Directory Server Enterprise Edition Password Policy

Directory Server Enterprise Edition password policy provides the following features:

• A grace login limit, specified by the pwdGraceLoginLimit attribute. This attribute specifies the number of times that an expired password can be used to authenticate. If the attribute is not present or if it is set to 0, authentication will fail.

• Safe password modification, specified by the pwdSafeModify attribute. This attribute specifies whether the existing password must be sent when changing a password. If the attribute is not present, the existing password does not need to be sent.

In addition, the password policy provides two controls, passwordPolicyRequest and passwordPolicyResponse. These controls enable LDAP clients to obtain the account status information on LDAP add, delete, modrdn, compare, and search operations. The following information is available, using the OID 1.3.6.1.4.1.42.2.27.8.5.1 in the search:

• Period of time before the password expires

• Number of grace login attempts remaining

• The password has expired

• The account is locked

• The password must be changed after being reset

• Password modifications are allowed

• The user must supply his/her old password

• The password quality (syntax) is insufficient

• The password is too short

• The password is too young

• The password already exists in history

Managing the Password Policy Using the DSCC

The DSCC provides a tab for managing the password policies. You can use this tab to add new policies, assign a policy to Directory Server users, delete password policies, and change the password policy compatibility mode. The following figure illustrates this tab.

When you define a new password policy, you use the New Password Policy wizard. It allows you to specify password change settings, expiration settings, and content settings. It also allows you to specify account lockout settings. The following figure illustrates step 2 of the New Password Policy wizard.

Migrating to the New Password Policy

For migration purposes, the new password policy maintains compatibility with previous Directory Server versions by identifying a compatibility mode. The compatibility mode determines whether password policy attributes are handled as old attributes or new attributes, where old refers to any Directory Server 5.2 or 5.2.x password policy attributes.

See Password Policy in Sun Directory Server Enterprise Edition 7.0 Upgrade and Migration Guide for details on migrating to the new password policy.