Hi Juan,

The implementation should be done by NSN, but as you can see in the link http://www.opennms.org/wiki/Spring_Security_and_LDAP it has been adopted by the OpenNMS community in the past.

Br,
Roberto

_____________________________________________
From: Ejarque, Juan (NSN - ES/Madrid)
Sent: Monday, November 19, 2012 4:04 PM
To: Pulvirenti, Roberto (NSN - IT/Catania); Ribeiro, Claudia (NSN - PT/Amadora)
Cc: Martins, Miguel (NSN - PT/Amadora); Grasso, Giuseppe (NSN - IT/Milan)
Subject: RE: CEMUS SDK open points

Thanks Roberto,

Let me come down to practicalities: the solution you suggest, is it something that should be implemented by the OpenNMS community, or by NSN internally?

Thanks,
Juan Carlos

_____________________________________________
From: Pulvirenti, Roberto (NSN - IT/Catania)
Sent: Thursday, November 15, 2012 4:53 PM
To: Ribeiro, Claudia (NSN - PT/Amadora)
Cc: Martins, Miguel (NSN - PT/Amadora); Ejarque, Juan (NSN - ES/Madrid); Grasso, Giuseppe (NSN - IT/Milan)
Subject: RE: CEMUS SDK open points

Ciao Claudia,

My opinion is that integration with LDAP could still be a valid solution, because there you can set up accounts and associate a max age with the passwords.

Br,
Roberto

_____________________________________________
From: Ribeiro, Claudia (NSN - PT/Amadora)
Sent: Thursday, November 15, 2012 2:26 PM
To: Pulvirenti, Roberto (NSN - IT/Catania)
Cc: Martins, Miguel (NSN - PT/Amadora); Ejarque, Juan (NSN - ES/Madrid); Grasso, Giuseppe (NSN - IT/Milan)
Subject: RE: CEMUS SDK open points

Hi Roberto,

Related to the CEMUS project there was a limitation raised against user pw policy (E133712). The status is set to closed because the user pw was fixed and compliant with the VDF pw policy. However, a maximum expiry time wasn't implemented.

Your feedback:

Feedback 1/2

I will change the admin password soon to be more compliant with the VDF policies because this is the only thing I can do immediately, but as agreed with Morten I'm copying/pasting facts and conclusions already written in an internal email.

I believed that policy requirements applied to OpenNMS GUI users were not to be implemented because of the following reasons:

- "System related" policy requirements depicted in the attached VDF policy document should be applied to OS accounts or to those GUI/application users who can access sensitive/important data. In a similar project for VDF Italy/Malta it was asked to be compliant with "system related" policy requirements only from the OS viewpoint and not for OpenNMS GUI accounts.
- Users in OpenNMS cannot do dangerous operations. The most dangerous operations are to remove all provisioned nodes, misconfigure thresholds, clear alarms that shouldn't be cleared..., which is something that can be easily rebuilt from the last database dumps.
- For this reason, in the RFQ Functional Compliance description there are no statements saying that we will implement the VDF password policy for OpenNMS.
- OpenNMS GUI should be used only by 1 or 2 administrators and some operators, mainly (if not all) from NSN Care.

In any case note that OpenNMS properly supports users, roles and groups and each password is MD5 encrypted.

Feedback 2/2

In case this requirement becomes mandatory for OpenNMS, I would avoid any development and I would exploit just the LDAP functionalities already used by FTM, which are explained in http://www.openldap.org/doc/admin24/overlays.html#Password (section 12.10.2. Password Policy Configuration).

In this case please note that my understanding is that LDAP does not fulfill all reqs in the doc, in particular:
• Passwords must not be identical to the username of the account.
• Passwords must not consist of words from the local language dictionaries (e.g. English).
• Passwords must combine the use of at least 2 of the following: upper and lower case letters, numbers, and special characters.

In order to integrate OpenNMS with LDAP I need to follow the procedure explained in http://www.opennms.org/wiki/Spring_Security_and_LDAP. We can use a new LDAP instance that could be attached to openNMS-rg or, less elegantly, the same LDAP instance used by FTM.

I've the feeling that freeRadius (http://www.opennms.org/wiki/Spring_Security_and_Radius) can help us to satisfy the dictionary requirement, and probably freeRadius and LDAP together (http://etutorials.org/Server+Administration/ldap+system+administration/Part+II+Application+Integration/Chapter+8.+Standard+Unix+Services+and+LDAP/8.4+FreeRadius/), but this should be carefully investigated.

I think that about 5 MWD are needed to scout everything and at least get a simple and working LDAP integration.

Last status of this error:
Right now the openNMS pw is compliant with VDF requirements. The only problem is that we don't have a maximum expiry time. To check later with Vf security, for now this stefa will be closed.

So, the requirement right now is to implement a maximum expiration time according to the VDF pw policy.

Could you please share your opinion about what can be done?

Br,
Cláudia
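The OpenLDAP password-policy overlay the thread refers to (section 12.10.2 of the linked admin guide), as an added example that is not part of this e-mail thread, of OpenNMS or of the FTM setup: a default ppolicy entry whose pwdMaxAge gives the maximum expiry time that is missing today. The base DN dc=example,dc=com, the database index, the policy name and the 90-day value are assumptions; the real age limit has to come from the VDF policy document, which is not in the thread.

```ldif
# Added example (not from the thread). Assumes the ppolicy schema is already
# loaded into cn=config (e.g. from /etc/ldap/schema/ppolicy.ldif) and that the
# directory holding the OpenNMS accounts is olcDatabase={1}mdb serving
# dc=example,dc=com (assumed names).

# 1. Attach the ppolicy overlay to that database and name its default policy.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
# Hash cleartext passwords on the server instead of storing what the client sent.
olcPPolicyHashCleartext: TRUE

# 2. Container for policies plus the default policy entry itself.
dn: ou=policies,dc=example,dc=com
changetype: add
objectClass: organizationalUnit
ou: policies

dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
# Maximum password age in seconds: 7776000 s = 90 days (assumed value;
# replace with the figure required by the VDF policy).
pwdMaxAge: 7776000
# Warn clients during the last 14 days (1209600 s) before expiry.
pwdExpireWarning: 1209600
# Allow 2 binds after expiry so an operator can still change the password.
pwdGraceAuthNLimit: 2
# Minimum length is the only composition rule ppolicy enforces on its own.
pwdCheckQuality: 2
pwdMinLength: 8
pwdInHistory: 5
pwdAllowUserChange: TRUE
pwdMustChange: TRUE
# Not covered by this entry: "not identical to the username", "no dictionary
# words" and "at least 2 character classes", the three gaps named in Feedback 2/2.
```

pwdMaxAge is measured from each account's pwdChangedTime, which the overlay records only for passwords set after it is enabled, so accounts that already exist do not start expiring until their password is changed once.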