Skip Navigation Links | |
Exit Print View | |
Oracle Directory Server Enterprise Edition Administration Guide 11g Release 1 (11.1.1.5.0) |
Part I Directory Server Administration
2. Directory Server Instances and Suffixes
3. Directory Server Configuration
6. Directory Server Access Control
7. Directory Server Password Policy
Password Policies and Worksheet
Policy for Password Expiration
Policy for Tracking Last Authentication Time
Worksheet for Defining Password Policy
Managing the Default Password Policy
Correlation Between Password Policy Attributes and dsconf Server Properties
To View Default Password Policy Settings
Managing Specialized Password Policies
To Assign a Password Policy to an Individual Account
To Assign a Password Policy Using Roles and CoS
To Set Up a First Login Password Policy
Modifying Passwords From the Command Line When pwdSafeModify Is TRUE
To Reset a Password With the Password Modify Extended Operation
To Allow Grace Authentications When Passwords Expire
To Set the Look-Through Limit for an Account
To Set the Size Limit for an Account
To Set the Time Limit for an Account
To Set the Idle Timeout for an Account
Setting the Compatibility Mode
Guidelines for Choosing a Compatibility Mode
New Directory Server 11g Release 1 (11.1.1.5.0) Deployment
Migrating a Deployment to Directory Server 11g Release 1 (11.1.1.5.0)
Administrative Password Reset Classification
8. Directory Server Backup and Restore
9. Directory Server Groups, Roles, and CoS
10. Directory Server Replication
13. Directory Server Attribute Value Uniqueness
15. Directory Server Monitoring
Part II Directory Proxy Server Administration
16. Directory Proxy Server Tools
17. Directory Proxy Server Instances
19. Directory Proxy Server Certificates
20. Directory Proxy Server Load Balancing and Client Affinity
21. Directory Proxy Server Distribution
22. Directory Proxy Server Virtualization
23. Virtual Data Transformations
24. Connections Between Directory Proxy Server and Back-End LDAP Servers
25. Connections Between Clients and Directory Proxy Server
26. Directory Proxy Server Client Authentication
27. Directory Proxy Server Logging
28. Directory Proxy Server Monitoring and Alerts
Part III Directory Service Control Center Administration
The default password policy applies to all users in the directory instance who do not have a specialized policy defined. However, the default password policy does not apply to the Directory Manager. See Which Password Policy Applies for details on policy scope.
The default password policy is the one policy that you can configure using the dsconf command. You can also view default password policy by reading cn=Password Policy,cn=config.
This section shows the policy attributes for each policy area and the related dsconf server properties. It also explains how to view and change default password policy settings.
The following table shows the password policy attributes and related dsconf server properties for each password policy area.
|
Note - The properties that correlate to pwdCheckQuality configure the Password Check plug-in. Therefore, the five properties apply to the entire server instance. The five properties thus also apply to other password policies where pwdCheckQuality: 2.
You can view default password policy settings with the dsconf command.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
$ dsconf get-server-prop -h host -p port -v -i \ -w password-file | grep ^pwd-
The password-file contains the password of directory manager.
pwd-accept-hashed-pwd-enabled : N/A pwd-check-enabled : off pwd-compat-mode : DS5-compatible-mode pwd-expire-no-warning-enabled : on pwd-expire-warning-delay : 1d pwd-failure-count-interval : 10m pwd-grace-login-limit : disabled pwd-keep-last-auth-time-enabled : off pwd-lockout-duration : 1h pwd-lockout-enabled : off pwd-lockout-repl-priority-enabled : on pwd-max-age : disabled pwd-max-failure-count : 3 pwd-max-history-count : disabled pwd-min-age : disabled pwd-min-length : 6 pwd-mod-gen-length : 6 pwd-must-change-enabled : off pwd-root-dn-bypass-enabled : off pwd-safe-modify-enabled : off pwd-storage-scheme : SSHA pwd-strong-check-dictionary-path : instance-path/plugins/words-english-big.txt pwd-strong-check-enabled : off pwd-strong-check-require-charset : lower pwd-strong-check-require-charset : upper pwd-strong-check-require-charset : digit pwd-strong-check-require-charset : special pwd-supported-storage-scheme : CRYPT pwd-supported-storage-scheme : SHA256 pwd-supported-storage-scheme : SHA512 pwd-supported-storage-scheme : SHA pwd-supported-storage-scheme : SSHA pwd-supported-storage-scheme : SSHA256 pwd-supported-storage-scheme : SSHA512 pwd-supported-storage-scheme : CLEAR pwd-user-change-enabled : on
You can change the default password policy by setting server properties with the dsconf command.
Note - Before completing this procedure, read and complete the Worksheet for Defining Password Policy.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
For example, the following command allows the Directory Manager to violate the default policy when modifying passwords:
$ dsconf set-server-prop -h host -p port pwd-root-dn-bypass-enabled:on
The following command enables the policy that requires changing the password after a reset:
# dsconf set-server-prop -p 20390 pwd-must-change-enabled:on
Directory Server prevents authentication with a null password. All non-anonymous binds must therefore specify a password to bind to the directory. Otherwise, Directory Server returns an authentication error, LDAP_INAPPROPRIATE_AUTH.
You can disable this feature by setting the server property require-bind-pwd-enabled to off using the dsconf set-server-prop command.
The default value of the Require Bind on Authentication feature is on. Check this by using the following command:
# dsconf get-server-prop -p 20390 -w /tmp/.pwd-file require-bind-pwd-enabled require-bind-pwd-enabled : on
Authenticating with a null password results in the following error message:
# ldapsearch -D cn=altrootdn -w '' -p 20390 -b cn=config 'objectclass=*' dn ldap_simple_bind: Inappropriate authentication ldap_simple_bind: additional info: binds with a dn require a password
Note that this feature does not block anonymous binds:
# ldapsearch -p 20390 -b cn=config 'objectclass=*' dn version: 1 dn: cn=SNMP,cn=config
Disable this feature by setting it to off:
# dsconf set-server-prop -p 20390 -w /tmp/.pwd-file require-bind-pwd-enabled:off # dsconf get-server-prop -p 20390 -w /tmp/.pwd-file require-bind-pwd-enabled require-bind-pwd-enabled : off
This time authenticating with a null password succeeds:
# ldapsearch -D cn=altrootdn -w '' -p 20390 -b cn=config 'objectclass=*' dn version: 1 dn: cn=SNMP,cn=config