Oracle Fusion Middleware Administration Guide for Oracle Unified Directory 11g Release 1 (11.1.1) |
11. Managing Password Policies
Configuring Password Policies by Using the Command Line
The easiest way to configure a password policy is to use the dsconfig command to manage the existing password policies and to modify their properties. The following examples use dsconfig to modify various properties of the default password policy.
Example 11-1 Configuring Account Lockout
The following account lockout features can be configured:
Lockout failure count. Specifies the number of consecutive authentication failures required to lock a user account.
Lockout duration. Determines how long the account remains locked after the failure count is reached. When the duration elapses, the account is automatically unlocked. A value of zero indicates that the account is not automatically unlocked; an administrator must clear the lockout.
Lockout failure expiration interval. Determines the maximum length of time that a previous authentication failure continues to count toward the lockout failure count. A value of zero indicates that failed attempts never expire, so failures accumulate indefinitely until a successful bind or an administrative reset.
Idle lockout interval. Specifies the maximum length of time that a user account can go without authenticating to the directory before the server locks the account. This property is enforced only if last-login tracking is enabled (last-login-time-attribute is set, see Example 11-2) and idle-lockout-interval is set to a nonzero value.
The following command sets the account lockout properties for the default password policy.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  set-password-policy-prop \
  --policy-name "Default Password Policy" --set "lockout-failure-count:3" \
  --set "lockout-duration:15 minutes" --set "idle-lockout-interval:90 days" \
  --set "lockout-failure-expiration-interval:10 minutes"
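After applying a lockout configuration, verify it against a throwaway account rather than assuming the properties behave as expected. The script below is an added example and not part of this guide: it drives three deliberately failing binds, reads back the operational attributes the server records (pwdFailureTime for each failure, pwdAccountLockedTime once the account is locked), and clears the lockout from the administration port. The host, ports, Directory Manager credentials, the test user uid=lockout.test,ou=People,dc=example,dc=com and the sample LDIF are assumptions; the sample output is constructed, not captured from a server. The three failures must land inside lockout-failure-expiration-interval (10 minutes in the command above), otherwise the earliest ones stop counting before the third arrives.

```shell
#!/bin/sh
# Added example, not part of the Oracle guide: exercise the lockout settings of
# Example 11-1 and read back the server's view of the account.
# Assumptions (hypothetical): OUD on localhost, LDAP port 1389, admin port 4444,
# the guide's Directory Manager credentials, a throwaway test user
# uid=lockout.test,ou=People,dc=example,dc=com, and the OUD ldapsearch and
# manage-account tools on PATH.

HOST=localhost
LDAP_PORT=1389
ADMIN_PORT=4444
BIND_DN="cn=Directory Manager"
BIND_PW=password
TARGET="uid=lockout.test,ou=People,dc=example,dc=com"

# Perform $1 simple binds as the target user with a wrong password. Each
# failure adds a pwdFailureTime value; with lockout-failure-count:3 the third
# one locks the account. Run them inside lockout-failure-expiration-interval,
# or earlier failures expire and no longer count.
fail_binds() {
    n=$1
    i=0
    while [ "$i" -lt "$n" ]; do
        ldapsearch -h "$HOST" -p "$LDAP_PORT" -D "$TARGET" -w "not-the-password-$i" \
            -b "$TARGET" -s base "(objectclass=*)" 1.1 >/dev/null 2>&1
        i=$((i + 1))
    done
}

# Read the account's password-policy state as an administrator. pwdFailureTime,
# pwdAccountLockedTime and ds-pwp-last-login-time are operational attributes,
# so they are returned only when requested by name.
fetch_state() {
    ldapsearch -h "$HOST" -p "$LDAP_PORT" -D "$BIND_DN" -w "$BIND_PW" \
        -b "$TARGET" -s base "(objectclass=*)" \
        pwdFailureTime pwdAccountLockedTime ds-pwp-last-login-time
}

# Summarise an LDIF entry on stdin as "<failure count> locked|unlocked".
# Pure text processing, so it also runs offline on captured output.
lockout_summary() {
    awk '
        tolower($1) == "pwdfailuretime:"       { failures++ }
        tolower($1) == "pwdaccountlockedtime:" { locked = 1 }
        END { printf "%d %s\n", failures, (locked ? "locked" : "unlocked") }
    '
}

# Clear the failure history (and with it the lockout) from the admin port
# instead of waiting for lockout-duration to elapse.
unlock() {
    manage-account -h "$HOST" -p "$ADMIN_PORT" -D "$BIND_DN" -w "$BIND_PW" \
        clear-authentication-failure-times --targetDN "$TARGET"
}

# Constructed sample of fetch_state output after three bad binds (not captured
# from a real server); used to check lockout_summary without a server.
SAMPLE_LOCKED='dn: uid=lockout.test,ou=People,dc=example,dc=com
pwdFailureTime: 20240102100501Z
pwdFailureTime: 20240102100503Z
pwdFailureTime: 20240102100505Z
pwdAccountLockedTime: 20240102100505Z
'

# Run "sh lockout-check.sh live" against a real instance; with no argument only
# the functions are defined.
if [ "${1:-}" = "live" ]; then
    fail_binds 3
    fetch_state | lockout_summary
    unlock
fi
```

Against a live server the summary after three failures should read "3 locked"; a count of 3 with "unlocked" means the failures were spread over more than the expiration interval, and a lower count means some binds did not reach the server. Keep the test user in a non-privileged branch, since the script deliberately trips the lockout.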
Example 11-2 Configuring Last Login
Last login is a basic security feature that records when each user last authenticated; it is also the input for idle-lockout-interval (Example 11-1). The directory server provides an operational attribute, ds-pwp-last-login-time, that holds the user's last login time. If you specify a different attribute, it must be defined in the server schema as an operational attribute, or it must be allowed by at least one of the object classes in the user's entry.
The last-login-time-format property determines the time format in which the value is written. If you change the format while last login is enabled, add the old format to the previous-last-login-time-format property so that the server can still parse values written before the change; otherwise existing last-login values cannot be evaluated for idle lockout.
The following command sets the last login properties for the default password policy.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  set-password-policy-prop \
  --policy-name "Default Password Policy" \
  --set "last-login-time-attribute:ds-pwp-last-login-time" \
  --set "last-login-time-format:yyyyMMdd" \
  --set "previous-last-login-time-format:yyyyMMdd"
Example 11-3 Configuring Password History Count and Duration
The password-history-count property specifies the number of previous passwords that are kept in the user's history; a new password that matches any of them is rejected. A value of zero indicates that the server does not keep a count-based history.
The password-history-duration property specifies the maximum length of time that a previously used password remains in the user's history. A value of 0 seconds disables the age-based limit, so the history is then governed by password-history-count alone; when both properties are zero, the server keeps no password history.
The following command configures password history count and duration for the default password policy.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  set-password-policy-prop \
  --policy-name "Default Password Policy" --set "password-history-count:3" \
  --set "password-history-duration:5 seconds"
The values above only illustrate the syntax. A duration of 5 seconds lets a previous password drop out of the history almost immediately, so it provides no protection against reuse; choose a duration that covers the period over which reuse must be blocked (several max-password-age periods is a common choice), or rely on password-history-count alone.
To Create a New Password Policy
You can configure and store multiple password policies with different settings. When you set up a directory server instance, the instance uses the default password policy and applies it to all user entries except root users (for example, the cn=Directory Manager account), which are governed by a separate root user password policy.
You can change the default password policy, or you can create new password policies for specific groups in your directory. If a property is not set in a password policy, the server takes its value from the default password policy; in other words, all password policies inherit their default values from the Default Password Policy.
The following command creates a new password policy and sets the default-password-storage-scheme, lockout-duration, lockout-failure-count, and password-change-requires-current-password properties. The remaining properties are inherited from the default Password Policy.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  create-password-policy \
  --policy-name "Temp Password Policy" --set password-attribute:userPassword \
  --set default-password-storage-scheme:"Salted SHA-1" \
  --set lockout-duration:300s --set lockout-failure-count:3 \
  --set password-change-requires-current-password:true
The Salted SHA-1 scheme shown here is weak by current standards. For a new policy, pick the strongest scheme your server offers (list them with dsconfig list-password-storage-schemes) and keep in mind that the scheme applies only to passwords set or changed after the policy takes effect; passwords already stored under another scheme are not rehashed until the user next changes them, or, if you list the old scheme in deprecated-password-storage-scheme, on the user's next successful bind.
To Create a First Login Password Policy
The First Login Password Policy is a specialized password policy that requires users to change their password the first time they log in. Typically, an administrator sets a temporary password on a newly created account, and the user must choose a new password after logging in with the temporary one. In the policy below, force-change-on-add and force-change-on-reset trigger the mandatory change, and max-password-age:259200 (three days) limits how long an unused temporary password stays valid.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  create-password-policy \
  --policy-name "First Login Password Policy" --set password-attribute:userpassword \
  --set default-password-storage-scheme:"Salted SHA-1" \
  --set allow-user-password-changes:true --set force-change-on-add:true \
  --set force-change-on-reset:true --set expire-password-without-expiration:false \
  --set password-expiration-warning-interval:86400 \
  --set min-password-age:0 --set max-password-age:259200 --set lockout-duration:3600 \
  --set lockout-failure-count:3 --set password-change-requires-current-password:true
To Assign a Password Policy to an Individual Account
You can assign a password policy to an individual user by adding the ds-pwp-password-policy-dn attribute to the user's entry. The server then applies the referenced policy to that user instead of the default. The ldapmodify command reads the LDIF change record from standard input:
$ ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password
dn: uid=mgarcia,ou=Contractors,dc=example,dc=com
changetype: modify
add: ds-pwp-password-policy-dn
ds-pwp-password-policy-dn: cn=Temp Password Policy,cn=Password Policies,cn=config
To confirm the assignment, request the attribute explicitly; it is an operational attribute and is not returned by a search that asks for all user attributes:
$ ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password \
  -b "dc=example,dc=com" -s sub "(uid=mgarcia)" ds-pwp-password-policy-dn
To Prevent Password Policy Modifications
If users are allowed to write to their own entries, they must not be able to change the attribute that selects their password policy, otherwise a user could point the entry at a weaker policy. Add an ACI to the root entry of the suffix that grants self-write on the entry while excluding ds-pwp-password-policy-dn (the attribute used in the previous procedure) and passwordPolicySubentry:
$ ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr != "ds-pwp-password-policy-dn || passwordPolicySubentry")(version 3.0; acl "Allow self modification except for password policy attributes"; allow (write) (userdn = "ldap:///self");)
Two points to check before relying on this ACI. First, it grants users write access to every other attribute in their entry; if you only intend to allow self-service password changes, narrow targetattr to the attributes you actually want writable. Second, access control is permissive: an operation is allowed if any applicable ACI allows it and none denies it. If another ACI already grants users write access to all attributes (for example, an earlier (targetattr = "*") self-write rule), the exclusion here has no effect, and you must either remove that rule or add an explicit deny for the password policy attributes.
To Assign a Password Policy to a Group of Users
You can assign a password policy to a group of users by creating a virtual attribute that supplies the ds-pwp-password-policy-dn attribute for every user entry that matches its criteria. The criteria can be based entirely or in part on the user's group membership.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  create-virtual-attribute \
  --name "Add PWPolicy to Admins" --type user-defined --set enabled:true \
  --set attribute-type:ds-pwp-password-policy-dn \
  --set group-dn:cn=Admins,ou=Groups,dc=example,dc=com \
  --set conflict-behavior:real-overrides-virtual \
  --set value:"cn=Admins PWPolicy,cn=Password Policies,cn=config"
With conflict-behavior:real-overrides-virtual, a ds-pwp-password-policy-dn value stored in an entry takes precedence over the group-based value, which is why the ACI in the previous procedure matters: a member of the group who could write that attribute could opt out of the group policy. The virtual value is computed at read time and is not stored in the entry, so verify the assignment with a search that requests ds-pwp-password-policy-dn explicitly for a member of the group.
To Delete a Password Policy
You can delete any password policy except the Default Password Policy and the Default Root User Policy when it is no longer needed.
In practice, first find the users whose entries reference the password policy you plan to delete, move them to another password policy, and only then remove the old one. If a password policy is deleted while entries still reference it, those entries keep a ds-pwp-password-policy-dn value that points to a policy that no longer exists, and the server returns an error for operations on those entries, including bind attempts by the affected users, because the referenced policy cannot be resolved.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  delete-password-policy --policy-name "Temp Password Policy"
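The deletion procedure above is easy to get wrong by hand when many entries reference the policy. The following script is an added example, not part of this guide: it searches for every entry whose stored ds-pwp-password-policy-dn points at the policy being retired, generates an LDIF change record that re-points each of them at a replacement policy, applies it, refuses to delete while any reference remains, and only then runs delete-password-policy. Host, ports, credentials, the policy names and the sample search output are assumptions (the sample is constructed, not captured from a server). Only explicitly assigned values are found this way; entries that receive the policy through a virtual attribute are handled by changing or deleting that virtual attribute instead.

```shell
#!/bin/sh
# Added example, not part of the Oracle guide: move every entry that references
# a password policy to another policy, then delete the old policy.
# Assumptions (hypothetical): OUD on localhost, LDAP port 1389, admin port 4444,
# the guide's Directory Manager credentials, and the OUD ldapsearch, ldapmodify
# and dsconfig tools on PATH.

HOST=localhost
LDAP_PORT=1389
ADMIN_PORT=4444
BIND_DN="cn=Directory Manager"
BIND_PW=password
BASE_DN="dc=example,dc=com"
OLD_POLICY="cn=Temp Password Policy,cn=Password Policies,cn=config"
OLD_POLICY_NAME="Temp Password Policy"
NEW_POLICY="cn=Default Password Policy,cn=Password Policies,cn=config"

# Extract the DN of every entry in LDIF on stdin, one per line. LDIF folds long
# values onto continuation lines that start with a space, so lines are
# unfolded before the "dn:" prefix is stripped.
extract_dns() {
    awk '
        function flush() {
            if (tolower(substr(buf, 1, 3)) == "dn:") {
                buf = substr(buf, 4)
                sub(/^[ \t]+/, "", buf)
                print buf
            }
            buf = ""
        }
        /^ / { buf = buf substr($0, 2); next }
        { flush(); buf = $0 }
        END { flush() }
    '
}

# DNs of entries whose stored ds-pwp-password-policy-dn is the old policy.
# "1.1" asks for no attributes, so only the dn lines come back.
find_assigned() {
    ldapsearch -h "$HOST" -p "$LDAP_PORT" -D "$BIND_DN" -w "$BIND_PW" \
        -b "$BASE_DN" -s sub "(ds-pwp-password-policy-dn=$OLD_POLICY)" 1.1 \
        | extract_dns
}

# Turn DNs on stdin (one per line) into LDIF change records that replace
# ds-pwp-password-policy-dn with $1. "replace" overwrites the old value,
# so no separate delete of the old value is needed.
migration_ldif() {
    new_policy=$1
    while IFS= read -r dn; do
        [ -n "$dn" ] || continue
        printf 'dn: %s\nchangetype: modify\nreplace: ds-pwp-password-policy-dn\nds-pwp-password-policy-dn: %s\n\n' \
            "$dn" "$new_policy"
    done
}

migrate_and_delete() {
    find_assigned | migration_ldif "$NEW_POLICY" \
        | ldapmodify -h "$HOST" -p "$LDAP_PORT" -D "$BIND_DN" -w "$BIND_PW"
    # Never delete a policy that is still referenced: affected users would be
    # unable to bind until the dangling reference is fixed.
    if [ -n "$(find_assigned)" ]; then
        echo "entries still reference $OLD_POLICY; not deleting" >&2
        return 1
    fi
    dsconfig -h "$HOST" -p "$ADMIN_PORT" -D "$BIND_DN" -w "$BIND_PW" -n \
        delete-password-policy --policy-name "$OLD_POLICY_NAME"
}

# Constructed sample of ldapsearch output (not captured from a server) for
# checking extract_dns offline.
SAMPLE_SEARCH='dn: uid=mgarcia,ou=Contractors,dc=example,dc=com

dn: uid=jsmith,ou=Contractors,dc=example,dc=com

'

# Run "sh migrate-policy.sh live" against a real instance; with no argument
# only the functions are defined.
if [ "${1:-}" = "live" ]; then
    migrate_and_delete
fi
```

Run it once as a dry run by replacing the ldapmodify and dsconfig invocations with cat to inspect the generated LDIF, and take a backup of the affected entries first; the replace modification is not reversible from the script.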