LDAPPasswordChangeValve
Warning
This valve is blocking - this may hurt throughput and cause performance issues since other pipes won't be able to execute while this valve is waiting on a long-running operation in the same instance of the pipes module, for example due to a network request, disk access or similar. Try to limit the usage of blocking valves, try to ensure that they are fast to execute, and if needed, consider deploying multiple instances of the pipes module.
Note
Valve for changing a user's password in an LDAP directory.
Password modifications can be done in two ways:
1. Password change: used when the current user password is known and supplied by the user. A password change is done in user context, i.e. the user binds to the DS and performs the operation(s), so password policies etc. are applied. This method is always used if the current password is supplied.
2. Password reset: used when the current password is NOT known/supplied. A password reset can be performed in two ways:
2.1. As an admin password reset: the admin binds to the DS and modifies the user password. To enable this method, set the configuration property 'reset: "true"'.
2.2. By first (as admin) modifying the user password to a known random value and then performing a password change (as described in 1). This is the default reset method. Note: this may affect password history.
If the current password is supplied, this valve ALWAYS performs a password change (1).
If the current password is NOT supplied, a password change with a random password (2.2) is performed UNLESS reset is configured (2.1). (Note: ADPasswordChangeValve redefines this behaviour.)
Which method to use depends on the directory server and on whether you need to preserve password history etc.
The valve operates on all items in the current item set.
Properties
Name | Description | Default value | Mandatory | Supports property expansion |
---|---|---|---|---|
connection_ref | Id of the LDAP connection to use. Must refer to a connection of type 'LDAP'. | | Yes | No |
value | The password to set. | | Yes | Yes |
password_attr_name | Name of the password attribute. | userPassword | No | No |
rebind | Flag controlling whether the current LDAP connection should be rebound (as the user) or a new connection should be used to change the password. | true | No | No |
replace | Flag controlling whether the password change should use a single modify operation or separate delete and add operations. | true | No | No |
reset | Flag forcing a password reset instead of a change with a random password when the current password is not known. | false | No | No |
current_password_param_name | Name of the parameter containing the current password. If this is configured, the valve will bind with the current password instead of a random password before setting the new password. | | No | No |
temp_password_prefix | Prefix of the temporary random password used for password reset (when the current password is not known). This property can be used to force compliance with directory password policies. | Random_ | No | No |
temp_password_maxlen | Length of the temporary random password. | 16 | No | No |
Example configuration (bare minimum)
{
    "name": "LDAPPasswordChangeValve",
    "config": {
        "connection_ref": "b0f2ddff-9585-47c5-9286-2bee2b731197",
        "value": "{{request.password}}"
    }
}
Example configuration (full)
{
    "name": "LDAPPasswordChangeValve",
    "config": {
        "connection_ref": "b0f2ddff-9585-47c5-9286-2bee2b731197",
        "value": "{{request.new_password}}",
        "current_password_param_name": "{{request.old_password}}",
        "password_attr_name": "customPassword",
        "rebind": "false",
        "replace": "false",
        "temp_password_prefix": "pwdPolicyC0mpat!bl3_",
        "temp_password_maxlen": "32"
    }
}
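To make the method selection and the effect of the replace, reset and temp_password_* properties concrete, the following added Python model (written for this page, not the product's own code) computes the bind identity and LDAP modifications the valve would issue for each path; the user DN, the "admin" label and the shape of the temporary password (prefix plus random alphanumerics, capped at temp_password_maxlen) are assumptions.

```python
import secrets
import string
from dataclasses import dataclass
from typing import Optional

@dataclass
class ValveConfig:
    # Property names and defaults taken from the table above.
    password_attr_name: str = "userPassword"
    replace: bool = True
    reset: bool = False
    temp_password_prefix: str = "Random_"
    temp_password_maxlen: int = 16

def temp_password(cfg: ValveConfig) -> str:
    # Assumption: prefix followed by random alphanumerics, total length capped at temp_password_maxlen.
    budget = max(0, cfg.temp_password_maxlen - len(cfg.temp_password_prefix))
    alphabet = string.ascii_letters + string.digits
    return cfg.temp_password_prefix + "".join(secrets.choice(alphabet) for _ in range(budget))

def change_ops(cfg: ValveConfig, old: str, new: str) -> list:
    # replace=true: one modify/replace; replace=false: delete the old value, then add the new one.
    if cfg.replace:
        return [("REPLACE", cfg.password_attr_name, new)]
    return [("DELETE", cfg.password_attr_name, old), ("ADD", cfg.password_attr_name, new)]

def plan(cfg: ValveConfig, user_dn: str, new_password: str,
         current_password: Optional[str] = None) -> list:
    """Return the ordered (bind identity, modifications) steps the valve would perform."""
    if current_password is not None:
        # (1) Password change in user context: the user binds, so DS password policies apply.
        return [(user_dn, change_ops(cfg, current_password, new_password))]
    if cfg.reset:
        # (2.1) Admin reset: the admin binds and overwrites the value (assumed to be a replace).
        return [("admin", [("REPLACE", cfg.password_attr_name, new_password)])]
    # (2.2) Default reset: admin sets a known random value, then a user-context change follows.
    tmp = temp_password(cfg)
    return [("admin", [("REPLACE", cfg.password_attr_name, tmp)]),
            (user_dn, change_ops(cfg, tmp, new_password))]

if __name__ == "__main__":
    # Constructed example mirroring the full configuration above, with no current password supplied.
    full = ValveConfig(replace=False, temp_password_prefix="pwdPolicyC0mpat!bl3_", temp_password_maxlen=32)
    for bind_as, ops in plan(full, "uid=alice,ou=people,dc=example,dc=com", "N3wS3cret!"):
        print(bind_as, ops)
```

The two-step output for the full configuration shows why the default reset path can touch password history: the directory sees two password changes, the admin-set temporary value and the user's final one.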