30 Managing Password Policies
Note:
All references to Oracle Delegated Administration Services in this guide refer to Oracle Delegated Administration Services 10g (10.1.4.3.0) or later.
30.1 Overview of Managing Password Policies
A password policy is a set of rules governing how passwords are used. When a user attempts to bind to the directory, the directory server ensures that the password meets the various requirements set in the password policy.
When you establish a password policy, you set the following types of rules, to mention just a few:
- The maximum length of time a given password is valid
- The minimum number of characters a password must contain
- The number of numeric characters required in a password
30.1.1 Introduction to Password Policy Rules
Password policies are sets of rules that govern password syntax and how passwords are used.
Password policies enforced by Oracle Internet Directory include:
- The maximum length of time a given password is valid
- The minimum number of characters a password must contain
- The minimum number of numeric characters required in a password
- The minimum number of alphabetic characters
- The minimum number of repeated characters
- The use of uppercase and lowercase
- The minimum number of non-alphanumeric characters (that is, special characters)
- That users change their passwords periodically
- The minimum and maximum time between password changes
- The grace period for logins after password expiration, by time or by number of logins
- That users cannot reuse previously used passwords
30.1.2 Creating and Applying a Password Policy
In general, establishing a password policy requires the following steps:
30.1.3 About Fine-Grained Password Policies
In 10g (10.1.4.0.1) and later, Oracle Internet Directory supports multiple password policies in each realm. You can apply these policies to any subtree within that realm. This means that you can have entry-specific password policies. You can specify password policies as realm-specific or directory-wide in scope.
To achieve the desired scope, you must create the password policy entry in the appropriate container. Password policies are populated under a "cn=pwdPolicies" container created under the "cn=common" entry in each realm. By default these containers contain a password policy with the RDN "cn=default". The directory-specific default password policy, for example, has the DN: cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext.
You can create other policies under the pwdPolicies container, with different RDNs. Figure 30-1 illustrates this scenario.
Figure 30-1 Location of Password Policy Entries
Figure 30-2 pwdPolicy subentry Attributes Populated with DN of Password Policy
At run time, Oracle Internet Directory resolves the applicable password policy on an entry by looking for a populated pwdpolicysubentry attribute in the entry and applying the policy pointed to by its value. If a populated pwdPolicysubentry attribute does not exist, Oracle Internet Directory traverses up the directory tree until it finds the nearest ancestor entry with a populated pwdPolicysubentry. Oracle Internet Directory applies the password policy pointed to by the value at that entry.
Note:
- Password policies applied to groups are not automatically applied to group members. You must apply the policy to individual entries or to an ancestor entry.
- You can disable a password policy by setting orclpwdpolicyenable to 0. Doing so leaves that portion of the directory without an applicable password policy. Oracle Internet Directory does not traverse up the DIT to find an enabled policy that is applicable. Setting this attribute to 0 enables you to leave portions of the directory free of password policies when necessary. However, you should consider the implications of making such a change before doing so.
- You must protect password policy entries from anonymous access using Oracle Internet Directory's ACI infrastructure, described in Managing Directory Access Control. This is particularly important when a password policy is weak, as that information can assist an attacker in compromising the directory.
30.1.4 About Default Password Policy
The default password policy for Oracle Internet Directory enforces:
- Password expiration in 120 days
- Account lockout after 10 login failures. Except for the superuser account, all accounts remain locked for a duration of 24 hours unless the passwords are reset by the directory administrator. A user account stays locked even after the lockout duration has passed unless the user binds with the correct password. If the superuser account, cn=orcladmin, becomes locked, it stays locked until you unlock it by using the OID Database Password utility. This utility prompts you for the ODS user password. After you enter the ODS password, it unlocks the account.
  See Also: The oidpasswd command-line tool reference in Oracle Internet Directory Database Password Utility in Reference for Oracle Identity Management for information on unlocking a superuser account
- A minimum password length of five characters with at least one numeric character
- Password expiry warning seven days before expiry
- Five grace logins allowed after password expiry
Beginning in Oracle Internet Directory, Release 9.0.4, the password policy entry in the Root Oracle Context applies to the superuser, but only the password policy governing account lockout is enforced on that account.
Note:
Oracle Identity Management has two distinct types of privileged user. Both privileged user accounts can be locked if certain password policies are activated.
The first type of privileged user, the superuser with the DN cn=orcladmin, is represented as a special user entry found within the default identity management realm. It enables directory administrators to make any modifications to the DIT and any changes to the configuration of Oracle Internet Directory servers. If the superuser (orcladmin) account is locked—for example, as a result of too many attempts to bind with an incorrect password—then an administrator with DBA privileges to the Oracle Internet Directory repository can unlock it by using the oidpasswd tool. To unlock the orcladmin account, execute the command:
oidpasswd connect="connect_string" unlock_su_acct=TRUE
The second privileged user, a realm-specific privileged user, governs capabilities such as creation and deletion of users and groups within a realm. This account is represented by an entry with the DN cn=orcladmin,cn=users,realm DN. Note that, in contrast to the single superuser account, each realm has its own realm-specific privileged user. To unlock the realm-specific privileged account, the first type of privileged user, cn=orcladmin, can modify the account password by using Oracle Directory Services Manager.
The Oracle Internet Directory password policy is applicable to simple binds (based on the userpassword attribute), compare operations on the userpassword attribute, and SASL binds. It does not apply to SSL and proxy binds.
30.1.5 Attributes for Password Policy
The following attributes affect password policy:
Table 30-1 Password Policy Attributes
Name | Function |
---|---|
 | The number of seconds that must elapse between user modifications to the password. The default is 0. |
pwdMaxAge | The maximum time, in seconds, that a password can be valid. Upon reaching this age, the password is considered to have expired. The default is 10368000 seconds (120 days). |
pwdLockout | When this is true, the server locks out a user after a number of consecutive invalid login attempts. The number is specified by |
 | When this is true, the server locks out a user after a number of consecutive invalid login attempts from the same IP address. The number is specified by |
 | The time period in seconds to lock out a user account when the threshold of invalid login attempts is reached. The default is 86400 seconds (24 hours). |
 | The time period in seconds to lock out a user account when the threshold of invalid login attempts from the same IP address is reached. The default is 0. |
 | The maximum number of invalid login attempts the server should allow before locking out a user account. The default value is 10. |
 | The maximum number of invalid login attempts the server should allow from a particular IP address before locking the user account. The default is 0. |
 | The time in seconds after which the password failures are purged from the failure counter, even though no successful authentication occurred. If the value is 0, failure times are never purged. The default is 0. |
 | The maximum number of seconds before a password is due to expire that expiration warning messages are returned to an authenticating user. The default value is 604800 seconds (seven days). |
pwdchecksyntax | Enables or disables password syntax check. 0 = Disable all syntax checks. 1 = Enable password syntax value checks, except for encrypted passwords (default). |
 | The minimum length of a password governed by this policy. The default is 5 characters. |
 | The maximum number of grace logins allowed after a password expires. The default is 5. The maximum is 250. |
 | The maximum period in seconds where grace logins are allowed after a password expires. If |
 | Requires users to reset their password upon their first login after account creation or after a password has been reset by the administrator. The default is 0 (false). |
 | A list of values that are not allowed as passwords. |
 | The minimum number of numeric characters required in a password. The default is 1. |
 | The minimum number of alphabetic characters required in a password. The default is 0. |
 | The minimum number of non-alphanumeric characters (that is, special characters) required in a password. The default is 0. |
 | The minimum number of uppercase characters required in a password. The default is 0. |
 | The minimum number of lowercase characters required in a password. The default is 0. |
 | The maximum number of repeated characters allowed in a password. The default is 0. |
 | The maximum number of used passwords stored in the |
 | Not currently used. |
orclpwdpolicyenable | When this is true, the server evaluates this policy. Otherwise, the policy is ignored and not enforced. The default is 1 (true). |
 | When set to true, enables password encryption. The default is 0 (false). |
 | Enables or disables logins using the hashed password value. 0 = disabled (default). 1 = enabled. |
orclPwdTrackLogin | Enables or disables tracking of a user's last login time. 0 = disabled (default). 1 = enabled. |
orclpwdmaxinactivitytime | Amount of inactive time, in seconds, before an account is automatically expired. 0 = disabled (default). See Determining Expired Users in Oracle Internet Directory by Using Command-Line Tools. |
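The syntax rows of Table 30-1 (minimum length, numeric, alphabetic, special, uppercase and lowercase counts, repeated characters, illegal values, password history) are easiest to understand by running candidate passwords through them. The following checker is an added example written for this page, not Oracle code; its policy fields are named after the table rows rather than the LDAP attribute names, the defaults follow the table, and the reading of "maximum number of repeated characters" as the highest occurrence count of any single character is an assumption. It also honours the two switches the table describes: a policy whose orclpwdpolicyenable or pwdchecksyntax is 0 enforces nothing.

```python
from dataclasses import dataclass


@dataclass
class SyntaxPolicy:
    """Syntax-related settings of one password policy; defaults follow Table 30-1.
    Field names follow the table rows, not the LDAP attribute names."""
    enabled: bool = True        # orclpwdpolicyenable (1 = policy is evaluated)
    check_syntax: bool = True   # pwdchecksyntax (1 = syntax checks are on)
    min_length: int = 5
    min_numeric: int = 1
    min_alpha: int = 0
    min_special: int = 0        # non-alphanumeric characters
    min_upper: int = 0
    min_lower: int = 0
    max_repeated: int = 0       # 0 = no limit (assumed reading of the table row)
    illegal_values: tuple = ()  # values that may never be used as a password
    history_size: int = 0       # number of previous passwords that may not be reused


def _max_char_count(password):
    # "Maximum number of repeated characters" is read here as the largest number
    # of times any single character occurs in the password (assumption).
    return max((password.count(c) for c in set(password)), default=0)


def check_password(password, policy, history=()):
    """Return the names of the rules the candidate password violates.

    An empty list means the password is acceptable under `policy`. `history`
    holds the user's previous passwords, newest last (constructed here as clear
    text for the demo; the directory keeps hashed values).
    """
    if not policy.enabled or not policy.check_syntax:
        return []  # a disabled policy or disabled syntax check enforces nothing

    counts = {
        "min_length": len(password),
        "min_numeric": sum(c.isdigit() for c in password),
        "min_alpha": sum(c.isalpha() for c in password),
        "min_special": sum(not c.isalnum() for c in password),
        "min_upper": sum(c.isupper() for c in password),
        "min_lower": sum(c.islower() for c in password),
    }
    violations = [rule for rule, n in counts.items() if n < getattr(policy, rule)]
    if policy.max_repeated and _max_char_count(password) > policy.max_repeated:
        violations.append("max_repeated")
    if password in policy.illegal_values:
        violations.append("illegal_values")
    if policy.history_size and password in history[-policy.history_size:]:
        violations.append("history")
    return violations


if __name__ == "__main__":
    strict = SyntaxPolicy(min_special=1, min_upper=1, max_repeated=2, history_size=3)
    for candidate in ("abcde1", "ab1", "Aaaa1!", "Secret1!"):
        print(candidate, check_password(candidate, strict, history=("Secret1!",)))
```

Running the checker against a proposed policy before deploying it shows which of your existing password conventions it would reject, and the returned rule names map directly onto the tabs in Oracle Directory Services Manager where the corresponding attribute is set.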
30.1.6 Operational Attributes of User Entry
The Oracle Internet Directory server stores user-specific password policy-related information in operational attributes of the user entry. Only the server can modify these attributes.
They are shown in Table 30-2.
Table 30-2 Password Policy-Related Operational Attributes
Attribute | Description |
---|---|
orcllastlogintime | Timestamp of last successful login. Tracked only if the password policy attribute |
pwdfailuretime | A space-delimited set of timestamps of failed login attempts, cleared upon successful login. |
 | Time when account was locked for logins from this IP address. This can be a multivalued attribute. |
 | A space-delimited set of timestamps of failed login attempts from a specific IP address, cleared upon successful login. This can be a multivalued attribute. |
 | Time when account was locked. |
 | Time of last password change. |
 | Time when user was warned of password expiration. |
 | A space-delimited set of timestamps of logins during the grace period. |
 | If the value is 1, the user must reset the password at the next login. |
 | List of previously used passwords. |
To determine the last successful login timestamp of a user, tracking of a user's last login time must be enabled. That is, the PwdTrackLogin attribute must be set to 1 for the relevant password policy. This value is not set by default. Then, check the orcllastlogintime attribute of the user entry for the timestamp of the last login.
To determine the time of the last login attempt of a user, compare the user's orcllastlogintime attribute with the last timestamp in pwdfailuretime. The most recent of these values is the time of the user's last login attempt.
30.1.7 About Directory Server Verification of Password Policy Information
As explained in About Fine-Grained Password Policies, Oracle Internet Directory determines the applicable policy for an entry by locating the appropriate populated pwdPolicysubentry. To ensure that the user password meets the requirements of a given policy, the directory server verifies:
- That the password policy is enabled. It does this by checking the value of the attribute orclpwdpolicyenable in the password policy entry. A value of 1 indicates that the password policy is enabled. A value of 0 indicates that it is disabled.
- Correctness of password policy syntax information, which includes, for example, the correct number of alphabetic and numeric characters, or the correct password length. The directory server checks the syntax during ldapadd and ldapmodify operations on the userpassword attribute.
- Password policy state information, which, for example, includes:
  - The timestamp of the user password creation or modification
  - That the minimum password age is greater than the current time minus the time of password creation
  - The timestamp of consecutive failed login attempts by the user
  - The time at which the user account was locked
  - Indicator that the password has been reset and must be changed by the user on first authentication
  - A history of the user's previously used passwords
  - Time stamps of grace logins
  If the grace login is set by time period, the server checks the time discrepancy between the current time and the expiration.
  The directory server checks the state information during ldapbind and ldapcompare operations, but does so only if the orclpwdpolicyenable attribute is set to 1. To enable password value syntax checking, set the attributes orclpwdpolicyenable and pwdchecksyntax in the password policy entry to TRUE.
30.1.8 About Password Policy Error Messages
Whenever there are password policy violations, the directory server sends to the client various error and warning messages.
In Oracle Internet Directory, 10g (10.1.4.0.1) or later, the directory server can send these messages as LDAP controls only if the client sends a password policy request control as a part of an LDAP bind or compare operation. If the client does not send the request control, then the directory server does not send the response controls. Instead, it sends errors and warnings as part of additional information.
See:
Troubleshooting Password Policies for a list of the messages and information about how to resolve them
30.2 Managing Password Policies by Using Oracle Directory Services Manager
You can use Oracle Directory Services Manager to create, assign, and modify password policies.
30.2.1 Viewing Password Policies by Using Oracle Directory Services Manager
To view password policies by using Oracle Directory Services Manager, perform the following steps:
- Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server as described in Invoking Oracle Directory Services Manager.
- From the task selection bar, select Security.
- Expand Password Policy in the left pane. All of the password policies appear in the left pane, listed by relative DN. Mouse over an entry to see the full DN.
- Select a password policy to display its information in the right pane.
30.2.2 Modifying Password Policies by Using Oracle Directory Services Manager
To modify the password policies, perform the following steps:
- Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server as described in Invoking Oracle Directory Services Manager.
- From the task selection bar, select Security.
- Expand Password Policy in the left pane. All of the password policies appear in the left pane.
- Select the password policy you want to modify. Five tab pages appear in the right pane.
- In the General tab page, modify the editable attribute fields as needed.
- Select the Account Lockout tab page and, to modify the fields, select Global Lockout. Modify the editable attribute fields as needed.
- Select the IP Lockout tab page and, to modify the fields, select IP Lockout. Modify the editable attribute fields as needed.
- Select the Password Syntax tab page and, to modify the fields, select Check Password Syntax. Modify the editable attribute fields as needed.
- Select the Effective Subtree tab page to modify the subtree to which the policy applies. To add a subtree, select the Add icon. Either enter the DN, or select Browse, then use the Select Distinguished Name (DN) Path window to navigate to the subtree to which you want the policy to apply.
- When you are finished, choose Apply.
30.2.3 Creating a Password Policy and Assigning it to a Subtree by Using ODSM
To create a new password policy, perform the following steps:
- Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server as described in Invoking Oracle Directory Services Manager.
- From the task selection bar, select Security.
- Expand Password Policy in the left pane. All of the password policies appear in the left pane.
- To create a new policy, select Create. Alternatively, select an existing password policy in the left pane and select Create Like.
- In the General tab page, set or modify the editable attribute fields as needed.
- Select the Account Lockout tab page and, to modify the fields, select Global Lockout. Modify the editable attribute fields as needed.
- Select the IP Lockout tab page and, to modify the fields, select IP Lockout. Modify the editable attribute fields as needed.
- Select the Password Syntax tab page and, to modify the fields, select Check Password Syntax. Modify the editable attribute fields as needed.
- To assign the password policy to a subtree, select the Effective Subtree tab page, then select Add. Either enter the DN, or select Browse, then use the Select Distinguished Name (DN) Path window to navigate to the subtree to which you want the policy to apply.
- When you are finished, choose Apply.
30.3 Managing Password Policies by Using Command-Line Tools
30.3.1 Viewing Password Policies by Using Command-Line Tools
The following example retrieves password policies under a specific password policy container:
ldapsearch -p port -h host \
  -b "cn=pwdPolicies,cn=common,cn=products,cn=OracleContext,o=my_company,dc=com" \
  -s sub "(objectclass=pwdpolicy)"
The following example retrieves all password policy entries:
ldapsearch -p port -h host -b "" -s sub "(objectclass=pwdpolicy)"
30.3.2 Creating a New Password Policy by Using Command-Line Tools
You create a new password policy by adding a policy entry to the appropriate container.
A good way to do this is as follows:
30.3.3 Applying a Password Policy to a Subtree by Using Command-Line Tools
You can use Command-Line Tools to apply password policy to a subtree.
To apply the new password policy to the subtree cn=accounting,c=us, you would use a command line such as:
ldapmodify -D "cn=orcladmin" -q -p port -h host -f my_file.ldif
with an LDIF file such as this:
dn: cn=accounting,c=us
changetype: modify
replace: pwdPolicysubentry
pwdPolicysubentry: cn=policy1,cn=pwdPolicies,cn=common,cn=products,cn=OracleContext,o=my_company,dc=com
30.3.4 Setting Password Policies by Using Command-Line Tools
The following example disables the pwdLockout attribute in the default password policy. It changes the attribute from its default setting of 1 to 0.
The file my_file.ldif contains:
dn: cn=default,cn=pwdPolicies,cn=common,cn=products,cn=OracleContext,o=my_company,dc=com
changetype: modify
replace: pwdlockout
pwdlockout: 0
The following command loads this file into the directory:
ldapmodify -D "cn=orcladmin" -q -p port -h host -f my_file.ldif
The following example modifies pwdMaxAge in the default password policy entry:
ldapmodify -D "cn=orcladmin" -q -p port -h host -f file
where file contains:
dn: cn=default,cn=pwdPolicies,cn=common,cn=products,cn=OracleContext,o=my_company,dc=com
changetype: modify
replace: pwdMaxAge
pwdMaxAge: 10000
30.3.5 Making a Password Policy Entry Specific by Using Command-Line Tools
If the password policy is reset for a large number of users, the Oracle Internet Directory server must refresh its passwordPolicySubentry cache, which can affect performance by causing a large number of SQL query requests to the Oracle database.
Beginning with Oracle Internet Directory 11g Release 1 (11.1.1.7.0), you can make a password policy entry specific by subtyping it with entrylevel. For example, the following command adds a password policy to A_user:
ldapmodify -D "cn=orcladmin" -q -p port -h host -f pwdpolicy.ldif
where pwdpolicy.ldif contains:
dn: A_user,cn=users,dc=us,dc=mycompany,dc=com
changetype: modify
add: pwdpolicysubentry;entrylevel
pwdpolicysubentry;entrylevel: cn=pwdpolicies,dc=us,dc=mycompany,dc=com
The password policy applies only to A_user. If the entrylevel subtype is missing in the entry for the pwdpolicysubentry attribute, then the password policy applies to the entire subtree.
30.3.6 Determining Expired Users in Oracle Internet Directory by Using Command-Line Tools
In some situations, you might want to determine expired users and then take a specific action, such as deleting those users from the directory.
Note:
Oracle Internet Directory expired users are not indicated by a specific attribute. An expired user is in a transient state that depends on the system time, the maximum inactive time allowed, and the user's last successful login time. The expired state is determined during a bind or password compare operation for the user.
To determine the expired users, your Oracle Internet Directory deployment must be configured as follows:
- The tracking of each user's last successful login time must be enabled by setting the orclPwdTrackLogin attribute to 1.
- The orclpwdmaxinactivitytime attribute must be set to a value other than 0 (the default). This attribute specifies the inactive time in seconds before a user's account is automatically considered to be expired.
To determine if a user's account is considered to be expired:
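Because the expired state is transient and derived rather than stored, a script that hunts for expired users has to recompute it from the same three inputs the server uses: the current time, orclpwdmaxinactivitytime and each user's orcllastlogintime. The following is an added example written for this page, not an Oracle tool; the policy and user entries are constructed. It first refuses to run when the two prerequisites above are not met, and it reports users with no recorded login as "unknown" rather than silently treating them as active or expired.

```python
from datetime import datetime, timezone

# Constructed sample policy and user entries; the attribute names are the ones
# this section uses (orclPwdTrackLogin, orclpwdmaxinactivitytime, orcllastlogintime).
SAMPLE_POLICY = {"orclpwdtracklogin": 1, "orclpwdmaxinactivitytime": 7776000}   # 90 days
USERS = "cn=users,dc=us,dc=mycompany,dc=com"
SAMPLE_USERS = {
    f"cn=alice,{USERS}": {"orcllastlogintime": "20240301080000Z"},   # logged in 9 days ago
    f"cn=bob,{USERS}":   {"orcllastlogintime": "20231101080000Z"},   # idle for 130 days
    f"cn=carol,{USERS}": {},                                         # no login since tracking began
    f"cn=dave,{USERS}":  {"orcllastlogintime": "20231211120000Z"},   # idle for exactly 90 days
}


def parse_time(value):
    """Parse a directory timestamp such as 20240310120000Z as UTC."""
    return datetime.strptime(value.rstrip("Z"), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def expiry_prerequisites(policy):
    """List the configuration gaps that make expired users undeterminable (empty = OK)."""
    problems = []
    if int(policy.get("orclpwdtracklogin", 0)) != 1:
        problems.append("orclPwdTrackLogin is not 1, so last successful logins are not recorded")
    if int(policy.get("orclpwdmaxinactivitytime", 0)) == 0:
        problems.append("orclpwdmaxinactivitytime is 0, so inactivity expiry is disabled")
    return problems


def classify_user(entry, policy, now):
    """Return 'expired', 'active', or 'unknown' when no last-login time has been recorded.

    The state is recomputed from `now`, the policy's maximum inactive time and
    the user's orcllastlogintime, as the server does at bind or compare time.
    """
    last_login = entry.get("orcllastlogintime")
    if not last_login:
        return "unknown"
    idle_seconds = (now - parse_time(last_login)).total_seconds()
    return "expired" if idle_seconds > int(policy["orclpwdmaxinactivitytime"]) else "active"


def find_expired_users(entries, policy, now):
    """Return the sorted DNs of expired users; refuse to guess when the policy cannot tell."""
    problems = expiry_prerequisites(policy)
    if problems:
        raise ValueError("; ".join(problems))
    return sorted(dn for dn, attrs in entries.items()
                  if classify_user(attrs, policy, now) == "expired")


if __name__ == "__main__":
    now = parse_time("20240310120000Z")
    for dn, attrs in SAMPLE_USERS.items():
        print(dn, classify_user(attrs, SAMPLE_POLICY, now))
    print("expired:", find_expired_users(SAMPLE_USERS, SAMPLE_POLICY, now))
```

The "unknown" bucket matters operationally: enabling orclPwdTrackLogin on an existing directory does not backfill orcllastlogintime, so accounts that have not bound since the change cannot be classified from this data alone and should be reviewed separately before any deletion.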