About Password Policies

This section contains these topics:

• What a Password Policy Is

• Default Password Policy

• Location of Password Policy Entries

• Directory Server Verification of Password Policy Information

• Overview: Establishing a Password Policy for an Identity Management Realm

What a Password Policy Is

Password polices are sets of rules that govern how passwords are used. They can specify, for example:

• The maximum length of time a given password is valid

• The minimum number of characters a password must contain

• The number of numeric characters required in a password

• That users change their passwords periodically

• That users cannot reuse previously used passwords

• That users are locked out after a certain number of login attempts

Default Password Policy

The default password policy for Oracle Internet Directory enforces:

• Password expiration in 60 days

• Account lockout after 10 login failures. Except for the super user account, all accounts remain locked for a duration of 24 hours unless the passwords are reset by the directory administrator.

  If a super user account becomes locked, it stays locked until it is unlocked by using the OID Database Password utility. This utility prompts you for the ODS user password. After you enter the ODS password, it unlocks the account.

• A minimum password length of five characters with at least one numeric character

• A maximum of three grace logins after password expiration

Beginning in Oracle Internet Directory, Release 9.0.4, the password policy entry in the Root Oracle Context applies to the super user, but only the password policy governing account lockout is enforced on that account.

During Oracle Internet Directory installation, the Oracle Universal Installer creates for each identity management realm a password policy entry. This entry contains all password policy information applicable to all users in that realm.

The installer places this entry as shown in Figure 15-1--namely, immediately below the common entry, which resides under the products entry, which, in turn, resides under the Oracle Context specific to the identity management realm.

Figure 15-1 Location of Password Policy Entries

Text description of the illustration oidag081.gif

The Oracle Internet Directory password policy is applicable to simple binds (based on the userpassword attribute), compare operations on the userpassword attribute, and SASL binds. It does not apply to SSL and proxy binds.

To enforce this password policy, set to the appropriate value the orclcommonusersearchbase attribute in the common entry of the realm-specific Oracle Context. Otherwise, no password policy modification can take effect.

Directory Server Verification of Password Policy Information

To ensure that the user password meets the requirements of a given policy, the directory server verifies:

• That the password policy is enabled. It does this by checking the value of the attribute orclpwdpolicyenable in the password policy entry. A value of 1 indicates that the password policy is enabled. A value of 0 indicates that it is disabled.

• Correctness of password policy syntax information, which includes, for example, the correct number of alphabetic and numeric characters, or the correct password length. The directory server checks the syntax during ldapadd and ldapmodify operations.

• Password policy state information, which includes, for example:
  • The timestamp of the user password creation or modification

  • The timestamp of consecutive failed login attempts by the user

  • The time at which the user account was locked

  • Indicator that the password has been reset and must be changed by the user on first authentication

  • A history of user's previously used passwords

  • Time stamps of grace logins

  The directory server checks the state information during ldapbind and ldapcompare operations, but does so only if the orclpwdpolicyenable attribute is set to 1.

  To enable password value syntax checking, set the attributes orclpwdpolicyenable and pwdchecksyntax in the password policy entry to TRUE.

Overview: Establishing a Password Policy for an Identity Management Realm

In general, to establish a password policy:

1. Create a password policy entry, associate it with the pwdpolicy object class, and populate the corresponding attributes.

2. Set values for the pwdPolicy object class, which contains password policy information for the entire directory. Do this during installation when the entry of this object class is created.

3. Verify that the orclpwdpolicyenable attribute in the password policy entry is set to 1.

   See Also: "Password Policy Schema Elements" for a list and descriptions of the attributes of the pwdPolicy object class, and those of the top object class that pertain to password policies