The OpenIAM Identity Manager provides a rich set of rules out of the box that can be used to define complex password policies. However, there will be occasions where the set of rules needs to be extended to handle additional requirements. The following section shows how to define a new policy rule and how to register it with the system.
Password policy rules can be defined either in Java or as a Groovy script. The following steps use Groovy because of its simplicity.
- All password policy rules must extend the org.openiam.idm.srvc.pswd.rule.AbstractPasswordRule and implement the PasswordValidationCode isValid() method.
- Create a script in the apache-tomcat-6.0.26/iamscripts/plugin directory. The script should have the same name as the name of the class. For example, if the name of the class is MyPasswordRule then the name of the script should be MyPasswordRule.groovy.
The isValid() method must return a valid PasswordValidationCode. A success code tells the policy evaluator that the requirements of this rule were met and that processing should continue with the next rule. Any other value is treated as an error, and the password fails the policy validation checks. The valid PasswordValidationCode values are listed below:
| Code | Description |
|---|---|
| PASSWORD_POLICY_NOT_FOUND | Policy was not found |
| FAIL_ALPHA_CHAR_RULE | Password failed the rule for alphanumeric characters |
| FAIL_LOWER_CASE_RULE | Password failed the rule for the required number of lower case characters |
| FAIL_UPPER_CASE_RULE | Password failed the rule for the required number of upper case characters |
| FAIL_NON_APHANUMERIC_RULE | Password failed the rule for the required number of non-alphanumeric characters |
| FAIL_NUMERIC_CHAR_RULE | Password failed the rule for the required number of numeric characters |
| FAIL_HISTORY_RULE | Password failed the history rule; this password was used previously |
| FAIL_LENGTH_RULE | Password failed the rule for minimum or maximum length |
| FAIL_NEQ_NAME | Password failed the rule that does not allow the user's name to be used in the password |
| FAIL_NEQ_PASSWORD | Password failed the rule that does not allow the word "password" to be contained in the password |
| FAIL_NEQ_PRINCIPAL | Password failed the rule that does not allow the principal name to be used within the password |
| FAIL_PASSWORD_CHANGE_FREQUENCY | Password failed the rule that determines how many times a day the password can be changed |
| FAIL_PASSWORD_CHANGE_ALLOW | Password failed the rule that determines whether a password change is allowed |
| FAIL_REJECT_CHARS_IN_PSWD | Password failed the rule that disallows certain characters |
| FAIL_OTHER | Password failed the policy, but the exact reason is not known |
The new password rule extends AbstractPasswordRule. The abstract class exposes the following fields, which the new class may use:
| Class name | Variable name |
|---|---|
| org.openiam.idm.srvc.policy.dto.Policy | policy |
| String | password |
| String | principal |
| String | managedSysId |
| org.openiam.idm.srvc.user.dto.User | user |
| org.openiam.idm.srvc.auth.dto.Login | lg |
| PasswordHistoryDAO | passwordHistoryDao |
| org.openiam.util.encrypt.Cryptor | cryptor |
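As an added example (not part of the original OpenIAM documentation), the following Groovy script defines a custom rule using only the inherited `password` and `principal` fields listed above. The class name NoRepeatsOrReversedPrincipalRule is hypothetical, and the import location of the PasswordValidationCode enum and the name of its success constant (`SUCCESS`) are assumptions, since the page does not state them.

```groovy
import org.openiam.idm.srvc.pswd.rule.AbstractPasswordRule
// Assumption: the PasswordValidationCode enum lives in the same package as
// AbstractPasswordRule and its success constant is named SUCCESS.
import org.openiam.idm.srvc.pswd.rule.PasswordValidationCode

/**
 * Hypothetical custom rule, saved as iamscripts/plugin/NoRepeatsOrReversedPrincipalRule.groovy
 * (the file name must equal the class name).
 *
 * Rejects passwords containing a run of three or more identical characters
 * ("aaa", "111"), and passwords containing the principal spelled backwards,
 * which the built-in FAIL_NEQ_PRINCIPAL check (plain principal only) does not catch.
 */
class NoRepeatsOrReversedPrincipalRule extends AbstractPasswordRule {

    // Longest run of identical characters that is still accepted.
    static final int MAX_REPEAT = 2

    PasswordValidationCode isValid() {
        // `password` and `principal` are String fields inherited from AbstractPasswordRule.
        if (password == null || password.isEmpty()) {
            // Nothing to evaluate; the length rule reports this case in detail.
            return PasswordValidationCode.FAIL_OTHER
        }

        if (longestRun(password) > MAX_REPEAT) {
            return PasswordValidationCode.FAIL_REJECT_CHARS_IN_PSWD
        }

        // Very short principals would match almost any password, so skip them.
        if (principal != null && principal.length() >= 3) {
            String reversed = principal.reverse().toLowerCase()
            if (password.toLowerCase().contains(reversed)) {
                return PasswordValidationCode.FAIL_NEQ_PRINCIPAL
            }
        }

        return PasswordValidationCode.SUCCESS
    }

    /** Length of the longest run of a single repeated character in s. */
    static int longestRun(String s) {
        int best = 1, run = 1
        for (int i = 1; i < s.length(); i++) {
            run = (s.charAt(i) == s.charAt(i - 1)) ? run + 1 : 1
            if (run > best) best = run
        }
        return best
    }
}
```

With principal `jsmith`, the password `Htimsj!2024` fails with FAIL_NEQ_PRINCIPAL and `Pa$$$word9` fails with FAIL_REJECT_CHARS_IN_PSWD, while a password that triggers neither check returns the success code and lets the evaluator proceed to the remaining rules.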
- Once the new rule has been created, it needs to be registered within the system. This can be done using the admin console. The details for which are defined at:
- Once the rule has been registered, it will appear as an option in the list of policy rules available.