Resetting Expired Passwords
When password policy enforces password expiration, some users will not change their passwords in time. This section shows how you can change passwords that have expired.
Note –
Directory Server updates the operational attribute pwdChangedTime(5dsat) every time that the password on the entry is modified. As a result, if you wait to enable password expiration, user passwords that have already aged expire immediately when you enable password expiration. Use warnings and grace logins if this behavior is not what you intend.
This section includes procedures for resetting a password with the password modify extended operation and for allowing grace authentications when passwords expire.
The mechanisms described in this section are intended for use by administrators, or by applications that handle the actual user interaction with the directory. You typically rely on an application to ensure that the end user is in fact using the mechanisms in the way you intended.
To Reset a Password With the Password
Modify Extended Operation
User accounts are locked when passwords expire. When you reset the password, you unlock the account. The password can be reset by another user such as an administrator. After password reset, Directory Server unlocks the user account. Directory Server provides support for RFC 3062, LDAP Password Modify Extended Operation. The extended operation enables you to allow a directory administrator or a directory application to unlock accounts through password reset.
Be cautious when allowing use of the password modify extended operation, as shown in this procedure. Limit access to administrators and applications that you trust. Do not allow passwords to travel over the network in clear text.
You cannot use DSCC to perform this task. Use the command line, as described in this procedure.
-
Give users access to a password administrator or to a password administration application.
-
Allow the password administrator access to use the password modify extended operation.
The following commands set an ACI to allow members of a Password Managers role to use the password modify extended operation when connected over SSL:
$ cat exop.ldif dn: oid=1.3.6.1.4.1.4203.1.11.1,cn=features,cn=config objectClass: top objectClass: directoryServerFeature oid: 1.3.6.1.4.1.4203.1.11.1 cn: Password Modify Extended Operation aci: (targetattr != "aci") (version 3.0; acl "Password Modify Extended Operation"; allow( read, search, compare, proxy ) (roledn = "ldap:///cn=Password Managers,dc=example,dc=com" and authmethod = "SSL");) $ ldapmodify -a -D cn=admin,cn=Administrators,cn=config -w - -f exop.ldif Enter bind password: adding new entry oid=1.3.6.1.4.1.4203.1.11.1,cn=features,cn=config $
The entry under cn=features,cn=config allows you to manage access to operations that use the password modify extended operation.
-
Have the password administrator reset the user password.
This step unlocks the user account, and can be completed with the ldappasswd(1) command.
-
(Optional) If the user must change the password, have the password administrator notify the user.
Users must change their passwords after reset if the password policy that governs their entries includes pwdMustChange: TRUE.
To Allow Grace Authentications When
Passwords Expire
This procedure describes how to give users grace authentications, allowing users to change passwords that have expired.
The grace authentications are intended to be managed by an application that handles password policy request and response controls. The procedure shows a simple example of how to use the control in an application.
You cannot use DSCC to perform this task. Use the command line, as described in this procedure.
-
Make sure that users have access to an application that uses password policy request and response controls.
The application should ensure that users handle grace authentications properly.
-
Allow the application to use the password policy controls.
The following commands set an ACI to allow members of a Password Managers role to use the password policy controls:
$ cat ctrl.ldif dn: oid=1.3.6.1.4.1.42.2.27.8.5.1,cn=features,cn=config objectClass: top objectClass: directoryServerFeature oid: 1.3.6.1.4.1.42.2.27.8.5.1 cn: Password Policy Controls aci: (targetattr != "aci") (version 3.0; acl "Password Policy Controls"; allow( read, search, compare, proxy ) roledn = "ldap:///cn=Password Managers,dc=example,dc=com";) $ ldapmodify -a -D cn=admin,cn=Administrators,cn=config -w - -f ctrl.ldif Enter bind password: adding new entry oid=1.3.6.1.4.1.42.2.27.8.5.1,cn=features,cn=config $
The entry under cn=features,cn=config has the sole purpose of allowing you to manage access to operations that use the password policy request and response controls.
-
Set pwdGraceAuthNLimit in the password policy to the number of authentications to allow after the password has expired.
-
Make sure that the application guides the end user to change the expired password promptly before grace authentications are exhausted.
Caution – The DS5–compatibility-mode password policy is deprecated. You must switch to DS6–mode password policy in this version.
- © 2010, Oracle Corporation and/or its affiliates