Oracle Fusion Middleware Administration Guide for Oracle Directory Server Enterprise Edition

ProcedureTo Create a Password Policy

You create and modify specialized password policies in the same way that you create and modify any other directory entry. The following procedure demonstrates use of a text editor to write the password policy entry in LDIF. Then you use the ldapmodify command with the -a option to add the password policy entry to the directory.

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

Before You Begin

Example data as shown here is from Example.ldif unless stated otherwise.

  1. Complete a password policy worksheet for the policy you want to create.

    See Worksheet for Defining Password Policy for a sample.

  2. Write a password policy entry, in LDIF, that is based on the worksheet.

    For example, the following policy entry specifies a password policy for temporary employees at Example.com, whose subtree root is dc=example,dc=com:


    dn: cn=TempPolicy,dc=example,dc=com
    objectClass: top
    objectClass: pwdPolicy
    objectClass: sunPwdPolicy
    objectClass: LDAPsubentry
    cn: TempPolicy
    pwdAttribute: userPassword
    pwdCheckQuality: 2
    pwdLockout: TRUE
    pwdLockoutDuration: 300
    pwdMaxFailure: 3
    pwdMustChange: TRUE

    In addition to the default password policy settings, the policy as shown here specifies additional behaviors. Password quality checks are enforced. Accounts are locked for five minutes, 300 seconds, after three consecutive bind failures. Passwords must be changed after the passwords are reset. After the policy is assigned to user accounts, the settings explicitly specified here override the default password policy.

  3. Add the password policy entry to the directory.

    For example, the following command adds the password policy for temporary employees at Example.com under dc=example,dc=com. The password policy has been saved in a file named pwp.ldif.


    $ ldapmodify -a -D uid=kvaughan,ou=people,dc=example,dc=com -w - -f pwp.ldif
    Enter bind password: 
    adding new entry cn=TempPolicy,dc=example,dc=com
    
    $ ldapsearch -D uid=kvaughan,ou=people,dc=example,dc=com -w --b dc=example,dc=com \
    "(&(objectclass=ldapsubentry)(cn=temppolicy))"
    Enter bind password:
    version: 1
    dn: cn=TempPolicy,dc=example,dc=com
    objectClass: top
    objectClass: pwdPolicy
    objectClass: LDAPsubentry
    cn: TempPolicy
    pwdCheckQuality: 2
    pwdLockout: TRUE
    pwdLockoutDuration: 300
    pwdMaxFailure: 3
    pwdMustChange: TRUE
    $

    As shown in Example.ldif, kvaughan is an Human Resources manager who has access to modify dc=example,dc=com entries. Vaughan's bind password, as shown in Example.ldif, is bribery.

See Also

To define which user accounts are governed by the policies you define, see To Assign a Password Policy to an Individual Account or To Assign a Password Policy Using Roles and CoS.