| Skip Navigation Links | |
| Exit Print View | |
|
Oracle Fusion Middleware Administration Guide for Oracle Unified Directory 11g Release 1 (11.1.1) |
| Skip Navigation Links | |
| Exit Print View | |
|
|
Oracle Fusion Middleware Administration Guide for Oracle Unified Directory 11g Release 1 (11.1.1) |
1. Starting and Stopping the Server
2. Configuring the Server Instance
3. Configuring the Proxy Components
4. Configuring Security Between Clients and Servers
5. Configuring Security Between the Proxy and the Data Source
6. Managing Oracle Unified Directory With Oracle Directory Services Manager
10. Managing Users and Groups With dsconfig
Managing Root User, Global Administrator, and Administrator Accounts
Working With Multiple Root Users
Root Users and the Privilege Subsystem
Managing Root Users With dsconfig
To View the Default Root User Privileges
To Edit the Default Root User Privileges
To Change a Root User's Password
To Change a Root User's Privileges
Setting Root User Resource Limits
Managing Global Administrators
To Create an Administrator with Root User Privileges
To Change the Directory Manager's Password
To Reset and Generate a New Password for a User
Managing a User's Account Information
To View a User's Account Information
To View Account Status Information
To Create a Static Group With groupOfNames
To Create a Static Group With groupOfUniqueNames
To Create a Static Group With groupOfEntries
To List All Members of a Static Group
To List All Static Groups of Which a User Is a Member
To Determine Whether a User is a Member of a Group
To List All Members of a Dynamic Group
To List All Dynamic Groups of Which a User Is a Member
To Determine Whether a User Is a Member of a Dynamic Group
Defining Virtual Static Groups
To Create a Virtual Static Group
To List All Members of a Virtual Static Group
To List All Virtual-Static Groups of Which a User Is a Member
To Determine Whether a User is a Member of a Virtual Static Group
Maintaining Referential Integrity
Overview of the Referential Integrity Plug-In
To Enable the Referential Integrity Plug-In
Simulating ODSEE Roles in an Oracle Unified Directory Server
To Determine Whether a User is a Member of a Role
To Alter Membership by Using the nsRoleDN Attribute
11. Managing Password Policies
User accounts are essentially user entries that you create, modify, or remove in your directory. The directory server provides easy-to-use utilities to manage user accounts and passwords.
Before you begin to manage user accounts, ensure that you have the appropriate password policies set up on the directory server. For more information, see Chapter 11, Managing Password Policies.
Directory administrators are often asked to create, reset, or remove passwords for other users. The ldappasswordmodify utility enables you to change or reset a user's password with the LDAP password modify extended operation. You can specify authorization IDs with the --authzid option by prefixing dn:, u:, or by specifying the full DN.
$ ldappasswordmodify -h localhost -p 1389 \ --authzID "dn:cn=Directory Manager" \ --currentPassword mypassword --newPassword mynewpassword The LDAP password modify operation was successful
This example assumes that the user does not remember the existing password.
$ ldappasswordmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password \ --authzID u:jvedder The LDAP password modify operation was successful Generated Password: evx07npv
This example assumes that the user remembers the existing password. The new password is passed to the server in a specified file.
$ ldappasswordmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password \ --authzID uid=jvedder,ou=People,dc=example,dc=com \ --currentPassword password --newPasswordFile pwdFile The LDAP password modify operation was successful
You can use the manage-account command to display information about the user's account and any password policy that is applied to the user. You can also use this command to enable and disable a user's account. The manage-account command accesses the server over SSL via the administration port. For more information, see Managing Administration Traffic to the Server.
The manage-account command returns the DN of the password policy in effect on a user account, as well as the account status, and password and login related information
$ manage-account -D "cn=directory manager" -w password get-all \ --targetDN uid=kvaughan,ou=People,dc=example,dc=com Password Policy DN: cn=Default Password Policy,cn=Password Policies,cn=config Account Is Disabled: false Account Expiration Time: Seconds Until Account Expiration: Password Changed Time: 19700101000000.000Z Password Expiration Warned Time: Seconds Until Password Expiration: 432000 Seconds Until Password Expiration Warning: 0 Authentication Failure Times: Seconds Until Authentication Failure Unlock: Remaining Authentication Failure Count: Last Login Time: Seconds Until Idle Account Lockout: Password Is Reset: false Seconds Until Password Reset Lockout: Grace Login Use Times: Remaining Grace Login Count: 4 Password Changed by Required Time: Seconds Until Required Change Time: Password History:
For example, to view just the password history, run the following command:
$ manage-account -D "cn=directory manager" -w password get-password-history \ --targetDN "uid=kvaughan,ou=People,dc=example,dc=com"
For a complete list of subcommands, run the following command:
$ manage-account --help
You can use the manage-account command to assess whether an account is enabled or disabled.
$ manage-account -D "cn=directory manager" -w password get-account-is-disabled \ --targetDN "uid=kvaughan,ou=People,dc=example,dc=com" Account Is Disabled: false
$ manage-account -h localhost -p 4444 -D "cn=directory manager" -w password -X \ set-account-is-disabled --operationValue true \ --targetDN "uid=kvaughan,ou=People,dc=example,dc=com" Account Is Disabled: true
$ manage-account -D "cn=directory manager" -w password clear-account-is-disabled \ --targetDN "uid=kvaughan,ou=People,dc=example,dc=com" Account Is Disabled: false
You can control search operations on the server for each client account by assigning resource limits to the entry. Resource limits are assigned by adding specific operational attributes to the user entry. The directory server then enforces the limits based on the account that the client uses to bind to the directory.
The resource limits that you set on specific user accounts take precedence over the resource limits set in the server-wide configuration. The following limits can be set:
Look-through limit. Specifies the maximum number of entries examined for a search operation. Use the ds-rlim-lookthrough-limit operational attribute.
Size limit. Specifies the maximum number of entries returned in response to a search operation. use the ds-rlim-size-limit operational attribute.
Time limit. Specifies the maximum time spent processing a search operation. Use the ds-rlim-time-limit operational attribute.
Note - The Directory Manager can use unlimited resources by default.
dn: uid=kvaughan,ou=people,dc=example,dc=com changetype: modify add: ds-rlim-lookthrough-limit ds-rlim-lookthrough-limit: 1000 - add: ds-rlim-size-limit ds-rlim-size-limit: 500 - add: ds-rlim-time-limit ds-rlim-time-limit: 300
$ ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password \ --filename add_resource.ldif Processing MODIFY request for uid=kvaughan,ou=people,dc=example,dc=com MODIFY operation successful for DN uid=kvaughan,ou=people,dc=example,dc=com
|