Sun Java System Directory Server Enterprise Edition 6.2 Administration Guide

Procedure: To Assign a Password Policy Using Roles and CoS

This procedure assigns an existing specialized password policy to a set of users by applying roles and class of service (CoS). See Chapter 9, Directory Server Groups, Roles, and CoS for more information about roles and CoS.


Note – To complete this procedure, you must have a specialized password policy to assign. See To Create a Password Policy.


You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

Example data shown here is from Example.ldif unless stated otherwise.

  1. Create a role for the entries to be governed by the password policy.

    For example, the following commands create a filtered role for temporary employees at Example.com:


    $ cat tmp.ldif
    dn: cn=TempFilter,ou=people,dc=example,dc=com
    objectclass: top
    objectclass: LDAPsubentry
    objectclass: nsRoleDefinition
    objectclass: nsComplexRoleDefinition
    objectclass: nsFilteredRoleDefinition
    cn: TempFilter
    nsRoleFilter: (&(objectclass=person)(status=contractor))
    description: filtered role for temporary employees
    
    $ ldapmodify -a -D uid=kvaughan,ou=people,dc=example,dc=com -w - -f tmp.ldif
    Enter bind password: 
    modifying entry cn=TempFilter,ou=people,dc=example,dc=com
    
    $

    As shown in Example.ldif, kvaughan is a Human Resources manager who has access to modify dc=example,dc=com entries. Vaughan's bind password, as shown in Example.ldif, is bribery.

  2. Create a class of service to generate the DN of the password policy entry.

    The CoS generates this DN as the value of the pwdPolicySubentry attribute for users who have the role that you created.

    For example, the following commands create a class of service for the filtered role for temporary employees at Example.com. The commands assign cn=TempPolicy,dc=example,dc=com to users who have the role.


    $ cat cos.ldif
    dn: cn=PolTempl,dc=example,dc=com
    objectclass: top
    objectclass: nsContainer
    
    dn: cn="cn=TempFilter,ou=people,dc=example,dc=com",
     cn=PolTempl,dc=example,dc=com
    objectclass: top
    objectclass: extensibleObject
    objectclass: LDAPsubentry
    objectclass: costemplate
    cosPriority: 1
    pwdPolicySubentry: cn=TempPolicy,dc=example,dc=com
    
    dn: cn=PolCoS,dc=example,dc=com
    objectclass: top
    objectclass: LDAPsubentry
    objectclass: cosSuperDefinition
    objectclass: cosClassicDefinition
    cosTemplateDN: cn=PolTempl,dc=example,dc=com
    cosSpecifier: nsRole
    cosAttribute: pwdPolicySubentry operational
    
    $ ldapmodify -a -D uid=kvaughan,ou=people,dc=example,dc=com -w - -f cos.ldif
    Enter bind password: 
    modifying entry cn=TempFilter,ou=people,dc=example,dc=com
    
    $

    Users whose status is contractor are now subject to the password policy cn=TempPolicy,dc=example,dc=com.
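As an added illustration that is not part of the guide, the following Python model shows how the filtered role from step 1 and the classic CoS from step 2 combine to produce a user's pwdPolicySubentry value: nsRoleFilter is evaluated to compute nsRole, the role DN selects a template under cosTemplateDN, and the template supplies the policy DN. It assumes a simplified filter evaluator limited to AND-of-equality filters and a constructed sample entry (tmorris); it does not contact a server.

```python
import re

# Values taken from the procedure's tmp.ldif and cos.ldif.
ROLE_DN = "cn=TempFilter,ou=people,dc=example,dc=com"
ROLE_FILTER = "(&(objectclass=person)(status=contractor))"
TEMPLATE_BASE = "cn=PolTempl,dc=example,dc=com"   # cosTemplateDN of cn=PolCoS
# Template entries keyed by DN; the template for a role is named after the role DN.
TEMPLATES = {'cn="%s",%s' % (ROLE_DN, TEMPLATE_BASE):
             {"pwdpolicysubentry": "cn=TempPolicy,dc=example,dc=com"}}

def matches_and_filter(entry, flt):
    """Evaluate an AND of equality assertions such as (&(a=b)(c=d)) against a
    dict of lowercase attribute name -> list of values (case-insensitive compare).
    Only this filter shape is modelled, not the full LDAP filter grammar."""
    m = re.fullmatch(r"\(&((?:\([^()=]+=[^()]*\))+)\)", flt)
    if not m:
        raise ValueError("only (&(attr=value)...) filters are modelled")
    for attr, value in re.findall(r"\(([^()=]+)=([^()]*)\)", m.group(1)):
        if value.lower() not in [v.lower() for v in entry.get(attr.lower(), [])]:
            return False
    return True

def ns_role(entry):
    """Computed nsRole: DNs of the filtered roles whose nsRoleFilter matches."""
    return [ROLE_DN] if matches_and_filter(entry, ROLE_FILTER) else []

def pwd_policy_subentry(entry):
    """Classic CoS with cosSpecifier nsRole: for each role DN in nsRole, look up
    cn="<role DN>",<cosTemplateDN> and return its pwdPolicySubentry. None means
    no template matched, so the server default password policy governs the entry."""
    for role in ns_role(entry):
        template = TEMPLATES.get('cn="%s",%s' % (role, TEMPLATE_BASE))
        if template:
            return template["pwdpolicysubentry"]
    return None

def returned_attributes(entry, requested=("*",)):
    """The 'operational' qualifier on cosAttribute means the generated value is
    returned only when a search names pwdPolicySubentry explicitly, not for '*'."""
    result = {k: list(v) for k, v in entry.items()}
    policy = pwd_policy_subentry(entry)
    if policy and "pwdpolicysubentry" in {a.lower() for a in requested}:
        result["pwdpolicysubentry"] = [policy]
    return result

# Constructed sample entry in the style of Example.ldif (not from the page).
CONTRACTOR = {"objectclass": ["top", "person"], "uid": ["tmorris"],
              "status": ["contractor"]}
```

To confirm the assignment on a live server, name pwdPolicySubentry explicitly in the ldapsearch attribute list; because the CoS declares it operational, a default search does not return it.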