Administrators can set error mode for password policy messages, override native LDAP password policy validation, and perform evaluations to confirm the deployment is working as required.
These tasks are the same regardless of the credential collector you have configured. Perform the following tasks to complete your password policy configuration:
Users with administrative privileges can set the Server Error Mode for password policy messages.
Figure 24-4 shows the Access Manager settings.
Figure 24-4 Server Error Mode for Password Management
Prerequisites
You need to disable native LDAP password policy validation before the non-native password policy can be used.
For example, with Oracle Internet Directory registered for Oracle Access Management, native password policy is generally located as follows:
dn: cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,<DOMAIN_CONTAINER>
Caution:
Disabling the native LDAP password policy validation leaves no enforcement for direct LDAP operations. There are various password policies in Oracle Internet Directory, including one in the following:
dn: cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext
However, this might not apply to your domain.
You can disable the Oracle Internet Directory password policy by setting the orclpwdpolicyenable parameter to zero (0).
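The change described above, written as an LDIF modification; this is an added example and not part of the Oracle documentation. It assumes the default policy entry at the DN the text gives, with <DOMAIN_CONTAINER> left as a placeholder for your own realm container.

```ldif
# Added example, not from the Oracle documentation.
# Disables native password policy validation on the default
# Oracle Internet Directory policy entry. <DOMAIN_CONTAINER> is a
# placeholder; as the text notes, this DN may not apply to your domain.
# Once applied, direct LDAP operations are no longer checked against
# this policy, so Access Manager's policy becomes the only enforcement.
dn: cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,<DOMAIN_CONTAINER>
changetype: modify
replace: orclpwdpolicyenable
orclpwdpolicyenable: 0
```

Apply the file with ldapmodify, then read the entry back with ldapsearch to confirm that orclpwdpolicyenable is 0 before relying on the non-native policy.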
See Also:
The various attributes described in
The following procedure is only an example. Your environment will be different.
Prerequisites
Note:
After disabling the ECC, access to resources protected by schemes and policies that rely on the ECC will be prohibited, including access to the Oracle Access Management Console.
Prerequisites
You can perform a number of evaluations to confirm that your deployment is working properly.
Confirm access after login:
Open a new browser and request a resource.
Log in with your user credentials.
Confirm that you have access to the resource.
Confirm no access on incorrect login:
Open a new browser and request a resource.
Log in with incorrect user credentials.
Confirm that you must re-authenticate.
Confirm lockout after exceeding maximum incorrect login attempts:
Open a new browser and request a resource.
Log in with incorrect user credentials repeatedly.
Confirm that the user account is locked.
Modify and evaluate your password expiry policy:
Log in to the Oracle Access Management Console.
In your password policy, reset the expiry and lockout periods (Table 24-2) so that you will see warnings on your next login.
Save the policy updates.
Open a new browser and request a resource.
Verify the warning page appears advising that the password will expire.
Click the link to continue without password change.
Change your password:
Open a new browser and request a resource.
On the password expiry warning page, click the link to change your password.
On the password change page, enter your correct old password.
In the new password field, enter a new password that does not comply with the password policy, and confirm that a password validation error is displayed.
Enter a new password that meets the policy requirements, and confirm that the change succeeds and that you have access to the resource.