A password policy is a set of rules governing the use of passwords in the system and is an integral component of any security strategy employed for your directory.
Oracle Unified Directory includes a default password policy for general users and a default root users password policy. These default password policies reside in the directory server's configuration and can be modified.
Oracle Unified Directory supports multiple password policies, so you can create and configure specialized password policies for a specific set of users in addition to using the default password policies. Customized password policies can be defined as LDAP subentries, and stored with the user data, which allows them to be replicated across servers.
This chapter outlines the components of password policies and provides procedures to configure and manage password policies. The chapter covers the following topics:
Section 24.3, "Password Policies in a Replicated Environment"
Section 24.4, "Configuring Password Policies by Using the Command Line"
Section 24.5, "Configuring Password Policies by Using Oracle Directory Services Manager"
All password policies involve the following configurable components:
Password complexity requirements. Specifies the composition of the password and its required number of characters. Typically, you would specify the minimum number of characters used in a password, the type of characters allowed, and the required number of numeric characters. For example, many institutions require a minimum of seven or eight characters, one numeral, one special character, as well as a mix of uppercase and lowercase letters.
Password history. Determines the number of unique passwords a user must use before an old password can be reused.
Maximum password age. Determines how long a password can be used before the user is allowed or required to change it.
Minimum password age. Determines how long a new password must be kept before the user can change it.
First Login. Determines if the user will be required to change his password upon first logging in to the system.
Authorized password change. Refers to the conditions under which a user can change his password. For example, before a user can change his password, the server can be configured to require the user to enter his current password to authenticate his identity before entering a new password.
Account lockout. Determines the conditions under which the server locks an account so that its user can no longer authenticate. For example, the server can be configured to lock an account after three consecutive failed authentication attempts, so that the fourth attempt is rejected even if it carries the correct password. Depending on the configured lockout duration, the account is either unlocked automatically after a fixed period or remains locked until an administrator unlocks it manually.
Password storage scheme. Determines how the password is hashed (or otherwise encoded) before it is stored on the server. You can configure different storage schemes for different password policies. For example, root user passwords warrant the strongest scheme available because of the privileges of the account, so you can configure the Salted SHA-512 (SSHA-512) storage scheme for the root password policy. Note that the Default Password Policy ships with Salted SHA-1, which is no longer recommended for password storage; moving general users to a salted SHA-2 scheme such as SSHA-512 is a common first hardening step.
Password validation is not handled directly in the password policy, but by specific password validator entries, the DNs of which are present in the password policy. For more information, see Section 24.6, "Password Validators".
The Default Password Policy includes a number of configurable properties. These are listed in the following table, in the order in which dsconfig prints them.
Property | Description |
---|---|
account-status-notification-handler | The account status notification handler is used to send messages when events occur during the course of password policy processing. This property specifies the DNs of the account status notification handlers that should be used for this password policy. |
allow-expired-password-changes | Not recommended. Indicates whether users are allowed to change their passwords after the passwords have expired. The user needs to issue the request anonymously and include the current password in the request. If this property is enabled, this feature uses the Password Modify Extended Operation, which is enabled by default at initial configuration. |
allow-user-password-changes | Indicates whether users are allowed to change their own passwords if they have access control rights to do so. |
default-password-storage-scheme | Specifies the DNs for the password storage schemes that are used to encode clear-text passwords for this password policy. |
deprecated-password-storage-scheme | Specifies the DNs for password storage schemes that are considered deprecated for this password policy. If a user with this password policy authenticates to the server and the password is encoded with any deprecated scheme, those values are removed and replaced with values encoded using the default password storage scheme. |
expire-passwords-without-warning | Indicates whether user passwords are allowed to expire even if the user has not yet seen a password expiration warning. If this is set to |
force-change-on-add | Indicates whether users are required to change their passwords the first time they use their accounts and before they are allowed to perform any other operation. |
force-change-on-reset | Indicates whether users are required to change their passwords after an administrative password reset and before they are allowed to perform any other operation. |
grace-login-count | Specifies the maximum number of grace logins that a user should be given. A grace login makes it possible for a user to authenticate to the server even after the password has expired, but the user is not allowed to do anything else until the password has been changed. |
idle-lockout-interval | Specifies the maximum length of time that a user account can remain idle (that is, that the user may go without authenticating to the directory) before the server locks the account. This action is enforced if |
last-login-time-attribute | Specifies the name of the attribute in the user's entry that is used to hold the last login time for the user. If this is provided, the specified attribute must either be defined as an operational attribute in the server schema, or it must be allowed by at least one of the object classes in the user's entry. The |
last-login-time-format | Specifies the format string that should be used to generate the last login time values. This can be any valid format string that can be used in conjunction with the |
lockout-duration | Specifies the length of time that a user account should remain locked due to failed authentication attempts before it is automatically unlocked. A value of " |
lockout-failure-count | Specifies the number of authentication failures required to lock a user account, either temporarily or permanently. A value of zero indicates that automatic lockout is not enabled. |
lockout-failure-expiration-interval | Specifies the maximum length of time that a previously failed authentication attempt should be counted toward a lockout failure. Note that the record of all previous failed attempts is always cleared upon a successful authentication. A value of " |
max-password-age | Specifies the maximum length of time that a user is allowed to keep the same password before choosing a new one. This is often known as the password expiration interval. A value of " |
max-password-reset-age | Specifies the maximum length of time that users are allowed to change their passwords after they have been administratively reset and before they are locked out. This is only applicable if the |
min-password-age | Specifies the minimum length of time that a user is required to have a password value before it can be changed again. Providing a nonzero value ensures that users are not allowed to repeatedly change their passwords in order to flush their previous password from the history so it can be reused. |
password-attribute | Specifies the attribute in the user's entry that holds the encoded passwords for the user. The specified attribute must be defined in the server schema, and it must have either the user password syntax or the authentication password syntax. Typically, you enter "userPassword" for the User Password syntax (OID: |
password-change-requires-current-password | Indicates whether users are required to provide their current password when setting a new password. If this is set to |
password-expiration-warning-interval | Specifies the length of time before the password expires that the users should start to receive notification that it is about to expire. This must be given a nonzero value if the |
password-generator | Specifies the DN for the password generator that should be used in conjunction with this password policy. The password generator is used in conjunction with the password modify extended operation to provide a new password for cases in which the client did not include one in the request. If no password generator DN is specified, then the password modify extended operation does not automatically generate passwords for users. |
password-history-count | Specifies the maximum number of password values that should be maintained in the password history. Whenever a user's password is changed, the server checks the proposed new password against the current password and all passwords stored in the history. If a match is found, then the user is not allowed to use that new password. A value of zero indicates either that the server should not maintain a password history (that is, the password history duration has a value of " |
password-history-duration | Specifies the maximum length of time that a formerly used password should remain in effect in the user's password history. Whenever a user's password is changed, the server checks the proposed new password against the current password and all passwords stored in the history. If a match is found, the user is not allowed to use that new password. A value of " |
password-validator | Specifies the DNs for password validators that should be used in conjunction with this password policy. The password validators are invoked whenever a user attempts to provide a new password in order to determine whether that new password is acceptable. |
previous-last-login-time-format | Specifies the format string that was used in the past for older last login time values. This value is not necessary unless the last login time feature is enabled and the format in which the values are stored has been changed. |
require-change-by-time | Specifies a time by which all users with this password policy are required to change their passwords. This option works independently of password expiration (that is, it forces all users to change their passwords at some point even if password expiration is disabled). |
require-secure-authentication | Indicates whether users with this password policy are required to authenticate in a secure manner using a secure communication mechanism like SSL, or a secure SASL mechanism like DIGEST-MD5, EXTERNAL, or GSSAPI that does not expose the password in the clear. (DIGEST-MD5 has since been declared obsolete by RFC 6331; prefer a TLS-protected bind, EXTERNAL, or GSSAPI.) |
require-secure-password-changes | Indicates whether users with this password policy are required to make password changes in a secure manner, such as over a secure communication channel like SSL. |
You can view the properties of the default password policy by using the dsconfig command, or by using ODSM.
To view the properties by using dsconfig, run the following command:
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  get-password-policy-prop --policy-name "Default Password Policy"
Property                                  : Value(s)
------------------------------------------:--------------------------
account-status-notification-handler       : -
allow-expired-password-changes            : false
allow-user-password-changes               : true
default-password-storage-scheme           : Salted SHA-1
deprecated-password-storage-scheme        : -
expire-passwords-without-warning          : false
force-change-on-add                       : false
force-change-on-reset                     : false
grace-login-count                         : 0
idle-lockout-interval                     : 0 s
last-login-time-attribute                 : -
last-login-time-format                    : -
lockout-duration                          : 0 s
lockout-failure-count                     : 0
lockout-failure-expiration-interval       : 0 s
max-password-age                          : 0 s
max-password-reset-age                    : 0 s
min-password-age                          : 0 s
password-attribute                        : userpassword
password-change-requires-current-password : false
password-expiration-warning-interval      : 5 d
password-generator                        : Random Password Generator
password-history-count                    : 0
password-history-duration                 : 0 s
password-validator                        : -
previous-last-login-time-format           : -
require-change-by-time                    : -
require-secure-authentication             : false
require-secure-password-changes           : false
To view any advanced properties, include the --advanced option, as follows:
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  get-password-policy-prop --policy-name "Default Password Policy" --advanced
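The shipped defaults above are permissive: no lockout, no validators, no history, Salted SHA-1, and cleartext binds and password changes accepted. The following Python script is an added example for this page, not part of the Oracle documentation or of Oracle Unified Directory. It parses the get-password-policy-prop table (the sample embedded below is a constructed copy of the output shown above) and reports the settings a reviewer would question. The ranking of storage schemes weaker than salted SHA-2 is this script's own heuristic, not a product setting. Because configuration is not replicated, run it against the saved output from every server in the topology.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the get-password-policy-prop output for an unmodified Default
# Password Policy, copied from the command output above so the audit runs offline.
SAMPLE_OUTPUT = """\
Property                                  : Value(s)
------------------------------------------:--------------------------
account-status-notification-handler       : -
allow-expired-password-changes            : false
allow-user-password-changes               : true
default-password-storage-scheme           : Salted SHA-1
deprecated-password-storage-scheme        : -
expire-passwords-without-warning          : false
force-change-on-add                       : false
force-change-on-reset                     : false
grace-login-count                         : 0
idle-lockout-interval                     : 0 s
last-login-time-attribute                 : -
last-login-time-format                    : -
lockout-duration                          : 0 s
lockout-failure-count                     : 0
lockout-failure-expiration-interval       : 0 s
max-password-age                          : 0 s
max-password-reset-age                    : 0 s
min-password-age                          : 0 s
password-attribute                        : userpassword
password-change-requires-current-password : false
password-expiration-warning-interval      : 5 d
password-generator                        : Random Password Generator
password-history-count                    : 0
password-history-duration                 : 0 s
password-validator                        : -
previous-last-login-time-format           : -
require-change-by-time                    : -
require-secure-authentication             : false
require-secure-password-changes           : false
"""

_UNIT_SECONDS = {"ms": 0.001, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_props(text: str) -> Dict[str, str]:
    """Turn the 'Property : Value(s)' table into a dict. A value of '-' means unset."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^([a-z][a-z0-9-]*)\s*:\s*(.*?)\s*$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def seconds(value: str) -> float:
    """Convert a dsconfig duration such as '5 d' or '0 s' to seconds."""
    m = re.fullmatch(r"(\d+)\s*(ms|s|m|h|d|w)", value.strip())
    if not m:
        raise ValueError(f"not a duration: {value!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def audit(props: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (level, property, message) findings; level is 'weak' or 'note'."""
    findings: List[Tuple[str, str, str]] = []
    if int(props["lockout-failure-count"]) == 0:
        findings.append(("weak", "lockout-failure-count",
                         "automatic lockout disabled: online password guessing is not throttled"))
    elif seconds(props["lockout-duration"]) == 0:
        findings.append(("note", "lockout-duration",
                         "locked accounts stay locked until an administrator unlocks them"))
    # Heuristic of this script: anything weaker than a salted SHA-2 scheme needs review.
    scheme = props["default-password-storage-scheme"]
    if not re.search(r"SHA-(256|384|512)", scheme):
        findings.append(("weak", "default-password-storage-scheme",
                         f"{scheme!r}: prefer Salted SHA-512 (SSHA-512)"))
    if int(props["password-history-count"]) == 0 and seconds(props["password-history-duration"]) == 0:
        findings.append(("weak", "password-history-count", "no history: old passwords can be reused at once"))
    if props["password-validator"] == "-":
        findings.append(("weak", "password-validator", "no validators: any new password is accepted"))
    for prop, what in (("require-secure-authentication", "simple binds"),
                       ("require-secure-password-changes", "password changes")):
        if props[prop] != "true":
            findings.append(("weak", prop, f"{what} over cleartext LDAP are accepted"))
    if props["allow-expired-password-changes"] == "true":
        findings.append(("weak", "allow-expired-password-changes", "documented as not recommended"))
    if seconds(props["max-password-age"]) == 0:
        findings.append(("note", "max-password-age", "passwords never expire"))
    return findings


if __name__ == "__main__":
    for level, prop, msg in audit(parse_props(SAMPLE_OUTPUT)):
        print(f"[{level}] {prop}: {msg}")
```

To audit a live server, redirect the output of the dsconfig command above into a file and pass its contents to parse_props. Password expiry is reported only as a note: a nonzero max-password-age is a policy decision, not a defect.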
To view the properties of the default password policy by using ODSM, do the following:
Connect to the directory server from ODSM, as described in Section 18.2, "Connecting to the Server From Oracle Directory Services Manager".
Select the Security tab.
Expand the Password Policy element.
Select Default Password Policy.
The password policy properties, and their values, are displayed in the right-hand pane.
You can modify the properties of the default password policy by using the dsconfig command, or by using ODSM.
To modify the properties by using dsconfig, run the following command:
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  set-password-policy-prop --policy-name "Default Password Policy" \
  --set allow-expired-password-changes:true
To modify the properties of the default password policy by using ODSM, do the following:
Connect to the directory server from ODSM, as described in Section 18.2, "Connecting to the Server From Oracle Directory Services Manager".
Select the Security tab.
Expand the Password Policy element.
Select Default Password Policy.
The password policy properties, and their values, are displayed in the right-hand pane.
Modify the required property and click Apply.
You cannot display or modify advanced properties by using ODSM.
The password policies that reside in the directory server configuration (under cn=config) are not replicated. Configuration information in general is not replicated and is specific to each directory server instance. If you modify the default password policy, you must make the same changes on each directory server instance in a replicated topology. Similarly, specialized password policies under cn=config are not replicated to other directory servers.
Password policies that are created as subentries (that is, as part of the data) are replicated. For information about creating password policies as subentries, see Section 24.4.7, "To Define a Password Policy as an LDAP Subentry".
Additional considerations for using password policies in replicated environments include the following:
The directory server replicates all password information (current password, password history, password expiration) that is stored in the user entry.
If a user changes his password, the new password might take a while to be updated on all replicas.
A user might receive multiple password expiration warnings, one from each replicated server.
The easiest way to configure a password policy is by using the dsconfig command to manage the existing password policies and to modify the password policy properties.
This section covers the following topics:
Section 24.4.4, "To Assign a Password Policy to an Individual Account"
Section 24.4.6, "To Assign a Password Policy to a Group of Users"
Section 24.4.7, "To Define a Password Policy as an LDAP Subentry"
The following examples use dsconfig to modify various properties of the default password policy.
Example 24-1 Configuring Account Lockout
The following account lockout features can be configured:
Lockout failure count. Specifies the number of authentication failures required to lock a user account.
Lockout duration. Determines the length of time that the account is in a locked state after failed authentication attempts. After the duration time, the account is automatically unlocked. A value of zero indicates that the account is not be automatically unlocked.
Lockout failure expiration interval. Determines the maximum length of time that a previously failed authentication attempt should be counted toward a lockout failure. A value of zero indicates that failed attempts never automatically expire.
Idle lockout interval. Specifies the maximum length of time that a user account can go without authenticating to the directory before the server locks the account. This property is enforced only if last-login-time-attribute is configured (the server needs a recorded last login time to measure idleness) and idle-lockout-interval is set to a nonzero value.
The following command sets the account lockout properties for the default password policy. The 90-day idle lockout has no effect until a last login time attribute is configured, as in Example 24-2.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -n \
  set-password-policy-prop \
  --policy-name "Default Password Policy" --set "lockout-failure-count:3" \
  --set "lockout-duration:15 minutes" --set "idle-lockout-interval:90 days" \
  --set "lockout-failure-expiration-interval:10 minutes"
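The three failure-related properties interact: the failure window decides which failures still count, the count decides when the lock engages, and the duration decides when it releases. The following Python model is an added example written for this page, not Oracle Unified Directory's own implementation. It replays a constructed sequence of binds against the Example 24-1 settings (3 failures, 15-minute lockout, 10-minute failure window). The result labels are the model's own; the actual result code and message the server returns for a locked account are not modelled, and neither is idle lockout, which depends on the last login time.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class LockoutPolicy:
    """The dsconfig lockout properties, as counts and seconds."""
    lockout_failure_count: int = 0                # 0 = automatic lockout disabled
    lockout_duration: int = 0                     # seconds; 0 = locked until an administrator unlocks
    lockout_failure_expiration_interval: int = 0  # seconds; 0 = old failures never stop counting


@dataclass
class AccountState:
    failure_times: List[int] = field(default_factory=list)  # timestamps of failures still counted
    locked_at: Optional[int] = None


def is_locked(policy: LockoutPolicy, state: AccountState, now: int) -> bool:
    if state.locked_at is None:
        return False
    if policy.lockout_duration == 0:
        return True                               # permanent: only admin_unlock() clears it
    return now < state.locked_at + policy.lockout_duration


def admin_unlock(state: AccountState) -> None:
    state.locked_at = None
    state.failure_times.clear()


def authenticate(policy: LockoutPolicy, state: AccountState, now: int, password_ok: bool) -> str:
    """Model one bind at time `now`; returns 'success', 'failure' or 'locked'."""
    if is_locked(policy, state, now):
        return "locked"
    if state.locked_at is not None:               # lockout-duration has elapsed: automatic unlock
        admin_unlock(state)
    if password_ok:
        state.failure_times.clear()               # a successful bind always clears the failure record
        return "success"
    if policy.lockout_failure_expiration_interval:
        cutoff = now - policy.lockout_failure_expiration_interval
        state.failure_times = [t for t in state.failure_times if t > cutoff]
    state.failure_times.append(now)
    if policy.lockout_failure_count and len(state.failure_times) >= policy.lockout_failure_count:
        state.locked_at = now                     # this failure is the one that locks the account
    return "failure"


def run_scenario(policy: LockoutPolicy, attempts: List[Tuple[int, bool]]) -> List[str]:
    state = AccountState()
    return [authenticate(policy, state, t, ok) for t, ok in attempts]


# Constructed scenario against the Example 24-1 settings.
EXAMPLE_POLICY = LockoutPolicy(lockout_failure_count=3,
                               lockout_duration=15 * 60,
                               lockout_failure_expiration_interval=10 * 60)
EXAMPLE_ATTEMPTS: List[Tuple[int, bool]] = [
    (0, False),     # failure; 1 counted
    (700, False),   # the t=0 failure is older than 10 min and no longer counts: still 1 counted
    (800, False),   # 2 counted
    (900, False),   # 3 counted: the account locks at t=900
    (1000, True),   # correct password, but still inside the 15 min lockout
    (1800, True),   # lockout elapsed: automatic unlock, bind succeeds
]

if __name__ == "__main__":
    for (t, ok), result in zip(EXAMPLE_ATTEMPTS, run_scenario(EXAMPLE_POLICY, EXAMPLE_ATTEMPTS)):
        print(f"t={t:5d}s password_ok={str(ok):5} -> {result}")
```

The second attempt shows why lockout-failure-expiration-interval matters: a slow attacker who spaces guesses more than ten minutes apart never reaches the count, so choose a window that matches the guessing rate you want to stop, or leave it at zero so that failures accumulate until the next successful bind.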
Example 24-2 Configuring Last Login
Last login is a basic security feature that records when each user last authenticated; it also provides the reference point for the idle-lockout-interval property. The directory server provides an operational attribute, ds-pwp-last-login-time, that holds the user's last login time. If you specify another attribute, it must be defined as an operational attribute in the server schema, or it must be allowed by at least one of the object classes in the user's entry.
The last-login-time-format property determines the time format (a java.text.SimpleDateFormat pattern, such as yyyyMMdd). If the format has been changed while last login is enabled, the previous-last-login-time-format property is used to interpret values still stored in the old format.
The following command sets the last login properties for the default password policy.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -n \
  set-password-policy-prop \
  --policy-name "Default Password Policy" \
  --set "last-login-time-attribute:ds-pwp-last-login-time" \
  --set "last-login-time-format:yyyyMMdd" \
  --set "previous-last-login-time-format:yyyyMMdd"
Example 24-3 Configuring Password History Count and Duration
The password-history-count property specifies the number of past passwords that should be maintained in the history. A value of zero indicates that the server does not maintain a password history.
The password-history-duration property specifies the maximum length of time that a previously used password should remain in the user's password history. A value of 0 seconds indicates that the server should not maintain a password history.
The following command configures password history count and duration for the default password policy. The 5-second duration is illustrative only: entries older than the duration no longer count, so with such a short value the history is effectively empty as soon as a password has been changed. In practice use a duration on the order of the password lifetime, and set a nonzero min-password-age so that users cannot cycle through the history to return to an old password.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -n \
  set-password-policy-prop \
  --policy-name "Default Password Policy" --set "password-history-count:3" \
  --set "password-history-duration:5 seconds"
You can configure and store multiple password policies with different configuration options. When you set up a directory server instance, the instance uses the default password policy and applies it to all user entries, except root users (for example, the cn=Directory Manager account).
You can change the default password policy or you can create new password policies for specific groups in your directory. If a specific property is not present in a password policy, the server reads that property from the default password policy; in other words, all password policies inherit their default values from the default password policy.
The following command creates a new password policy and sets the default-password-storage-scheme, lockout-duration, lockout-failure-count, and password-change-requires-current-password properties. The remaining properties are inherited from the Default Password Policy. Salted SHA-1 is used here to match the shipped default; for a new policy you can equally choose Salted SHA-512 (SSHA-512).
Use the dsconfig command to create a new password policy, as follows:
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  create-password-policy \
  --policy-name "Temp Password Policy" --set password-attribute:userPassword \
  --set default-password-storage-scheme:"Salted SHA-1" \
  --set lockout-duration:300s --set lockout-failure-count:3 \
  --set password-change-requires-current-password:true
The First Login Password Policy is a specialized password policy that requires a user to change the password when first logging in to the system. Typically, an administrator sets a temporary password for a newly created account, and the user must choose a new password after first logging in with the temporary one. Combining force-change-on-add and force-change-on-reset with a short max-password-age (three days here) ensures that a temporary password that is never used stops working on its own.
Use the dsconfig command to create a first login password policy.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  create-password-policy --policy-name "First Login Password Policy" \
  --set password-attribute:userpassword \
  --set default-password-storage-scheme:"Salted SHA-1" \
  --set allow-user-password-changes:true --set force-change-on-add:true \
  --set force-change-on-reset:true \
  --set expire-passwords-without-warning:false \
  --set password-expiration-warning-interval:86400 \
  --set min-password-age:0 --set max-password-age:259200 \
  --set lockout-duration:3600 --set lockout-failure-count:3 \
  --set password-change-requires-current-password:true
You can assign a password policy to an individual user by adding the ds-pwp-password-policy-dn attribute to the user's entry. The server then applies the referenced password policy to that user.
Use ldapmodify to add the ds-pwp-password-policy-dn attribute.
$ ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -j pwd-file
dn: uid=mgarcia,ou=Contractors,dc=example,dc=com
changetype: modify
add: ds-pwp-password-policy-dn
ds-pwp-password-policy-dn: cn=Temp Password Policy,cn=Password Policies,cn=config
Verify the entry by using ldapsearch.
$ ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -j pwd-file \
  -b "dc=example,dc=com" -s sub "(uid=mgarcia)" ds-pwp-password-policy-dn
To prevent users from changing their own password policy assignment, add an ACI to the base entry of the suffix (here dc=example,dc=com) that grants self-write access to every attribute except the ones that select a password policy: ds-pwp-password-policy-dn, which this procedure sets, and the operational passwordPolicySubentry attribute. Because access is denied unless some ACI allows it, this rule lets users modify their own entries while leaving the policy attributes writable only by identities that bypass access control (such as cn=Directory Manager) or that have a separate allow rule. Check that no other ACI in the suffix grants broader self-write access, otherwise this rule does not achieve its purpose.
Use the ldapmodify command with the specific ACI.
$ ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -j pwd-file
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr != "ds-pwp-password-policy-dn || passwordPolicySubentry")(version 3.0; acl "Allow self modification except for password policy selection"; allow (write) (userdn = "ldap:///self");)
You can assign a password policy to a group of users by creating a virtual attribute that automatically adds the ds-pwp-password-policy-dn attribute to every user entry that matches the criteria of that virtual attribute. The criteria can be based entirely or in part on the group membership of the user.
Use dsconfig to create a virtual attribute that assigns a password policy to a group of users.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  create-virtual-attribute \
  --name "Add PWPolicy to Admins" --type user-defined --set enabled:true \
  --set attribute-type:ds-pwp-password-policy-dn \
  --set group-dn:cn=Admins,ou=Groups,dc=example,dc=com \
  --set conflict-behavior:real-overrides-virtual \
  --set value:"cn=Admins PWPolicy,cn=Password Policies,cn=config"
Two points to check with this approach. First, because conflict-behavior is real-overrides-virtual, a real ds-pwp-password-policy-dn value stored in a user's entry takes precedence over the virtual one, so restrict who can write that attribute (see the ACI in Section 24.4.4) or a user who can write it can opt out of the group policy. Second, the virtual attribute and the policy it references both live under cn=config and are therefore not replicated; create them on every server in the topology.
LDAP subentries are special entries that hold operational data for the server. They are similar to operational attributes in that they are not returned to clients unless explicitly requested by including a Subentries Control request control.
You can define a password policy as an LDAP subentry, which means that the password policy is stored along with the user data, and can therefore be replicated.
Subentry password policies override the default password policy that is defined in the configuration. Settings that are not included in the subentry password policy are inherited from the default password policy.
When more than one password policy subentry is defined under the same parent with overlapping scope, which of them applies to an entry in the overlap is undefined. Define the subtree specifications so that their scopes do not overlap.
Subentry password policies must use standard pwdPolicy attributes only. A subentry password policy cannot contain password policy extensions that are specific to Oracle Unified Directory.
For subentry password policies, password validators and password generators are always inherited from the default server password policy. You cannot define password validators or password generators for individual password policy subentries.
To define a subentry password policy, create the password policy in an LDIF file, and add it to the data by using ldapmodify. You can specify the entries to which the password policy should be applied by including an LDAP filter in the subentry subtree specification.
The following example creates a password policy that applies only to a group of administrators. This password policy specifies the following:
The user's account will be locked after three successive failed password attempts.
A failure interval of 300 seconds, after which a previously failed authentication attempt is no longer counted toward a lockout failure.
A lockout duration of 300 seconds, after which it is automatically unlocked.
Users to which this password policy applies can change their own passwords.
Users with this password policy must change their password in a secure manner that does not expose the credentials.
Create an LDIF file (admin-pwp.ldif) that includes the entry specifying the password policy. The duration attributes (pwdFailureCountInterval, pwdLockoutDuration) are expressed in seconds.
dn: cn=Admins Password Policy,dc=example,dc=com
objectClass: top
objectClass: subentry
objectClass: pwdPolicy
cn: Admins Password Policy
pwdAttribute: userPassword
pwdLockout: TRUE
pwdMaxFailure: 3
pwdFailureCountInterval: 300
pwdLockoutDuration: 300
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
subtreeSpecification: {relativeBase "ou=people", specificationFilter "(isMemberOf=cn=Admins,ou=Groups,dc=example,dc=com)" }
Use the ldapmodify command to add the entry to the directory. As in the other examples, read the bind password from a file rather than passing it with -w, where it is visible to every user of the host in the process list.
$ ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -j pwd-file \
  --defaultAdd --filename admin-pwp.ldif
Processing ADD request for cn=Admins Password Policy,dc=example,dc=com
ADD operation successful for DN cn=Admins Password Policy,dc=example,dc=com
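Hand-writing pwdPolicy subentries is error-prone: a value in minutes instead of seconds, a pwdMaxFailure without pwdLockout, or an OUD-specific property that a subentry may not carry. The following Python is an added example for this page (not Oracle code) that builds the LDIF from a dictionary of settings and rejects those mistakes before anything reaches ldapmodify. It encodes the restriction from the paragraph above: only the standard pwdPolicy attributes are accepted. The attribute set follows draft-behera-ldap-password-policy; the DN handling assumes a cn that needs no escaping.

```python
from typing import Dict, Optional, Union

# Attributes of the standard pwdPolicy object class (draft-behera-ldap-password-policy).
# A subentry policy may use only these; OUD-specific ds-pwp-* properties are not permitted.
INTEGER_ATTRS = {"pwdMinAge", "pwdMaxAge", "pwdInHistory", "pwdMinLength", "pwdExpireWarning",
                 "pwdGraceAuthNLimit", "pwdLockoutDuration", "pwdMaxFailure", "pwdFailureCountInterval"}
BOOLEAN_ATTRS = {"pwdLockout", "pwdMustChange", "pwdAllowUserChange", "pwdSafeModify"}
STRING_ATTRS = {"pwdAttribute", "pwdCheckQuality"}
STANDARD_ATTRS = INTEGER_ATTRS | BOOLEAN_ATTRS | STRING_ATTRS

Value = Union[bool, int, str]


def _format(name: str, value: Value) -> str:
    """Render one attribute value in the syntax the schema expects."""
    if name in BOOLEAN_ATTRS:
        if not isinstance(value, bool):
            raise ValueError(f"{name} must be a boolean")
        return "TRUE" if value else "FALSE"
    if name in INTEGER_ATTRS:
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            raise ValueError(f"{name} must be a non-negative integer (seconds or a count)")
        return str(value)
    return str(value)


def validate(attrs: Dict[str, Value]) -> None:
    unknown = sorted(set(attrs) - STANDARD_ATTRS)
    if unknown:
        raise ValueError(f"not standard pwdPolicy attributes, rejected for a subentry policy: {unknown}")
    if attrs.get("pwdMaxFailure", 0) and attrs.get("pwdLockout") is not True:
        raise ValueError("pwdMaxFailure has no effect unless pwdLockout is TRUE")
    min_age, max_age = attrs.get("pwdMinAge", 0), attrs.get("pwdMaxAge", 0)
    if min_age and max_age and min_age >= max_age:
        raise ValueError("pwdMinAge must be shorter than pwdMaxAge")


def build_subentry(cn: str, parent_dn: str, attrs: Dict[str, Value],
                   relative_base: Optional[str] = None, spec_filter: Optional[str] = None) -> str:
    """Return the LDIF for a pwdPolicy subentry under parent_dn."""
    validate(attrs)
    attrs = {"pwdAttribute": "userPassword", **attrs}   # MUST attribute; defaulted if not supplied
    lines = [f"dn: cn={cn},{parent_dn}", "objectClass: top", "objectClass: subentry",
             "objectClass: pwdPolicy", f"cn: {cn}"]
    lines += [f"{name}: {_format(name, value)}" for name, value in attrs.items()]
    parts = []                                          # RFC 3672 subtree specification
    if relative_base:
        parts.append(f'relativeBase "{relative_base}"')
    if spec_filter:
        parts.append(f'specificationFilter "{spec_filter}"')
    lines.append("subtreeSpecification: {" + ", ".join(parts) + "}")   # "{}" = the whole subtree
    return "\n".join(lines) + "\n"


def admins_policy() -> str:
    """The Admins Password Policy from admin-pwp.ldif, rebuilt from its settings."""
    return build_subentry(
        "Admins Password Policy", "dc=example,dc=com",
        {"pwdLockout": True, "pwdMaxFailure": 3, "pwdFailureCountInterval": 300,
         "pwdLockoutDuration": 300, "pwdAllowUserChange": True, "pwdSafeModify": True},
        relative_base="ou=people",
        spec_filter="(isMemberOf=cn=Admins,ou=Groups,dc=example,dc=com)")


if __name__ == "__main__":
    print(admins_policy(), end="")
```

Write the returned string to a file and add it with the ldapmodify command above. Keeping the subtree specification explicit in the call makes it easy to review that two policies under the same parent do not overlap.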
You can delete any password policy except the Default Password Policy and the Default Root User Policy when it is no longer needed.
Before deleting a password policy, find the users that reference it (search the suffix for entries whose ds-pwp-password-policy-dn equals the policy DN), move them to another password policy, and only then remove the old one. If you delete a password policy that is still referenced, those users keep a ds-pwp-password-policy-dn value pointing to a policy that no longer exists, and the server returns an error on requests that access such an entry.
Use dsconfig to delete a password policy.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -n \
  delete-password-policy --policy-name "Temp Password Policy"
You can use ODSM to manage password policies, as described in the following sections.
You can display all password policy subentries that are configured in the server by using ODSM, as follows:
Connect to the directory server from ODSM, as described in Section 18.2, "Connecting to the Server From Oracle Directory Services Manager".
Select the Security tab.
Expand the Password Policy Subentry element.
The DNs of all password policy subentries are listed.
To display the details of a password policy subentry, select its DN.
The password policy subentry properties are displayed in the right hand pane.
To modify any aspect of the password policy subentry, change the required value and click Apply.
For a description of all possible properties, and their values, see "Password Policy" in the Oracle Unified Directory Configuration Reference.
You can create a new password policy subentry by using ODSM, as follows:
Connect to the directory server from ODSM, as described in Section 18.2, "Connecting to the Server From Oracle Directory Services Manager".
Select the Security tab.
Expand the Password Policy Subentry element.
Click the Add icon.
The password policy subentry properties are displayed in the right hand pane.
On the Create new password policy subentry screen, complete the required fields.
For a description of all possible properties, and their values, see "Password Policy" in the Oracle Unified Directory Configuration Reference.
When you have completed configuring the password policy subentry, click Create.
You can create a new password policy subentry that is based on an existing password policy subentry by using ODSM, as follows:
Connect to the directory server from ODSM, as described in Section 18.2, "Connecting to the Server From Oracle Directory Services Manager".
Select the Security tab.
Expand the Password Policy Subentry element.
Select the password policy subentry on which you want to base the new subentry.
Click the Add like icon.
The properties of the original password policy subentry are displayed in the right hand pane.
Modify the required values.
For a description of all possible properties, and their values, see "Password Policy" in the Oracle Unified Directory Configuration Reference.
When you have completed configuring the new password policy subentry, click Create.
You can delete a password policy subentry by using ODSM, as follows:
Connect to the directory server from ODSM, as described in Section 18.2, "Connecting to the Server From Oracle Directory Services Manager".
Select the Security tab.
Expand the Password Policy Subentry element.
Select the password policy subentry that you want to delete.
Click the Delete icon.
You are prompted to confirm the deletion. Click OK.
You can display the list of password policies by using ODSM, as follows:
Connect to the directory server from ODSM, as described in Section 18.2, "Connecting to the Server From Oracle Directory Services Manager".
Select the Security tab.
Expand the Password Policy element.
The list of configured password policies is displayed.
Select a password policy to display its properties in the right hand pane.
For a description of all possible properties, and their values, see "Password Policy" in the Oracle Unified Directory Configuration Reference.
You can modify a configured password policy by using ODSM, as follows:
Connect to the directory server from ODSM, as described in Section 18.2, "Connecting to the Server From Oracle Directory Services Manager".
Select the Security tab.
Expand the Password Policy element.
The list of configured password policies is displayed.
Select the password policy whose properties you want to modify.
For a description of all possible properties, and their values, see "Password Policy" in the Oracle Unified Directory Configuration Reference.
You can create a new password policy by using ODSM, as follows:
Connect to the directory server from ODSM, as described in Section 18.2, "Connecting to the Server From Oracle Directory Services Manager".
Select the Security tab.
Expand the Password Policy element.
Click the Add icon.
On the Create New Password Policy screen, configure the required properties.
For a description of all possible properties, and their values, see "Password Policy" in the Oracle Unified Directory Configuration Reference.
When you have configured the new password policy, click Create.
You can create a new password policy that is based on an existing password policy by using ODSM, as follows:
Connect to the directory server from ODSM, as described in Section 18.2, "Connecting to the Server From Oracle Directory Services Manager".
Select the Security tab.
Expand the Password Policy element.
Select the password policy on which you want to base the new policy.
Click the Add like icon.
On the Create New Password Policy screen, modify the properties to create the new policy.
For a description of all possible properties, and their values, see "Password Policy" in the Oracle Unified Directory Configuration Reference.
When you have configured the new password policy, click Create.
You can delete a password policy by using ODSM, as follows:
Connect to the directory server from ODSM, as described in Section 18.2, "Connecting to the Server From Oracle Directory Services Manager".
Select the Security tab.
Expand the Password Policy element.
Select the password policy that you want to delete.
Click the Delete icon.
Click OK to confirm the deletion.
A password storage scheme provides a mechanism for encoding user passwords for storage in the server. In most cases, the password is encoded in a manner that prevents users from determining what the clear-text password is, while still allowing the server to determine whether the user-supplied password is correct. Oracle Unified Directory supports a number of password storage schemes. For more information, see Section D.15.9, "password storage scheme".
You can use ODSM to display the list of password storage schemes, as follows:
Connect to the directory server from ODSM, as described in Section 18.2, "Connecting to the Server From Oracle Directory Services Manager".
Select the Security tab.
Expand the Password Storage element.
The list of password storage schemes is displayed.
You can use ODSM to enable or disable a password storage scheme, as follows:
Connect to the directory server from ODSM, as described in Section 18.2, "Connecting to the Server From Oracle Directory Services Manager".
Select the Security tab.
Expand the Password Storage element.
Select the password storage scheme that you want to enable or disable.
In the right hand pane, check or uncheck the Enabled box, as required.
Click Apply to save your changes.
Password validators provide a mechanism to determine whether a provided plain text password is acceptable for use. Validation prevents users from choosing trivial passwords that are weak and might be easily guessed. Types of validation that might be performed include:
Ensuring that a password has at least a specified minimum number of characters.
Ensuring that a password has no more than a specified maximum number of characters.
Ensuring that a password contains at least a specified number of characters from different character sets (for example, lowercase letters, uppercase letters, numeric digits, and symbols).
Ensuring that a user is not allowed to re-use a password that has been previously used by that user (that is, that the password is not contained in a history of previous passwords).
Ensuring that a user is not allowed to choose a password that matches the value of another attribute in the user's entry.
Ensuring a password is not contained in a specified dictionary.
The password policy for a user specifies the set of password validators that should be used whenever that user provides a new password. To activate a password validator, you must enable the corresponding configuration entry, and include the DN of that entry in the password-validator attribute of the password policy in which you want that validator active.
The following password validators are available in the server by default:
Attribute Value Password Validator
This validator attempts to determine whether a proposed password is acceptable for use by determining whether that password is contained in any attribute within the user's entry. The validator can be configured to look in all attributes or in a specified subset of attributes.
Character Set Password Validator
This validator determines whether a proposed password is acceptable by checking whether it contains a sufficient number of characters from one or more user-defined character sets. For example, the validator can ensure that passwords must have at least one lowercase letter, one uppercase letter, one digit, and one symbol.
Dictionary Password Validator
This validator determines whether a proposed password is acceptable based on whether the password value appears in a provided dictionary file. A large dictionary file is provided with the server, but you can supply an alternate dictionary. In this case, the dictionary must be a plain-text file with one word per line.
Length Based Password Validator
This validator determines whether a proposed password is acceptable based on whether the number of characters it contains falls within an acceptable range of values. Both upper and lower bounds can be defined.
Repeated Characters Password Validator
This validator determines whether a proposed password is acceptable based on the number of times any character appears consecutively in a password value. It ensures that user passwords do not contain strings of the same character repeated several times, like "aaaaaa" or "aaabbb".
Similarity Based Password Validator
This validator determines whether a proposed password is acceptable by measuring how similar it is to the user's current password. In particular, it uses the Levenshtein Distance algorithm to determine the minimum number of changes (where a change may be inserting, deleting, or replacing a character) to transform one string into the other. It can be used to prevent users from making only minor changes to their current password when setting a new password. Note that for this password validator to be effective, it is necessary to have access to the user's current password. Therefore, if this password validator is to be enabled, the password-change-requires-current-password property in the password policy configuration must also be set to true.
Unique Characters Password Validator
This validator determines whether a proposed password is acceptable based on the number of unique characters that it contains. It can be used to prevent simple passwords that contain only a few characters like "aabbcc" or "abcabc".
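The checks described above, as an added example that is not code from Oracle Unified Directory: a Python sketch of each validator's logic, applied together the way a policy's password-validator list applies them. The thresholds, the sample user entry and the short word list are constructed assumptions; the real validators' properties and defaults are those listed in the Configuration Reference.

```python
# Added example (not Oracle's code): pure-Python equivalents of the checks the
# validators above perform. Thresholds, the sample entry and the word list are
# constructed assumptions, not server defaults.

CHARACTER_SETS = {  # assumed sets for the Character Set check
    "lower": "abcdefghijklmnopqrstuvwxyz",
    "upper": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "digit": "0123456789",
    "symbol": "!@#$%^&*()",
}
SAMPLE_ENTRY = {"uid": "jdoe", "cn": "John Doe", "sn": "Doe",
                "mail": "jdoe@example.com"}                        # constructed
SAMPLE_DICTIONARY = {"password", "welcome", "letmein", "qwerty"}  # constructed


def length_based(pw, min_len=8, max_len=0):
    """Length Based: a max_len of 0 means no upper bound, as in the dsconfig output."""
    if len(pw) < min_len:
        return f"shorter than {min_len} characters"
    if max_len and len(pw) > max_len:
        return f"longer than {max_len} characters"
    return None


def character_set(pw, sets=CHARACTER_SETS, min_per_set=1):
    """Character Set: at least min_per_set characters from every defined set."""
    missing = [name for name, chars in sets.items()
               if sum(c in chars for c in pw) < min_per_set]
    return "missing characters from: " + ", ".join(missing) if missing else None


def repeated_characters(pw, max_consecutive=2):
    """Repeated Characters: no character may appear more than max_consecutive times in a row."""
    run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        if run > max_consecutive:
            return f"'{cur}' repeated more than {max_consecutive} times in a row"
    return None


def unique_characters(pw, min_unique=5):
    """Unique Characters: rejects 'aabbcc'-style passwords built from few distinct characters."""
    if len(set(pw.lower())) < min_unique:
        return f"fewer than {min_unique} unique characters"
    return None


def attribute_value(pw, entry=SAMPLE_ENTRY):
    """Attribute Value: the password must not equal the value of any attribute in the entry."""
    for name, value in entry.items():
        if pw.lower() == str(value).lower():
            return f"matches the value of attribute {name}"
    return None


def dictionary(pw, words=SAMPLE_DICTIONARY):
    """Dictionary: the password must not appear in the word list (compared case-insensitively)."""
    return "found in dictionary" if pw.lower() in words else None


def levenshtein(a, b):
    """Minimum number of single-character insertions, deletions or replacements."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity_based(pw, current_pw, min_difference=3):
    """Similarity Based: needs the current password, which is why the text says
    password-change-requires-current-password must be true for it to be effective."""
    if current_pw is None:
        return None  # nothing to compare against, so the check cannot act
    if levenshtein(pw, current_pw) < min_difference:
        return f"fewer than {min_difference} edits away from the current password"
    return None


def validate(pw, current_pw=None):
    """Apply every check; returns the list of rejection reasons (empty means acceptable)."""
    results = [length_based(pw), character_set(pw), repeated_characters(pw),
               unique_characters(pw), attribute_value(pw), dictionary(pw),
               similarity_based(pw, current_pw)]
    return [r for r in results if r]


if __name__ == "__main__":
    for candidate in ("aaabbb12!", "Tr0ub4dor&3"):
        print(candidate, "->", validate(candidate) or "accepted")
```

Running validate("aaabbb12!") reports the missing uppercase letter and the run of three a's, while "Tr0ub4dor&3" passes every check. The similarity check returns nothing when no current password is supplied, which is exactly the situation the text warns about: without password-change-requires-current-password the validator has nothing to compare against.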
You can manage password validators by using the dsconfig command or by using the ODSM interface, as described in the following sections:
Section 24.6.1.1, "To Display the Available Password Validators"
Section 24.6.1.2, "To Display the Properties of a Password Validator"
Section 24.6.1.3, "To Enable or Disable a Password Validator"
Section 24.6.1.4, "To Configure the Values of a Password Validator"
Section 24.6.1.5, "To Associate a Password Validator With a Password Policy"
Use the dsconfig command to list the password validators that are available, as follows:
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  list-password-validators
Password Validator                  : Type                : enabled
------------------------------------:---------------------:--------
Attribute Value                     : attribute-value     : true
Character Set                       : character-set       : true
Dictionary                          : dictionary          : false
Length-Based Password Validator     : length-based        : true
Repeated Characters                 : repeated-characters : true
Similarity-Based Password Validator : similarity-based    : true
Unique Characters                   : unique-characters   : true
To display the available password validators by using ODSM, do the following:
Connect to the directory server from ODSM, as described in Section 18.2, "Connecting to the Server From Oracle Directory Services Manager".
Select the Security tab.
Expand the Password Validator element.
The available password validators are displayed.
Use the dsconfig command to display the properties of a particular password validator, as follows:
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  get-password-validator-prop --validator-name "Length-Based Password Validator"
Property            : Value(s)
--------------------:---------
enabled             : true
max-password-length : 0
min-password-length : 6
To display the properties of a password validator by using ODSM, do the following:
Connect to the directory server from ODSM, as described in Section 18.2, "Connecting to the Server From Oracle Directory Services Manager".
Select the Security tab.
Expand the Password Validator element.
The available password validators are displayed.
Click on a password validator to display its properties in the right hand pane.
All of the password validators, except the Dictionary validator, are enabled by default. A validator must be enabled before it can be associated with a specific password policy.
Use the dsconfig command to set the enabled property to true or false. For example, to disable the Length-Based password validator, set the enabled property as follows:
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  set-password-validator-prop --validator-name "Length-Based Password Validator" \
  --set enabled:false
To enable or disable a password validator by using ODSM, do the following:
Connect to the directory server from ODSM, as described in Section 18.2, "Connecting to the Server From Oracle Directory Services Manager".
Select the Security tab.
Expand the Password Validator element.
The available password validators are displayed.
Click on a password validator to display its properties in the right hand pane.
Select the Enabled check box to enable the validator, or deselect this check box to disable the validator.
Click Apply to save the configuration changes.
Use the dsconfig command to configure properties of a password validator. For example, to specify that passwords must be at least eight characters long, set the min-password-length property as follows:
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  set-password-validator-prop --validator-name "Length-Based Password Validator" \
  --set min-password-length:8
To configure the values of a password validator by using ODSM, do the following:
Connect to the directory server from ODSM, as described in Section 18.2, "Connecting to the Server From Oracle Directory Services Manager".
Select the Security tab.
Expand the Password Validator element.
The available password validators are displayed.
Click on a password validator to display its properties in the right hand pane.
Configure any required properties and click Apply to save the configuration change.
A password validator is only taken into account when it is associated with a specific password policy.
To associate a password validator with a password policy by using dsconfig, set the password-validator property of the password policy.
For example, to specify that the default password policy should check whether passwords conform to a specific number of characters, set the password-validator property of the default password policy as follows:
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  set-password-policy-prop --policy-name "Default Password Policy" \
  --set password-validator:"Length-Based Password Validator"
To associate a password validator with a password policy by using ODSM, do the following:
Connect to the directory server from ODSM, as described in Section 18.2, "Connecting to the Server From Oracle Directory Services Manager".
Select the Security tab.
Expand the Password Policy element.
The available password policies are displayed.
Click on a password policy to display its properties in the right hand pane.
Expand the Syntax element in the right hand pane.
From the Password Validator list, select the password validators that you want to associate with this password policy.
Click Apply to save the configuration changes.
Password generators are used to generate passwords for user accounts. A password generator is used in conjunction with the password modify extended operation to provide a new password for cases in which the client did not include a password in its request. If no password generator is associated with the password policy that is in force, the password modify extended operation does not automatically generate passwords for users.
The passwords that are created by a password generator are not subject to validation. You should configure password generators so that the passwords they create are in line with the requirements of the associated password validators.
By default one password generator is configured on a directory server instance: the random password generator. The following sections describe how to manage password generators by using dsconfig.
Use the dsconfig command to list the configured password generators, as follows:
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  list-password-generators
Password Generator        : Type   : enabled
--------------------------:--------:--------
Random Password Generator : random : true
Use the dsconfig command to display the properties of a password generator, as follows:
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  get-password-generator-prop --generator-name "Random Password Generator"
Property               : Value(s)
-----------------------:-----------------------------------------------------
enabled                : true
password-character-set : alpha:abcdefghijklmnopqrstuvwxyz, numeric:0123456789
password-format        : "alpha:3,numeric:2,alpha:3"
The password character set is a multi-valued property, with each value defining a different character set. The format of the character set is the name of the set followed by a colon and the characters that are in that set. For example, the value "alpha:abcdefghijklmnopqrstuvwxyz" defines a character set named "alpha" containing all of the lower-case ASCII alphabetic characters.
The password format is a comma-delimited list of elements in which each of those elements is comprised of the name of a character set defined in the password-character-set property, a colon, and the number of characters to include from that set. For example, the default value of "alpha:3,numeric:2,alpha:3" generates an 8-character password in which the first three characters are from the "alpha" set, the next two are from the "numeric" set, and the final three are from the "alpha" set.
The random password generator is enabled by default. A password generator must be enabled before it can be associated with a specific password policy.
Use the dsconfig command to set the enabled property to true or false. For example, to disable the random password generator, set the enabled property as follows:
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  set-password-generator-prop --generator-name "Random Password Generator" \
  --set enabled:false
Use the dsconfig command to configure properties of a password generator. For example, to specify that passwords generated by the random password generator must consist of three letters, three numbers, and two characters from a newly defined special character set, set the corresponding properties as follows:
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  set-password-generator-prop --generator-name "Random Password Generator" \
  --add password-character-set:special:\!@#\$%^&*\(\) \
  --set password-format:alpha:3,numeric:3,special:2
A password generator is only taken into account when it is associated with a specific password policy.
To associate a password generator with a password policy by using dsconfig, set the password-generator property of the password policy.
For example, to specify that the default password policy should use a new password generator, named Special Generator, set the password-generator property of the default password policy as follows:
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  set-password-policy-prop --policy-name "Default Password Policy" \
  --set password-generator:"Special Generator"