Does anybody have experience with collective.pwexpiry 0.9.1 and LDAP?

I am trying to combine Active Directory password complexity requirements implemented in collective.pwexpiry with LDAP in Plone 4.3 (later I will try it with Plone 5).

I adapted all settings in the configuration registry tool as described in the configuration and customization paragraph on the PyPI download page (and later also directly in the registry.xml). I got the script notify_and_expire.py running and that works fine for 15 days and other days that I added.

Trying 3 times to log in with a wrong password results in a block, and the unblock function works.

I also implemented this: Defining custom password validation methods.
The idea is that the default Plone password length check of 5 characters is replaced by this validator: check on min 8 characters plus minimum of special characters in it.

I used a copy of the example_validator.py and renamed that to password_validator.py and changed the classname inside it from ADPasswordValidator to MyPasswordValidator.

I added in configure.zcml (located in the same directory as example_validator.py and password_validator.py) this adapter as documented on PyPI.

My Plone 4.3 is configured so that users can register themselves and define their own password.
Now the issues that I face (and I tried it by moving the plugins in different order for the various PAS functions like Authentication, User Adder, User Management and Challenge, etc.).

When a new user registers, only the password check on 5 characters works (that is the default of Plone).
Immediately after successful registration the system comes with Password Expired (strange). When a Reset is done (email with activate link is sent) then I can log in.

I also want to force users to change passwords, and therefore the history is kept, but that is also not working at all.

Finally I tried all this on a clean Plone without LDAP as well, but without success.

Has somebody had the same experience or found a solution, or can somebody give me some hints? Maybe a false configuration in the wrong configure.zcml file?

What position should the plugins have for the PAS functions?

Thanks for any suggestion.

Sometimes you find out yourself what the issue is. :smiley:

It turned out that Products.PasswordStrength was hindering a proper functioning of collective.pwexpiry. After I deleted Products.PasswordStrength from installed Add-on products, from buildout and the eggs directory (just to make sure nothing was there)... all was working as intended.

The issue that your password gets immediately expired when using Plone's user self-registration and the option that users can also define their own password is not yet solved. I think the reason is that collective.pwexpiry adds a user property called password_date, which is by default initially set to the value 2000/01/01. The original register.py program of plone.app.users does not know that property, so it cannot update the initial password date, therefore pwexpiry demands you to immediately set a new password (password expired as it sees 2000/01/01...).

Hmmm, I need to figure out how to solve that without too much hassle...

But maybe you find this useful information.
BTW: collective.pwexpiry 0.9.1 is not compatible with Plone 5 (somewhere there is a reference to usergroups, which does not exist). The authors do not state that it is ready for Plone 5. I just tried it for fun...

Last X Passwords check = the password history function of collective.pwexpiry works nicely when you store users and groups in Zope, but when you use OpenLDAP with plone.app.ldap then it does not work.

The registry parameter password_history_size is set to 5, but that part of the plugin is not invoked. I need to do more testing and debugging (after my holiday...).