password change and ppolicy

[tizo <tizone@gmail.com>]

Hi there,

We are using OpenLDAP 2.4.16 with ppolicy, to authenticate users for a JEE application. Authentication works great (with JNDI), and we are receiving ppolicy response controls without problem. In that way, the user knows when the password is about to expired, when the password have been reseted, etc. Now we want to offer users to change passwords from the application. 

Before starting this, I have been testing password changing with phpLDAPAdmin. The fact is that I could only change a user password with clear text. I guess that this behaviour happens because we have pwdCheckQulity setting in 2 in our default password policy. So, when the client (phpLDAPAdmin) tries to modify the password enconding it, the server (OpenLDAP) cannot check the min length of the password, as it is encoded, and then fails. I am guessing too, that phpLDAPAdmin is performing a simple modify operation to change the password, as it is stored in clear text. On the other hand, I could change passwords with ldappasswd withouth problem, and they are stored with SSHA. I know that this command uses RFC 3062.

So, I am wondering which is the best way to change the password from a Java application. I guess that, if I have pwdCheckQulity setting in 2, the password should travel in clear text, so that ppolicy can check its min lenght for example. But I would like it to be stored encoded. How could I do that?. Do I have to use RFC 3062?. Do you know any Java implementation of the client side for that RFC?.

Thanks very much, 

tizo