JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Directory Server Enterprise Edition Administration Guide 11g Release 1 (11.1.1.5.0)
search filter icon
search icon

Document Information

Preface

Part I Directory Server Administration

1.  Directory Server Tools

2.  Directory Server Instances and Suffixes

3.  Directory Server Configuration

4.  Directory Server Entries

5.  Directory Server Security

6.  Directory Server Access Control

7.  Directory Server Password Policy

Password Policies and Worksheet

Password Policy Settings

Policy for Account Lockout

Policy for Password Changes

Policy for Password Content

Policy for Password Expiration

Policy for Tracking Last Authentication Time

Worksheet for Defining Password Policy

Managing the Default Password Policy

Correlation Between Password Policy Attributes and dsconf Server Properties

To View Default Password Policy Settings

To Change Default Password Policy Settings

Preventing Binds With No Password

Managing Specialized Password Policies

Which Password Policy Applies

To Create a Password Policy

To Assign a Password Policy to an Individual Account

To Assign a Password Policy Using Roles and CoS

To Set Up a First Login Password Policy

Modifying Passwords From the Command Line When pwdSafeModify Is TRUE

Resetting Expired Passwords

To Reset a Password With the Password Modify Extended Operation

To Allow Grace Authentications When Passwords Expire

Setting Account Properties

To Set the Look-Through Limit for an Account

To Set the Size Limit for an Account

To Set the Time Limit for an Account

To Set the Idle Timeout for an Account

Manually Locking Accounts

To Check Account Status

To Render Accounts Inactive

To Reactivate Accounts

Password Policy Compatibility

Setting the Compatibility Mode

Guidelines for Choosing a Compatibility Mode

New Directory Server 11g Release 1 (11.1.1.5.0) Deployment

Migrating a Deployment to Directory Server 11g Release 1 (11.1.1.5.0)

Administrative Password Reset Classification

8.  Directory Server Backup and Restore

9.  Directory Server Groups, Roles, and CoS

10.  Directory Server Replication

11.  Directory Server Schema

12.  Directory Server Indexing

13.  Directory Server Attribute Value Uniqueness

14.  Directory Server Logging

15.  Directory Server Monitoring

Part II Directory Proxy Server Administration

16.  Directory Proxy Server Tools

17.  Directory Proxy Server Instances

18.  LDAP Data Views

19.  Directory Proxy Server Certificates

20.  Directory Proxy Server Load Balancing and Client Affinity

21.  Directory Proxy Server Distribution

22.  Directory Proxy Server Virtualization

23.  Virtual Data Transformations

24.  Connections Between Directory Proxy Server and Back-End LDAP Servers

25.  Connections Between Clients and Directory Proxy Server

26.  Directory Proxy Server Client Authentication

27.  Directory Proxy Server Logging

28.  Directory Proxy Server Monitoring and Alerts

Part III Directory Service Control Center Administration

29.  Directory Service Control Center Configuration

Index

Managing the Default Password Policy

The default password policy applies to all users in the directory instance who do not have a specialized policy defined. However, the default password policy does not apply to the Directory Manager. See Which Password Policy Applies for details on policy scope.

The default password policy is the one policy that you can configure using the dsconf command. You can also view default password policy by reading cn=Password Policy,cn=config.

This section shows the policy attributes for each policy area and the related dsconf server properties. It also explains how to view and change default password policy settings.

Correlation Between Password Policy Attributes and dsconf Server Properties

The following table shows the password policy attributes and related dsconf server properties for each password policy area.

Policy Area
Policy Attribute
dsconf Server Property
Account Lockout
pwdFailureCountInterval
pwd-failure-count-interval
pwdLockout
pwd-lockout-enabled
pwdLockoutDuration
pwd-lockout-duration
pwdMaxFailure
pwd-max-failure-count
Password Changes
passwordRootdnMayBypassModsChecks
pwd-root-dn-bypass-enabled
pwdAllowUserChange
pwd-user-change-enabled
pwdInHistory
pwd-max-history-count
pwdMinAge
pwd-min-age
pwdMustChange
pwd-must-change-enabled
pwdSafeModify
pwd-safe-modify-enabled
Password Content
pwdCheckQuality
pwd-check-enabled, pwd-accept-hashed-password-enabled, pwd-strong-check-dictionary-path, pwd-strong-check-enabled, pwd-strong-check-require-charset
pwdMinLength
pwd-min-length
passwordStorageScheme
pwd-storage-scheme
Password Expiration
pwdExpireWarning
pwd-expire-warning-delay
pwdGraceAuthNLimit
pwd-grace-login-limit
pwdMaxAge
pwd-max-age
Tracking Last Authentication Time
pwdKeepLastAuthTime
pwd-keep-last-auth-time-enabled

Note - The properties that correlate to pwdCheckQuality configure the Password Check plug-in. Therefore, the five properties apply to the entire server instance. The five properties thus also apply to other password policies where pwdCheckQuality: 2.


To View Default Password Policy Settings

You can view default password policy settings with the dsconf command.

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

To Change Default Password Policy Settings

You can change the default password policy by setting server properties with the dsconf command.


Note - Before completing this procedure, read and complete the Worksheet for Defining Password Policy.


You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Translate the settings from your worksheet into dsconf command property settings.
  2. Use the dsconf set-server-prop command to change default password policy properties appropriately.

    For example, the following command allows the Directory Manager to violate the default policy when modifying passwords:

    $ dsconf set-server-prop -h host -p port pwd-root-dn-bypass-enabled:on

    The following command enables the policy that requires changing the password after a reset:

    # dsconf set-server-prop  -p 20390 pwd-must-change-enabled:on

Preventing Binds With No Password

Directory Server prevents authentication with a null password. All non-anonymous binds must therefore specify a password to bind to the directory. Otherwise, Directory Server returns an authentication error, LDAP_INAPPROPRIATE_AUTH.

You can disable this feature by setting the server property require-bind-pwd-enabled to off using the dsconf set-server-prop command.

The default value of the Require Bind on Authentication feature is on. Check this by using the following command:

# dsconf get-server-prop -p 20390 -w /tmp/.pwd-file require-bind-pwd-enabled
require-bind-pwd-enabled  :  on

Authenticating with a null password results in the following error message:

# ldapsearch -D cn=altrootdn -w '' -p 20390 -b cn=config 'objectclass=*' dn
ldap_simple_bind: Inappropriate authentication
ldap_simple_bind: additional info: binds with a dn require a password

Note that this feature does not block anonymous binds:

# ldapsearch -p 20390 -b cn=config 'objectclass=*' dn
version: 1
dn: cn=SNMP,cn=config

Disable this feature by setting it to off:

# dsconf set-server-prop -p 20390 -w /tmp/.pwd-file require-bind-pwd-enabled:off
# dsconf get-server-prop -p 20390 -w /tmp/.pwd-file require-bind-pwd-enabled
require-bind-pwd-enabled  :  off

This time authenticating with a null password succeeds:

# ldapsearch -D cn=altrootdn -w '' -p 20390 -b cn=config 'objectclass=*' dn
version: 1
dn: cn=SNMP,cn=config