24.1 Understanding Password Management

The Password Management feature is only supported when the identity store used is an LDAP directory.

When enabled, Password Management can be used for the following scenarios.

  • When a user account is disabled by an administrator, the user is not allowed to enter the system. An appropriate error message is displayed if the user requests access.

  • When a user account is locked by an administrator (whether permanently or temporarily due to incorrect passwords or challenges), the user is not allowed to enter the system. An appropriate error message is displayed if the user requests access.

  • A user can be forced by the administrator to change a password if specific values are set in the user's LDAP entry.

  • When a user has to change a soon-to-be expiring password, a screen is displayed from which the user can choose one of the following options: change the password now or continue to the requested page without changing the password.

  • If a user submits a password with invalid characters during a password reset operation, an error message can be displayed with the password creation rules that the user must follow.

Oracle-Provided Password Forms has screenshots of the error messages discussed.

Caveats for Integrated Deployments

When you are using Oracle Identity Management and Oracle Access Management with Oracle Internet Directory, there are two sets of password policy definitions and enforcement. Password Policy Definition can be configured in both Oracle Identity Management and in Oracle Internet Directory. Password Policy Enforcement occurs according to the following:

  • Oracle Access Management enforces state policies (incorrect password, for example) during Web access; Oracle Internet Directory enforces its own state policies as well as LDAP operations (bind and compare, for example).

  • Oracle Identity Management enforces value policies (characteristics of the password) during user creation of the password update; Oracle Internet Directory enforces it's own value policies as well for policies for LDAP operations (add, modify for example).

Password Policy is only certified when the configured Identity Store is an LDAP directory. It is not certified with a virtualized LDAP directory (for example, Oracle Virtual Directory fronting another data repository) or a non LDAP directory

Any LDAP directory (such as Oracle Internet Directory) has a way to configure password policies that define lexical constraints to which the user password must conform (minimum characters, maximum length of time the password is valid, use of special characters, etc.) This password policy gets applied when the user's password is changed in the LDAP directory. To make sure that this LDAP directory password policy does not conflict with the password policy configured in OAM, the administrator has to manually study the LDAP password policy and do one of the following.

  1. Make the backend LDAP identity store policies weaker or the same strength as the Oracle Identity Management and Oracle Access Management policies. However, this leads to a double enforcement.

  2. Disable native LDAP password policy validation, which unfortunately leaves no enforcement for direct LDAP operations.