30 Managing Password Policies

This chapter describes how Oracle Internet Directory manages password policies, which are sets of rules that govern how passwords are used. It covers the default policy and fine-grained policies, and explains how to manage password policies using Oracle Directory Services Manager (ODSM) and the LDAP command-line utilities.

Note:

All references to Oracle Delegated Administration Services in this guide refer to Oracle Delegated Administration Services 10g (10.1.4.3.0) or later.

30.1 Overview of Managing Password Policies

A password policy is a set of rules governing how passwords are used. The directory server enforces the applicable policy both when a password is set and when it is used: syntax rules (such as minimum length and required character classes) are checked when the userpassword attribute is added or modified, and state rules (expiry, lockout, grace logins) are checked when a user binds or compares against userpassword.

When you establish a password policy, you set the following types of rules, to mention just a few:

  • The maximum length of time a given password is valid

  • The minimum number of characters a password must contain

  • The number of numeric characters required in a password

This section contains these topics:

30.1.1 Introduction to Password Policy Rules

Password policies are sets of rules that govern password syntax and how passwords are used.

Password policies enforced by Oracle Internet Directory include:

  • The maximum length of time a given password is valid

  • The minimum number of characters a password must contain

  • The minimum number of numeric characters required in a password

  • The minimum number of alphabetic characters

  • The maximum number of repeated characters

  • The use of uppercase and lowercase

  • The minimum number of non-alphanumeric characters (that is, special characters)

  • That users change their passwords periodically

  • The minimum and maximum time between password changes

  • The grace period for logins after password expiration, by time or by number of logins

  • That users cannot reuse previously used passwords

30.1.2 Creating and Applying a Password Policy

In general, establishing a password policy requires the following steps:

  1. Create a password policy entry in the appropriate container and give it the pwdPolicy object class. (Default entries exist when you first install Oracle Internet Directory.)
  2. Define the policy by setting values for the attributes of the pwdPolicy object class on the entry created in step 1.
  3. Enable the policy by setting its orclpwdPolicyEnable attribute to 1. If this attribute is not 1, Oracle Internet Directory ignores the policy.
  4. Determine the subtree to be governed by the policy. At the root of that subtree, add a pwdPolicySubentry attribute whose value is the DN of the policy entry.

    See Also:

    LDAP Object Class Reference in Reference for Oracle Identity Management for a list and descriptions of the attributes of the pwdPolicy object class, and those of the top object class that pertain to password policies

30.1.3 About Fine-Grained Password Policies

In 10g (10.1.4.0.1) and later, Oracle Internet Directory supports multiple password policies in each realm. You can apply these policies to any subtree within that realm. This means that you can have entry-specific password policies. You can specify password policies as realm-specific or directory-wide in scope.

To achieve the desired scope, you must create the password policy entry in the appropriate container. Password policies are stored under a cn=pwdPolicies container beneath the cn=Common entry of each realm. By default each container holds a password policy with the RDN cn=default. The directory-wide default password policy, for example, has the DN cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext.

You can create other policies under the pwdPolicies container, with different RDNs. Figure 30-1 illustrates this scenario.

Figure 30-1 Location of Password Policy Entries

This illustration is described in the text.

Figure 30-2 pwdPolicy subentry Attributes Populated with DN of Password Policy

Figure described in text

At run time, Oracle Internet Directory resolves the applicable password policy on an entry by looking for a populated pwdpolicysubentry attribute in the entry and applying the policy pointed to by its value. If a populated pwdPolicysubentry attribute does not exist, Oracle Internet Directory traverses up the directory tree until it finds the nearest ancestor entry with a populated pwdPolicysubentry. Oracle Internet Directory applies the password policy pointed to by the value at that entry.

Note:

  • Password policies applied to groups are not automatically applied to group members. You must apply the policy to individual entries or to an ancestor entry.

  • You can disable a password policy by setting orclpwdpolicyenable to 0. Doing so leaves that portion of the directory without an applicable password policy: Oracle Internet Directory does not traverse up the DIT to find an enabled policy that could apply instead. Setting this attribute to 0 lets you leave portions of the directory free of password policies when necessary. However, consider the implications of such a change before making it.

  • You must protect password policy entries from anonymous access using Oracle Internet Directory's ACI infrastructure, described in Managing Directory Access Control. This is particularly important when a password policy is weak, as that information can assist an attacker in compromising the directory.

30.1.4 About Default Password Policy

The default password policy for Oracle Internet Directory enforces:

  • Password expiration in 120 days

  • Account lockout after 10 login failures. Except for the superuser account, a locked account remains locked for 24 hours unless the directory administrator resets its password. Once the lockout duration has passed, the account is unlocked by the next bind with the correct password.

    If the superuser account, cn=orcladmin, becomes locked, it stays locked until you unlock it by using the OID Database Password utility (oidpasswd). The utility prompts you for the ODS user password and then unlocks the account.

  • A minimum password length of five characters with at least one numeric character

  • Password expiry warning seven days before expiry

  • Five grace logins allowed after password expiry

Beginning in Oracle Internet Directory, Release 9.0.4, the password policy entry in the Root Oracle Context applies to the superuser, but only the password policy governing account lockout is enforced on that account.

Note:

Oracle Identity Management has two distinct types of privileged user. Both privileged user accounts can be locked if certain password policies are activated.

The first type of privileged user, the superuser with the DN cn=orcladmin, is represented as a special user entry found within the default identity management realm. It enables directory administrators to make any modifications to the DIT and any changes to the configuration of Oracle Internet Directory servers. If the superuser (orcladmin) account is locked—for example, as a result of too many attempts to bind with an incorrect password—then an administrator with DBA privileges to the Oracle Internet Directory repository can unlock it by using the oidpasswd tool. To unlock the orcladmin account execute the command:

oidpasswd connect="connect_string" unlock_su_acct=TRUE

The second privileged user, a realm-specific privileged user, governs capabilities such as creation and deletion of users and groups within a realm. This account is represented by an entry with the DN cn=orcladmin,cn=users,realm DN. Note that, in contrast to the single superuser account, each realm has its own realm-specific privileged user. To unlock the realm-specific privileged account, the first type of privileged user, cn=orcladmin, can modify the account password by using Oracle Directory Services Manager.

The Oracle Internet Directory password policy applies to simple binds (authenticated with the userpassword attribute), compare operations on the userpassword attribute, and SASL binds. It does not apply to SSL binds authenticated by a client certificate, or to proxy binds.

30.1.5 Attributes for Password Policy

The following attributes affect password policy:

Table 30-1 Password Policy Attributes

Name Function

pwdMinAge

The number of seconds that must elapse between user modifications to the password. The default is 0.

pwdMaxAge

The maximum time, in seconds, that a password can be valid. Upon reaching this age, the password is considered to have expired. The default is 10368000 seconds (120 days).

pwdLockout

When this is true, the server locks out a user after a number of consecutive invalid login attempts. The number is specified by pwdMaxFailure. The default value of pwdLockout is 1 (true).

orclpwdIPLockout

When this is true, the server locks out a user after a number of consecutive invalid login attempts from the same IP address. The number is specified by orclpwdIPMaxFailure. The default is false.

pwdLockoutDuration

The time period in seconds to lock out a user account when the threshold of invalid login attempts is reached. The default is 86400 seconds (24 hours).

orclpwdIPLockoutDuration

The time period in seconds to lock out a user account when the threshold of invalid login attempts from the same IP address is reached. The default is 0.

pwdMaxFailure

The maximum number of invalid login attempts the server should allow before locking out a user account. The default value is 10.

orclpwdIPMaxFailure

The maximum number of invalid login attempts the server should allow from a particular IP address before locking the user account. The default is 0.

pwdFailureCountInterval

The time in seconds after which the password failures are purged from the failure counter, even though no successful authentication occurred. If the value is 0, failure times are never purged. The default is 0.

pwdExpireWarning

The maximum number of seconds before a password is due to expire that expiration warning messages are returned to an authenticating user. The default value is 604800 seconds (seven days).

pwdCheckSyntax

Enables or disables password syntax check

0–Disable all syntax checks

1–Enable password syntax value checks, except for encrypted passwords (default)

pwdMinLength

The minimum length of a password governed by this policy. The default is 5 characters

pwdGraceLoginLimit

The maximum number of grace logins allowed after a password expires. The default is 5. The maximum is 250.

orclpwdGraceLoginTimeLimit

The maximum period in seconds where grace logins are allowed after a password expires. If orclpwdGraceLoginTimeLimit is nonzero, then pwdGraceloginLimit must be zero. If pwdGraceloginLimit is nonzero, then orclpwdGraceLoginTimeLimit must be zero (the default).

pwdMustChange

Requires users to reset their password upon their first login after account creation or after a password has been reset by the administrator. The default is 0 (false).

orclpwdIllegalValues

A list of values that are not allowed as passwords.

orclpwdAlphaNumeric

The minimum number of numeric characters required in a password. The default is 1.

orclpwdMinAlphaChars

The minimum number of alphabetic characters required in a password. The default is 0.

orclpwdMinSpecialChars

The minimum number of non-alphanumeric characters (that is, special characters) required in a password. The default is 0.

orclpwdMinUppercase

The minimum number of uppercase characters required in a password. The default is 0.

orclpwdMinLowercase

The minimum number of lowercase characters required in a password. The default is 0.

orclpwdMaxRptChars

The maximum number of repeated characters allowed in a password. The default is 0.

pwdInHistory

The maximum number of used passwords stored in the pwdHistory attribute of a given entry. Passwords stored in pwdHistory cannot be used as a new password until they are purged from it. The default is 0.

pwdAllowUserChange

Not currently used.

orclpwdPolicyEnable

When this is true, the server evaluates this policy. Otherwise, the policy is ignored and not enforced. The default is 1 (true).

orclpwdEncryptionEnable

When set to true, enables password encryption. The default is 0 (false).

orclpwdAllowHashCompare

Enables or disables logins using the hashed password value. 0 = disabled (default). 1 = enabled.

orclPwdTrackLogin

Enables or disables tracking of user's last login time. 0 = disabled (default). 1= enabled.

orclpwdmaxinactivitytime

Amount of inactive time, in seconds, before an account is automatically expired. 0=disabled (default). The attribute orclPwdTrackLogin must be enabled if orclpwdmaxinactivitytime is non-zero.

See Determining Expired Users in Oracle Internet Directory by Using Command-Line Tools.
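The syntax rules in Table 30-1 are the ones the server applies to userpassword on ldapadd and ldapmodify when pwdCheckSyntax is 1. The following Python is an added example, not Oracle code: it models those checks so a candidate password can be tested against a policy's attribute values (in the string form ldapsearch returns them) before it is submitted. The two policy dicts are constructed. One point is an assumption, because the page does not define it: orclpwdMaxRptChars is treated as the maximum number of times any single character may occur, with 0 meaning no limit. pwdHistory in a real entry holds hashed values; plaintext is used here only to keep the example self-contained.

```python
"""Model of the pwdPolicy syntax checks from Table 30-1 (added example, not Oracle code)."""
from collections import Counter

# Constructed policies. Attribute names are lower-cased because LDAP attribute
# names are case-insensitive; values are strings, as ldapsearch returns them.
DEFAULT_POLICY = {
    "pwdchecksyntax": "1",
    "pwdminlength": "5",
    "orclpwdalphanumeric": "1",
}

STRICT_POLICY = {
    "pwdchecksyntax": "1",
    "pwdminlength": "12",
    "orclpwdalphanumeric": "1",
    "orclpwdminalphachars": "1",
    "orclpwdminspecialchars": "1",
    "orclpwdminuppercase": "1",
    "orclpwdminlowercase": "1",
    "orclpwdmaxrptchars": "2",
    "orclpwdillegalvalues": ["Password1!", "Welcome123!"],
}


def _int(policy, name, default):
    return int(policy.get(name, default))


def check_password_syntax(password, policy, history=()):
    """Return the list of violated rules; an empty list means the password passes.

    history: previously used passwords (pwdHistory). OID stores hashed values
    there; plaintext is used in this example only.
    """
    if policy.get("pwdchecksyntax", "1") != "1":
        return []  # pwdCheckSyntax 0 disables every syntax check

    violations = []
    digits = sum(c.isdigit() for c in password)
    alphas = sum(c.isalpha() for c in password)
    uppers = sum(c.isupper() for c in password)
    lowers = sum(c.islower() for c in password)
    specials = sum(not c.isalnum() for c in password)

    if len(password) < _int(policy, "pwdminlength", "5"):
        violations.append("pwdMinLength")
    if digits < _int(policy, "orclpwdalphanumeric", "1"):
        violations.append("orclpwdAlphaNumeric")
    if alphas < _int(policy, "orclpwdminalphachars", "0"):
        violations.append("orclpwdMinAlphaChars")
    if specials < _int(policy, "orclpwdminspecialchars", "0"):
        violations.append("orclpwdMinSpecialChars")
    if uppers < _int(policy, "orclpwdminuppercase", "0"):
        violations.append("orclpwdMinUppercase")
    if lowers < _int(policy, "orclpwdminlowercase", "0"):
        violations.append("orclpwdMinLowercase")

    # Assumption: orclpwdMaxRptChars caps how often any one character may
    # occur; 0 (the default) means no limit.
    max_rpt = _int(policy, "orclpwdmaxrptchars", "0")
    if max_rpt and password and max(Counter(password).values()) > max_rpt:
        violations.append("orclpwdMaxRptChars")

    illegal = {v.lower() for v in policy.get("orclpwdillegalvalues", [])}
    if password.lower() in illegal:
        violations.append("orclpwdIllegalValues")

    if password in history:
        violations.append("pwdInHistory")
    return violations
```

Run against the default policy, "abcd1" passes and "abc1" fails only on pwdMinLength; against the strict policy, "Tr0ub4dor&3xx" passes while "aaaa1111!Bbb" fails on orclpwdMaxRptChars. Because the server checks syntax only at add or modify time, a password that was valid under an older policy is not rejected at bind when the policy is tightened later; it is caught when the user next changes it.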

30.1.6 Operational Attributes of User Entry

The Oracle Internet Directory server stores user-specific password policy-related information in operational attributes of the user entry. Only the server can modify these attributes.

They are shown in Table 30-2.

Table 30-2 Password Policy-Related Operational Attributes

Attribute Description

orcllastlogintime

Timestamp of last successful login. Tracked only if the password policy attribute orclPwdTrackLogin is enabled.

pwdfailuretime

A space-delimited set of timestamps of failed login attempts, cleared upon successful login.

orclpwdipaccountlockedtime

Time when account was locked for logins from this IP address. This can be a multivalued attribute.

orclpwdipfailuretime

A space-delimited set of timestamps of failed login attempts from a specific IP address, cleared upon successful login. This can be a multivalued attribute.

pwdaccountlockedtime

Time when account was locked.

pwdchangedtime

Time of last password change.

pwdexpirationwarned

Time when user was warned of password expiration.

pwdgraceusetime

A space-delimited set of timestamps of logins during the grace period.

pwdreset

If the value is 1, the user must reset the password at the next login.

pwdhistory

List of previously used passwords.

To determine the last successful login timestamp of a user, tracking of the last login time must be enabled: set orclPwdTrackLogin to 1 in the relevant password policy (it is 0 by default). Then read the orcllastlogintime attribute of the user entry for the timestamp of the last login.

To determine time of the last login attempt of a user, compare the user's orcllastlogintime attribute with the last timestamp in pwdfailuretime. The most recent of these values is the time of the user's last login attempt.

30.1.7 About Directory Server Verification of Password Policy Information

As explained in About Fine-Grained Password Policies, Oracle Internet Directory determines the applicable policy for an entry by locating the nearest populated pwdPolicySubentry. To ensure that the user password meets the requirements of that policy, the directory server verifies:

  • That the password policy is enabled. It does this by checking the value of the attribute orclpwdpolicyenable in the password policy entry. A value of 1 indicates that the password policy is enabled. A value of 0 indicates that it is disabled.

  • Correctness of password policy syntax information, which includes, for example, the correct number of alphabetic and numeric characters, or the correct password length. The directory server checks the syntax during ldapadd and ldapmodify operations on the userpassword attribute.

  • Password policy state information, which, for example, includes:

    • The timestamp of the user password creation or modification

    • That the minimum password age is greater than the current time minus the time of password creation

    • The timestamp of consecutive failed login attempts by the user

    • The time at which the user account was locked

    • Indicator that the password has been reset and must be changed by the user on first authentication

    • A history of user's previously used passwords

    • Time stamps of grace logins

    If the grace login is set by time period, the server checks the time discrepancy between the current time and the expiration.

    The directory server checks the state information during ldapbind and ldapcompare operations, but does so only if the orclpwdpolicyenable attribute is set to 1.

    To enable password value syntax checking, set both orclpwdpolicyenable and pwdcheckSyntax in the password policy entry to 1.

30.1.8 About Password Policy Error Messages

Whenever there are password policy violations, the directory server sends to the client various error and warning messages.

In Oracle Internet Directory, 10g (10.1.4.0.1) or later, the directory server can send these messages as LDAP controls only if the client sends a password policy request control as a part of an LDAP bind or compare operation. If the client does not send the request control, then the directory server does not send the response controls. Instead, it sends errors and warnings as part of additional information.

See:

Troubleshooting Password Policies for a list of the messages and information about how to resolve them

30.2 Managing Password Policies by Using Oracle Directory Services Manager

You can use Oracle Directory Services Manager to create, assign, and modify password policies.

This section describes managing password policies:

30.2.1 Viewing Password Policies by Using Oracle Directory Services Manager

To view password policies by using Oracle Directory Services Manager, perform the following steps:

  1. Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server as described in Invoking Oracle Directory Services Manager.
  2. From the task selection bar, select Security.
  3. Expand Password Policy in the left pane. All of the password policies appear in the left pane, listed by relative DN. Mouse over an entry to see the full DN.
  4. Select a password policy to display its information in the right pane.

30.2.2 Modifying Password Policies by Using Oracle Directory Services Manager

To modify the password policies, perform the following steps:

  1. Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server as described in Invoking Oracle Directory Services Manager.
  2. From the task selection bar, select Security.
  3. Expand Password Policy in the left pane. All of the password policies appear in the left pane.
  4. Select the password policy you want to modify. Five tab pages appear in the right pane.
  5. In the General tab page, modify the editable attribute fields as needed.
  6. Select the Account Lockout tab page and, to modify the fields, select Global Lockout. Modify the editable attribute fields as needed.
  7. Select the IP Lockout tab page and, to modify the fields, select IP Lockout. Modify the editable attribute fields as needed.
  8. Select the Password Syntax tab page and, to modify the fields, select Check Password Syntax. Modify the editable attribute fields as needed.
  9. Select the Effective Subtree tab page to modify the subtree to which the policy applies. To add a subtree, select the Add icon. Either enter the DN, or select Browse, then use the Select Distinguished Name (DN) Path window to navigate to the subtree to which you want the policy to apply.
  10. When you are finished, choose Apply.

30.2.3 Creating a Password Policy and Assigning it to a Subtree by Using ODSM

To create a new password policy, perform the following steps:

  1. Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server as described in Invoking Oracle Directory Services Manager.
  2. From the task selection bar, select Security.
  3. Expand Password Policy in the left pane. All of the password policies appear in the left pane.
  4. To create a new policy, select Create. Alternatively, select an existing password policy in the left pane and select Create Like.
  5. In the General tab page, set or modify the editable attribute fields as needed.
  6. Select the Account Lockout tab page and, to modify the fields, select Global Lockout. Modify the editable attribute fields as needed.
  7. Select the IP Lockout tab page and, to modify the fields, select IP Lockout. Modify the editable attribute fields as needed.
  8. Select the Password Syntax tab page and, to modify the fields, select Check Password Syntax. Modify the editable attribute fields as needed.
  9. To assign the password policy to a subtree, select the Effective Subtree tab page, then select Add. Either enter the DN, or select Browse, then use the Select Distinguished Name (DN) Path window to navigate to the subtree to which you want the policy to apply.
  10. When you are finished, choose Apply.

30.3 Managing Password Policies by Using Command-Line Tools

This section describes managing password policies using command-line tools in detail:

30.3.1 Viewing Password Policies by Using Command-Line Tools

The following example retrieves password policies under a specific password policy container:

ldapsearch -p port -h host \
           -b "cn=pwdPolicies,cn=common,cn=products,cn=OracleContext, \
               o=my_company,dc=com" \
           -s sub "(objectclass=pwdpolicy)"

The following example retrieves all password policy entries:

ldapsearch -p port -h host -b "" -s sub "(objectclass=pwdpolicy)"

30.3.2 Creating a New Password Policy by Using Command-Line Tools

You create a new password policy by adding a policy entry to the appropriate container.

A good way to do this is as follows:

  1. Dump the contents of the default entry, cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext, to an LDIF file by using ldapsearch. For example:
    ldapsearch -p port -h host -D cn=orcladmin -q -L \
       -b 'cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext' \
       -s base '(objectclass=pwdpolicy)' > pwdpolicy.ldif
    

    As an alternative to ldapsearch, you could use ldifwrite. Ensure DOMAIN_HOME is set, then type:

    ldifwrite connect="conn_str" \
      baseDN="cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext" \
      ldiffile="pwdpolicy.ldif"
  2. Modify the LDIF file so that it has the common name and desired values for the new policy. For example, you might change cn=default to cn=policy1 and change pwdMaxFailure from 10 to 5.
  3. Add the new entry by using ldapadd. You would use a command line of the form:
    ldapadd -p port_number -h host -D cn=orcladmin -q -f pwdpolicy.ldif
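Step 2 of this procedure is a hand edit of the dumped LDIF. The following Python performs it programmatically, so a new policy always starts from the server's real defaults rather than a retyped file. It is an added example, not Oracle tooling. The DEFAULT_LDIF dump is constructed and abbreviated (a real dump carries every pwdPolicy attribute); the OPERATIONAL set is an assumption about server-maintained attributes a dump may contain that ldapadd must not receive; base64-encoded (::) values are not handled.

```python
"""Derive a new pwdPolicy entry from the LDIF dump of cn=default (added example)."""
import re

# Constructed, abbreviated dump as ldapsearch -L would print it, including a
# folded dn line (a leading space continues the previous line).
DEFAULT_LDIF = """\
dn: cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,o=my_compa
 ny,dc=com
cn: default
objectclass: top
objectclass: pwdpolicy
orclpwdpolicyenable: 1
pwdmaxfailure: 10
pwdlockout: 1
pwdlockoutduration: 86400
pwdmaxage: 10368000
pwdminlength: 5
"""

# Assumption: server-maintained attributes that a dump may include and that
# must be dropped before ldapadd.
OPERATIONAL = {"createtimestamp", "modifytimestamp", "creatorsname",
               "modifiersname", "orclguid", "orclnormdn"}


def unfold(ldif):
    """Join LDIF continuation lines and drop blank lines."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return [line for line in lines if line.strip()]


def fold(line, width=76):
    """Fold a long LDIF line RFC 2849 style: continuation lines start with a space."""
    out = [line[:width]]
    rest = line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(out)


def derive_policy_ldif(default_ldif, new_cn, overrides):
    """Return LDIF for a new policy named new_cn with overrides applied.

    overrides maps an attribute name (any case) to its new single value;
    attributes not mentioned keep the default policy's values.
    """
    overrides = {k.lower(): str(v) for k, v in overrides.items()}
    out, seen = [], set()
    for line in unfold(default_ldif):
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not an attribute line
        key, value = name.strip().lower(), value.strip()
        if key in OPERATIONAL:
            continue
        if key == "dn":
            # Replace the RDN of the default entry, keep the container
            value = re.sub(r"^cn=[^,]+", f"cn={new_cn}", value, flags=re.IGNORECASE)
        elif key == "cn":
            value = new_cn
        elif key in overrides:
            if key in seen:
                continue  # an overridden attribute becomes single-valued
            value = overrides[key]
        seen.add(key)
        out.append(fold(f"{name.strip()}: {value}"))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Writes pwdpolicy.ldif for step 3: ldapadd ... -f pwdpolicy.ldif
    with open("pwdpolicy.ldif", "w") as fh:
        fh.write(derive_policy_ldif(DEFAULT_LDIF, "policy1", {"pwdMaxFailure": 5}))
```

Feed the real dump in place of DEFAULT_LDIF and the result of step 3 is a policy that differs from cn=default only in the attributes you named, which is what you want when a later release adds attributes you would otherwise forget to copy.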

30.3.3 Applying a Password Policy to a Subtree by Using Command-Line Tools

You can use Command-Line Tools to apply password policy to a subtree.

To apply the new password policy to the subtree rooted at cn=accounting,c=us, you would use a command line such as:

ldapmodify -D "cn=orcladmin" -q -p port -h host -f my_file.ldif

with an LDIF file such as this:

dn: cn=accounting,c=us
changetype: modify
replace: pwdPolicysubentry
pwdPolicysubentry: cn=policy1,cn=pwdPolicies,cn=common,cn=products,
 cn=OracleContext,o=my_company,dc=com

30.3.4 Setting Password Policies by Using Command-Line Tools

The following example disables account lockout in the default password policy by changing the pwdLockout attribute from its default of 1 to 0.

The file my_file.ldif contains:

dn: cn=default,cn=pwdPolicies,cn=common,cn=products,cn=OracleContext,
 o=my_company,dc=com
changetype: modify
replace: pwdlockout
pwdlockout: 0

The following command loads this file into the directory:

ldapmodify -D "cn=orcladmin" -q -p port -h host -f my_file.ldif

The following example modifies pwdMaxAge in the default password policy entry.

ldapmodify -D "cn=orcladmin" -q -p port -h host -f file

where file contains:

dn: cn=default,cn=pwdPolicies,cn=common,cn=products,cn=OracleContext,
 o=my_company,dc=com
changetype: modify
replace: pwdMaxAge
pwdMaxAge: 10000

30.3.5 Making a Password Policy Entry Specific by Using Command-Line Tools

If the password policy is reset for a large number of users, Oracle Internet Directory server must refresh its passwordPolicySubentry cache, which can affect performance by causing a large number of SQL query requests to the Oracle database.

Beginning with Oracle Internet Directory 11g Release 1 (11.1.1.7.0), you can restrict a password policy to a single entry by using the entrylevel subtype of the pwdPolicySubentry attribute. For example, the following command assigns a password policy to the user A_user only:

ldapmodify -D "cn=orcladmin" -q -p port -h host -f pwdpolicy.ldif

where pwdpolicy.ldif contains:

dn: cn=A_user,cn=users,dc=us,dc=mycompany,dc=com
changetype: modify
add: pwdpolicysubentry;entrylevel
pwdpolicysubentry;entrylevel: cn=pwdpolicies,dc=us,dc=mycompany,dc=com

The password policy applies only to A_user. If the entrylevel subtype is missing in the entry for the pwdpolicysubentry attribute, then the password policy applies to the entire subtree.
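The following Python is an added example, not Oracle code, that models how the server picks a policy for an entry: the resolution rule from About Fine-Grained Password Policies (nearest ancestor with a populated pwdPolicySubentry; a pointer to a disabled policy stops the search rather than falling back to a parent) together with the entrylevel subtype from this section, which governs the entry itself but none of its descendants. The directory content is constructed, DNs are split on "," and contain no escaped commas, and a pointer to a non-existent policy entry is treated like a disabled one.

```python
"""Model of password-policy resolution for an entry (added example, not Oracle code)."""

POLICIES = "cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext,o=my_company,dc=com"
DEFAULT = f"cn=default,{POLICIES}"
STRICT = f"cn=policy1,{POLICIES}"
DISABLED = f"cn=nopolicy,{POLICIES}"

# Constructed DIT: DN -> attributes, names lower-cased (LDAP names are case-insensitive).
DIT = {
    "o=my_company,dc=com": {"pwdpolicysubentry": DEFAULT},
    "cn=accounting,o=my_company,dc=com": {"pwdpolicysubentry": STRICT},
    "cn=jdoe,cn=accounting,o=my_company,dc=com": {},
    # entrylevel subtype: this service account alone falls back to the default policy
    "cn=svc,cn=accounting,o=my_company,dc=com": {"pwdpolicysubentry;entrylevel": DEFAULT},
    "cn=app,cn=svc,cn=accounting,o=my_company,dc=com": {},
    # a disabled policy leaves this subtree with no enforced policy at all
    "cn=contractors,o=my_company,dc=com": {"pwdpolicysubentry": DISABLED},
    "cn=temp1,cn=contractors,o=my_company,dc=com": {},
    DEFAULT: {"orclpwdpolicyenable": "1", "pwdmaxfailure": "10"},
    STRICT: {"orclpwdpolicyenable": "1", "pwdmaxfailure": "5"},
    DISABLED: {"orclpwdpolicyenable": "0", "pwdmaxfailure": "3"},
}


def parent_dn(dn):
    """Strip the leftmost RDN; None at the top of the tree."""
    _, sep, parent = dn.partition(",")
    return parent if sep else None


def resolve_policy(dn, dit=DIT):
    """Return the DN of the enabled policy governing dn, or None if none is enforced."""
    current = dn
    while current is not None:
        attrs = dit.get(current, {})
        if current == dn and attrs.get("pwdpolicysubentry;entrylevel"):
            pointer = attrs["pwdpolicysubentry;entrylevel"]  # entry itself only
        else:
            pointer = attrs.get("pwdpolicysubentry")  # plain subtype covers the subtree
        if pointer:
            # Nearest populated pointer wins; if it names a disabled (or missing)
            # policy the server does not keep walking up (30.1.3 note).
            enabled = dit.get(pointer, {}).get("orclpwdpolicyenable") == "1"
            return pointer if enabled else None
        current = parent_dn(current)
    return None


def effective_attr(dn, name, dit=DIT):
    """Value of one policy attribute as it applies to dn, or None if no policy applies."""
    policy = resolve_policy(dn, dit)
    return dit[policy].get(name) if policy else None
```

In this model cn=jdoe under cn=accounting gets cn=policy1 (pwdMaxFailure 5), cn=svc gets the default policy through its entrylevel pointer while cn=app beneath it still gets cn=policy1, and everything under cn=contractors has no enforced policy because the pointer names a disabled one. That last case is the one to audit after setting orclpwdpolicyenable to 0: the subtree is not protected by the parent's policy.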

30.3.6 Determining Expired Users in Oracle Internet Directory by Using Command-Line Tools

In some situations, you might want to determine expired users and then take a specific action, such as deleting those users from the directory.

Note:

Oracle Internet Directory expired users are not indicated by a specific attribute. An expired user is in a transient state that depends on the system time, the maximum inactive time allowed, and the user's last successful login time. The expired state is determined during a bind or password compare operation for the user.

To determine the expired users, your Oracle Internet Directory deployment must be configured as follows:

  • The tracking of each user's last successful login time must be enabled by setting the orclPwdTrackLogin attribute to 1.

  • The orclpwdmaxinactivitytime attribute must be set to a value other than 0 (the default). This attribute specifies the inactive time in seconds before a user's account is automatically considered to be expired.

To determine if a user's account is considered to be expired:

  1. Determine the time stamp of the user's last successful login from the orcllastlogintime attribute. For example:
    ldapsearch -h oid_host -p oid_port -D "cn=orcladmin" -q -s base \
    -b "cn=jdoe,cn=users,o=oracle" "(objectclass=*)" orcllastlogintime
    
  2. Subtract the user's orcllastlogintime value from the current system time. If the result is greater than the orclpwdmaxinactivitytime value, then the user is considered to be in the expired state.
  3. If you wish, delete the expired user from the directory.
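The arithmetic in step 2 is one of several state checks the server performs at bind time. The following Python is an added example, not Oracle code, that applies the checks from Operational Attributes of User Entry, About Directory Server Verification of Password Policy Information and this section to attribute values in the form ldapsearch returns them: lockout, the failure counter, expiry with its warning window and grace logins, the reset flag, and inactivity expiry. The policy, the four user entries and the fixed clock NOW are constructed. Two points are assumptions the page does not state: a pwdLockoutDuration of 0 is treated as locked until an administrator resets the password, and a user with no orcllastlogintime is not treated as inactive.

```python
"""Password-policy state of a user entry from its operational attributes (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed policy: default values plus login tracking with a 90-day limit.
POLICY = {"pwdmaxage": "10368000", "pwdexpirewarning": "604800",
          "pwdlockoutduration": "86400", "pwdfailurecountinterval": "3600",
          "pwdgraceloginlimit": "5", "orclpwdgracelogintimelimit": "0",
          "orclpwdtracklogin": "1", "orclpwdmaxinactivitytime": "7776000"}

# Constructed user entries; multi-valued attributes are lists.
USERS = {
    "locked": {"pwdaccountlockedtime": "20240315100000Z",
               "pwdfailuretime": ["20240314115000Z", "20240315115000Z", "20240315115500Z"],
               "pwdchangedtime": "20240301120000Z"},
    "expired": {"pwdchangedtime": "20231101120000Z",
                "pwdgraceusetime": ["20240301080000Z", "20240302080000Z"],
                "orcllastlogintime": "20240302080000Z"},
    "warned": {"pwdchangedtime": "20231120120000Z", "orcllastlogintime": "20240314090000Z"},
    "inactive": {"pwdchangedtime": "20240201120000Z", "orcllastlogintime": "20231201000000Z",
                 "pwdreset": "1"},
}


def parse_gt(ts):
    """Parse a UTC LDAP GeneralizedTime value such as 20240315120000Z."""
    return datetime.strptime(ts, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


NOW = parse_gt("20240315120000Z")  # fixed clock so the example is reproducible


def _secs(policy, name, default="0"):
    return int(policy.get(name, default))


def _values(user, name):
    v = user.get(name, [])
    return v if isinstance(v, list) else [v]


def evaluate_state(user, policy, now):
    """Return what the server would conclude about this entry at bind time."""
    state = {"locked": False, "failures_counted": 0, "expiry_warning": False,
             "password_expired": False, "grace_login_allowed": False,
             "grace_logins_left": None, "inactive_expired": False,
             "must_reset": user.get("pwdreset") == "1"}

    # Lockout: pwdAccountLockedTime plus pwdLockoutDuration. Once the duration
    # has passed, the next correct bind succeeds and clears the lock (30.1.4).
    # Assumption: a duration of 0 means locked until an administrator resets.
    if user.get("pwdaccountlockedtime"):
        duration = _secs(policy, "pwdlockoutduration", "86400")
        until = parse_gt(user["pwdaccountlockedtime"]) + timedelta(seconds=duration)
        state["locked"] = duration == 0 or now < until

    # Failure counter: timestamps older than pwdFailureCountInterval are purged;
    # 0 (the default) keeps them until a successful bind clears them.
    interval = _secs(policy, "pwdfailurecountinterval")
    failures = [parse_gt(t) for t in _values(user, "pwdfailuretime")]
    if interval:
        failures = [t for t in failures if now - t <= timedelta(seconds=interval)]
    state["failures_counted"] = len(failures)

    # Expiry: pwdChangedTime plus pwdMaxAge (0 = never), the pwdExpireWarning
    # window before it, and grace logins after it.
    max_age = _secs(policy, "pwdmaxage", "10368000")
    if max_age and user.get("pwdchangedtime"):
        expires = parse_gt(user["pwdchangedtime"]) + timedelta(seconds=max_age)
        warn = timedelta(seconds=_secs(policy, "pwdexpirewarning", "604800"))
        state["expiry_warning"] = expires - warn <= now < expires
        if now >= expires:
            state["password_expired"] = True
            grace_time = _secs(policy, "orclpwdgracelogintimelimit")
            if grace_time:  # time-based grace; the count-based limit must then be 0
                state["grace_login_allowed"] = now < expires + timedelta(seconds=grace_time)
            else:
                left = _secs(policy, "pwdgraceloginlimit", "5") - len(_values(user, "pwdgraceusetime"))
                state["grace_logins_left"] = max(left, 0)
                state["grace_login_allowed"] = left > 0

    # Inactivity expiry (this section): needs orclPwdTrackLogin=1, a non-zero
    # orclpwdmaxinactivitytime and a recorded last login.
    max_idle = _secs(policy, "orclpwdmaxinactivitytime")
    if policy.get("orclpwdtracklogin") == "1" and max_idle and user.get("orcllastlogintime"):
        idle = now - parse_gt(user["orcllastlogintime"])
        state["inactive_expired"] = idle > timedelta(seconds=max_idle)
    return state


def last_login_attempt(user):
    """Most recent of orcllastlogintime and pwdfailuretime (30.1.6), or None."""
    stamps = _values(user, "pwdfailuretime") + _values(user, "orcllastlogintime")
    return max((parse_gt(t) for t in stamps), default=None)
```

Run the ldapsearch from step 1 with the operational attributes named above in its attribute list, load the result into a dict of this shape, and evaluate_state gives the same answer the server reaches at bind time, without having to bind as the user. The inactivity result is only meaningful where orclPwdTrackLogin was already 1 when the user last logged in; entries with no orcllastlogintime need a separate decision.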