Configuring Directory Server (Sun OpenSSO Enterprise 8.0 Integration Guide)

Sun OpenSSO Enterprise 8.0 Integration Guide

Configuring Directory Server

Before you can configure OpenSSO Enterprise for administrator-initiated password reset, you must configure the Directory Server must to meet the following conditions:

A password policy is configured and assigned to the test user's LDAP profile in the directory server. The password policy should have the following controls set:

Set Password Expiration

LDAP attributes: passwordexp, passwordmaxage

Set Expiration Warning

LDAP attribute: passwordwarning

Warning Duration

LDAP attribute: passwordExpireWithoutWarning)
The following controls are set to allow for administrator-driven password reset:

Require Password Change at First Login and After Reset

LDAP attribute: passwordchange, passwordmustchange

Allow Users to Change Their Passwords

LDAP attribute: pwdallowuserchange
The passwordPolicySubentry attribute in the test user's LDAP profile is set with the DN of the password policy. This indicates that the password policy has been assigned to this user. Example:

cn=idm_integration,dc=sun,dc=com

See the Sun Java System Directory Server Enterprise Edition 6.3 Administration Guide for detailed instructions on configuring these settings.

Important Information About Using Sun Directory Server 6.3

After you install Sun Directory Server Enterprise Edition 6.3, Directory Server uses Legacy mode for its password policy syntax, which works for both Directory Server 5.x and Directory Server 6.x. However, Directory Server 6.3 maintains two sets of password attributes for both password policies and the user's computed password attributes. This may trigger other potential issues. Unless you are planning to use Directory Server 5.x password policies, a good practice is to migrate a new Directory Server 6.3 instance to the Directory Server 6-Only mode. Doing so removes redundancies and avoids any potential problems.

Here is an example of how you can verify which mode the Directory Server is running in, and how you can enable Directory Server 6–Only mode.

# DirectoryServer-base/ds6/bin/dsconf get-server-prop -p 1389 -D "cn=directory manager" 
-w mypass -c -e pwd-compat-mode
pwd-compat-mode  :  DS5-compatible-mode

# DirectoryServer-base/ds6/bin>dsconf pwd-compat -p 1389 -D "cn=directory manager" 
-w mypass -c -e to-DS6-migration-mode
## Beginning password policy compatibility changes.
## Password policy compatibility changes finished.

Task completed (slapd exit code: 0).

# DirectoryServer-base/ds6/bin/dsconf pwd-compat -p 1389 -D "cn=directory manager" 
-w mypass -c -e to-DS6-mode
## Beginning password policy compatibility changes.
## Password policy compatibility changes finished.

Task completed (slapd exit code: 0).

# DirectoryServer-base/ds6/bin/dsconf get-server-prop -p 1389 -D "cn=directory manager" 
-w mypass -c -e pwd-compat-mode
pwd-compat-mode  :  DS6-mod