Oracle Directory Server Enterprise Edition Upgrade and Migration Guide 11g Release 1 (11.1.1.5.0)
Directory Server 11g Release 1 (11.1.1.5.0) implements a password policy that uses the standard object class and attributes described in the “Password Policy for LDAP Directories” Internet-Draft.
The password policy provides the following new features:
A grace login limit, specified by the pwdGraceAuthNLimit attribute. This attribute specifies the number of times an expired password can be used to authenticate. If it is not present or if it is set to 0, authentication will fail.
Safe password modification, specified by the pwdSafeModify attribute. This attribute specifies whether the existing password must be sent when changing a password. If the attribute is not present, the existing password does not need to be sent.
In addition, the password policy provides the following controls:
LDAP_CONTROL_PWP_[REQUEST|RESPONSE]
LDAP_CONTROL_ACCOUNT_USABLE_[REQUEST|RESPONSE]
These controls enable LDAP clients to obtain account status information.
The LDAP_CONTROL_PWP control provides account status information on LDAP bind, search, modify, add, delete, modDN, and compare operations.
The following information is available, using the OID 1.3.6.1.4.1.42.2.27.8.5.1 in the search:
Period of time before the password expires
Number of grace login attempts remaining
The password has expired
The account is locked
The password must be changed after being reset
Password modifications are allowed
The user must supply his/her old password
The password quality (syntax) is insufficient
The password is too short
The password is too young
The password already exists in history
The LDAP_CONTROL_PWP control indicates warning and error conditions. The control value is a BER octet string, with the format {tii}, which has the following meaning:
t is a tag defining which warning is set, if any. The value of t can be one of the following:
LDAP_PWP_WARNING_RESP_NONE (0x00L)
LDAP_PWP_WARNING_RESP_EXP (0x01L)
LDAP_PWP_WARNING_RESP_GRACE (0x02L)
The first i indicates warning information.
The warning depends on the value set for t as follows:
If t is set to LDAP_PWP_WARNING_RESP_NONE, the warning is -1.
If t is set to LDAP_PWP_WARNING_RESP_EXP, the warning is the number of seconds before expiration.
If t is set to LDAP_PWP_WARNING_RESP_GRACE, the warning is the number of remaining grace logins.
The second i indicates error information. If t is set to LDAP_PWP_WARNING_RESP_NONE, the error contains one of the following values:
pwp_resp_no_error (-1)
pwp_resp_expired_error (0)
pwp_resp_locked_error (1)
pwp_resp_need_change_error (2)
pwp_resp_mod_not_allowed_error (3)
pwp_resp_give_old_error (4)
pwp_resp_bad_qa_error (5)
pwp_resp_too_short_error (6)
pwp_resp_too_young_error (7)
pwp_resp_in_hist_error (8)
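The following Python decoder is an added example, not code from this guide or from the product. It parses a {tii} control value and rejects malformed input, assuming the format string follows the ber_printf/ber_scanf convention: a SEQUENCE whose first integer carries t as a single tag byte, followed by a universal INTEGER for the error. The function names and the sample byte strings are constructed for illustration.

```python
# Added example. Assumed layout: SEQUENCE { [t] warning, INTEGER error }.
WARNINGS = {0x00: "LDAP_PWP_WARNING_RESP_NONE",
            0x01: "LDAP_PWP_WARNING_RESP_EXP",
            0x02: "LDAP_PWP_WARNING_RESP_GRACE"}
ERRORS = ["pwp_resp_expired_error", "pwp_resp_locked_error",
          "pwp_resp_need_change_error", "pwp_resp_mod_not_allowed_error",
          "pwp_resp_give_old_error", "pwp_resp_bad_qa_error",
          "pwp_resp_too_short_error", "pwp_resp_too_young_error",
          "pwp_resp_in_hist_error"]          # list index = error code 0..8

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for one BER element with a one-byte tag."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits count length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("content runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def _int(content):
    if not content:
        raise ValueError("empty integer")
    return int.from_bytes(content, "big", signed=True)   # BER integers are two's complement

def decode_pwp_response(value):
    """Decode the control value into warning type, warning value and error name."""
    tag, seq, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("expected one SEQUENCE spanning the whole value")
    t, warn, pos = _read_tlv(seq, 0)
    err_tag, err, pos = _read_tlv(seq, pos)
    if t not in WARNINGS or err_tag != 0x02 or pos != len(seq):
        raise ValueError("not a {tii} value")
    error = _int(err)
    if not -1 <= error < len(ERRORS):
        raise ValueError("unknown error code")
    return {"warning_type": WARNINGS[t], "warning": _int(warn),
            "error": "pwp_resp_no_error" if error == -1 else ERRORS[error]}

# Constructed sample values, not captured from a server.
EXPIRING = bytes.fromhex("30070102012c0201ff")   # t=EXP, 300 seconds left, no error
LOCKED = bytes.fromhex("30060001ff020101")       # t=NONE, warning -1, account locked
```

A client that receives a value this decoder rejects should treat the account status as unknown rather than assume the absence of warnings or errors.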
The LDAP_CONTROL_ACCOUNT_USABLE control provides account status information on LDAP search operations only.
For information about password policy compatibility issues, see Oracle Directory Server Enterprise Edition Administration Guide.