 To Set Up a First Login Password Policy
In many deployments, the password policy to apply for new accounts differs from the password policy to apply for established accounts. This section demonstrates a first login password policy. The policy gives users three days to use a newly created account and set their new passwords before that account is locked. The policy is designed to work in the same way for users whose passwords have been reset.
You cannot use DSCC to perform this task. Use the command line, as described in this procedure.
Create a specialized password policy for newly created accounts.
For example, add a password policy entry that sets expiration time to three days, which is 259,200 seconds.
The global password policy must set pwdMustChange(5dsat) to TRUE, that is, users must change their passwords when they first bind.
    $ dsconf set-server-prop -p port-no pwd-must-change-enabled:true
    $ cat firstLogin.ldif
    dn: cn=First Login,dc=example,dc=com
    objectClass: top
    objectClass: LDAPsubentry
    objectClass: pwdPolicy
    objectClass: sunPwdPolicy
    cn: First Login
    passwordStorageScheme: SSHA
    pwdAttribute: userPassword
    pwdInHistory: 0
    pwdExpireWarning: 86400
    pwdLockout: TRUE
    pwdMinLength: 6
    pwdMaxFailure: 3
    pwdMaxAge: 259200
    pwdFailureCountInterval: 600
    pwdAllowUserChange: TRUE
    pwdLockoutDuration: 3600
    pwdMinAge: 0
    pwdCheckQuality: 2
    pwdMustChange: TRUE
    $ ldapmodify -a -D cn=admin,cn=Administrators,cn=config -w - -f firstLogin.ldif
    Enter bind password:
    adding new entry cn=First Login,dc=example,dc=com
Create a role that includes all newly created accounts.
In creating this role, set up some way to distinguish newly created accounts from established accounts.
Define new accounts as accounts that have a pwdReset(5dsat) attribute set to TRUE.
When a user's password is changed by another user, such as a password administrator, pwdReset is set to TRUE.
Create the role that identifies new accounts.
For example, the following commands create a role for accounts whose passwords have been reset.
    $ cat newRole.ldif
    dn: cn=First Login Role,ou=people,dc=example,dc=com
    objectclass: top
    objectclass: LDAPsubentry
    objectclass: nsRoleDefinition
    objectclass: nsComplexRoleDefinition
    objectclass: nsFilteredRoleDefinition
    cn: First Login Role
    nsRoleFilter: (pwdReset=TRUE)
    description: Role to assign password policy for new and reset accounts
    $ ldapmodify -a -D uid=kvaughan,ou=people,dc=example,dc=com -w - -f newRole.ldif
    Enter bind password:
    adding new entry cn=First Login Role,ou=people,dc=example,dc=com
Assign the password policy for newly created accounts with class of service.
    $ cat newCoS.ldif
    dn: cn=First Login Template,dc=example,dc=com
    objectClass: top
    objectClass: nsContainer

    dn: cn="cn=First Login Role,ou=people,dc=example,dc=com", cn=First Login Template,dc=example,dc=com
    objectClass: top
    objectClass: extensibleObject
    objectClass: LDAPSubEntry
    objectClass: CoSTemplate
    cosPriority: 1
    pwdPolicySubentry: cn=First Login,dc=example,dc=com

    dn: cn=First Login CoS,dc=example,dc=com
    objectClass: top
    objectClass: LDAPSubEntry
    objectClass: CoSSuperDefinition
    objectClass: CoSClassicDefinition
    cosTemplateDN: cn=First Login Template,dc=example,dc=com
    cosSpecifier: nsRole
    cosAttribute: pwdPolicySubentry operational
    $ ldapmodify -a -D uid=kvaughan,ou=people,dc=example,dc=com -w - -f newCoS.ldif
    Enter bind password:
    adding new entry cn=First Login Template,dc=example,dc=com
    adding new entry cn="cn=First Login Role,ou=people,dc=example,dc=com", cn=First Login Template,dc=example,dc=com
    adding new entry cn=First Login CoS,dc=example,dc=com
Add a new user that fits the role that you have added. You add the user to verify that new users are subject to the new password policy, but existing users are not.
    $ cat quentin.ldif
    dn: uid=qcubbins,ou=People,dc=example,dc=com
    objectclass: top
    objectclass: person
    objectclass: organizationalPerson
    objectclass: inetOrgPerson
    uid: qcubbins
    givenName: Quentin
    sn: Cubbins
    cn: Quentin Cubbins
    mail: quentin.cubbins@example.com
    userPassword: ch4ngeM3!
    description: New account
    $ ldapmodify -a -D uid=kvaughan,ou=people,dc=example,dc=com -w - -f quentin.ldif
    Enter bind password:
    adding new entry uid=qcubbins,ou=People,dc=example,dc=com
    $ ldapsearch -D uid=kvaughan,ou=people,dc=example,dc=com -w - \
     -b dc=example,dc=com uid=qcubbins nsrole pwdPolicySubentry
    Enter bind password:
    version: 1
    dn: uid=qcubbins,ou=People,dc=example,dc=com
    nsrole: cn=first login role,ou=people,dc=example,dc=com
    pwdPolicySubentry: cn=First Login,dc=example,dc=com
    $ ldapsearch -b dc=example,dc=com uid=bjensen nsrole pwdPolicySubentry
    version: 1
    dn: uid=bjensen, ou=People, dc=example,dc=com
Notice that Barbara Jensen's existing account is governed by the default password policy. Quentin Cubbins's new account is governed, however, by the password policy that you defined.
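The chain the procedure builds (filtered role on pwdReset, classic CoS keyed on nsRole, pwdPolicySubentry supplied by the template) can be traced offline. The following Python script is an added illustration, not Directory Server code: it parses a constructed LDIF fragment that mirrors the role, template and CoS definition above, evaluates the role filter for each user, and reports which policy subentry would govern the account. The pwdReset value on the qcubbins entry is written literally only so the filter has something to match; on a real server it is an operational attribute set by the password reset. The simplified filter evaluator handles only single equality filters such as (pwdReset=TRUE).

```python
import re
from collections import defaultdict

# Constructed LDIF modelled on the procedure's entries (objectclass lists trimmed).
SAMPLE_LDIF = """\
dn: cn=First Login Role,ou=people,dc=example,dc=com
objectclass: LDAPsubentry
objectclass: nsFilteredRoleDefinition
cn: First Login Role
nsRoleFilter: (pwdReset=TRUE)

dn: cn="cn=First Login Role,ou=people,dc=example,dc=com", cn=First Login Template,dc=example,dc=com
objectClass: LDAPSubEntry
objectClass: CoSTemplate
cosPriority: 1
pwdPolicySubentry: cn=First Login,dc=example,dc=com

dn: cn=First Login CoS,dc=example,dc=com
objectClass: LDAPSubEntry
objectClass: CoSClassicDefinition
cosTemplateDN: cn=First Login Template,dc=example,dc=com
cosSpecifier: nsRole
cosAttribute: pwdPolicySubentry operational

dn: uid=qcubbins,ou=People,dc=example,dc=com
objectclass: inetOrgPerson
uid: qcubbins
pwdReset: TRUE

dn: uid=bjensen,ou=People,dc=example,dc=com
objectclass: inetOrgPerson
uid: bjensen
"""


def parse_ldif(text):
    """Parse simple LDIF (no base64 values, no continuation lines) into a list of
    (dn, {attribute_lowercase: [values]}); blank lines separate entries."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = defaultdict(list)
        for line in block.splitlines():
            if line.strip() and not line.startswith("#"):
                name, value = line.split(":", 1)
                attrs[name.strip().lower()].append(value.strip())
        entries.append((attrs.pop("dn")[0], dict(attrs)))
    return entries


def norm_dn(dn):
    """Normalise a DN for comparison: lowercase, no whitespace around commas."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def matches_equality_filter(entry_attrs, ldap_filter):
    """Evaluate a single equality filter such as (pwdReset=TRUE), case-insensitively."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", ldap_filter.strip())
    if not m:
        raise ValueError("only simple equality filters are modelled: " + ldap_filter)
    attr, wanted = m.group(1).lower(), m.group(2).lower()
    return any(v.lower() == wanted for v in entry_attrs.get(attr, []))


def compute_roles(entry_attrs, entries):
    """nsRole values of an entry: DNs of nsFilteredRoleDefinition entries whose filter matches."""
    return [norm_dn(dn) for dn, a in entries
            if "nsfilteredroledefinition" in (v.lower() for v in a.get("objectclass", []))
            and matches_equality_filter(entry_attrs, a["nsrolefilter"][0])]


def effective_policy(entry_attrs, entries, default="cn=Password Policy,cn=config"):
    """Classic CoS with cosSpecifier nsRole: a template named cn="<role DN>" below
    cosTemplateDN supplies pwdPolicySubentry to entries holding that role (lowest
    cosPriority wins). Entries with no matching template keep the default policy."""
    roles = set(compute_roles(entry_attrs, entries))
    candidates = []
    for _, cos in entries:
        ocs = {v.lower() for v in cos.get("objectclass", [])}
        if "cosclassicdefinition" not in ocs or cos.get("cosspecifier", [""])[0].lower() != "nsrole":
            continue
        base = "," + norm_dn(cos["costemplatedn"][0])
        for tdn, tattrs in entries:
            ndn = norm_dn(tdn)
            if not ndn.endswith(base) or "pwdpolicysubentry" not in tattrs:
                continue
            m = re.fullmatch(r'cn="?(.*?)"?', ndn[: -len(base)])  # strip the quoted RDN
            if m and norm_dn(m.group(1)) in roles:
                candidates.append((int(tattrs.get("cospriority", ["0"])[0]),
                                   tattrs["pwdpolicysubentry"][0]))
    return min(candidates)[1] if candidates else default


def policy_for_uid(ldif_text, uid):
    """Convenience wrapper: which password policy subentry governs the user with this uid."""
    entries = parse_ldif(ldif_text)
    entry = next(a for _, a in entries if a.get("uid") == [uid])
    return effective_policy(entry, entries)


if __name__ == "__main__":
    for uid in ("qcubbins", "bjensen"):
        print(uid, "->", policy_for_uid(SAMPLE_LDIF, uid))
```

Running it prints cn=First Login,dc=example,dc=com for qcubbins and the default cn=Password Policy,cn=config for bjensen, the same contrast the two ldapsearch commands above show on a live server. The model is deliberately minimal: a real deployment can have several CoS definitions and templates, and the server evaluates arbitrary role filters, so treat this as a reading aid for the mechanism rather than a substitute for querying pwdPolicySubentry directly.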
Check the settings of the default password policy, which continues to govern established accounts such as Barbara Jensen's, by typing the following command:
    # ldapsearch -D "cn=directory manager" -w - -b "cn=Password Policy,cn=config" -s base \
     '(&(objectClass=ldapsubentry)(cn=Password Policy))'
    version: 1
    dn: cn=Password Policy,cn=config
    objectClass: top
    objectClass: ldapsubentry
    objectClass: pwdPolicy
    objectClass: sunPwdPolicy
    objectClass: passwordPolicy
    cn: Password Policy
    pwdAttribute: userPassword
    passwordStorageScheme: SSHA
    passwordChange: on
    pwdAllowUserChange: TRUE
    pwdSafeModify: FALSE
    passwordRootdnMayBypassModsChecks: off
    passwordNonRootMayResetUserpwd: on
    passwordInHistory: 0
    pwdInHistory: 0
    passwordMinAge: 0
    pwdMinAge: 0
    passwordCheckSyntax: off
    pwdCheckQuality: 0
    passwordMinLength: 6
    pwdMinLength: 6
    passwordMustChange: on
    pwdMustChange: TRUE
    passwordExp: off
    passwordMaxAge: 0
    pwdMaxAge: 0
    passwordWarning: 86400
    pwdExpireWarning: 86400
    passwordExpireWithoutWarning: on
    pwdGraceAuthNLimit: 0
    pwdKeepLastAuthTime: FALSE
    passwordLockout: off
    pwdLockout: FALSE
    passwordMaxFailure: 3
    pwdMaxFailure: 3
    passwordResetFailureCount: 600
    pwdFailureCountInterval: 600
    pwdIsLockoutPrioritized: TRUE
    passwordUnlock: on
    passwordLockoutDuration: 3600
    pwdLockoutDuration: 3600
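The practical difference between the two policies is the clock they start on a reset password: the First Login policy expires it pwdMaxAge (259,200 seconds) after pwdChangedTime and begins warning pwdExpireWarning (86,400 seconds) before that, while the default policy above has pwdMaxAge 0, meaning the password never expires. The following Python script is an added illustration, not Directory Server code, that computes that window from a pwdChangedTime value and classifies a bind attempt at a given time. The policy values are taken from this procedure; the timestamps are constructed, and pwdGraceAuthNLimit is assumed to be 0 for the First Login policy because the LDIF above does not set it.

```python
from datetime import datetime, timedelta, timezone

# Attribute values from this procedure. pwdMaxAge 0 means the password never
# expires; pwdGraceAuthNLimit for the First Login policy is assumed 0 (not set in its LDIF).
FIRST_LOGIN_POLICY = {"pwdMaxAge": 259200, "pwdExpireWarning": 86400, "pwdGraceAuthNLimit": 0}
DEFAULT_POLICY = {"pwdMaxAge": 0, "pwdExpireWarning": 86400, "pwdGraceAuthNLimit": 0}

GT_FORMAT = "%Y%m%d%H%M%SZ"  # GeneralizedTime as the server stores pwdChangedTime


def from_generalized_time(value):
    """Parse a UTC GeneralizedTime string such as 20240301090000Z."""
    return datetime.strptime(value, GT_FORMAT).replace(tzinfo=timezone.utc)


def to_generalized_time(moment):
    return moment.astimezone(timezone.utc).strftime(GT_FORMAT)


def password_timeline(pwd_changed_time, policy):
    """Return (warn_from, expires) as GeneralizedTime strings, or (None, None)
    when pwdMaxAge is 0 and the password never expires."""
    if policy["pwdMaxAge"] == 0:
        return None, None
    changed = from_generalized_time(pwd_changed_time)
    expires = changed + timedelta(seconds=policy["pwdMaxAge"])
    warn_from = expires - timedelta(seconds=policy["pwdExpireWarning"])
    return to_generalized_time(warn_from), to_generalized_time(expires)


def bind_status(pwd_changed_time, policy, now, grace_used=0):
    """Classify a bind at `now` (GeneralizedTime string): 'ok', 'warning' (the
    server returns an expiry warning), 'grace' (expired but a grace bind remains)
    or 'expired' (bind refused until a password administrator resets the
    password, which writes a new pwdChangedTime and restarts the three-day clock)."""
    warn_from, expires = password_timeline(pwd_changed_time, policy)
    if expires is None:
        return "ok"
    # Fixed-width GeneralizedTime strings compare chronologically as plain strings.
    if now < warn_from:
        return "ok"
    if now < expires:
        return "warning"
    if grace_used < policy["pwdGraceAuthNLimit"]:
        return "grace"
    return "expired"


if __name__ == "__main__":
    reset_at = "20240301090000Z"  # constructed: password reset on 1 March 2024, 09:00 UTC
    print("warn from / expires:", password_timeline(reset_at, FIRST_LOGIN_POLICY))
    for probe in ("20240302120000Z", "20240303120000Z", "20240304090000Z"):
        print(probe, bind_status(reset_at, FIRST_LOGIN_POLICY, probe))
```

For the constructed reset time the window runs from 20240303090000Z (warnings begin) to 20240304090000Z (account locked), which is exactly the three days the policy promises; the same reset time under the default policy yields no expiry at all, matching the pwdMaxAge: 0 line in the output above. When troubleshooting a user who is already locked out, compare the entry's pwdChangedTime against this window before assuming a lockout from failed binds (pwdMaxFailure), since the two conditions are cleared differently.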