Oracle Directory Server Enterprise Edition Evaluation Guide 11g Release 1 (11.1.1.5.0)
Directory Server Enterprise Edition password policy provides the following features:
A grace login limit, specified by the pwdGraceLoginLimit attribute. This attribute specifies the number of times that an expired password can be used to authenticate. If the attribute is not present or is set to 0, authentication with an expired password fails.
Safe password modification, specified by the pwdSafeModify attribute. This attribute specifies whether the existing password must be sent when changing a password. If the attribute is not present, the existing password does not need to be sent.
In addition, the password policy provides two controls, passwordPolicyRequest and passwordPolicyResponse. These controls enable LDAP clients to obtain account status information on LDAP add, delete, modrdn, compare, and search operations.
The following information is available, using the OID 1.3.6.1.4.1.42.2.27.8.5.1 in the search:
Period of time before the password expires
Number of grace login attempts remaining
The password has expired
The account is locked
The password must be changed after being reset
Password modifications are allowed
The user must supply his/her old password
The password quality (syntax) is insufficient
The password is too short
The password is too young
The password already exists in history
The DSCC provides a tab for managing the password policies. You can use this tab to add new policies, assign a policy to Directory Server users, delete password policies, and change the password policy compatibility mode. The following figure illustrates this tab.
When you define a new password policy, you use the New Password Policy wizard. It allows you to specify password change settings, expiration settings, and content settings. It also allows you to specify account lockout settings. The following figure illustrates step 2 of the New Password Policy wizard.
For migration purposes, the new password policy maintains compatibility with previous Directory Server versions by identifying a compatibility mode. The compatibility mode determines whether password policy attributes are handled as old attributes or new attributes, where old refers to any Directory Server 5.2 or 5.2.x password policy attributes.
See Password Policy in Oracle Directory Server Enterprise Edition Upgrade and Migration Guide for details on migrating to the new password policy.