{"code":403,"reason":"Forbidden","message":"Policy validation failed","detail":{"result":false,"failedPolicyRequirements":[{"policyRequirements":[{"params":{"numCaps":2},"policyRequirement":"AT_LEAST_X_CAPITAL_LETTERS"}],"property":"ldapPassword"},{"policyRequirements":[{"params":{"numNums":2},"policyRequirement":"AT_LEAST_X_NUMBERS"}],"property":"ldap2Password"}]}}



Comment by Laurent Bristiel [X] (Inactive) [ 17/May/18 ]

Is that a bug?
I thought this was on purpose.
I mean in the documentation of the sample it is explained that "the create request failed with a policy validation failure on the two new password fields. Although the password met the requirement for the main password field, the user could not be created because the password did not meet the requirements of the ldapPassword and ldap2Password fields." .... then we do another request with a password that matches everything and it works.
cc Lana Frost

Comment by Lana Frost [ 17/May/18 ]

I think you're right - the policy validation is failing as expected because (from the docs):

The value of a managed user's password field is used by default for the additional passwords unless the CREATE, UPDATE, or PATCH requests on the managed user explicitly contain a value for these additional passwords.

So the password that you supply here must pass policy validation for ldapPassword too, which is:

The schema includes an ldapPassword field that is mapped to the accounts in the system/ldap/accounts target. This field is subject to the standard policies associated with the password field of a managed user. In addition, the ldapPassword must contain two capital letters instead of the usual one capital letter requirement.
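The behaviour described in the report and in the comment above, as an added example that is not OpenIDM's own policy.js and not the attached managed.json: a small model of the two policy checks named in the 403 response (at-least-X-capitals and at-least-X-numbers) plus the documented default that the managed user's "password" value is used for ldapPassword and ldap2Password unless the request supplies them. The per-property policy mapping below is constructed from the numbers stated on the page (password needs 1 capital and 1 digit; ldapPassword needs 2 capitals; ldap2Password needs 2 digits); the assumption that each additional password also keeps the standard 1-capital/1-digit requirement follows the documentation quoted above.

```javascript
'use strict';

// Policy implementations keyed by the policyId values used in the sample's policy.json.
// The policyRequirement names match those in the 403 response quoted in the issue.
const POLICIES = {
  'at-least-X-capitals': {
    requirement: 'AT_LEAST_X_CAPITAL_LETTERS',
    check: (value, params) => (value.match(/[A-Z]/g) || []).length >= params.numCaps,
  },
  'at-least-X-numbers': {
    requirement: 'AT_LEAST_X_NUMBERS',
    check: (value, params) => (value.match(/[0-9]/g) || []).length >= params.numNums,
  },
};

// Constructed stand-in for the per-property policies in the sample's managed.json
// (assumption: the attachment is not reproduced on the page). Numbers come from the
// issue text: ldapPassword needs 2 capitals, ldap2Password needs 2 digits, and the
// standard 1-capital/1-digit rule for "password" is assumed to apply to all three.
const PROPERTY_POLICIES = {
  password: [
    { policyId: 'at-least-X-capitals', params: { numCaps: 1 } },
    { policyId: 'at-least-X-numbers', params: { numNums: 1 } },
  ],
  ldapPassword: [
    { policyId: 'at-least-X-capitals', params: { numCaps: 2 } },
    { policyId: 'at-least-X-numbers', params: { numNums: 1 } },
  ],
  ldap2Password: [
    { policyId: 'at-least-X-capitals', params: { numCaps: 1 } },
    { policyId: 'at-least-X-numbers', params: { numNums: 2 } },
  ],
};

// Documented default quoted in the thread: the value of "password" is used for the
// additional password fields unless the CREATE/UPDATE/PATCH request supplies them.
function effectivePasswords(request) {
  const out = {};
  for (const property of Object.keys(PROPERTY_POLICIES)) {
    out[property] = Object.prototype.hasOwnProperty.call(request, property)
      ? request[property]
      : request.password;
  }
  return out;
}

// Evaluate every property's policies and return an object shaped like the "detail"
// member of OpenIDM's 403 "Policy validation failed" response.
function validate(request) {
  const values = effectivePasswords(request);
  const failedPolicyRequirements = [];
  for (const [property, policies] of Object.entries(PROPERTY_POLICIES)) {
    const value = values[property];
    if (typeof value !== 'string') continue; // no value to check for this property
    const policyRequirements = [];
    for (const { policyId, params } of policies) {
      const policy = POLICIES[policyId];
      if (!policy.check(value, params)) {
        policyRequirements.push({ params, policyRequirement: policy.requirement });
      }
    }
    if (policyRequirements.length > 0) {
      failedPolicyRequirements.push({ policyRequirements, property });
    }
  }
  return { result: failedPolicyRequirements.length === 0, failedPolicyRequirements };
}

// Sorted names of the properties that failed, for quick inspection.
function failedProperties(request) {
  return validate(request).failedPolicyRequirements.map((f) => f.property).sort();
}

// Stand-alone run: the two requests from the issue description.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(validate({ userName: 'jdoe', password: 'Passw0rd' }), null, 2));
  console.log(JSON.stringify(validate({ userName: 'jdoe', password: 'Passw0rD1' }), null, 2));
}
```

With "Passw0rd" the main password field passes but ldapPassword fails AT_LEAST_X_CAPITAL_LETTERS and ldap2Password fails AT_LEAST_X_NUMBERS, which is exactly the failedPolicyRequirements list in the report; "Passw0rD1" satisfies all three properties. Supplying ldapPassword or ldap2Password explicitly in the request replaces the propagated value for that property only, so a weaker main password can still be accepted when the additional fields are given values of their own.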

Generated at Fri Mar 05 06:43:13 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.