Oracle® Internet Directory Administrator's Guide 10g (9.0.4) Part Number B12118-01
Password Policies in Oracle Internet Directory, 2 of 4
This section contains these topics:
Password policies are sets of rules that govern how passwords are used. They can specify, for example:
The default password policy for Oracle Internet Directory enforces:
If a super user account becomes locked, it stays locked until it is unlocked by using the OID Database Password utility. This utility prompts you for the ODS user password. After you enter the ODS password, it unlocks the account.
Beginning in Oracle Internet Directory, Release 9.0.4, the password policy entry in the Root Oracle Context applies to the super user, but only the password policy governing account lockout is enforced on that account.
During Oracle Internet Directory installation, the Oracle Universal Installer creates for each identity management realm a password policy entry. This entry contains all password policy information applicable to all users in that realm.
The installer places this entry as shown in Figure 15-1--namely, immediately below the common entry, which resides under the products entry, which, in turn, resides under the Oracle Context specific to the identity management realm.
The Oracle Internet Directory password policy is applicable to simple binds (based on the userpassword attribute), compare operations on the userpassword attribute, and SASL binds. It does not apply to SSL and proxy binds.
To enforce this password policy, set the orclcommonusersearchbase attribute in the common entry of the realm-specific Oracle Context to the appropriate value. Otherwise, no password policy modification can take effect.
To ensure that the user password meets the requirements of a given policy, the directory server verifies:
orclpwdpolicyenable in the password policy entry. A value of 1 indicates that the password policy is enabled. A value of 0 indicates that it is disabled.
ldapadd and ldapmodify operations.
The directory server checks the state information during ldapbind and ldapcompare operations, but does so only if the orclpwdpolicyenable attribute is set to 1.
To enable password value syntax checking, set the attributes orclpwdpolicyenable and pwdchecksyntax in the password policy entry to TRUE.
In general, to establish a password policy:
pwdpolicy object class, and populate the corresponding attributes.
pwdPolicy object class, which contains password policy information for the entire directory. Do this during installation when the entry of this object class is created.
orclpwdpolicyenable attribute in the password policy entry is set to 1.
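The enforcement conditions described above can be checked offline against an LDIF export of a realm's Oracle Context. The following is an added example, not Oracle code: the sample DNs (including the cn=PwdPolicyEntry RDN and dc=example,dc=com) and values are constructed, the parent DN is found with a naive comma split, and both 1 and TRUE are accepted as "enabled" because this page uses both.

```python
# Added example, not Oracle code. DNs and values below are constructed.
SAMPLE_LDIF = """\
dn: cn=Common,cn=Products,cn=OracleContext,dc=example,dc=com
orclcommonusersearchbase: cn=Users,dc=example,dc=com

dn: cn=PwdPolicyEntry,cn=Common,cn=Products,cn=OracleContext,dc=example,dc=com
objectclass: pwdpolicy
orclpwdpolicyenable: 1
pwdchecksyntax: 0
"""

ON = {"1", "TRUE"}  # the page gives the enabled value as 1 in places, TRUE in another

def parse_ldif(text):
    """Parse LDIF into entries mapping lower-cased attribute -> list of values."""
    entries, current = [], {}
    # Unfold continuation lines (they start with one space), then flush on blanks.
    for line in text.replace("\n ", "").splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries

def first(entry, attr):
    """First value of an attribute, or an empty string if it is absent."""
    return (entry.get(attr) or [""])[0]

def audit(text):
    """Return (dn, finding) pairs for every pwdPolicy entry in the export."""
    entries = parse_ldif(text)
    by_dn = {first(e, "dn").lower(): e for e in entries}
    findings = []
    for e in entries:
        if "pwdpolicy" not in [v.lower() for v in e.get("objectclass", [])]:
            continue
        dn = first(e, "dn")
        # The policy entry sits immediately below the common entry.
        common = by_dn.get(dn.partition(",")[2].lower(), {})
        if not first(common, "orclcommonusersearchbase"):
            findings.append((dn, "orclcommonusersearchbase not set in common entry"))
        if first(e, "orclpwdpolicyenable").upper() not in ON:
            findings.append((dn, "policy disabled: no state check on bind or compare"))
        elif first(e, "pwdchecksyntax").upper() not in ON:
            findings.append((dn, "pwdchecksyntax off: password syntax not checked"))
    return findings
```

Calling `audit(SAMPLE_LDIF)` reports that syntax checking is off for the sample policy entry; an export with no findings returns an empty list.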
See Also: "Password Policy Schema Elements" for a list and descriptions of the attributes of the pwdPolicy object class, and those of the top object class that pertain to password policies
Copyright © 1999, 2003 Oracle Corporation. All Rights Reserved.