
Password Complexity Message for Remote Directories ( Open LDAP / AD etc )


https://jira.atlassian.com/browse/CWD-2835 implemented a configuration for a password complexity message for the Internal Directory (hand in hand with passwordRegex).

As mbeaucha points out in https://jira.atlassian.com/browse/CWD-2835?focusedCommentId=409130&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-409130, we need to investigate how to add this functionality with LDAP / AD.

Quick googling points out we could get the message from AD (ntSecurityDescriptor). Not sure about OpenLDAP.


Florian Schmied added a comment:

Could you please provide an update for this issue? This is very confusing for our customers

Deleted Account (Inactive) added a comment:

This issue was created almost four years ago but has not received any public update from Atlassian yet.

Currently, external users can reset their passwords via JIRA / Confluence, which are connected to Crowd, which is connected to MS Active Directory. This has to be done since our Crowd server is not publicly accessible.

We are hit by the issue that no proper error message is printed. If a customer enters a weak password, he gets an ugly error message like this directly on the set password screen (e.g. in JIRA):

Error from Crowd server propagated to here via REST API (check the Crowd server logs for details): org.springframework.ldap.OperationNotSupportedException: [LDAP: error code 53 - 0000052D: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0
]; nested exception is javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000052D: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0
]; remaining name 'cn=Test User,ou=users,ou=Test,dc=ad,dc=mycompany,dc=com'

This confuses the customer since they don't know what has gone wrong. The message does not imply that the entered password was too weak according to the password policy defined in Active Directory.

So can someone from Atlassian please give an update on this issue?
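The error quoted in the comment above is an LDAP unwillingToPerform result (code 53) whose diagnostic text carries the Windows error 0000052D, i.e. ERROR_PASSWORD_RESTRICTION (1325): the new password violates the domain's length, complexity or history policy. The following is an added example, not Crowd's code and not part of this issue, showing how a front end can translate that raw exception text into a message a user can act on while keeping the full detail for the server log. The mapping table, the OpenLDAP constraintViolation branch and the OpenLDAP sample diagnostic text are assumptions of this example.

```python
import re

# Matches the "[LDAP: error code NN - diagnostic]" fragment that javax.naming and
# Spring LDAP embed in their exception messages (as in the comment above).
LDAP_CODE_RE = re.compile(r"\[LDAP: error code (\d+) - ([^\]]*)\]")

# Active Directory prefixes its diagnostic with an 8-hex-digit Windows error code.
AD_HEX_RE = re.compile(r"^([0-9A-Fa-f]{8}):")

# Windows error codes AD returns with result 53 (unwillingToPerform) on a password
# change. 0x52D (1325) is ERROR_PASSWORD_RESTRICTION. The wording is this example's own.
AD_PASSWORD_ERRORS = {
    "0000052D": "Your new password does not meet the directory's length, complexity or history requirements.",
    "00000056": "The current password you entered is incorrect.",   # ERROR_INVALID_PASSWORD (86)
    "00000005": "You are not permitted to change this password.",  # ERROR_ACCESS_DENIED (5)
}

# Safe fallback: tells the user nothing about directory internals.
GENERIC = "The directory rejected the password change. Please contact your administrator."


def parse_ldap_error(exception_text):
    """Return (result_code, diagnostic_text) or None if no LDAP fragment is present."""
    m = LDAP_CODE_RE.search(exception_text)
    if m is None:
        return None
    # Collapse the newline that precedes the closing bracket in the AD message.
    return int(m.group(1)), " ".join(m.group(2).split())


def classify_password_error(exception_text):
    """Split a raw directory error into what the user sees and what the log keeps.

    Only user_message should reach the browser; log_detail belongs in the server log.
    """
    parsed = parse_ldap_error(exception_text)
    if parsed is None:
        return {"user_message": GENERIC, "log_detail": exception_text}
    code, diag = parsed
    user_message = GENERIC
    if code == 53:  # unwillingToPerform: AD's answer to a policy violation
        ad = AD_HEX_RE.match(diag)
        if ad:
            user_message = AD_PASSWORD_ERRORS.get(ad.group(1).upper(), GENERIC)
    elif code == 19:  # constraintViolation: assumed OpenLDAP ppolicy-style response
        low = diag.lower()
        if "history" in low:
            user_message = "Your new password was used recently; choose one you have not used before."
        elif "quality" in low or "short" in low:
            user_message = "Your new password does not meet the directory's password policy."
    return {"user_message": user_message, "log_detail": f"LDAP result {code}: {diag}"}


# Sample taken from the comment above (AD WILL_NOT_PERFORM with data 0000052D).
SAMPLE_AD_ERROR = (
    "Error from Crowd server propagated to here via REST API (check the Crowd server "
    "logs for details): org.springframework.ldap.OperationNotSupportedException: "
    "[LDAP: error code 53 - 0000052D: SvcErr: DSID-031A12D2, problem 5003 "
    "(WILL_NOT_PERFORM), data 0\n]; nested exception is "
    "javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000052D: "
    "SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0\n]; remaining "
    "name 'cn=Test User,ou=users,ou=Test,dc=ad,dc=mycompany,dc=com'"
)

# Constructed sample of an OpenLDAP password-quality rejection (assumed wording).
SAMPLE_OPENLDAP_ERROR = "[LDAP: error code 19 - Password fails quality checking policy]"

if __name__ == "__main__":
    for sample in (SAMPLE_AD_ERROR, SAMPLE_OPENLDAP_ERROR, "connection reset by peer"):
        result = classify_password_error(sample)
        print("user:", result["user_message"])
        print("log :", result["log_detail"])
```

The split into user_message and log_detail is the point: the distinguished name, DSID and nested exception chain stay in the server log where an administrator can read them, and the user is told only that the policy was not met.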

Coop IT Coordinators added a comment:

I just reread my last comment from 10/2012 and I realized I left something out:

TL;DR

Crowd should have an option to enforce the current password complexity requirements on a per-directory basis. For the Internal Crowd Directory, this option is implied by the presence of a password complexity regexp. It should be made clear to the Crowd administrator that the password will then have to match the Crowd password complexity regexp AND the OpenLDAP/AD/etc directory's requirements.

Hopefully this simplifies this the next time Crowd development priorities are evaluated. This is very simple, guys!

Petr Nový added a comment:

Hello, is there any progress? We are currently trying to implement Crowd and this feature would be more than welcome.

Coop IT Coordinators added a comment:

From our OpenLDAP expert:

"Based on http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies - I think that they can search for objectClass=pwdPolicy to find password policies, but I'm not quite sure how they'd know which one was assigned to the directory without being able to read the openldap.conf file on the server to see what is defined with the ppolicy_default directive...

I guess I see why they would want to make their password policy match up with whatever is defined in OpenLDAP if one exists, but to me it seems like it'd be easier / more useful to define and enforce the complexity requirements in Crowd... I wonder if they'd allow this as an option."

I agree with his assessment. One of the use cases used to sell Crowd is as a front-end to OpenLDAP and other directories. This is how we use it. If we could use the Internal Directory complexity requirements regexp when changing OpenLDAP users' passwords, it would be quite nice. We could define the complexity requirements and apply them to all directories (which is very desirable in our organization).

Coop IT Coordinators added a comment:

Thanks for opening this new issue, Arvind. It seems to me that if OpenLDAP doesn't support a feature similar to ntSecurityDescriptor, then you could just provide a description box identical to the Internal Directory's "Password Complexity Requirement Message:". For those using AD, you could automatically use the contents of ntSecurityDescriptor to save them the potential inconsistency of message vs. actual requirements. The OpenLDAP folks would have to remember to change the message in Crowd if there's no equivalent to ntSecurityDescriptor.

I've consulted our OpenLDAP expert to see if he can weigh in on this.

Assignee: Unassigned
Reporter: akunday (ArvindA)
Votes: 20
Watchers: 14