Skip Headers
Oracle® Fusion Middleware Administrator's Guide for Oracle Unified Directory
11g Release 2 (11.1.2)

Part Number E22648-05
Go to Documentation Home
Home
Go to Table of Contents
Contents
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

24 Managing Password Policies

A password policy is a set of rules governing the use of passwords in the system and is an integral component of any security strategy employed for your directory.

Oracle Unified Directory includes a default password policy for general users and a default root users password policy. These default password policies reside in the directory server's configuration and can be modified.

Oracle Unified Directory supports multiple password policies, so you can create and configure specialized password policies for a specific set of users in addition to using the default password policies. Customized password policies can be defined as LDAP subentries, and stored with the user data, which allows them to be replicated across servers.

This chapter outlines the components of password policies and provides procedures to configure and manage password policies. The chapter covers the following topics:

24.1 Password Policy Components

All password policies involve the following configurable components:

Password validation is not handled directly in the password policy, but by specific password validator entries, the DNs of which are present in the password policy. For more information, see Section 24.6, "Password Validators".

24.2 The Default Password Policy

The Default Password Policy includes a number of configurable properties. These are listed in the following table.

Property Description

account-status-notification-handler

The account status notification handler is used to send messages when events occur during the course of password policy processing. This property specifies the DNs of the account status notification handlers that should be used for this password policy.

allow-expired-password-changes

Not recommended. Indicates whether users are allowed to change their passwords after the passwords have expired. The user needs to issue the request anonymously and include the current password in the request. If this property is enabled, this feature uses the Password Modify Extended Operation, which is enabled by default at initial configuration.

allow-user-password-changes

Indicates whether users are allowed to change their own passwords if they have access control rights to do so.

default-password-storage-scheme

Specifies the DNs for the password storage schemes that are used to encode clear-text passwords for this password policy.

deprecated-password-storage-scheme

Specifies the DNs for password storage schemes that are considered deprecated for this password policy. If a user with this password policy authenticates to the server and his password is encoded with any deprecated schemes, those values are removed and replaced with values encoded using the default password storage scheme.

expire-password-without-warning

Indicates whether user passwords are allowed to expire even if the user has not yet seen a password expiration warning. If this is set to false, the user is always guaranteed to see at least one warning message even if the password expiration time has passed. The expiration time will be reset to the current time plus the warning interval (ds-cfg-password-expiration-warning-interval).

force-change-on-add

Indicates whether users are required to change their passwords the first time they use their accounts and before they are allowed to perform any other operation.

force-change-on-reset

Indicates whether users are required to change their passwords after an administrative password reset and before they are allowed to perform any other operation.

grace-login-count

Specifies the maximum number of grace login that a user should be given. A grace login makes it possible for a user to authenticate to the server even after the password has expired, but the user is not allowed to do anything else until he has changed his password.

idle-lockout-interval

Specifies the maximum length of time that a user account can remain idle (that is, that the user may go without authenticating to the directory) before the server locks the account. This action is enforced if last login time tracking is enabled and if the idle lockout interval is set to a nonzero value.

last-login-time-attribute

Specifies the name of the attribute in the user's entry that is used to hold the last login time for the user. If this is provided, the specified attribute must either be defined as an operational attribute in the server schema, or it must be allowed by at least one of the object classes in the user's entry. The ds-pwp-last-login operational attribute has been defined for this purpose. Last login time tracking is only enabled if the ds-cfg-last-login-time-attribute and ds-cfg-last-login-time-format attributes have been configured for the password policy.

last-login-time-format

Specifies the format string that should be used to generate the last login time values. This can be any valid format string that can be used in conjunction with the java.text.SimpleDateFormat class. Note that for performance reasons, it might be desirable to configure this attribute so that it only stores the date (format: yyyyMMdd) and not the time of the last login. Then, it only needs to be updated once per day, rather than each time the user may authenticate. Last login time tracking is only enabled if the ds-cfg-last-login-time-attribute and ds-cfg-last-login-time-format attributes have been configured for the password policy.

lockout-duration

Specifies the length of time that a user account should remain locked due to failed authentication attempts before it is automatically unlocked. A value of "0 seconds" indicates that any locked accounts are not automatically unlocked and must be reset by an administrator.

lockout-failure-count

Specifies the number of authentication failures required to lock a user account, either temporarily or permanently. A value of zero indicates that automatic lockout is not enabled.

lockout-failure-expiration-interval

Specifies the maximum length of time that a previously failed authentication attempt should be counted toward a lockout failure. Note that the record of all previous failed attempts is always cleared upon a successful authentication. A value of "0 seconds" indicates that failed attempts are never automatically expired.

max-password-age

Specifies the maximum length of time that a user is allowed to keep the same password before choosing a new one. This is often known as the password expiration interval. A value of "0 seconds" indicates that passwords never expire. If the ds-cfg-expire-passwords-without-warning attribute is set to false, the effective password expiration time is recalculated to be the time at which the first warning is received, plus the warning interval (ds-cfg-password-expiration-warning-interval). This behavior ensures that a user always has the full configured warning interval to change his password.

max-password-reset-age

Specifies the maximum length of time that users are allowed to change their passwords after they have been administratively reset and before they are locked out. This is only applicable if the ds-cfg-force-change-on-reset attribute is set to true. A value of "0 seconds" indicates that there are no limits on the length of time that users have to change their passwords after administrative resets.

min-password-age

Specifies the minimum length of time that a user is required to have a password value before it can be changed again. Providing a nonzero value ensures that users are not allowed to repeatedly change their passwords in order to flush their previous password from the history so it can be reused.

password-attribute

Specifies the attribute in the user's entry that holds the encoded passwords for the user. The specified attribute must be defined in the server schema, and it must have either the user password syntax or the authentication password syntax. Typically, you enter "userPassword" for the User Password syntax (OID: 1.3.6.1.4.1.26027.1.3.1). You can also specify, if your server supports it, the value authPassword for the authenticated password syntax (OID: 1.3.6.1.4.1.4203.1.1.2).

password-change-requires-current-password

Indicates whether users are required to provide their current password when setting a new password. If this is set to true, then users are required to provide their current password when changing their existing password. This may be done using the password modify extended operation, or using a standard LDAP modify operation by deleting the existing password value and adding the new password value in the same modify operation.

password-expiration-warning-interval

Specifies the length of time before the password expires that the users should start to receive notification that it is about to expire. This must be given a nonzero value if the ds-cfg-expire-passwords-without-warning attribute is set to false.

password-generator

Specifies the DN for the password generator that should be used in conjunction with this password policy. The password generator is used in conjunction with the password modify extended operation to provide a new password for cases in which the client did not include one in the request. If no password generator DN is specified, then the password modify extended operation does not automatically generate passwords for users.

password-history-count

Specifies the maximum number of password values that should be maintained in the password history. Whenever a user's password is changed, the server checks the proposed new password against the current password and all passwords stored in the history. If a match is found, then the user is not allowed to use that new password. A value of zero indicates either that the server should not maintain a password history (that is, the password history duration has a value of "0 seconds") or that the password history list should be based entirely on duration and no maximum count should be enforced (that is, the password history duration has a value other than "0 seconds"). Note that if an administrator reduces the configured password history count to a smaller (but still nonzero) value, each user entry containing password history state information is not impacted until a password change is processed for that user. At that time, any excess history state values is purged from the entry. If the history count is reduced to zero and the password history duration is also set to "0 seconds," any state information in the user's entry is retained in case the feature is re-enabled.

password-history-duration

Specifies the maximum length of time that a formerly used password should remain in effect in the user's password history. Whenever a user's password is changed, the server checks the proposed new password against the current password and all passwords stored in the history. If a match is found, the user is not allowed to use that new password. A value of "0 seconds" indicates either that the server should not maintain a password history (that is, the password history count has a value of "0") or that the password history list should be based entirely on count and no maximum duration should be enforced (that is, the password history count has a value other than "0").

password-validator

Specifies the DNs for password validators that should be used in conjunction with this password policy. The password validators are invoked whenever a user attempts to provide a new password in order to determine whether that new password is acceptable.

previous-last-login-time-format

Specifies the format string that was used in the past for older last login time values. This value is not necessary unless the last login time feature is enabled and the format in which the values are stored has been changed.

require-change-by-time

Specifies a time by which all users with this password policy are required to change their passwords. This option works independently of password expiration (that is, force all users to change their passwords at some point even if password expiration is disabled).

require-secure-authentication

Indicates whether users with this password policy are required to authenticate in a secure manner using a secure communication mechanism like SSL, or a secure SASL mechanism like DIGEST-MD5, EXTERNAL, or GSSAPI that does not expose the password in the clear.

require-secure-password-changes

Indicates whether users with this password policy are required to make password changes in a secure manner, such as over a secure communication channel like SSL.


24.2.1 To View the Properties of the Default Password Policy

You can view the properties of the default password policy by using the dsconfig command, or by using ODSM.

To view the properties by using dsconfig, run the following command:

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  get-password-policy-prop --policy-name "Default Password Policy"

Property                                  : Value(s)
------------------------------------------:--------------------------
account-status-notification-handler       : -
allow-expired-password-changes            : false
allow-user-password-changes               : true
default-password-storage-scheme           : Salted SHA-1
deprecated-password-storage-scheme        : -
expire-passwords-without-warning          : false
force-change-on-add                       : false
force-change-on-reset                     : false
grace-login-count                         : 0
idle-lockout-interval                     : 0 s
last-login-time-attribute                 : -
last-login-time-format                    : -
lockout-duration                          : 0 s
lockout-failure-count                     : 0
lockout-failure-expiration-interval       : 0 s
max-password-age                          : 0 s
max-password-reset-age                    : 0 s
min-password-age                          : 0 s
password-attribute                        : userpassword
password-change-requires-current-password : false
password-expiration-warning-interval      : 5 d
password-generator                        : Random Password Generator
password-history-count                    : 0
password-history-duration                 : 0 s
password-validator                        : -
previous-last-login-time-format           : -
require-change-by-time                    : -
require-secure-authentication             : false
require-secure-password-changes           : false

To view any advanced properties, include the --advanced option, as follows:

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  get-password-policy-prop --policy-name "Default Password Policy" --advanced

To view the properties of the default password policy by using ODSM, do the following:

The password policy properties, and their values, are displayed in the right-hand pane.

24.2.2 To Modify the Default Password Policy

You can modify the properties of the default password policy by using the dsconfig command, or by using ODSM.

To modify the properties by using dsconfig, run the following command:

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  set-password-policy-prop --policy-name "Default Password Policy" \
  --set allow-expired-password-changes:true

To modify the properties of the default password policy by using ODSM, do the following:

  1. Connect to the directory server from ODSM, as described in Section 18.2, "Connecting to the Server From Oracle Directory Services Manager".

  2. Select the Security tab.

  3. Expand the Password Policy element.

  4. Select Default Password Policy.

    The password policy properties, and their values, are displayed in the right-hand pane.

  5. Modify the required property and click Apply.

You cannot display or modify advanced properties by using ODSM.

24.3 Password Policies in a Replicated Environment

The password policies that reside in the directory server configuration (under cn=config) are not replicated. Configuration information in general is not replicated and is specific to each directory server instance. If you modify the default password policy, you must make the same changes on each directory server instance in a replicated topology. Similarly, specialized password policies under cn=config are not replicated to other directory servers.

Password policies that are created as subentries (that is, as part of the data) are replicated. For information about creating password policies as subentries, see Section 24.4.7, "To Define a Password Policy as an LDAP Subentry".

Additional considerations for using password policies in replicated environments include the following:

24.4 Configuring Password Policies by Using the Command Line

The easiest way to configure a password policy is by using the dsconfig command to manage the existing password policies and to modify the password policy properties.

This section covers the following topics:

24.4.1 Configuring the Default Password Policy

The following examples use dsconfig to modify various properties of the default password policy.

Example 24-1 Configuring Account Lockout

The following account lockout features can be configured:

  • Lockout failure count. Specifies the number of authentication failures required to lock a user account.

  • Lockout duration. Determines the length of time that the account is in a locked state after failed authentication attempts. After the duration time, the account is automatically unlocked. A value of zero indicates that the account is not be automatically unlocked.

  • Lockout failure expiration interval. Determines the maximum length of time that a previously failed authentication attempt should be counted toward a lockout failure. A value of zero indicates that failed attempts never automatically expire.

  • Idle lockout interval. Specifies the maximum length of time that a user account can go without authenticating to the directory before the server locks the account. This property is enforced if the last-login-time is enabled and idle-lockout-interval is set to a nonzero value.

The following command sets the account lockout properties for the default password policy.

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -n \
  set-password-policy-prop \
  --policy-name "Default Password Policy" --set "lockout-failure-count:3" \
  --set "lockout-duration:15 minutes" --set "idle-lockout-interval:90 days" \
  --set "lockout-failure-expiration-interval:10 minutes"

Example 24-2 Configuring Last Login

Last login is a basic security feature that helps the user to keep track of the login history. The directory server provides an operational attribute, ds-pwp-last-login, that holds the user's last login time. If you specify another attribute, the operational attribute must be defined in the server schema, or it must be allowed by at least one of the object classes in the user's entry.

The last-login-time-format property determines the time format. If the time format has changed and last login is enabled, the previous-last-login-time-format property is used.

The following command sets the last login properties for the default password policy.

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -n \
  set-password-policy-prop \
  --policy-name "Default Password Policy" \
  --set "last-login-time-attribute:ds-pwp-last-login-time" \
  --set "last-login-time-format:yyyyMMdd" \
  --set "previous-last-login-time-format:yyyyMMdd"

Example 24-3 Configuring Password History Count and Duration

The password-history-count property specifies the number of past passwords that should be maintained in the history. A value of zero indicates that the server does not maintain a password history.

The password-history-duration property specifies the maximum length of time that a previously used password should remain in the user's password history. A value of 0 seconds indicates that the server should not maintain a password history.

The following command configures password history count and duration for the default password policy.

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -n \
  set-password-policy-prop \
  --policy-name "Default Password Policy" --set "password-history-count:3" \
  --set "password-history-duration:5 seconds"

24.4.2 To Create a New Password Policy

You can configure and store multiple password policies with different configuration options. When you set up a directory server instance, the instance uses the default password policy and applies it to all user entries, except root users (for example, the cn=Directory Manager account).

You can change the default password policy or you can create new password policies for specific groups in your directory. If a specific property is not present in a password policy, the server reads that property from the default password policy, in other words, all password policies inherit their default values from the default password policy.

The following command creates a new password policy and sets the default-password-storage-scheme, lockout-duration, lockout-failure-count, and password-change-requires-current-password properties. The remaining properties are inherited from the default Password Policy.

Use the dsconfig command to create a new password policy, as follows:

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  create-password-policy \
  --policy-name "Temp Password Policy" --set password-attribute:userPassword \
  --set default-password-storage-scheme:"Salted SHA-1" \
  --set lockout-duration:300s --set lockout-failure-count:3 \
  --set password-change-requires-current-password:true

24.4.3 To Create a First Login Password Policy

The First Login Password Policy is a specialized password policy that requires a user to change his password when first logging in to the system. Typically, an administrator sets up a new temporary password for newly created accounts, and the user is required to create his password after first logging in with the temporary password.

Use the dsconfig command to create a first login password policy.

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  create-password-policy --policy-name "First Login Password Policy" \
  --set password-attribute:userpassword \
  --set default-password-storage-scheme:"Salted SHA-1" \
  --set allow-user-password-changes:true --set force-change-on-add:true \
  --set force-change-on-reset:true \
  --set expire-password-without-expiration:false \
  --set password-expiration-warning-interval:86400 \
  --set min-password-age:0 --set max-password-age:259200 \
  --set lockout-duration:3600 --set lockout-failure-count:3 \
  --set password-change-requires-current-password:true

24.4.4 To Assign a Password Policy to an Individual Account

You can assign a password policy to an individual by adding the ds-pwp-password-policy-dn attribute to the user's entry. The server then uses the configured password policy for that user.

  1. Use ldapmodify to add the ds-pwp-password-policy-dn attribute.

    $ ldapmodify --h localhost -p 1389 -D "cn=Directory Manager" -j pwd-file \
    dn: uid=mgarcia,ou=Contractors,dc=example,dc=com
    changetype: modify
    add: ds-pwp-password-policy-dn
    ds-pwp-password-policy-dn: cn=Temp Password Policy,cn=Password Policies,cn=config
    
  2. Verify the entry by using ldapsearch.

    $ ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -j pwd-file \
      -b "dc=example,dc=com" -s sub "(uid=mgarcia)" ds-pwp-password-policy-dn
    

24.4.5 To Prevent Password Policy Modifications

To prevent users from modifying their password policy, you must add an ACI to the root entry.

Use the ldapmodify command with the specific ACI.

$ ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -j pwd-file \
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr != "passwordPolicySubentry")(version 3.0; acl "Allow self 
modification except for passwordPolicySubentry"; 
allow (write) (userdn = "ldap:///self");)

24.4.6 To Assign a Password Policy to a Group of Users

You can assign a password policy to a group of users by adding a virtual attribute that automatically assigns the ds-pwp-password-policy-dn attribute to all user entries that match the criteria associated with that virtual attribute. The criteria can be based entirely or in part on the group membership for a user.

Use dsconfig to create a virtual attribute that adds a password policy to a group of users.

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  create-virtual-attribute \
  --name "Add PWPolicy to Admins" --type user-defined --set enabled:true \
  --set attribute-type:ds-pwp-password-policy-dn \
  --set group-dn:cn=Admins,ou=Groups,dc=example,dc=com \
  --set conflict-behavior:real-overrides-virtual \
  --set value:"cn=Admins PWPolicy,cn=Password Policies,cn=config"

24.4.7 To Define a Password Policy as an LDAP Subentry

LDAP subentries are special entries that hold operational data for the server. They are similar to operational attributes in that they are not returned to clients unless explicitly requested by including a Subentries Control request control.

You can define a password policy as an LDAP subentry, which means that the password policy is stored along with the user data, and can therefore be replicated.

Subentry password policies override the default password policy that is defined in the configuration. Settings that are not included in the subentry password policy are inherited from the default password policy.

When more than one password policy is defined under the same parent node with overlapping scope, the election of the password policy subentry that will apply to an entry within that scope cannot be determined. You must therefore ensure that the password policies are defined in such a way that they do not conflict with each other.

Subentry password policies must rely on standard password policy properties only. A subentry password policy cannot contain password policy extension that are specific to Oracle Unified Directory.

For subentry password policies, password validators and password generators are always inherited from the default server password policy. You cannot define password validators or password generators for individual password policy subentries.

To define a subentry password policy, create the password policy in an LDIF file, and add it to the data by using ldapmodify. You can specify the entries to which the password policy should be applied by including an LDAP filter in the subentry subtree specification.

The following example creates a password policy that applies only to a group of administrators. This password policy specifies the following:

  • The user's account will be locked after a three successive failed password attempts.

  • A failure interval of 300 seconds, after which a previously failed authentication attempt is no longer counted toward a lockout failure.

  • A lockout duration of 300 seconds, after which it is automatically unlocked.

  • Users to which this password policy applies can change their own passwords.

  • Users with this password policy must change their password in a secure manner that does not expose the credentials.

  1. Create an LDIF file (admin-pwp.ldif) that includes the entry specifying the password policy.

    dn: cn=Admins Password Policy,dc=example,dc=com
    objectClass: top
    objectClass: subentry
    objectClass: pwdPolicy
    cn: Admins Password Policy
    pwdAttribute: userPassword
    pwdLockout: TRUE
    pwdMaxFailure: 3
    pwdFailureCountInterval: 300
    pwdLockoutDuration: 300
    pwdAllowUserChange: TRUE
    pwdSafeModify: TRUE
    subtreeSpecification: {relativeBase "ou=people", specificationFilter
      "(isMemberOf=cn=Admins,ou=Groups,dc=example,dc=com)" }
    
  2. Use the ldapmodify command to add the entry to the directory.

    $ ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password \
      --defaultAdd --filename admin-pwp.ldif 
    Processing ADD request for cn=Admins Password Policy,dc=example,dc=com
    ADD operation successful for DN cn=Admins Password Policy,dc=example,dc=com
    

24.4.8 To Delete a Password Policy

You can delete any password policy, except the Default Password Policy and the Default Root User Policy, from the directory when it is no longer needed.

In practice, first check the users who have the password policy you plan to delete, move them to a new password policy, and then remove the old password policy. If a password policy is deleted, any users who have a deleted password policy continue to have the ds-pwd-password-policy-dn pointing to the old password policy. The server returns an error when any requests to access the entry occur.

Use dsconfig to delete a password policy.

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -n \
  delete-password-policy --policy-name "Temp Password Policy"

24.5 Configuring Password Policies by Using Oracle Directory Services Manager

You can use ODSM to manage password policies, as described in the following sections.

24.5.1 List the Configured Password Policy Subentries

You can display all password policy subentries that are configured in the server by using ODSM, as follows:

  1. Connect to the directory server from ODSM, as described in Section 18.2, "Connecting to the Server From Oracle Directory Services Manager".

  2. Select the Security tab.

  3. Expand the Password Policy Subentry element.

    The DNs of all password policy subentries are listed.

  4. To display the details of a password policy subentry, select its DN.

    The password policy subentry properties are displayed in the right hand pane.

  5. To modify any aspect of the password policy subentry, change the required value and click Apply.

For a description of all possible properties, and their values, see "Password Policy" in the Oracle Unified Directory Configuration Reference.

24.5.2 Create a Password Policy Subentry

You can create a new password policy subentry by using ODSM, as follows:

  1. Connect to the directory server from ODSM, as described in Section 18.2, "Connecting to the Server From Oracle Directory Services Manager".

  2. Select the Security tab.

  3. Expand the Password Policy Subentry element.

  4. Click the Add icon.

    The password policy subentry properties are displayed in the right hand pane.

  5. On the Create new password policy subentry screen, complete the required fields.

    For a description of all possible properties, and their values, see "Password Policy" in the Oracle Unified Directory Configuration Reference.

  6. When you have completed configuring the password policy subentry, click Create.

24.5.3 Create a Password Policy Subentry Based on an Existing Password Policy Subentry

You can create a new password policy subentry that is based on an existing password policy subentry by using ODSM, as follows:

  1. Connect to the directory server from ODSM, as described in Section 18.2, "Connecting to the Server From Oracle Directory Services Manager".

  2. Select the Security tab.

  3. Expand the Password Policy Subentry element.

  4. Select the password policy subentry on which you want to base the new subentry.

  5. Click the Add like icon.

    The properties of the original password policy subentry are displayed in the right hand pane.

  6. Modify the required values.

    For a description of all possible properties, and their values, see "Password Policy" in the Oracle Unified Directory Configuration Reference.

  7. When you have completed configuring the new password policy subentry, click Create.

24.5.4 Delete a Password Policy Subentry

You can delete a password policy subentry by using ODSM, as follows:

  1. Connect to the directory server from ODSM, as described in Section 18.2, "Connecting to the Server From Oracle Directory Services Manager".

  2. Select the Security tab.

  3. Expand the Password Policy Subentry element.

  4. Select the password policy subentry that you want to deleted.

  5. Click the Delete icon.

    You are prompted to confirm the deletion. Click OK.

24.5.5 Display the Configured Password Policies

You can display the list of password policies by using ODSM, as follows:

  1. Connect to the directory server from ODSM, as described in Section 18.2, "Connecting to the Server From Oracle Directory Services Manager".

  2. Select the Security tab.

  3. Expand the Password Policy element.

    The list of configured password policies is displayed.

  4. Select a password policy to display its properties in the right hand pane.

For a description of all possible properties, and their values, see "Password Policy" in the Oracle Unified Directory Configuration Reference.

24.5.6 Modify a Password Policy

You can modify a configured password policy by using ODSM, as follows:

  1. Connect to the directory server from ODSM, as described in Section 18.2, "Connecting to the Server From Oracle Directory Services Manager".

  2. Select the Security tab.

  3. Expand the Password Policy element.

    The list of configured password policies is displayed.

  4. Select the password policy whose properties you want to modify.

For a description of all possible properties, and their values, see "Password Policy" in the Oracle Unified Directory Configuration Reference.

24.5.7 Create a Password Policy

You can create a new password policy by using ODSM, as follows:

  1. Connect to the directory server from ODSM, as described in Section 18.2, "Connecting to the Server From Oracle Directory Services Manager".

  2. Select the Security tab.

  3. Expand the Password Policy element.

  4. Click the Add icon.

  5. On the Create New Password Policy screen, configure the required properties.

    For a description of all possible properties, and their values, see "Password Policy" in the Oracle Unified Directory Configuration Reference.

  6. When you have configured the new password policy, click Create.

24.5.8 Create a Password Policy Based on an Existing Password Policy

You can create a new password policy that is based on an existing password policy by using ODSM, as follows:

  1. Connect to the directory server from ODSM, as described in Section 18.2, "Connecting to the Server From Oracle Directory Services Manager".

  2. Select the Security tab.

  3. Expand the Password Policy element.

  4. Select the password policy on which you want to base the new policy.

  5. Click the Add like icon.

  6. On the Create New Password Policy screen, modify the properties to create the new policy.

    For a description of all possible properties, and their values, see "Password Policy" in the Oracle Unified Directory Configuration Reference.

  7. When you have configured the new password policy, click Create.

24.5.9 Delete a Password Policy

You can delete a password policy by using ODSM, as follows:

  1. Connect to the directory server from ODSM, as described in Section 18.2, "Connecting to the Server From Oracle Directory Services Manager".

  2. Select the Security tab.

  3. Expand the Password Policy element.

  4. Select the password policy that you want to delete.

  5. Click the Delete icon.

  6. Click OK to confirm the deletion.

24.5.10 Display the Supported Password Storage Schemes

A password storage scheme provides a mechanism for encoding user passwords for storage in the server. In most cases, the password is encoded in a manner that prevents users from determining what the clear-text password is, while still allowing the server to determine whether the user-supplied password is correct. Oracle Unified Directory supports a number of password storage schemes. For more information, see Section D.15.9, "password storage scheme".

You can use ODSM to display the list of password storage schemes, as follows:

  1. Connect to the directory server from ODSM, as described in Section 18.2, "Connecting to the Server From Oracle Directory Services Manager".

  2. Select the Security tab.

  3. Expand the Password Storage element.

  4. The list of password storage schemes is displayed.

24.5.11 Enable or Disable a Password Storage Scheme

You can use ODSM to enable or disable a password storage scheme, as follows:

  1. Connect to the directory server from ODSM, as described in Section 18.2, "Connecting to the Server From Oracle Directory Services Manager".

  2. Select the Security tab.

  3. Expand the Password Storage element.

  4. Select the password storage scheme that you want to enable or disable.

  5. In the right hand pane, check or uncheck the Enabled box, as required.

  6. Click Apply to save your changes.

24.6 Password Validators

Password validators provide a mechanism to determine whether a provided plain text password is acceptable for use. Validation prevents users from choosing trivial passwords that are weak and might be easily guessed. Types of validation that might be performed include:

The password policy for a user specifies the set of password validators that should be used whenever that user provides a new password. To activate a password validator, you must enable the corresponding configuration entry, and include the DN of that entry in the password-validator attribute of the password policy in which you want that validator active.

The following password validators are available in the server by default:

24.6.1 Managing Password Validators

You can manage password validators by using the dsconfig command or by using the ODSM interface, as described in the following sections:

24.6.1.1 To Display the Available Password Validators

Use the dsconfig command to list the password validators that are available, as follows:

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  list-password-validators
Password Validator                  : Type                : enabled
------------------------------------:---------------------:--------
Attribute Value                     : attribute-value     : true
Character Set                       : character-set       : true
Dictionary                          : dictionary          : false
Length-Based Password Validator     : length-based        : true
Repeated Characters                 : repeated-characters : true
Similarity-Based Password Validator : similarity-based    : true
Unique Characters                   : unique-characters   : true

To display the available password validators by using ODSM, do the following:

  1. Connect to the directory server from ODSM, as described in Section 18.2, "Connecting to the Server From Oracle Directory Services Manager".

  2. Select the Security tab.

  3. Expand the Password Validator element.

    The available password validators are displayed.

24.6.1.2 To Display the Properties of a Password Validator

Use the dsconfig command to display the properties of a particular password validator, as follows:

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  get-password-validator-prop --validator-name "Length-Based Password Validator"
Property            : Value(s)
--------------------:---------
enabled             : true
max-password-length : 0
min-password-length : 6

To display the properties of a password validator by using ODSM, do the following:

  1. Connect to the directory server from ODSM, as described in Section 18.2, "Connecting to the Server From Oracle Directory Services Manager".

  2. Select the Security tab.

  3. Expand the Password Validator element.

    The available password validators are displayed.

  4. Click on a password validator to display its properties in the right hand pane.

24.6.1.3 To Enable or Disable a Password Validator

All of the password validators, except the Dictionary validator, are enabled by default. A validator must be enabled before it can be associated with a specific password policy.

Use the dsconfig command to set the enabled property to true or false. For example, to disable the Length-Based password validator, set the enabled property as follows:

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  set-password-validator-prop --validator-name "Length-Based Password Validator" \
  --set enabled:false

To enable or disable a password validator by using ODSM, do the following:

  1. Connect to the directory server from ODSM, as described in Section 18.2, "Connecting to the Server From Oracle Directory Services Manager".

  2. Select the Security tab.

  3. Expand the Password Validator element.

    The available password validators are displayed.

  4. Click on a password validator to display its properties in the right hand pane.

  5. Select the Enabled check box to enable the validator, or deselect this check box to disable the validator.

  6. Click Apply to save the configuration changes.

24.6.1.4 To Configure the Values of a Password Validator

Use the dsconfig command to configure properties of a password validator. For example, to specify that passwords must be at least eight characters long, set the min-password-length property as follows:

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  set-password-validator-prop --validator-name "Length-Based Password Validator" \
  --set min-password-length:6

To display the properties of a password validator by using ODSM, do the following:

  1. Connect to the directory server from ODSM, as described in Section 18.2, "Connecting to the Server From Oracle Directory Services Manager".

  2. Select the Security tab.

  3. Expand the Password Validator element.

    The available password validators are displayed.

  4. Click on a password validator to display its properties in the right hand pane.

  5. Configure any required properties and click Apply to save the configuration change.

24.6.1.5 To Associate a Password Validator With a Password Policy

A password validator is only taken into account when it is associated with a specific password policy.

To associate a password validator with a password policy by using dsconfig, set the password-validator property of the password policy.

For example, to specify that the default password policy should check whether passwords conform to a specific number of characters, set the password-validator property of the default password policy as follows:

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  set-password-policy-prop --policy-name "Default Password Policy" \
  --set password-validator:"Length-Based Password Validator"

To associate a password validator with a password policy by using ODSM, do the following:

  1. Connect to the directory server from ODSM, as described in Section 18.2, "Connecting to the Server From Oracle Directory Services Manager".

  2. Select the Security tab.

  3. Expand the Password Policy element.

    The available password policies are displayed.

  4. Click on a password policy to display its properties in the right hand pane.

  5. Expand the Syntax element in the right hand pane.

  6. From the Password Validator list, select the password validators that you want to associate with this password policy.

  7. Click Apply to save the configuration changes.

24.7 Password Generators

Password generators are used to generate passwords for user accounts. A password generator is used in conjunction with the password modify extended operation to provide a new password for cases in which the client did not include a password in its request. If no password generator is associated with the password policy that is in force, the password modify extended operation does not automatically generate passwords for users.

The passwords that are created by a password generator are not subject to validation. You should configure password generators so that the passwords they create are in-line with the requirements of the associated password validators.

By default one password generator is configured on a directory server instance - the random password generator. The following sections describe how to manage password generators by using dsconfig.

24.7.1 To Display the Configured Password Generators

Use the dsconfig command to list the configured password generators, as follows:

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  list-password-generators
Password Generator        : Type   : enabled
--------------------------:--------:--------
Random Password Generator : random : true

24.7.2 To Display the Properties of a Password Generator

Use the dsconfig command to display the properties of a password generator, as follows:

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  get-password-generator-prop --generator-name "Random Password Generator"
Property               : Value(s)
-----------------------:-----------------------------------------------------
enabled                : true
password-character-set : alpha:abcdefghijklmnopqrstuvwxyz, numeric:0123456789
password-format        : "alpha:3,numeric:2,alpha:3"

The password character set is a multi-valued property, with each value defining a different character set. The format of the character set is the name of the set followed by a colon and the characters that are in that set. For example, the value "alpha:abcdefghijklmnopqrstuvwxyz" defines a character set named "alpha" containing all of the lower-case ASCII alphabetic characters.

The password format is a comma-delimited list of elements in which each of those elements is comprised of the name of a character set defined in the password-character-set property, a colon, and the number of characters to include from that set. For example, the default value of "alpha:3,numeric:2,alpha:3" generates an 8-character password in which the first three characters are from the "alpha" set, the next two are from the "numeric" set, and the final three are from the "alpha" set.

24.7.3 To Enable or Disable a Password Generator

The random password generator is enabled by default. A validator must be enabled before it can be associated with a specific password policy.

Use the dsconfig command to set the enabled property to true or false. For example, to disable the random password generator, set the enabled property as follows:

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  set-password-generator-prop --generator-name "Random Password Generator" \
  --set enabled:false

24.7.4 To Configure the Values of a Password Generator

Use the dsconfig command to configure properties of a password generator. For example, to specify that passwords generated by the random password generator must be of the form, three letters, three numbers, and two defined special characters, set the corresponding properties as follows:

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  set-password-generator-prop --generator-name "Random Password Generator" \
  --add password-character-set:special:\!@#\$%^&*\(\) 
  --set password-format:alpha:3,numeric:3,special:2

24.7.5 To Associate a Password Generator With a Password Policy

A password generator is only taken into account when it is associated with a specific password policy.

To associate a password generator with a password policy by using dsconfig, set the password-generator property of the password policy.

For example, to specify that the default password policy should use a new password generator, named Special Generator, set the password-generator property of the default password policy as follows:

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  set-password-policy-prop --policy-name "Default Password Policy" \
  --set password-generator:"Special Generator"