Oracle® Internet Directory Administrator's Guide 10g (9.0.4) Part Number B12118-01
Password Policies in Oracle Internet Directory, 3 of 4
Table 15-1 lists the administrative tasks related to password policies, the tools you use to perform each one, and points you to the corresponding information.
When you create the base entry for an identity management realm, whether during an Oracle Internet Directory installation or later, you also create a password policy entry for that realm. Later, you can use Oracle Directory Manager to view, refresh, and modify those policies.
To view the password policies for a particular identity management realm, in the navigator pane, expand in succession Oracle Internet Directory Servers, directory server instance, Password Policy Management. The navigator pane displays the password policy entries for the identity management realm. The right pane displays a table with two columns:
To get the latest updates to realm-specific password policies, choose Refresh.
To get the password policies of a particular realm, in the navigator pane, choose the realm-specific password policy you want to view. The policies appear in the right pane.
See Also:
"Password Policy Fields in Oracle Directory Manager" for a description of each password policy displayed in Oracle Directory Manager
To modify the password policies for a particular identity management realm:
The following example disables the pwdLockout attribute, changing it from its default setting of 1 to 0.
The file my_file.ldif contains:
dn: cn=pwdpolicyentry,cn=common,cn=products,cn=OracleContext,o=my_company,dc=com
changetype: modify
replace: pwdlockout
pwdlockout: 0
The following command loads this file into the directory:
ldapmodify -p 389 -h myhost -f my_file.ldif
Look at the following examples to learn how to view and modify the password policies of a realm by using command-line tools.
The following example retrieves a specific password policy entry.
ldapsearch -p 389 -h my_host -b "cn=pwdpolicyentry,cn=common,cn=products,cn=OracleContext,o=my_company,dc=com" -s base "objectclass=*"
The following example retrieves all password policy entries:
ldapsearch -p 389 -h my_host -b "" -s sub "objectclass=pwdpolicy"
The following example modifies a password policy entry.
ldapmodify -p 389 -h my_host -v <<EOF
dn: cn=pwdpolicyentry,cn=common,cn=products,cn=OracleContext,o=my_company,dc=com
changetype: modify
replace: pwdMaxAge
pwdMaxAge: 100000
EOF
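The policy entries returned by the ldapsearch commands above can be audited offline, which is a useful check after changes such as the pwdLockout modification shown earlier in this section. The following Python script is an added example, not part of this guide or of the Oracle product: it parses ldapsearch-style LDIF output and flags policy entries where pwdLockout is 0 (lockout disabled; the page states the default is 1) or where pwdMaxAge exceeds a caller-chosen limit. The sample LDIF is constructed, pwdMaxAge is assumed to be expressed in seconds (the page does not state the unit), and the default limit of 90 days (7776000 seconds) is an assumption.

```python
"""Audit Oracle Internet Directory password policy entries from ldapsearch output.

Added example, not from the Oracle guide. The LDIF below is constructed to
mirror what `ldapsearch ... "objectclass=pwdpolicy"` prints.
"""
import base64
from collections import defaultdict

# Constructed sample: two realms. The second has lockout disabled (as the
# ldapmodify example on this page does) and a very long password lifetime.
SAMPLE_LDIF = """\
dn: cn=pwdpolicyentry,cn=common,cn=products,cn=OracleContext,o=my_company,dc=com
objectclass: top
objectclass: pwdpolicy
pwdlockout: 1
pwdmaxage: 5184000
pwdmustchange: TRUE

dn: cn=pwdpolicyentry,cn=common,cn=products,cn=OracleContext,o=partner,dc=com
objectclass: top
objectclass: pwdpolicy
pwdlockout: 0
pwdmaxage: 100000000
"""


def parse_ldif(text):
    """Parse blank-line separated LDIF entries into a list of
    (dn, {attr: [values]}); attribute names are lowercased because LDAP
    attribute names are case-insensitive. Handles RFC 2849 continuation
    lines (leading space) and base64 ("::") values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entries, dn, attrs = [], None, None
    for line in unfolded:
        if not line.strip():
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name == "dn":
            dn, attrs = value, defaultdict(list)
        elif attrs is not None:
            attrs[name].append(value)
    if dn is not None:
        entries.append((dn, dict(attrs)))
    return entries


def audit_policies(ldif_text, max_age_limit=7776000):
    """Return {dn: [findings]} for every pwdpolicy entry in ldif_text.

    max_age_limit is an assumed threshold (90 days in seconds); pwdMaxAge is
    assumed to be in seconds, which the page itself does not state."""
    findings = {}
    for dn, attrs in parse_ldif(ldif_text):
        classes = [v.lower() for v in attrs.get("objectclass", [])]
        if "pwdpolicy" not in classes:
            continue
        problems = []
        # The page states pwdLockout defaults to 1, so absence means enabled.
        lockout = attrs.get("pwdlockout", ["1"])[0]
        if lockout == "0":
            problems.append("pwdLockout is 0: account lockout disabled")
        max_age = attrs.get("pwdmaxage")
        if max_age and max_age[0].isdigit() and int(max_age[0]) > max_age_limit:
            problems.append(f"pwdMaxAge {max_age[0]} exceeds limit {max_age_limit}")
        findings[dn] = problems
    return findings


if __name__ == "__main__":
    for dn, problems in audit_policies(SAMPLE_LDIF).items():
        print(dn)
        for p in problems or ["no findings"]:
            print("  -", p)
```

To audit a live directory, pipe the output of the `ldapsearch -b "" -s sub "objectclass=pwdpolicy"` command shown above into a file and pass its contents to `audit_policies`.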
You can temporarily disable a user's account, then enable it once again, by using command-line tools.
To permanently disable the account, set the orclisenabled attribute to DISABLED. Setting this attribute to any other value enables the account.
To enable the account after you have disabled it, delete this attribute from the entry.
To enable the account for a specific period, set the orclActiveStartDate and orclActiveEndDate attributes in the user entry to the proper value in UTC (Coordinated Universal Time) format. For example:
dn: cn=John Doe,cn=users,o=my_company,dc=com
orclactivestartdate: 20030101000000z
orclactiveenddate: 20031231000000z
In this example, John Doe can log in only between January 1, 2003 and December 31, 2003. He cannot log in prior to January 1, 2003 or after December 31, 2003. If you want to disable his account for a period of time between these dates, then set the orclisenabled attribute to FALSE.
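The validity-window and orclisenabled rules described above can be checked mechanically, for instance when reviewing which accounts in an export are currently usable. The following Python function is an added example and not Oracle's code: given a user entry's attributes (constructed here from the John Doe example) and a point in time, it reports whether the account can log in and why. It assumes that orclisenabled disables the account only when set to DISABLED, as the paragraph on permanent disabling states, and that the date attributes use the 14-digit UTC form with a trailing z shown above.

```python
"""Evaluate whether an Oracle Internet Directory user account is usable at a
given moment, following the orclisenabled / orclActiveStartDate /
orclActiveEndDate rules described on this page.

Added example, not Oracle's code; the user attributes are constructed.
"""
from datetime import datetime, timezone


def parse_generalized_time(value):
    """Parse the UTC form used in the page's example (YYYYMMDDHHMMSSz or
    ...Z) into an aware UTC datetime. Assumption: fractional seconds and
    explicit offsets are not used in these attributes."""
    value = value.strip()
    if len(value) != 15 or not value.upper().endswith("Z"):
        raise ValueError(f"unsupported time value: {value!r}")
    naive = datetime.strptime(value[:-1], "%Y%m%d%H%M%S")
    return naive.replace(tzinfo=timezone.utc)


def account_status(attrs, now):
    """Return (enabled, reason).

    attrs maps lowercased attribute names to a single string value;
    now is an aware UTC datetime."""
    enabled_flag = attrs.get("orclisenabled")
    # Page rule: DISABLED disables the account; any other value enables it.
    if enabled_flag is not None and enabled_flag.upper() == "DISABLED":
        return False, "orclisenabled is DISABLED"

    start = attrs.get("orclactivestartdate")
    end = attrs.get("orclactiveenddate")
    if start and now < parse_generalized_time(start):
        return False, f"before orclActiveStartDate {start}"
    if end and now > parse_generalized_time(end):
        return False, f"after orclActiveEndDate {end}"
    reason = "within active window" if (start or end) else "no restriction"
    return True, reason


# Constructed user entry based on the page's John Doe example.
JOHN_DOE = {
    "cn": "John Doe",
    "orclactivestartdate": "20030101000000z",
    "orclactiveenddate": "20031231000000z",
}


if __name__ == "__main__":
    for when in ("20021231235959Z", "20030601120000Z", "20040101000000Z"):
        print(when, account_status(JOHN_DOE, parse_generalized_time(when)))
```

Note that with the attribute values from the example the window ends at 00:00:00 on December 31, 2003, so a check later on that day reports the account as past its end date.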
If you are a member of the Security Administrators Group, then, if an account becomes locked, you can unlock it without resetting the user password. This saves you from having to explicitly tell the user the new password. The user can simply log in by using the old password.
To unlock an account, set the orclpwdaccountunlock attribute to 1.
The following example unlocks the account for user John Doe.
ldapmodify -p port_number -h host_name -D cn=orcladmin -w welcome -v <<EOF
dn: cn=John Doe,cn=users,o=my_company,dc=com
changetype: modify
add: orclpwdaccountunlock
orclpwdaccountunlock: 1
EOF
You can force users to change their passwords when they log in for the first time. To do this, set the pwdMustChange attribute in the pwdpolicy entry to TRUE, and then reset the password. If you do this, you must explicitly tell the user the new password so that the user can log in to change that password.
See Also:
"Resetting Your Own Password by Using the Oracle Internet Directory Self-Service Console" for instructions on resetting passwords
You can use the Oracle Internet Directory Self-Service Console to enable, disable, and unlock user accounts.
You can temporarily disable a user's account, then enable it once again, by using the Oracle Internet Directory Self-Service Console.
See Also:
"Enabling User Accounts" and "Disabling User Accounts" for instructions on enabling and disabling accounts by using the Oracle Internet Directory Self-Service Console
If you are a member of the Security Administrators Group, then, if an account becomes locked, you can unlock it without resetting the user password. This saves you from having to explicitly tell the user the new password. The user can simply log in by using the old password.
See Also:
"Unlocking User Accounts" for instructions on using the Oracle Internet Directory Self-Service Console to unlock accounts
If you forget your password or become locked out of your account, then you can reset your password. This involves identifying yourself to the server by providing values for a set of password validation attributes. This takes the form of answering a password hint question to which you had earlier specified an answer.
See Also:
"Resetting Your Password If You Forget It" for instructions on using the Oracle Internet Directory Self-Service Console to reset your password
Copyright © 1999, 2003 Oracle Corporation. All Rights Reserved.