Oracle Internet Directory Administrator's Guide 10g (10.1.4.0.1) Part Number B15991-01 |
Password policies are sets of rules that govern how passwords are used. This chapter contains these topics:
This section contains these topics:
Password policies are sets of rules that govern password syntax and how passwords are used. Password policies enforced by Oracle Internet Directory include:
The maximum length of time a given password is valid
The minimum number of characters a password must contain
The minimum number of numeric characters required in a password
The minimum number of alphabetic characters
The minimum number of repeated characters
The use of upper and lower case
The minimum number of non-alphanumeric characters (that is, special characters)
That users change their passwords periodically
The minimum and maximum time between password changes
The grace period for logins after password expiration, by time or by number of logins
That users cannot reuse previously used passwords
In previous releases, Oracle Internet Directory supported only one password policy in each realm. As of Oracle Internet Directory 10g (10.1.4.0.1), Oracle Internet Directory supports multiple password policies in each realm. Another change in 10g (10.1.4.0.1) is that these policies can be applied to any subtree within that realm. This means that entry-specific password policies are now possible.
Password policies can be specified as being realm-specific or directory-wide in scope. To achieve the desired scope, you must create the password policy entry in the appropriate container. In Oracle Internet Directory 10g (10.1.4.0.1), password policies are populated under a "cn=pwdPolicies" container created under the "cn=common" entry in each realm. By default these containers contain a password policy with the RDN "cn=default". The directory-specific default password policy, for example, has the DN cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext.
Other policies can be created under the pwdPolicies container, with different RDNs. Figure 19-1 illustrates this scenario.
In 10g (10.1.4.0.1), unlike previous releases, password policies are completely decoupled from the orclcommonusersearchbase attribute in a realm-specific Common Entry. If you upgraded from an earlier release, the existing password policies were migrated to the new architecture during the upgrade. However, simply adding a DN to the orclcommonusersearchbase attribute no longer guarantees that the realm's default password policy will be applied to the subtree rooted at that DN.
In Oracle Internet Directory 10g (10.1.4.0.1), once you define a password policy, you must perform a second step to apply the password policy to a subtree of the directory. You must populate the pwdPolicysubentry attribute with the DN of the desired password policy on an entry that is the root of the subtree the administrator wants the policy to apply to. Figure 19-2 illustrates this. The pwdPolicysubentry at l=us contains the DN of the default policy, "cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext", so the default policy applies to the users in the US. The pwdPolicysubentry at l=uk contains the DN of the policy "cn=policy2,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext", so policy2 applies to the users in the UK.
At runtime, Oracle Internet Directory resolves the applicable password policy on an entry by looking for a populated pwdPolicysubentry attribute in the entry and applying the policy pointed to by its value. If a populated pwdPolicysubentry attribute does not exist, Oracle Internet Directory traverses up the directory tree until the nearest ancestor entry with a populated pwdPolicysubentry is found, and applies the password policy pointed to by its value.
Note: You can disable a password policy by setting orclpwdpolicyenable to 0. This leaves that portion of the directory without an applicable password policy: Oracle Internet Directory will not traverse up the DIT to find an enabled policy that is applicable. This enables you to leave portions of the directory free of password policies when necessary, but you should be aware of the implications of such a change before making it.
In general, establishing a password policy requires doing the following:
Create a password policy entry in the appropriate container and associate it with the pwdpolicy object class.
Create the desired policy by setting values for attributes defined under the pwdPolicy object class for the entry created in step 1.
Ensure that the orclpwdpolicyenable attribute is set to 1. If it is not set to 1, Oracle Internet Directory ignores the policy.
Add and populate a pwdPolicysubentry attribute with the policy's DN at the root of the subtree governed by that policy.
See Also: "Object Class Reference" in Oracle Identity Management User Reference for a list and descriptions of the attributes of the pwdPolicy object class, and those of the top object class that pertain to password policies
Note: Password policy entries for subtrees and users are replicated. Replicating the 10g (10.1.4.0.1) policies to a pre-10g (10.1.4.0.1) node will not adversely impact the functionality of that node. A pre-10g (10.1.4.0.1) node, however, cannot meaningfully interpret the 10g (10.1.4.0.1) password policies. It will continue to enforce the password policy in the realm Oracle context.
Note: You must protect password policy entries from anonymous access using Oracle Internet Directory's ACI infrastructure, described in Chapter 18, "Directory Access Control". This is particularly important when a password policy is weak, as that information can assist an attacker in compromising the directory.
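To make the four steps and the runtime lookup concrete, here is an added Python example (my own code, not part of this guide or of Oracle Internet Directory). It models how the server picks the policy for an entry, including the stop-on-disabled behaviour from the note above, and builds the LDIF records an administrator would load for steps 1 through 4. The directory tree, the disabled policy named cn=policy_off and the o=my_company,dc=com suffix are constructed sample data.

```python
# Added example, not Oracle's code: a small model of how Oracle Internet Directory
# picks the password policy for an entry (nearest populated pwdPolicysubentry,
# walking up the tree), plus the LDIF a defender would load to create a policy
# and apply it to a subtree. All directory content below is constructed.

POLICY_CONTAINER = "cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,o=my_company,dc=com"
USERS = "cn=users,o=my_company,dc=com"
DEFAULT_POLICY = "cn=default," + POLICY_CONTAINER
POLICY2 = "cn=policy2," + POLICY_CONTAINER
OFF_POLICY = "cn=policy_off," + POLICY_CONTAINER   # hypothetical policy with orclpwdpolicyenable = 0

# Constructed DIT: DN -> attributes. Attribute names are kept lowercase because LDAP
# attribute names are case-insensitive; values are lists, as in LDAP.
SAMPLE_DIT = {
    DEFAULT_POLICY: {"objectclass": ["top", "pwdpolicy"], "orclpwdpolicyenable": ["1"], "pwdmaxage": ["10368000"]},
    POLICY2:        {"objectclass": ["top", "pwdpolicy"], "orclpwdpolicyenable": ["1"], "pwdmaxage": ["2592000"]},
    OFF_POLICY:     {"objectclass": ["top", "pwdpolicy"], "orclpwdpolicyenable": ["0"]},
    "l=us," + USERS: {"pwdpolicysubentry": [DEFAULT_POLICY]},
    "l=uk," + USERS: {"pwdpolicysubentry": [POLICY2]},
    "cn=contractors,l=uk," + USERS: {"pwdpolicysubentry": [OFF_POLICY]},
    "cn=John Doe,l=us," + USERS: {},
    "cn=Jane Roe,l=uk," + USERS: {},
    "cn=Temp Worker,cn=contractors,l=uk," + USERS: {},
    "cn=Orphan User," + USERS: {},           # no pwdPolicysubentry anywhere above it
}

def parent_dn(dn):
    """Parent of an LDAP DN, or None at the top. Sample DNs contain no escaped commas."""
    return dn.split(",", 1)[1] if "," in dn else None

def resolve_policy(dit, dn):
    """Return (policy_dn, reason); policy_dn is None when no enabled policy applies."""
    current = dn
    while current is not None:
        refs = dit.get(current, {}).get("pwdpolicysubentry")
        if refs:
            policy_dn = refs[0]
            policy = dit.get(policy_dn)
            if policy is None:
                return None, f"{current} points at missing policy {policy_dn}"
            if policy.get("orclpwdpolicyenable", ["0"])[0] != "1":
                # The server stops here; it does not keep walking up looking for an enabled policy.
                return None, f"policy {policy_dn} referenced at {current} is disabled"
            return policy_dn, f"policy found at {current}"
        current = parent_dn(current)
    return None, "no ancestor carries pwdPolicysubentry"

def create_policy_ldif(policy_rdn, container_dn, attrs):
    """LDIF 'add' record for a new policy entry (steps 1 to 3); attrs are pwdPolicy attributes."""
    attrs = {"orclpwdpolicyenable": "1", **attrs}    # step 3: enabled unless the caller overrides
    lines = [f"dn: {policy_rdn},{container_dn}", "changetype: add",
             "objectclass: top", "objectclass: pwdpolicy"]
    lines += [f"{name}: {value}" for name, value in attrs.items()]
    return "\n".join(lines) + "\n"

def apply_policy_ldif(subtree_root_dn, policy_dn):
    """LDIF 'modify' record (step 4) that makes policy_dn govern the subtree at subtree_root_dn."""
    return "\n".join([f"dn: {subtree_root_dn}", "changetype: modify",
                      "replace: pwdPolicysubentry", f"pwdPolicysubentry: {policy_dn}"]) + "\n"

if __name__ == "__main__":
    for user in ("cn=John Doe,l=us," + USERS, "cn=Jane Roe,l=uk," + USERS,
                 "cn=Temp Worker,cn=contractors,l=uk," + USERS, "cn=Orphan User," + USERS):
        print(user, "->", resolve_policy(SAMPLE_DIT, user))
    print(create_policy_ldif("cn=policy2", POLICY_CONTAINER, {"pwdMaxAge": "2592000"}))
    print(apply_policy_ldif("l=uk," + USERS, POLICY2))
```

The two users under cn=contractors and cn=Orphan User both end up with no policy, but for different reasons: one because the referenced policy is disabled (and the lookup stops there), the other because no ancestor carries pwdPolicysubentry at all. A defender auditing a realm would want to enumerate both cases.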
The default password policy for Oracle Internet Directory enforces:
Password expiration in 120 days
Account lockout after 10 login failures. Except for the super user account, all accounts remain locked for a duration of 24 hours unless the passwords are reset by the directory administrator. A user account stays locked even after the lockout duration has passed unless the user binds with the correct password.
If the super user account, cn=orcladmin, becomes locked, it stays locked until it is unlocked by using the OID Database Password utility. This utility prompts you for the ODS user password. After you enter the ODS password, it unlocks the account.
A minimum password length of five characters with at least one numeric character
Password expiry warning seven days prior to expiry
Five grace logins allowed after password expiry
Beginning in Oracle Internet Directory, Release 9.0.4, the password policy entry in the Root Oracle Context applies to the super user, but only the password policy governing account lockout is enforced on that account.
Note: Oracle Identity Management has two distinct types of privileged user. Both privileged user accounts can be locked if certain password policies are activated. The first type of privileged user, the super user with the DN
The second privileged user, a realm-specific privileged user, governs capabilities such as creation and deletion of users and groups within a realm and all the functionality related to Oracle Delegated Administration Services. This account is represented by an entry with the DN
The Oracle Internet Directory password policy is applicable to simple binds (based on the userpassword attribute), compare operations on the userpassword attribute, and SASL binds. It does not apply to SSL and proxy binds.
The following attributes affect password policy:
Table 19-1 Password Policy Attributes
Name | Function |
---|---|
| | The number of seconds that must elapse between user modifications to the password. The default is 0. |
| | The maximum time, in seconds, that a password can be valid. Upon reaching this age, the password is considered to have expired. The default is 10368000 seconds (120 days). |
| | When this is true, the server locks out a user after a number of consecutive invalid login attempts. The number is specified by |
| | When this is true, the server locks out a user after a number of consecutive invalid login attempts from the same IP address. The number is specified by |
| | The time period in seconds to lock out a user account once the threshold of invalid login attempts is reached. The default is 86400 seconds (24 hours). |
| | The time period in seconds to lock out a user account once the threshold of invalid login attempts from the same IP address is reached. The default is 0. |
| | The maximum number of invalid login attempts the server should allow before locking out a user account. The default value is 10. |
| | The maximum number of invalid login attempts the server should allow from a particular IP address before locking the user account. The default is 0. |
| | The time in seconds after which the password failures are purged from the failure counter, even though no successful authentication occurred. The default is 0. |
| | The maximum number of seconds before a password is due to expire that expiration warning messages will be returned to an authenticating user. The default value is 604800 seconds (seven days). |
| | Enables or disables password syntax checks: 0 = disable all syntax checks; 1 = enable password syntax value checks, except for encrypted passwords (default). |
| | The minimum length of a password governed by this policy. The default is 5 characters. |
| | The maximum number of grace logins allowed after a password expires. The default is 5. |
| | The maximum period of time in seconds where grace logins are allowed after a password expires. If |
| | Requires users to reset their password upon their first login after account creation or after a password has been reset by the administrator. The default is 0 (false). |
| | A list of values that are not allowed as passwords. |
| | The minimum number of numeric characters required in a password. The default is 1. |
| | The minimum number of alphabetic characters required in a password. The default is 0. |
| | The minimum number of non-alphanumeric characters (that is, special characters) required in a password. The default is 0. |
| | The minimum number of uppercase characters required in a password. The default is 0. |
| | The minimum number of lowercase characters required in a password. The default is 0. |
| | The maximum number of repeated characters allowed in a password. The default is 0. |
| | The maximum number of used passwords stored in the |
| | Not currently used. |
| | When this is true, the server evaluates this policy. Otherwise, the policy is ignored and not enforced. The default is 1 (true). |
| | When set to true, enables password encryption. The default is 1 (true). |
| | Enables or disables logins using the hashed password value. 0 = disabled (default). 1 = enabled. |
| | Enables or disables logins using the hashed password value. 0 = disabled (default). 1 = enabled. |
As explained in "Fine-Grained Password Policies", Oracle Internet Directory determines the applicable policy for an entry by locating the appropriate populated pwdPolicysubentry. To ensure that the user password meets the requirements of a given policy, the directory server verifies:
That the password policy is enabled. It does this by checking the value of the attribute orclpwdpolicyenable in the password policy entry. A value of 1 indicates that the password policy is enabled. A value of 0 indicates that it is disabled.
Correctness of password policy syntax information, which includes, for example, the correct number of alphabetic and numeric characters, or the correct password length. The directory server checks the syntax during ldapadd and ldapmodify operations on the userpassword attribute.
Password policy state information, which, for example, includes:
The timestamp of the user password creation or modification
That the minimum password age is greater than the current time minus the time of password creation
The timestamp of consecutive failed login attempts by the user
The time at which the user account was locked
Indicator that the password has been reset and must be changed by the user on first authentication
A history of user's previously used passwords
Time stamps of grace logins
If the grace login is set by time period, the server checks the time discrepancy between the current time and the expiration.
The directory server checks the state information during ldapbind and ldapcompare operations, but does so only if the orclpwdpolicyenable attribute is set to 1.
To enable password value syntax checking, set the attributes orclpwdpolicyenable and pwdchecksyntax in the password policy entry to TRUE.
This section contains these topics:
Managing Password Policies by Using Oracle Directory Manager
Managing Password Policies, Accounts, and Passwords by Using Command-Line Tools
Managing Accounts and Passwords by Using the Self-Service Console
Table 19-2 lists the administrative tasks related to password policies and the tools you use to perform each one, and points you to the corresponding information.
Table 19-2 Tasks and Tools for Managing Password Polices
You can use Oracle Directory Manager to view, refresh, and modify password policies.
This section contains these topics:
Modifying Password Policies by Using Oracle Directory Manager
Creating Password Policies by Using Oracle Directory Manager
To view the password policies, in the navigator pane, expand Oracle Internet Directory Servers, then directory server instance, then Password Policy Management. The navigator pane displays the password policy entries. The right pane has two tabs. The General tab displays the path to password policy group entry. The Password Policy Effective Subtree tab displays a table with two columns:
The Password Policy column listing each password policy entry
The Effective Subtree column listing the subtree to which each policy applies
To get the latest updates to password policies, choose Refresh.
To get a specific password policy, in the navigator pane, choose the password policy you want to view. The policies appear in the right pane.
See Also: "Password Policy Fields in Oracle Directory Manager" for a description of each password policy displayed in Oracle Directory Manager
To modify the password policies:
In the navigator pane, expand in succession Oracle Internet Directory Servers, directory server instance, Password Policy Management.
In the navigator pane, choose the password policy you want to modify. The corresponding tab pages appear in the right pane.
In the General tab page, modify the editable attribute fields as needed. These fields are described in Table A-10.
Select the Account Lockout tab page and, to modify the fields, select Global Lockout. Modify the editable attribute fields as needed. These fields are described in Table A-11.
Select the IP Lockout tab page and, to modify the fields, select IP Lockout. Modify the editable attribute fields as needed. These fields are described in Table A-12.
Select the Password Syntax tab page and, to modify the fields, select Check Password Syntax. Modify the editable attribute fields as needed. These fields are described in Table A-13.
Select the Effective Subtree tab page to modify the subtree to which the policy applies.
When you are finished, choose Apply.
To create a new password policy:
In the navigator pane, expand in succession Oracle Internet Directory Servers, directory server instance, Password Policy Management.
In the navigator pane, choose one of the existing password policies. The corresponding tab pages appear in the right pane.
In the right pane, select the name of the policy, then select Edit.
To create a new policy, select Create or Create Like.
In the General tab page, set or modify the editable attribute fields as needed. These fields are described in Table A-10.
Select the Account Lockout tab page and, to modify the fields, select Global Lockout. Modify the editable attribute fields as needed. These fields are described in Table A-11.
Select the IP Lockout tab page and, to modify the fields, select IP Lockout. Modify the editable attribute fields as needed. These fields are described in Table A-12.
Select the Password Syntax tab page and, to modify the fields, select Check Password Syntax. Modify the editable attribute fields as needed. These fields are described in Table A-13.
Select the Effective Subtree tab page, then select Add. Either enter the DN, or select Browse, then use the Select Distinguished Name (DN) Path window to navigate to the subtree to which you want the policy to apply.
When you are finished, choose Apply.
This section contains these topics:
Example: Setting Password Policies by Using Command-Line Tools
Examples: Managing Password Policies by Using Command-Line Tools
Example: Enabling and Disabling Accounts by Using Command-Line Tools
Example: Forcing a Password Change by Using Command-Line Tools
The following example disables the pwdLockout attribute, changing it from its default setting of 1.
The file my_file.ldif contains:
dn: cn=default,cn=pwdPolicies,cn=common,cn=products,cn=OracleContext,o=my_company,dc=com
changetype: modify
replace: pwdlockout
pwdlockout: 0
The following command loads this file into the directory:
ldapmodify -p port -h host -f my_file.ldif
Look at the following examples to learn how to view and modify the password policies of a realm by using command-line tools.
The following example retrieves a specific password policy entry.
ldapsearch -p port -h host \
  -b "cn=pwdPolicies,cn=common,cn=products,cn=OracleContext,o=my_company,dc=com" \
  -s sub "(objectclass=pwdpolicy)"
The following example retrieves all password policy entries:
ldapsearch -p port -h host -b "" -s sub "(objectclass=pwdpolicy)"
The following example modifies a password policy entry.
ldapmodify -p port -h host -D binddn -w password <<EOF
dn: cn=default,cn=pwdPolicies,cn=common,cn=products,cn=OracleContext,o=my_company,dc=com
changetype: modify
replace: pwdMaxAge
pwdMaxAge: 10000
EOF
You can temporarily disable a user's account, then enable it once again, by using command-line tools.
To permanently disable the account, set the orclisenabled attribute to DISABLED. Setting this attribute to any other value enables the account.
To enable the account after you have disabled it, delete this attribute from the entry.
To enable the account for a specific period, set the orclActiveStartDate and orclActiveEndDate attributes in the user entry to the proper value in UTC (Coordinated Universal Time) format. For example:
cn=John Doe,cn=users,o=my_company,dc=com
orclactivestartdate: 20030101000000z
orclactiveenddate: 20031231000000z
In this example, John Doe can log in only between January 1, 2003 and December 31, 2003. He cannot log in prior to January 1, 2003 or after December 31, 2003. If you want to disable his account for a period of time between these dates, then set the orclisenabled attribute to FALSE.
If you are a member of the Security Administrators Group, then you can unlock an account without resetting the user password. This saves you from having to explicitly tell the user the new password. The user can simply log in using the old password.
To unlock an account, set the orclpwdaccountunlock attribute to 1.
The following example unlocks the account for user John Doe.
ldapmodify -p port -h host -D cn=orcladmin -w welcome -v <<EOF
dn: cn=John Doe,cn=users,o=my_company,dc=com
changetype: modify
add: orclpwdaccountunlock
orclpwdaccountunlock: 1
EOF
You can force users to change their passwords when they log in for the first time. To do this, set the pwdMustChange attribute in the pwdpolicy entry to TRUE, and then reset the password. If you do this, you must explicitly tell the user the new password so that the user can log in to change that password.
See Also: "Resetting Your Own Password by Using the Oracle Internet Directory Self-Service Console" for instructions on resetting passwords
This section explains how to use the Oracle Internet Directory Self-Service Console to:
Enable and disable accounts
Unlock accounts
Reset your own password
You can temporarily disable a user's account, then enable it once again, by using the Oracle Internet Directory Self-Service Console.
See Also: The section on managing accounts in Oracle Identity Management Guide to Delegated Administration for instructions on enabling and disabling accounts by using the Oracle Internet Directory Self-Service Console
If you are a member of the Security Administrators Group, then, if an account becomes locked, you can unlock it without resetting the user password. This saves you from having to explicitly tell the user the new password. The user can simply log in by using the old password.
See Also: The section on managing accounts in Oracle Identity Management Guide to Delegated Administration for instructions on using the Oracle Internet Directory Self-Service Console to unlock accounts
If you forget your password or become locked out of your account, then you can reset your password. This involves identifying yourself to the server by providing values for a set of password validation attributes. This takes the form of answering a password hint question to which you had earlier specified an answer.
See Also: The section on resetting your password if you forget it in Oracle Identity Management Guide to Delegated Administration for instructions on using the Oracle Internet Directory Self-Service Console to reset your password
Whenever there are password policy violations, the directory server sends various error and warning messages to the client. In Oracle Internet Directory 10g (10.1.4.0.1), the directory server can send these messages as LDAP controls only if the client sends a password policy request control as part of an ldapbind or ldapcompare operation. If the client does not send the request control, then the directory server does not send the response controls. Instead, it sends errors and warnings as part of additional information.
See: "Troubleshooting Password Policies" for a list of the messages and information about how to resolve them