Oracle® Internet Directory Administrator's Guide 10g (9.0.4) Part Number B12118-01
Oracle Internet Directory Plug-In for Password Policies, 3 of 3
This example uses a PL/SQL program, pluginpkg.sql, which is described in "Contents of Sample PL/SQL Package pluginpkg.sql". In general, this package contains:
pre_add and pre_modify
isGoodPwd, which verifies that a password meets the minimum length requirement of eight characters
Thus, in this example, if you try to add a user whose userpassword value is shorter than eight characters, the request is rejected. Similarly, if you try to modify a user password and the new password value is shorter than eight characters, the request is rejected.
This section contains these topics:
Having implemented the stand-alone value-checking PL/SQL program, do the following:
sqlplus ods/odspwd @pluginpkg.sql
pluginreg.dat, which contains the following:
### add plugin ###
dn: cn=pre_add_plugin,cn=plugin,cn=subconfigsubentry
objectclass:orclPluginConfig
objectclass:top
orclpluginname:pwd_plugin
orclplugintype:operational
orclplugintiming:pre
orclpluginldapoperation:ldapadd
orclpluginenable:1
orclpluginversion:1.0.1
cn:pre_add_plugin
orclpluginsubscriberdnlist:dc=com;o=IMC,c=US
orclpluginattributelist:userpassword

### modify plugin ###
dn: cn=pre_mod_plugin,cn=plugin,cn=subconfigsubentry
objectclass:orclPluginConfig
objectclass:top
orclpluginname:pwd_plugin
orclplugintype:operational
orclplugintiming:pre
orclpluginldapoperation:ldapmodify
orclpluginenable:1
orclpluginversion:1.0.1
cn:pre_mod_plugin
orclpluginsubscriberdnlist:dc=com;o=IMC,c=US
orclpluginattributelist:userpassword
Note that this registration file tells the directory server that there are two plug-in modules to invoke when it receives ldapadd or ldapmodify requests. The line orclpluginsubscriberdnlist:dc=com;o=IMC,c=US ensures that the plug-in is invoked ONLY if the target entry is under dc=com or under o=IMC,c=US.
To add this file to the directory, enter the following:
ldapadd -p portnum -h hostname -D cn=orcladmin -w orcladminpwd -v -f pluginreg.dat
You can use standard PL/SQL character functions to process the password value, or download any PL/SQL program that performs regular-expression matching. The important thing is to integrate the value-checking functions with your plug-in modules.
Turn on directory server plug-in debugging to help you examine the process and content of plug-ins.
To set up directory server plug-in debugging, execute the following command:
sqlplus ods/password @$ORACLE/ldap/admin/oidspdsu.pls
To enable directory server plug-in debugging, execute the following command:
sqlplus ods/password @$ORACLE/ldap/admin/oidspdon.pls
To disable directory server plug-in debugging, execute the following command:
sqlplus ods/password @$ORACLE/ldap/admin/oidspdof.pls
To show directory server plug-in debugging messages, execute the following command:
sqlplus ods/password @$ORACLE/ldap/admin/oidspdsh.pls
To delete directory server plug-in debugging messages, execute the following command:
sqlplus ods/password @$ORACLE/ldap/admin/oidspdde.pls
The script pluginpkg.sql, as used in this example, contains the following:
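-- pluginpkg.sql: Oracle Internet Directory pre-operation plug-in that enforces
-- a minimum password length on ldapadd and ldapmodify requests.
--
-- Both procedures follow the OID plug-in contract used by this example:
-- rc = 0 lets the operation proceed, rc = 1 rejects it and errormsg is
-- returned to the caller. Debug output goes through plg_debug (defined
-- outside this package); password values are never written to it, only
-- whether one was supplied and how long it is.
CREATE OR REPLACE PACKAGE pwd_plugin AS

    -- Pre-add hook: rejects the add when the entry carries no userpassword
    -- value or any userpassword value shorter than the minimum length.
    PROCEDURE pre_add (
        ldapplugincontext IN  ODS.plugincontext,
        dn                IN  VARCHAR2,
        entry             IN  ODS.entryobj,
        rc                OUT INTEGER,
        errormsg          OUT VARCHAR2
    );

    -- Pre-modify hook: rejects the modify when it supplies no new
    -- userpassword value, or any new value shorter than the minimum length.
    PROCEDURE pre_modify (
        ldapplugincontext IN  ODS.plugincontext,
        dn                IN  VARCHAR2,
        mods              IN  ODS.modlist,
        rc                OUT INTEGER,
        errormsg          OUT VARCHAR2
    );

    -- Function:  isGoodPwd
    -- Parameter: inpwd - candidate password value
    -- Purpose:   simple password validation function.
    --            Returns 0 when the password is NULL or shorter than
    --            8 characters (not a good password), 1 otherwise.
    FUNCTION isGoodPwd(inpwd IN VARCHAR2) RETURN INTEGER;

END pwd_plugin;
/
show error

CREATE OR REPLACE PACKAGE BODY pwd_plugin AS

    FUNCTION isGoodPwd(inpwd IN VARCHAR2) RETURN INTEGER IS
        minpwdlen CONSTANT NUMBER := 8;   -- minimum accepted length, in characters
        pwdlen    NUMBER;
        verdict   INTEGER DEFAULT 1;      -- 1 = acceptable, 0 = rejected
    BEGIN
        plg_debug('=== begin of ISGOODPWD ===');

        -- LENGTH(NULL) is NULL and "NULL < minpwdlen" is UNKNOWN, so an
        -- absent password has to be rejected explicitly instead of falling
        -- through to the "good" branch.
        IF inpwd IS NULL THEN
            plg_debug('password is null');
            verdict := 0;
        ELSE
            pwdlen := LENGTH(inpwd);
            -- Only the length is logged; the cleartext value never reaches
            -- the debug log.
            plg_debug('password length = ' || pwdlen);
            IF pwdlen < minpwdlen THEN
                verdict := 0;
            END IF;
        END IF;

        -- Reached on every non-exception path (in the original this line
        -- followed the RETURN statements and was unreachable).
        plg_debug('=== end of ISGOODPWD ===');
        RETURN verdict;
    EXCEPTION
        WHEN OTHERS THEN
            plg_debug('Exception in isGoodPwd(). Error code is ' || TO_CHAR(SQLCODE));
            plg_debug(' ' || SQLERRM);
            -- Fail closed: an error while checking counts as a bad password.
            RETURN 0;
    END isGoodPwd;

    PROCEDURE pre_add (
        ldapplugincontext IN  ODS.plugincontext,
        dn                IN  VARCHAR2,
        entry             IN  ODS.entryobj,
        rc                OUT INTEGER,
        errormsg          OUT VARCHAR2
    ) IS
        pwd_seen  BOOLEAN DEFAULT FALSE;  -- at least one userpassword value was supplied
        verdict   NUMBER  DEFAULT 1;      -- drops to 0 once any password value fails
        attrname  VARCHAR2(256);
    BEGIN
        plg_debug('=== begin of PRE_ADD_PLUGIN ===');
        plg_debug('dn = ' || dn);
        plg_debug('entry obj ' || ':entryname = ' || entry.entryname);

        FOR i IN 1 .. entry.attr.COUNT LOOP
            attrname := entry.attr(i).attrname;
            plg_debug('attrname[' || i || '] = ' || attrname);

            -- LDAP attribute type names are case-insensitive, so normalise
            -- before comparing rather than trusting the client's spelling.
            IF LOWER(attrname) = 'userpassword' THEN
                -- Every supplied value must pass the policy; the values
                -- themselves are deliberately not logged.
                FOR j IN 1 .. entry.attr(i).attrval.COUNT LOOP
                    pwd_seen := TRUE;
                    plg_debug(attrname || '[' || i || ']' || '.val[' || j || '] = <redacted>');
                    IF isGoodPwd(entry.attr(i).attrval(j)) = 0 THEN
                        verdict := 0;
                    END IF;
                END LOOP;
            ELSE
                FOR j IN 1 .. entry.attr(i).attrval.COUNT LOOP
                    plg_debug(attrname || '[' || i || ']' || '.val[' || j || '] = '
                              || entry.attr(i).attrval(j));
                END LOOP;
            END IF;
        END LOOP;

        IF NOT pwd_seen OR verdict = 0 THEN
            rc := 1;
            errormsg := 'PASSWORD POLICY VIOLATION:0000X, less than 8 chars';
            plg_debug(' we got an invalid password ');
        ELSE
            rc := 0;
            errormsg := 'no pre_add plugin error msg';
            plg_debug(' we got a good password ');
        END IF;

        plg_debug('=== end of PRE_ADD_PLUGIN ===');
    EXCEPTION
        WHEN OTHERS THEN
            plg_debug('Exception in PRE_ADD plugin. Error code is ' || TO_CHAR(SQLCODE));
            plg_debug(' ' || SQLERRM);
            -- Fail closed: an unexpected error rejects the add.
            rc := 1;
            errormsg := 'exception: pre_add plugin';
    END pre_add;

    PROCEDURE pre_modify (
        ldapplugincontext IN  ODS.plugincontext,
        dn                IN  VARCHAR2,
        mods              IN  ODS.modlist,
        rc                OUT INTEGER,
        errormsg          OUT VARCHAR2
    ) IS
        new_seen  BOOLEAN DEFAULT FALSE;  -- at least one new userpassword value was supplied
        old_count NUMBER  DEFAULT 0;      -- number of userpassword values being removed
        verdict   NUMBER  DEFAULT 1;      -- drops to 0 once any new value fails
    BEGIN
        plg_debug('=== begin of PRE_MOD_PLUGIN ===');
        plg_debug(dn);

        FOR i IN 1 .. mods.COUNT LOOP
            -- LDAP attribute type names are case-insensitive.
            IF LOWER(mods(i).type) = 'userpassword' THEN
                -- Operations 0 and 2 carry the new password value(s), operation 1
                -- the value(s) being removed. NOTE(review): these look like the
                -- LDAP add/delete/replace codes - confirm against ODS.modlist.
                IF mods(i).operation IN (0, 2) THEN
                    -- Every new value must pass; values are not logged.
                    FOR j IN 1 .. mods(i).vals.COUNT LOOP
                        new_seen := TRUE;
                        IF isGoodPwd(mods(i).vals(j).val) = 0 THEN
                            verdict := 0;
                        END IF;
                    END LOOP;
                ELSIF mods(i).operation = 1 THEN
                    old_count := old_count + mods(i).vals.COUNT;
                END IF;
            END IF;
        END LOOP;

        -- Only presence and counts are logged, never the password values.
        plg_debug(' new password supplied: ' || CASE WHEN new_seen THEN 'yes' ELSE 'no' END);
        plg_debug(' old password values removed: ' || old_count);

        IF NOT new_seen OR verdict = 0 THEN
            rc := 1;
            errormsg := 'PASSWORD POLICY VIOLATION:0000X, less than 8 chars';
            plg_debug(' we got an invalid password ');
        ELSE
            rc := 0;
            errormsg := 'no pre_mod plugin error msg';
            plg_debug(' we got a good password ');
        END IF;

        plg_debug('=== end of PRE_MOD_PLUGIN ===');
    EXCEPTION
        WHEN OTHERS THEN
            plg_debug('Exception in PRE_MODIFY plugin. Error code is ' || TO_CHAR(SQLCODE));
            plg_debug(' ' || SQLERRM);
            -- Fail closed: an unexpected error rejects the modify.
            rc := 1;
            errormsg := 'exception: pre_mod plugin';
    END pre_modify;

END pwd_plugin;
/
show error

GRANT EXECUTE ON pwd_plugin TO ods_server;
EXIT;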