Skip Headers

Oracle Internet Directory Administrator's Guide
Release 9.0.2

Part Number A95192-01
Go To Documentation Library
Home
Go To Product List
Solution Area
Go To Table Of Contents
Contents
Go To Index
Index

Go to previous page Go to next page

18
Password Policies

This chapter discusses password policies--that is, sets of rules that govern how passwords are used.

This chapter contains these topics:

About Password Policies

Password polices are sets of rules that govern how passwords are used. The directory server enforces the password policy syntax checks during ldapadd and ldapmodify to ensure that the user password meets the requirements set in that policy. The password policy state checks are enforced by the directory server during ldapbind and ldapcompare. When you establish a password policy, you set the following types of rules, to mention just a few:

During Oracle Internet Directory installation, the Oracle Universal Installer creates for each subscriber a password policy entry containing all the necessary password policy information. It places this entry as shown in Figure 18-1: immediately below the common entry, which resides under the products entry, which, in turn, resides under the subscriber or default subscriber Oracle context. This password policy is applicable to all users under a given subscriber. The Oracle Internet Directory password policy is applicable only to the userpassword attribute. The orclcommonusersearchbase attribute in the common entry of the subscriber Oracle context must be set to the appropriate value for the password policy to be enforced. This attribute must be set before any password policy modification can take effect.

Figure 18-1 Location of Password Policy Entries

Text description of pwdpoliciesa.gif follows
Text description of the illustration pwdpoliciesa.gif

You establish a password policy by assigning values to the following attributes:

Policy Attribute Description

Password Expiry Time

pwdMaxAge

The maximum length of time, in seconds, that a given password is valid. If this attribute is not present, or if the value is 0 (zero), then the password does not expire. By default, the passwords expire in 60 days.

Password Expiration Warning

pwdExpireWarning

The number of seconds before password expiration that the directory server sends the user a warning. If password expiration is enabled, then, by default, the directory server sends no warnings before the password expires. The directory server sends the warning at each logon. If the user does not modify the password before it expires, the user is locked out until the password is changed by the administrator. For this feature to work, the client application must support it.

The default is 0, which means no warnings are sent.

Grace Login Limit

pwdGraceLoginLimit

Maximum number of grace logins allowed after a password expires. By default, no grace logins.are allowed. The default value is 0.

Password Lockout

pwdLockout

Specification for whether users are locked out of the directory after the number of consecutive failed bind attempts specified by pwdmaxFailure. If the value of this policy attribute is 1, then users are locked out. If this attribute is not present, or if the value is 0, then users are not locked out and the value of pwdMaxFailure is ignored. By default, account lockout is enforced. The account is locked after three consecutive login failures.

Password Maximum Failure

pwdMaxFailure

The number of consecutive failed bind attempts after which a user account is locked. If this attribute is not present, or if the value is 0 (zero), then the account is not locked due to failed bind attempts, and the value of the password lockout policy is ignored. The default is 4.

Password Failure Count Interval

pwdFailureCountInterval

The number of seconds after which the password failure times are purged from the user entry. If this attribute is not present, or if it has a value of 0, then failure times are never purged. The default is 0.

Lockout Duration

pwdLockoutDuration

The number of seconds a user is locked out of the directory if both of the following are true:

  • Account lockout is enabled

  • The user has been unable to bind successfully to the directory for at least the number of times specified by pwdMaxFailure

You can set user lockout for a specific duration, or until the administrator resets the user's password. A default value of 0 (zero) means that the user is locked out forever.

Check Password Syntax

pwdCheckSyntax

Specification for whether syntax checking is enforced. If 1, then syntax checking is enforced. The default is enabled.

Minimum Number of Characters of Password

pwdMinLength

The minimum number of characters required in a password. By default, the minimum length is 5; however, the value for this attribute must be at least 1.

Number of Numeric Characters in Password

orclpwdAlphaNumeric

Number of numeric characters required in a password. By default, one numeric character is required. That is, the default value is 1.

Old Password Can Be New Password

orclpwdToggle

Specification for whether a user's old password can become the new one. By default, it can. The default value is 1.

Illegal Values

orclpwdIllegalValues

Multivalued attribute containing the common words and attribute types whose values cannot be used as a valid password. By default, all words are acceptable password values.


Note:

All user passwords are assumed to be single-valued, as mentioned in the July 2001 version of the IETF draft: http://ietf.org/internet-drafts/draft-behera-ldap-password-policy-05.txt


To establish a password policy, you use the pwdPolicy auxiliary object class, which contains password policy information for the entire directory. You set these values during installation. An entry of this object class is created during installation. It has this DN: cn=pwdpolicyentry,cn=my_application,cn=products,cn=Oracle Context,o=my_company,dc=com. In Release 9.0.2, the policy specified applies to the DIT of a given subscriber. Each subscriber can have their own password policy.

This object class contains the following attributes.

Table 18-1 pwdPolicy Object Class Attributes

The default value for each of these attributes is 0 (zero). These attributes are single-valued, except orclpwdIllegalValues, which is multi-valued.

In addition, the object class top contains these operational attributes, to maintain the user-password state information for each user entry.

Managing Password Policies by Using Oracle Directory Manager

During Oracle Internet Directory installation, a password policy entry is created for each subscriber. Table 18-2 lists and describes the password policy fields in Oracle Directory Manager.

Table 18-2 Password Policy Fields in Oracle Directory Manager
Field Description

Password Policy Entry

This field displays the RDN of the password policy entry. You cannot edit this field.

Password Expiry Time

Enter the number of seconds that a given password is valid. If this attribute is not present, or if the value is 0, then the password does not expire. By default, user passwords never expire.

Account Lockout

From the list, select Enable or Disable.

Account Lockout Duration

Enter the number of seconds a user is locked out of the directory if both of the following are true:

  • Account lockout is enabled

  • The user has been unable to bind successfully to the directory for at least the number of times specified by pwdMaxFailure

You can set user lockout for a specific duration, or until the administrator resets the user's password. A default value of 0 (zero) means that the user is locked out forever.

Password Maximum Failure

Enter the number of consecutive failed bind attempts after which a user account is locked.

Password Failure Count Interval

Enter the number of seconds after which the password failure times are purged from the user entry.

Password Expiration Warning

Enter the length of time before password expiration that the directory server sends the user a warning. By default, no warnings are sent. The directory server sends the warning at each logon. If the user does not modify the password before it expires, then the directory server enforces the modification. This means that the user is locked out until the password is changed by the administrator. For this feature to work, the client application must support it.

Check Password Syntax

Specify whether syntax checking is enforced. If 1, then syntax checking is enforced.

Need to Supply Old Password When Modifying Password

Specify whether user must supply old password with new one when modifying password. By default, the old password is not required.

Minimum Number of Characters of Password

Specify the minimum number of characters required in a password.

Number of Numeric Characters in Password

Specify the number of numeric characters required in a password.

Old Password Can Be New Password

Specify whether a user's old password can become the new one. If you choose Enable from the list, then the old password can become the new one.

When you create a subscriber, you also configure that subscriber's password policies. Later, you can use Oracle Directory Manager to view, refresh, and modify those policies. However, you cannot add or delete them.

Viewing a Subscriber's Password Policies by Using Oracle Directory Manager

To view a subscriber's password policies, in the navigator pane, expand Oracle Internet Directory Servers > directory_server_instance > Password Policy Management. The navigator pane displays the subscriber password policy entries. The right pane displays a table with two columns:

For the latest updates to a subscriber's password policies, choose Refresh.

For a particular subscriber's password polices, in the navigator pane, choose the subscriber password policy you want to view.

Modifying a Subscriber's Password Policies by Using Oracle Directory Manager

To modify a subscriber's password policies:

  1. In the navigator pane, expand Oracle Internet Directory Servers > directory_server_instance > Password Policy Management.

  2. In the navigator pane, choose the subscriber password policy you want to modify.

  3. In the right pane, modify the attribute fields for that policy.

  4. When you are finished, choose Apply.

Managing Password Policies by Using Command-Line Tools

This section contains these topics:

Setting Password Policies by Using Command-Line Tools

The following example enables the pwdLockout attribute, changing it from its default setting of 0 (zero).

The file my_file.ldif contains:

dn: cn=pwdpolicyentry,cn=common,cn=products,cn=OracleContext,o=my_company,dc=com
changetype:modify
replace: pwdlockout
pwdlockout: 1

The following command loads this file into the directory:

ldapmodify -p 389 -h myhost -f my_file.ldif

Managing a Subscriber's Password Policies Using Command-Line Tools

Examine the following examples to learn how to view and modify a subscriber's password policies by using command-line tools.

Example: Viewing a Subscriber's Password Policies Using Command-Line Tools

The following example retrieves a specific password policy entry.

ldapsearch -p 389 -h my_host -b 
"cn=pwdpolicyentry,cn=common,cn=products,cn=OracleContext,o=my_company,dc=com" 
-s base "objectclass=*"

The following example retrieves all password policy entries:

ldapsearch -p 389 -h my_host -b "" -s sub "objectclass=pwdpolicy"

Example: Modifying a Subscriber's Password Policies Using Command-Line Tools

The following example modifies a password policy entry.

ldapmodify -p 389 -h my_host -v <<EOF
dn: cn=pwdpolicyentry,cn=common,cn=products,cn=OracleContext,o=my_company,dc=com
changetype: modify
replace: pwdMaxAge
pwdMaxAge: 100000

Error Messages

See:

"Password Policy Violation Error Messages"


Go to previous page Go to next page
Oracle
Copyright © 1999, 2002 Oracle Corporation.

All Rights Reserved.
Go To Documentation Library
Home
Go To Product List
Solution Area
Go To Table Of Contents
Contents
Go To Index
Index