How to set up a password history policy

Let's say we want to prevent the reuse of the four previous passwords when updating OpenIDM managed users.

Storing and managing the password history

To do so, we need to create, for each user, an array holding the four previous passwords. We name that attribute lastPass and declare it in bin/defaults/script/ui/onCreate-user-set-default-fields.js:

object.lastPass = new Array(5);


Note: it is highly recommended to use a custom onCreate JavaScript file; for example, copy the original bin/defaults/script/ui/onCreate-user-set-default-fields.js to bin/defaults/script/ui/onCreate-user-set-default-fields-custom.js, add the line above, and reference the new file in conf/managed.json instead of the original one.

Although we only need four elements, we declare an array of five because of this bug (index 0 is left unused). We also have to update the lastPass attribute each time the password is modified, so we create a script named bin/defaults/script/ui/onUpdate-user-pwpolicy.js with the following content:

// Rotate the history only when the password actually changes.
if (newObject.password != oldObject.password) {
    // Shift the previous passwords down one slot (slot 0 stays unused)...
    newObject.lastPass[1] = oldObject.lastPass[2];
    newObject.lastPass[2] = oldObject.lastPass[3];
    newObject.lastPass[3] = oldObject.lastPass[4];
    // ...and store the password being replaced in the last slot.
    newObject.lastPass[4] = oldObject.password;
}

and reference it in the user configuration block of managed.json:

...
    "name" : "user",
    "onUpdate" : {
        "type" : "text/javascript",
        "file" : "bin/defaults/script/ui/onUpdate-user-pwpolicy.js"
    },
...

Extending the Policy Service

Now we extend the policy service by adding a scripted policy in a custom JavaScript file, for example script/pwpolicy.js:

// Register a policy whose validation function is isNew below.
var policy1 = {
    "policyId" : "is-new",
    "policyExec" : "isNew",
    "policyRequirements" : ["IS_NEW"]
};
addPolicy(policy1);

// Fails with IS_NEW when the submitted value matches one of the stored previous passwords.
function isNew(fullObject, value, params, property) {
    // An object without a history yet has nothing to compare against.
    if (!fullObject.lastPass) {
        return [];
    }
    var length = fullObject.lastPass.length;
    // Slot 0 is unused (see above), so start at 1.
    for (var i = 1; i < length; i++) {
        if (fullObject.lastPass[i] === value) {
            return [{"policyRequirement": "IS_NEW"}];
        }
    }
    return [];
}

In conf/policy.json we first reference the script above by adding it to the additionalFiles value:

{
    "file" : "bin/defaults/script/policy.js",
    "additionalFiles" : ["script/pwpolicy.js"],
    ...

Then, in the same file, we attach the new policy to the password property block by its policyId:

...
    {
        "name" : "password",
        "policies" : [
            {
                "policyId" : "not-empty"
            },
            {
                "policyId" : "is-new"
            },
...

Finally, we configure OpenIDM to encrypt the new attribute and to prevent it from being retrieved through REST (private scope), in conf/managed.json:

...
    {
        "name" : "user",
        "properties" : [
            {
                "name" : "lastPass",
                "encryption" : {
                    "key" : "openidm-sym-default"
                },
                "scope" : "private"
            }
        ...
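To see how the onUpdate rotation and the is-new policy interact over several password changes, here is an added stand-alone Node.js model of the three hooks (example code, not from this page or from OpenIDM; OpenIDM's oldObject/newObject globals and the policy callback signature are emulated, and the onCreate/onUpdate/simulate names are this example's own). It shows that a password is blocked while it sits in the four-slot window and becomes acceptable again once four further changes have pushed it out.

```javascript
// Added example (not OpenIDM code): plain Node.js model of the onCreate,
// onUpdate and is-new policy scripts from the page. Function names other
// than isNew and the lastPass attribute are assumptions of this example.

const SLOTS = 5; // five slots as on the page; slot 0 is intentionally unused

// onCreate-user-set-default-fields.js equivalent: allocate the empty history.
function onCreate(user) {
  user.lastPass = new Array(SLOTS);
  return user;
}

// onUpdate-user-pwpolicy.js equivalent: when the password changes, shift the
// previous passwords down one slot and store the replaced one in the last slot.
function onUpdate(oldObject, newObject) {
  if (newObject.password !== oldObject.password) {
    newObject.lastPass = oldObject.lastPass.slice();
    for (let i = 1; i < SLOTS - 1; i++) {
      newObject.lastPass[i] = oldObject.lastPass[i + 1];
    }
    newObject.lastPass[SLOTS - 1] = oldObject.password;
  }
  return newObject;
}

// pwpolicy.js isNew equivalent: IS_NEW fails if value is among the stored history.
function isNew(fullObject, value) {
  const history = fullObject.lastPass || [];
  for (let i = 1; i < history.length; i++) {
    if (history[i] === value) return [{ policyRequirement: "IS_NEW" }];
  }
  return [];
}

// Create a user with passwords[0], then attempt each following change in turn.
// Returns the accept/reject outcome of each attempt plus the final state.
function simulate(passwords) {
  let user = onCreate({ password: passwords[0] });
  const accepted = [];
  for (const candidate of passwords.slice(1)) {
    const ok = isNew(user, candidate).length === 0;
    accepted.push(ok);
    if (ok) user = onUpdate(user, { ...user, password: candidate });
  }
  return { accepted, history: user.lastPass.slice(1), current: user.password };
}

// Constructed sample: p0 is still blocked after four changes; one more change
// pushes it out of the window and it is accepted again.
console.log(simulate(["p0", "p1", "p2", "p3", "p4", "p1", "p0", "p5", "p0"]));
```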