Oracle Directory Server Enterprise Edition Administration Guide 11g Release 1 (11.1.1.5.0)
When password policy enforces password expiration, some users will not change their passwords in time. This section shows how you can change passwords that have expired.
Note - Directory Server updates the operational attribute pwdChangedTime(5dsat) every time that the password on the entry is modified. As a result, if you wait to enable password expiration, user passwords that have already aged expire immediately when you enable password expiration. Use warnings and grace logins if this behavior is not what you intend.
This section includes procedures for resetting a password with the password modify extended operation and for allowing grace authentications when passwords expire.
The mechanisms described in this section are intended for use by administrators, or by applications that handle the actual user interaction with the directory. You typically rely on an application to ensure that the end user is in fact using the mechanisms in the way you intended.
User accounts are locked when passwords expire. Resetting the password, which another user such as an administrator can do, unlocks the account. Directory Server supports RFC 3062, the LDAP Password Modify Extended Operation; with it, you can allow a directory administrator or a directory application to unlock accounts through password reset.
Be cautious when allowing use of the password modify extended operation, as shown in this procedure. Limit access to administrators and applications that you trust. Do not allow passwords to travel over the network in clear text.
You cannot use DSCC to perform this task. Use the command line, as described in this procedure.
The following commands set an ACI to allow members of a Password Managers role to use the password modify extended operation when connected over SSL:
$ cat exop.ldif
dn: oid=1.3.6.1.4.1.4203.1.11.1,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 1.3.6.1.4.1.4203.1.11.1
cn: Password Modify Extended Operation
aci: (targetattr != "aci") (version 3.0; acl "Password Modify Extended Operation"; allow( read, search, compare, proxy ) (roledn = "ldap:///cn=Password Managers,dc=example,dc=com" and authmethod = "SSL");)
$ ldapmodify -a -D cn=admin,cn=Administrators,cn=config -w - -f exop.ldif
Enter bind password:
adding new entry oid=1.3.6.1.4.1.4203.1.11.1,cn=features,cn=config
$
The entry under cn=features,cn=config allows you to manage access to operations that use the password modify extended operation.
Resetting the password unlocks the user account; you can complete this step with the ldappasswd(1) command.
Users must change their passwords after reset if the password policy that governs their entries includes pwdMustChange: TRUE.
This procedure describes how to give users grace authentications, allowing users to change passwords that have expired.
The grace authentications are intended to be managed by an application that handles password policy request and response controls. The procedure shows a simple example of how to use the control in an application.
You cannot use DSCC to perform this task. Use the command line, as described in this procedure.
The application should ensure that users handle grace authentications properly.
The following commands set an ACI to allow members of a Password Managers role to use the password policy controls:
$ cat ctrl.ldif
dn: oid=1.3.6.1.4.1.42.2.27.8.5.1,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 1.3.6.1.4.1.42.2.27.8.5.1
cn: Password Policy Controls
aci: (targetattr != "aci") (version 3.0; acl "Password Policy Controls"; allow( read, search, compare, proxy ) roledn = "ldap:///cn=Password Managers,dc=example,dc=com";)
$ ldapmodify -a -D cn=admin,cn=Administrators,cn=config -w - -f ctrl.ldif
Enter bind password:
adding new entry oid=1.3.6.1.4.1.42.2.27.8.5.1,cn=features,cn=config
$
The entry under cn=features,cn=config has the sole purpose of allowing you to manage access to operations that use the password policy request and response controls.
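The two ACIs above only grant access to the features; what an application and ldappasswd actually exchange is defined by RFC 3062 (the password modify request value) and the password policy control (the response value that carries graceAuthNsRemaining or an error such as passwordExpired). As an added example, not code from the Oracle guide, these stdlib-only Python helpers encode the request value and decode the response control value so an application can act on grace logins; all function names are my own, the error names follow the password policy draft, and the DN and password used in the checks are constructed.

```python
# Added example, not from the Oracle guide: pure-stdlib BER helpers.
PWPOLICY_ERRORS = ["passwordExpired", "accountLocked", "changeAfterReset",
                   "passwordModNotAllowed", "mustSupplyOldPassword",
                   "insufficientPasswordQuality", "passwordTooShort",
                   "passwordTooYoung", "passwordInHistory"]

def ber_len(n):
    # BER length: short form below 128, long form (0x8N + N bytes) above
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value

def encode_passwd_modify_request(user_dn=None, old_pw=None, new_pw=None):
    """PasswdModifyRequestValue (RFC 3062): SEQUENCE of optional
    userIdentity [0], oldPasswd [1], newPasswd [2] (primitive context tags)."""
    parts = b""
    for tag, field in ((0x80, user_dn), (0x81, old_pw), (0x82, new_pw)):
        if field is not None:
            parts += tlv(tag, field.encode("utf-8"))
    return tlv(0x30, parts)  # passwords are plain octets here, hence SSL

def read_tlv(buf, pos):
    """Parse one TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_pwpolicy_response(value):
    """PasswordPolicyResponseValue: warning [0] is constructed (0xA0) around
    timeBeforeExpiration [0]/graceAuthNsRemaining [1]; error [1] is ENUMERATED."""
    tag, seq, _ = read_tlv(value, 0)
    assert tag == 0x30, "expected SEQUENCE"
    out, pos = {}, 0
    while pos < len(seq):
        tag, body, pos = read_tlv(seq, pos)
        if tag == 0xA0:
            wtag, wval, _ = read_tlv(body, 0)
            name = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}[wtag]
            out[name] = int.from_bytes(wval, "big")
        elif tag == 0x81:
            out["error"] = PWPOLICY_ERRORS[int.from_bytes(body, "big")]
    return out
```

An application that binds with the password policy request control attached can pass the response control's value to decode_pwpolicy_response and prompt the user for a password change while graceAuthNsRemaining is still above zero.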
Caution - The DS5-compatibility-mode password policy is deprecated. You must switch to DS6-mode password policy in this version.