The easiest way to configure a password policy is to use the dsconfig command to set the password policy properties. The following examples configure various properties of the default password policy.
For a complete list of password policy configuration properties and their values, see the Password Policy Configuration.
The following account lockout features can be configured:
Lockout failure count. Specifies the number of authentication failures required to lock a user account.
Lockout duration. Determines the length of time that the account remains in a locked state after failed authentication attempts. After the duration has elapsed, the account is automatically unlocked. A value of zero indicates that the account is not automatically unlocked.
Lockout failure expiration interval. Determines the maximum length of time that a previously failed authentication attempt should be counted toward a lockout failure. A value of zero indicates that failed attempts never automatically expire.
Idle lockout interval. Specifies the maximum length of time that a user account can go without authenticating to the directory before the server locks the account. This property is enforced only if last-login-time tracking is enabled and idle-lockout-interval is set to a nonzero value.
The following command sets the account lockout properties for the default password policy.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  set-password-policy-prop \
  --policy-name "Default Password Policy" --set "lockout-failure-count:3" \
  --set "lockout-duration:15 minutes" --set "idle-lockout-interval:90 days" \
  --set "lockout-failure-expiration-interval:10 minutes"
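To make the interaction between the four lockout properties concrete, the following added Python model (written for this page, not part of the guide or of the directory server's code) replays a list of failed-bind timestamps against a policy and reports whether the account is open or locked at a given time. The parse_duration helper, the LockoutPolicy class and its method names are my own, and treating a lockout-failure-count of 0 as "lockout disabled" is an assumption.

```python
import re
from datetime import timedelta

# Duration syntax as typed in the dsconfig commands above ("15 minutes", "90 days", "0 seconds").
_UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400, "week": 604800}

def parse_duration(text):
    """Return '<n> <unit>' as seconds; 0 means the corresponding feature is switched off."""
    match = re.fullmatch(r"\s*(\d+)\s*([a-z]+?)s?\s*", text.lower())
    if not match or match.group(2) not in _UNIT_SECONDS:
        raise ValueError(f"unrecognised duration: {text!r}")
    return int(match.group(1)) * _UNIT_SECONDS[match.group(2)]

class LockoutPolicy:
    def __init__(self, failure_count, lockout_duration, failure_expiration, idle_lockout_interval):
        self.failure_count = failure_count  # assumed: 0 disables failure-based lockout
        self.lockout_duration = parse_duration(lockout_duration)  # 0: never unlocked automatically
        self.failure_expiration = parse_duration(failure_expiration)  # 0: failures never expire
        self.idle_lockout_interval = parse_duration(idle_lockout_interval)  # 0: no idle lockout

    def locked_time(self, failures, now):
        """Replay failed binds in order; return when the threshold was reached, else None."""
        if self.failure_count == 0:
            return None
        window, locked_at = [], None
        for t in sorted(f for f in failures if f <= now):
            if locked_at is not None:
                if self.lockout_duration == 0 or t - locked_at < timedelta(seconds=self.lockout_duration):
                    continue  # failure while locked: neither extends nor restarts the lock
                locked_at, window = None, []  # lock expired, failures are counted afresh
            if self.failure_expiration:  # drop failures too old to count toward a lockout
                window = [f for f in window if t - f <= timedelta(seconds=self.failure_expiration)]
            window.append(t)
            if len(window) >= self.failure_count:
                locked_at = t
        return locked_at

    def state(self, failures, now, last_login=None):
        """Return 'open', 'locked' or 'idle-locked' for the account at time `now`."""
        idle = timedelta(seconds=self.idle_lockout_interval)
        if idle and last_login is not None and now - last_login > idle:
            return "idle-locked"  # needs last-login-time tracking to supply last_login
        locked_at = self.locked_time(failures, now)
        if locked_at is None:
            return "open"
        if self.lockout_duration == 0 or now - locked_at < timedelta(seconds=self.lockout_duration):
            return "locked"
        return "open"  # lockout duration elapsed; the server unlocks the account

# Constructed policy using the values set by the dsconfig command above.
DEFAULT_POLICY = LockoutPolicy(3, "15 minutes", "10 minutes", "90 days")
```

Note that once the threshold is reached the lock is measured from the locking failure, so the account stays locked for the full lockout-duration even after the earlier failures have aged past the expiration interval.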
Last login tracking is a basic security feature that helps keep track of a user's login history. The directory server provides an operational attribute, ds-pwp-last-login-time, that holds the user's last login time. If you specify another attribute, it must be defined in the server schema as an operational attribute, or it must be allowed by at least one of the object classes in the user's entry.
The last-login-time-format property determines the format in which the time is stored. If the format is changed while last login tracking is enabled, the previous-last-login-time-format property tells the server which older format(s) existing values may still be written in.
The following command sets the last login properties for the default password policy.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  set-password-policy-prop \
  --policy-name "Default Password Policy" \
  --set "last-login-time-attribute:ds-pwp-last-login-time" \
  --set "last-login-time-format:yyyyMMdd" \
  --set "previous-last-login-time-format:yyyyMMdd"
The password-history-count property specifies the number of past passwords that should be maintained in the history. A value of zero indicates that the server does not maintain a password history.
The password-history-duration property specifies the maximum length of time that a previously used password should remain in the user's password history. A value of 0 seconds indicates that the server should not maintain a password history.
The following command configures password history count and duration for the default password policy.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  set-password-policy-prop \
  --policy-name "Default Password Policy" --set "password-history-count:3" \
  --set "password-history-duration:5 seconds"