The default password policy applies to all users in the directory instance who do not have a specialized policy defined. However, the default password policy does not apply to the Directory Manager. See Which Password Policy Applies for details on policy scope.
The default password policy is the one policy that you can configure using the dsconf command. You can also view default password policy by reading cn=Password Policy,cn=config.
This section shows the policy attributes for each policy area and the related dsconf server properties. It also explains how to view and change default password policy settings.
The following table shows the password policy attributes and related dsconf server properties for each password policy area.
Policy Area |
Policy Attribute |
dsconf Server Property |
---|---|---|
Account Lockout |
pwdFailureCountInterval |
pwd-failure-count-interval |
pwdLockout |
pwd-lockout-enabled |
|
pwdLockoutDuration |
pwd-lockout-duration |
|
pwdMaxFailure |
pwd-max-failure-count |
|
Password Changes |
passwordRootdnMayBypassModsChecks |
pwd-root-dn-bypass-enabled |
pwdAllowUserChange |
pwd-user-change-enabled |
|
pwdInHistory |
pwd-max-history-count |
|
pwdMinAge |
pwd-min-age |
|
pwdMustChange |
pwd-must-change-enabled |
|
pwdSafeModify |
pwd-safe-modify-enabled |
|
Password Content |
pwdCheckQuality |
pwd-check-enabled, pwd-accept-hashed-password-enabled, pwd-strong-check-dictionary-path, pwd-strong-check-enabled, pwd-strong-check-require-charset |
pwdMinLength |
pwd-min-length |
|
passwordStorageScheme |
pwd-storage-scheme |
|
Password Expiration |
pwdExpireWarning |
pwd-expire-warning-delay |
pwdGraceAuthNLimit |
pwd-grace-login-limit |
|
pwdMaxAge |
pwd-max-age |
|
Tracking Last Authentication Time |
pwdKeepLastAuthTime |
pwd-keep-last-auth-time-enabled |
The properties that correlate to pwdCheckQuality configure the Password Check plug-in. Therefore, the five properties apply to the entire server instance. The five properties thus also apply to other password policies where pwdCheckQuality: 2.
You can view default password policy settings with the dsconf command.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
Read the default password policy configuration.
$ dsconf get-server-prop -h host -p port | grep ^pwd- pwd-accept-hashed-pwd-enabled : N/A pwd-check-enabled : off pwd-compat-mode : DS5-compatible-mode pwd-expire-no-warning-enabled : on pwd-expire-warning-delay : 1d pwd-failure-count-interval : 10m pwd-grace-login-limit : disabled pwd-keep-last-auth-time-enabled : off pwd-lockout-duration : 1h pwd-lockout-enabled : off pwd-lockout-repl-priority-enabled : on pwd-max-age : disabled pwd-max-failure-count : 3 pwd-max-history-count : disabled pwd-min-age : disabled pwd-min-length : 6 pwd-mod-gen-length : 6 pwd-must-change-enabled : off pwd-root-dn-bypass-enabled : off pwd-safe-modify-enabled : off pwd-storage-scheme : SSHA pwd-strong-check-dictionary-path : /local/ds6/plugins/words-english-big.txt pwd-strong-check-enabled : off pwd-strong-check-require-charset : lower pwd-strong-check-require-charset : upper pwd-strong-check-require-charset : digit pwd-strong-check-require-charset : special pwd-supported-storage-scheme : CRYPT pwd-supported-storage-scheme : SHA pwd-supported-storage-scheme : SSHA pwd-supported-storage-scheme : NS-MTA-MD5 pwd-supported-storage-scheme : CLEAR pwd-user-change-enabled : on |
You can change the default password policy by setting server properties with the dsconf command.
Before completing this procedure, read and complete the Worksheet for Defining Password Policy.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
Translate the settings from your worksheet into dsconf command property settings.
Use the dsconf set-server-prop command to change default password policy properties appropriately.
For example, the following command allows the Directory Manager to violate the default policy when modifying passwords:
$ dsconf set-server-prop -h host -p port pwd-root-dn-bypass-enabled:on |