Managing Password Policies

30 Managing Password Policies

A password policy is a set of rules governing the use of passwords in the system and it is an integral component of any security strategy employed for your directory. Oracle Unified Directory includes a default password policy for general users and a default password policy for root users. These default password policies reside in the directory server's configuration and they can be modified.

In addition to default password policies, Oracle Unified Directory supports multiple password policies, which allows you to create and configure specialized password policies for a specific set of users. Customized password policies can be defined as LDAP subentries and stored with the user data, which allows the policies to be replicated across servers.

Oracle Unified Directory uses the dsconfig utility and Oracle Unified Directory Services Manager (OUDSM) to configure and manage password policies.

Topics:

30.1 Understanding Password Policy Components

Review this topic for the various components that are configurable in all password policies.

All password policies involve the following configurable components:

Password complexity requirements. Specifies the password's composition and required number of characters. Typically, you would specify the minimum number of characters used in a password, the type of characters allowed, and the required number of numeric characters. For example, many institutions require a minimum of seven or eight characters, one numeral, one special character, as well as a mix of uppercase and lowercase letters.
Password history. Determines the number of unique passwords that users must use before they can reuse an old password.
Maximum password age. Determines how long users can use a password before they are allowed, or required, to change it.
Minimum password age. Determines how long users must keep a new password before they can change it.
First Login. Determines if users are required to change their password when they first log in to the system.
Authorized password change. Refers to the conditions under which users can change their password. For example, you can configure the server so that before users can change their password, they must enter their current password to authenticate their identity before entering a new password.
Account lockout. Determines under which conditions an account is disabled for access by the user. For example, you can configure the server to that if a user fails to properly authenticate after three attempts, then the account will be locked on the fourth attempt. After which, an administrator must manually unlock the account for that user.
Password storage scheme. Determines how to encrypt the password and store it on the server. You can configure storage schemes for certain accounts on the server. For example, root user passwords require strong encryption due to the importance of the account and its privileges. Thus, you can configure the use the SSHA-512 storage scheme to store root user passwords.

Note:

Oracle Unified Directory provides a Password Expiration Time virtual attribute that can dynamically compute the exact time when a user's password will expire, based on information contained in both the user entry and the applicable password policy.

For more information about virtual attributes, see Configuring Virtual Attributes.

Password validation is not handled directly in the password policy, but by specific password validator entries, the DNs of which are present in the password policy. For more information, see Managing Password Validators.

30.2 Working with the Default Password Policy Properties

Review these topics for a list of the default password policy properties and how to manage these properties.

30.2.1 Default Password Policy Properties

Review this topic for a list of all the properties in a default password policy and their descriptions.

The following table lists the default password policy properties:

Table 30-1 Default Password Policy Properties

Property	Description
`account-status-notification-handler`	Sends messages when events occur during password policy processing. Use this property to specify the DNs of the account status notification handlers to use for this password policy.
`allow-expired-password-changes`	Not recommended. Indicates whether users are allowed to change their passwords after the passwords have expired. The user must issue the request anonymously and include the current password in the request. If enabled, this feature uses the Password Modify Extended Operation, which is enabled by default at initial configuration.
`allow-user-password-changes`	Indicates whether users are allowed to change their own passwords if they have access control rights to do so.
`default-password-storage-scheme`	Specifies the password storage scheme that is used to encode clear-text passwords for this password policy. See password storage scheme.
`deprecated-password-storage-scheme`	Specifies the DNs for password storage schemes that are considered deprecated for this password policy. If a user with this password policy authenticates to the server and his password is encoded with any deprecated schemes, those values are removed and replaced with values encoded using the default password storage scheme.
`expire-password-without-warning`	Indicates whether user passwords are allowed to expire even if the user has not yet seen a password expiration warning. If this is set to `false`, the user is always guaranteed to see at least one warning message even if the password expiration time has passed. The expiration time will be reset to the current time plus the warning interval (`ds-cfg-password-expiration-warning-interval`).
`force-change-on-add`	Indicates whether users are required to change their passwords the first time they use their accounts and before they are allowed to perform any other operation.
`force-change-on-reset`	Indicates whether users are required to change their passwords after an administrative password reset and before they are allowed to perform any other operation.
`grace-login-count`	Specifies the maximum number of grace login that a user should be given. A grace login makes it possible for a user to authenticate to the server even after the password has expired, but the user is not allowed to do anything else until he has changed his password.
`idle-lockout-interval`	Specifies the maximum length of time that a user account can remain idle (that is, that the user may go without authenticating to the directory) before the server locks the account. This action is enforced if `last login time` tracking is enabled and if the `idle lockout interval` is set to a nonzero value.
`last-login-time-attribute`	Specifies the name of the attribute in the user's entry that is used to hold the last login time for the user. If this is provided, the specified attribute must either be defined as an operational attribute in the server schema, or it must be allowed by at least one of the object classes in the user's entry. The `ds-pwp-last-login` operational attribute has been defined for this purpose. Last login time tracking is only enabled if the `ds-cfg-last-login-time-attribute` and `ds-cfg-last-login-time-format` attributes have been configured for the password policy.
`last-login-time-format`	Specifies the format string that should be used to generate the last login time values, which can be any valid format string that can be used with the `java.text.SimpleDateFormat` class. Note: For performance reasons, it might be desirable to configure this attribute so that it only stores the date (format: `yyyyMMdd`) and not the time of the last login. Then, it must only be updated once per day, rather than each time the user may authenticate. Last login time tracking is only enabled if the `ds-cfg-last-login-time-attribute` and `ds-cfg-last-login-time-format` attributes have been configured for the password policy.
`last-login-time-zone`	Specifies the Time Zone String that should be used to generate the last login time value, which can be any valid time zone string. Based on the `last-login-time-zone` that you specify, the `last-login-time` is generated in the same time zone. For example, if you set this attribute to `EST`, the `last-login-time` value is generated in `EST`.
`lockout-duration`	Specifies the length of time that a user account should remain locked due to failed authentication attempts before it is automatically unlocked. A value of "`0 seconds`" indicates that any locked accounts are not automatically unlocked and must be reset by an administrator.
`lockout-failure-count`	Specifies the number of authentication failures required to lock a user account, either temporarily or permanently. A value of zero indicates that automatic lockout is not enabled.
`lockout-failure-expiration-interval`	Specifies the maximum length of time that a previously failed authentication attempt should be counted toward a lockout failure. Note: The record of all previous failed attempts is always cleared upon a successful authentication. A value of "`0 seconds`" indicates that failed attempts are never automatically expired.
`lockout-soft-duration-count`	Specifies the length of time that an account is temporarily locked after too many authentication failures. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds indicates that the account must never be locked temporarily.
`lockout-soft-failure-count`	Specifies the maximum number of authentication failures that a user is allowed before the account is locked temporarily. A value of 0 indicates that accounts are never locked temporarily due to failed attempts.
`max-password-age`	Specifies the maximum length of time that a user is allowed to keep the same password before choosing a new one. This is often known as the password expiration interval. A value of "`0 seconds`" indicates that passwords never expire. If the `ds-cfg-expire-passwords-without-warning` attribute is set to `false`, the effective password expiration time is recalculated to be the time at which the first warning is received, plus the warning interval (`ds-cfg-password-expiration-warning-interval`). This behavior ensures that a user always has the full configured warning interval to change his password.
`max-password-reset-age`	Specifies the maximum length of time that users are allowed to change their passwords after they have been administratively reset and before they are locked out. This is only applicable if the `ds-cfg-force-change-on-reset` attribute is set to `true`. A value of "`0 seconds`" indicates that there are no limits on the length of time that users have to change their passwords after administrative resets.
`min-password-age`	Specifies the minimum length of time that a user is required to have a password value before it can be changed again. Providing a nonzero value ensures that users are not allowed to repeatedly change their passwords to flush their previous password from the history so it can be reused.
`password-attribute`	Specifies the attribute in the user's entry that holds the encoded passwords for the user. The specified attribute must be defined in the server schema, and it must have either the user password syntax or the authentication password syntax. Typically, you enter "userPassword" for the User Password syntax (OID: `1.3.6.1.4.1.26027.1.3.1`). You can also specify, if your server supports it, the value `authPassword` for the authenticated password syntax (OID: `1.3.6.1.4.1.4203.1.1.2`).
`password-change-requires-current-password`	Indicates whether users are required to provide their current password when setting a new password. If this is set to `true`, then users are required to provide their current password when changing their existing password. This may be done using the password modify extended operation, or using a standard LDAP modify operation by deleting the existing password value and adding the new password value in the same modify operation.
`password-expiration-warning-interval`	Specifies the length of time before the password expires that the users should start to receive notification that it is about to expire. This must be given a nonzero value if the `ds-cfg-expire-passwords-without-warning` attribute is set to `false`.
`password-generator`	Specifies the DN for the password generator that should be used with this password policy. The password generator is used with the password modify extended operation to provide a new password for cases in which the client did not include one in the request. If no password generator DN is specified, then the password modify extended operation does not automatically generate passwords for users.
`password-history-count`	Specifies the maximum number of password values that should be maintained in the password history. Whenever a user's password is changed, the server checks the proposed new password against the current password and all passwords stored in the history. If a match is found, then the user is not allowed to use that new password. A value of zero indicates either that the server should not maintain a password history (that is, the password history duration has a value of "`0 seconds`") or that the password history list should be based entirely on duration and no maximum count should be enforced (that is, the password history duration has a value other than "`0 seconds`"). Note: If an administrator reduces the configured password history count to a smaller (but still nonzero) value, each user entry containing password history state information is not impacted until a password change is processed for that user. At that time, any excess history state values is purged from the entry. If the history count is reduced to zero and the password history duration is also set to "0 seconds," any state information in the user's entry is retained in case the feature is reenabled.
`password-history-duration`	Specifies the maximum length of time that a formerly used password should remain in effect in the user's password history. Whenever a user's password is changed, the server checks the proposed new password against the current password and all passwords stored in the history. If a match is found, the user is not allowed to use that new password. A value of "`0 seconds`" indicates either that the server should not maintain a password history (that is, the password history count has a value of "`0`") or that the password history list should be based entirely on count and no maximum duration should be enforced (that is, the password history count has a value other than "`0`").
`password-validator`	Specifies the DNs for password validators that should be used with this password policy. The password validators are invoked whenever a user attempts to provide a new password to determine whether that new password is acceptable.
`previous-last-login-time`	Indicates the next-to-last time that the user authenticated to the server using a `BIND` operation. When the user logs in, Oracle Unified Directory copies the existing `last-login-time` value (in the format that was used when it was written, and only at that time) to `previous-last-login-time`, and then updates the `last-login-time` value to reflect the newer login time.
`previous-last-login-time-format`	Specifies the format string that was used in the past for older last login time values. This value is not necessary unless the `last-login-time` option is enabled and the format in which the values are stored has been changed.
`require-change-by-time`	Specifies a time by which all users with this password policy are required to change their passwords. This option works independently of password expiration (that is, force all users to change their passwords at some point even if password expiration is disabled).
`require-secure-authentication`	Indicates whether users with this password policy are required to authenticate in a secure manner using a secure communication mechanism like SSL, or a secure SASL mechanism like DIGEST-MD5, EXTERNAL, or GSSAPI that does not expose the password in the clear.
`require-secure-password-changes`	Indicates whether users with this password policy are required to make password changes in a secure manner, such as over a secure communication channel like SSL.

30.2.2 Viewing the Properties of the Default Password Policy

You can either use Oracle Unified Directory Services Manager or the dsconfig command to display the properties of the default password policy.

30.2.2.1 Viewing Default Password Policy Properties Using `dsconfig`

To view the properties using dsconfig, run the following command:

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  get-password-policy-prop --policy-name "Default Password Policy"

Property                                  : Value(s)
------------------------------------------:--------------------------
account-status-notification-handler       : -
allow-expired-password-changes            : false
allow-user-password-changes               : true
default-password-storage-scheme           : Salted SHA-1
deprecated-password-storage-scheme        : -
expire-passwords-without-warning          : false
force-change-on-add                       : false
force-change-on-reset                     : false
grace-login-count                         : 0
idle-lockout-interval                     : 0 s
last-login-time-attribute                 : -
last-login-time-format                    : -
last-login-time-zone                      : UTC
lockout-duration                          : 0 s
lockout-failure-count                     : 0
lockout-failure-expiration-interval       : 0 s
max-password-age                          : 0 s
max-password-reset-age                    : 0 s
min-password-age                          : 0 s
password-attribute                        : userpassword
password-change-requires-current-password : false
password-expiration-warning-interval      : 5 d
password-generator                        : Random Password Generator
password-history-count                    : 0
password-history-duration                 : 0 s
password-validator                        : -
previous-last-login-time-format           : -
require-change-by-time                    : -
require-secure-authentication             : false
require-secure-password-changes           : false

To view any advanced properties, include the --advanced option, as follows:

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  get-password-policy-prop --policy-name "Default Password Policy" --advanced

30.2.2.2 Viewing Default Password Policy Properties Using OUDSM

To view the properties using OUDSM:

Connect to the directory server from OUDSM, as described in Connecting to the Server Using OUDSM.
Select the Security tab.
Expand the Password Policy element.
Select Default Password Policy.

The password policy properties, and their values, are displayed in the right-hand pane.

30.2.3 Modifying the Default Password Policy

You can either use Oracle Unified Directory Services Manager or the dsconfig command to modify the different properties of the default password policy.

30.2.3.1 Modifying Default Password Policy Properties Using `dsconfig`

To modify the properties by using dsconfig, run the following command:

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  set-password-policy-prop --policy-name "Default Password Policy" \
  --set allow-expired-password-changes:true

30.2.3.2 Modifying Default Password Policy Properties Using OUDSM

To modify the properties by using OUDSM:

Connect to the directory server from OUDSM, as described in Connecting to the Server Using OUDSM.
Select the Security tab.
Expand the Password Policy element.
Select Default Password Policy.

The password policy properties, and their values, are displayed in the right-hand pane.
Modify the required property and click Apply.

You cannot display or modify advanced properties by using OUDSM.

30.3 Attributes for Password Policy State Information

Password policy state information must be maintained for each user. This information is stored in each user entry as a set of operational attributes, which are typically declared with the NO-USER-MODIFICATION flag to prevent them from being directly modified by end users or administrators.

The password policy includes many operational attributes to maintain the state information, as described in the following table.

Table 30-2 Password Policy Operational Attributes

Attribute	Description
`pwdChangedTime`	This attribute holds the time stamp (in generalized time format) of the last time that the user's password was changed, either by that user or by an administrator. It is automatically set on an add, modify, or password modify operation that sets or alters the user's password, and it should never be cleared or unset. It will be used to determine when the user's password was last changed for the purposes of enforcing the minimum and maximum password ages, and to determine whether to generate expiration warning notifications. It will also be used with the `pwdReset` attribute to enforce the maximum password reset age.
`pwdGraceUseTime`	This attribute holds the time stamps (in generalized time format) of the times that a user authenticated with a grace login after that user's password had expired, to ensure that the maximum number of grace login is enforced. This is automatically set whenever the user authenticates using one of the grace logins, and it is cleared whenever the user's password is changed by that user or reset by an administrator.
`pwdFailureTime`	This attribute holds the time stamps (in generalized time format) of the times that an authentication attempt failed for the user because the wrong password was provided. It is used to enforce the maximum failure account, so that an account may be locked as a result of too many failed attempts. This is set automatically whenever such an authentication failure occurs, and is cleared whenever the user authenticates successfully (whether before the lockout occurs or after the account has been locked and the lockout duration has passed) or whenever the user's password is changed by that user or reset by an administrator.
`pwdHistory`	This attribute holds previous passwords with a time stamp (in generalized time format). It is used if you have set `ds-cfg-password-history-duration`, `ds-cfg-password-history-count`, or both. This is set automatically when you change passwords.
`pwdAccountLockedTime`	This attribute holds the time stamp (in generalized time form) of the time that the user's account was locked after too many failed authentication attempts. It is used to indicate that the account is locked, and to provide information about when the account may be automatically unlocked through the password lockout duration. It is automatically cleared if the user's password is reset by an administrator, or on any authentication attempt (regardless of its success or failure) after the lockout duration has passed. Note: The Oracle Unified Directory password policy implementation does vary from the behavior specified in the password policy draft in one significant way. In the Oracle Unified Directory implementation, this attribute will always hold the time that the account was locked, regardless of whether the account lockout is temporary or permanent. The password policy draft states that in the event that the account should not be automatically unlocked after some period of time, it should be given a special value of `00000101000000Z`. There are several justifications for this variation, but the primary reasons are that the time specified in the draft is actually illegal (the Gregorian calendar does not have a year `0`), and this special value is unnecessary because the determination about whether the account is locked temporarily or permanently may be made based on the value of the `ds-cfg-lockout-duration` attribute (a value of `0` seconds indicates that the account should not be automatically unlocked).
`pwdPolicySubEntry`	This attribute holds the password policy for a given entry. Each object that is controlled by password policy advertises the subentry that is being used to control its policy in its `pwdPolicySubentry` attribute. Users wishing to examine or manage password policy for an object may interrogate the `pwdPolicySubentry` for that object to arrive at the proper `pwdPolicy` subentry.
`ds-pwp-password-policy-dn`	This attribute holds the DN of the configuration entry for the password policy that should be enforced for the associated user. If it is defined, then it must refer to a valid existing password policy definition configuration entry or subentry. If this attribute exists in a user's entry, but does not refer to a valid configuration entry or subentry, then the user is not allowed to authenticate. You can use the `pwdPolicySubentry` operational attribute to verify which policy is in effect for each specific user entry.
`pwdReset`	This attribute holds a Boolean value of `true` if the user's password has been reset by an administrator and must be changed before the user is allowed to perform any other kind of operation. It will be automatically set to `true` when the user's account is added if the `ds-cfg-force-change-on-add` attribute is set to `true`, or on an administrative modify or password modify operation that resets the user's password if the `ds-cfg-force-change-on-reset` attribute is set to `true`. It is automatically cleared whenever the user's password is changed by that user.
`ds-pwp-account-disabled`	This attribute holds a Boolean value of `true` if the user's account has been manually disabled by an administrator, in which case that user is not allowed to authenticate to the directory server. This attribute is never automatically set or cleared by the directory server, but must be manually specified by the administrator, or may be generated as a virtual attribute.
`ds-pwp-last-login-time`	This attribute is provided for use as the default attribute for holding last login time information if that feature should be enabled. If that feature is enabled, then there is no requirement that this attribute be used, and an alternate attribute may be configured if the administrator so chooses.
`ds-pwp-password-changed-by-required-time`	This attribute may hold a generalized time value that is equal to the value of the `ds-cfg-require-change-by-time` attribute in the password policy configuration entry. It is used to indicate whether the user's password has been changed in accordance with that configuration. This attribute is automatically set to the value of the `ds-cfg-require-change-by-time` attribute whenever the user's password is changed (by the end user or an administrator) any time that configuration attribute has a value that is different from the value currently held in the `ds-pwp-password-changed-by-required-time` attribute.
`ds-pwp-warned-time`	This attribute holds a time stamp (in generalized time form) that indicates when the user was first warned about an upcoming password expiration. It is used with the `ds-cfg-expire-passwords-without-warning` configuration attribute to determine whether a user has seen an expiration warning and if so what the new adjusted expiration time should be. It is automatically set by the directory server the first time that a warning notification is sent to indicate that a password is about to expire, and it is cleared whenever the user's password is changed (either by that user or an administrator).

30.4 Attributes Used in the `pwdPolicy` Object Class

The pwdPolicy object class contains the attributes that define a password policy in effect for a set of users.

The following schema definition for the pwdPolicy object class depicts the attributes supported by the LDAP subentry pwdPolicy:

( 1.3.6.1.4.1.42.2.27.8.2.1
         NAME 'pwdPolicy'
         SUP top
         AUXILIARY
         MUST ( pwdAttribute )
         MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $
         pwdMinLength $ pwdExpireWarning $
         pwdGraceAuthNLimit $ pwdLockout $
         pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $
         pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) )

Table 30-3 describes the attributes supported by the pwdPolicy objectclass.

Table 30-3 Attributes Supported by the pwdPolicy ObjectClass

Attribute	Description
`pwdAttribute`	This holds the name of the attribute to which the password policy is applied. For example, the password policy may be applied to the `userPassword` attribute.
`pwdMinAge`	This attribute holds the number of seconds that must elapse between modifications to the password. If this attribute is not present, `0` seconds is assumed.
`pwdMaxAge`	This attribute holds the number of seconds after which a modified password will expire. If this attribute is not present, or if the value is `0` the password does not expire. If not `0`, then the value must be greater than or equal to the value of the `pwdMinAge`.
`pwdInHistory`	This attribute specifies the maximum number of used passwords stored in the `pwdHistory` attribute. If this attribute is not present, or if the value is `0`, then the used passwords are not stored in the `pwdHistory` attribute and thus may be reused.
`pwdCheckQuality`	This attribute indicates how the password quality will be verified while being modified or added. If this attribute is not present, or if the value is `0`, then quality checking is not enforced. A value of `1` indicates that the server will check the quality, and if the server cannot check it (due to a hashed password or other reasons) it will be accepted. A value of `2` indicates that the server will check the quality, and if the server cannot verify it, it will return an error refusing the password.
`pwdMinLength`	When quality checking is enabled, this attribute holds the minimum number of characters that must be used in a password. If this attribute is not present, no minimum password length will be enforced. If the server cannot check the length (due to a hashed password or otherwise), the server will, depending on the value of the `pwdCheckQuality` attribute, either accept the password without checking it (`0` or `1`) or refuse it (`2`).
`pwdExpireWarning`	This attribute specifies the maximum number of seconds before a password is due to expire that expiration warning messages will be returned to an authenticating user. If this attribute is not present, or if the value is `0` no warnings will be returned. If not `0`, then the value must be smaller than the value of the `pwdMaxAge` attribute.
`pwdGraceAuthNLimit`	This attribute specifies the number of times an expired password can be used to authenticate. If this attribute is not present or if the value is `0`, authentication will fail.
`pwdLockout`	This attribute indicates, when its value is `TRUE`, that the password may not be used to authenticate after a specified number of consecutive failed bind attempts. The maximum number of consecutive failed bind attempts is specified in `pwdMaxFailure` attribute. If this attribute is not present, or if the value is `FALSE`, the password may be used to authenticate when the number of failed bind attempts has been reached.
`pwdLockoutDuration`	This attribute holds the number of seconds that the password cannot be used to authenticate due to too many failed bind attempts. If this attribute is not present, or if the value is `0` the password cannot be used to authenticate until reset by a password administrator.
`pwdMaxFailure`	This attribute specifies the number of consecutive failed bind attempts after which the password may not be used to authenticate. If this attribute is not present, or if the value is `0`, this policy is not checked, and the value of `pwdLockout` will be ignored.
`pwdFailureCountInterval`	This attribute holds the number of seconds after which the password failures are purged from the failure counter, even though no successful authentication occurred. If this attribute is not present, or if its value is `0`, the failure counter is only reset by a successful authentication.
`pwdMustChange`	This attribute specifies with a value of `TRUE` that users must change their passwords when they first bind to the directory after a password is reset by a password administrator. If this attribute is not present, or if the value is `FALSE`, users are not required to change their password upon binding after the password administrator resets the password. This attribute is not set due to any actions specified by this document, it is typically set by a password administrator after resetting a user's password.
`pwdAllowUserChange`	This attribute indicates whether users can change their own passwords, although the change operation is still subject to access control. If this attribute is not present, a value of `TRUE` is assumed. This attribute is intended to be used in the absence of an access control mechanism.
`pwdSafeModify`	This attribute specifies whether the existing password must be sent along with the new password when being changed. If this attribute is not present, a `FALSE` value is assumed.

30.5 Understanding Password Policies, Password Validators, and Password Generators in a Replicated Environment

You can understand about the policies governing password in a replicated environment. The password policies, password validators, or password generators that reside in the directory server configuration (under cn=config) are not replicated. Configuration information in general is not replicated and is specific to each directory server instance.

If you modify the default password policies, password validators, or password generators, you must make the same changes on each directory server instance in a replicated topology. Similarly, specialized password policies, password validators, or password generators under cn=config are not replicated to other directory servers.

Password policies/Password Validators/Password Generators that are created as subentries (that is, as part of the data) are replicated.

For information about creating password policies as subentries, see Defining a Password Policy as an LDAP Subentry

For information about creating password validators as subentries, see Defining a Password Validator as an LDAP Subentry

For information about creating password generators as subentries, see Defining a Password Generator as an LDAP Subentry

Additional considerations for using password policies in replicated environments include the following:

The directory server replicates all password information (current password, password history, password expiration) that is stored in the user entry.
If a user changes his password, the new password might take a while to be updated on all replicas.
A user might receive multiple password expiration warnings, one from each replicated server.

30.6 Managing Password Policies by Using the Command Line

The easiest way to configure a password policy is by using the command line. Use the dsconfig command to manage the existing password policies and to modify the password policy properties.

This section contains the following topics:

30.6.1 Configuring the Default Password Policy

Use the dsconfig command to modify various properties of the default password policy.

30.6.1.1 Account Lockout Features

The following table lists the account lockout features:

Table 30-4 Account lockout features

Features	Description
Lockout failure count.	he `lockout-failure-count` property specifies the number of authentication failures required to lock a user account
Lockout soft failure count.	The `lockout-soft-failure-count` property specifies the number of authentication failures required to soft lock a user account
Lockout duration.	The `lockout-duration` property determines the length of time that the account is in a locked state after failed authentication attempts. A value of zero indicates that the account is not automatically unlocked
Soft Lockout duration	The `lockout-soft-duration` property determines the length of time that the account is in a soft-locked state after failed authentication attempts. After the soft lockout duration expires, the account is automatically unlocked.
Lockout failure expiration interval.	The `lockout-failure-expiration-interval` property determines the maximum length of time that a previously failed authentication attempt should be counted toward a lockout failure. A value of zero indicates that failed attempts never automatically expire
Idle lockout interval.	The `idle-lockout-interval` property specifies the maximum length of time that a user account can go without authenticating to the directory before the server locks the account. This property is enforced if the `last-login-time` is enabled and `idle-lockout-interval` is set to a nonzero value.

The following command sets the account lockout properties for the default password policy.

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  set-password-policy-prop \
  --policy-name "Default Password Policy" --set "lockout-soft-failure-count:3" \
  --set "lockout-duration:15 minutes" --set "idle-lockout-interval:90 days" \
  --set "lockout-failure-expiration-interval:10 minutes"

The following command sets the account lockout properties for a password policy using a hard account lock.

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  set-password-policy-prop \
  --policy-name "Default Password Policy" --set "lockout-failure-count:9"\
  --set "lockout-soft-failure-count:3" --set "lockout-duration:0 seconds"\
  --set "lockout-soft-duration:10 minutes"\
  --set "idle-lockout-interval:90 days"\
  --set "lockout-failure-expiration-interval:10 minutes"

In this example, if the user fails to log in twice, the system times out on the third failed attempt.

After the lockout-soft-duration period expires, the user again fails three attempts to log in. The user account is locked for the lockout-soft-duration of 10 minutes.

After the lockout-failure-expiration-interval of 10 minutes elapses, an authentication failure is no longer counted against a user for the purposes of account lockout. This helps to prevent unauthorized people from trying to guess your password using multiple login attempts over a short period of time.

After the second lockout-soft-duration period expires, the user again fails three attempts to log in. The user account is now hard locked, and the account must be manually unlocked by an administrator.

30.6.1.2 Configuring Last Login

Last login is a basic security feature that helps the user to keep track of the login history. The directory server provides an operational attribute, ds-pwp-last-login, that holds the user's last login time. If you specify another attribute, the operational attribute must be defined in the server schema, or it must be allowed by at least one of the object classes in the user's entry.

The last-login-time-format property determines the time format, for example yyyMMdd or 20140922. If the time format has changed, and last-login is enabled, the previous-last-login-time-format property might be used to decode a user's login time, if the latter does not match the last-login-time-format syntax.

The last-login-time-zone property determines the time zone, for example EST. Based on the last-login-time-zone that you specify, the last-login-time is generated in the same time zone. For example, if the last-login-time-zone property is set to EST, the last-login-time value is generated in EST.

The previous-last-login-time property attribute holds the user's next-to-last login time. Oracle Unified Directory obtains this value from the last-login-time value, and displays the previous-last-login-time value in whatever format was used when it was written, and only at that time. When a new login occurs, Oracle Unified Directory copies the existing last-login-time value to previous-last-login-time, and updates the last-login-time value to reflect the newer login time.

The following command sets the last login properties for the default password policy.

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  set-password-policy-prop \
  --policy-name "Default Password Policy" \
  --set "last-login-time-attribute:ds-pwp-last-login-time" \
  --set "last-login-time-format:yyyyMMdd" \
  --set "last-login-time-zone:EST"\
  --set "previous-last-login-time-format:yyyyMMdd"
  --set "previous-last-login-time-attribute:ds-pwp-last-login-time" \

30.6.1.3 Configuring Password History Count and Duration

The password-history-count property specifies the number of past passwords that should be maintained in the history. A value of zero indicates that the server does not maintain a password history.

The password-history-duration property specifies the maximum length of time that a previously used password should remain in the user's password history. A value of 0 seconds indicates that the server should not maintain a password history.

The following command configures password history count and duration for the default password policy.

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  set-password-policy-prop \
  --policy-name "Default Password Policy" --set "password-history-count:3" \
  --set "password-history-duration:5 seconds"

30.6.2 Creating a New Password Policy

You can configure and store multiple password policies with different configuration options. When you set up a directory server instance, the instance uses the default password policy and applies it to all user entries, except root users (for example, the cn=Directory Manager account).

You can change the default password policy or you can create new password policies for specific groups in your directory. If a specific property is not present in a password policy, the server reads that property from the default password policy, in other words, all password policies inherit their default values from the default password policy.

The following command creates a new password policy and sets the default-password-storage-scheme, lockout-duration, lockout-failure-count, and password-change-requires-current-password properties. The remaining properties are inherited from the default Password Policy.

Use the dsconfig command to create a new password policy, as follows:

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  create-password-policy \
  --policy-name "Temp Password Policy" --set password-attribute:userPassword \
  --set default-password-storage-scheme:"Salted SHA-1" \
  --set lockout-duration:300s --set lockout-failure-count:3 \
  --set password-change-requires-current-password:true

For more information about these properties, see Working with the Default Password Policy Properties.

30.6.3 Creating a First Login Password Policy

The First Login Password Policy is a specialized password policy that requires a user to change his password when first logging in to the system. Typically, an administrator sets up a new temporary password for newly created accounts, and the user is required to create his password after first logging in with the temporary password.

Use the dsconfig command to create a first login password policy.

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
create-password-policy --policy-name "First Login Password Policy" \
--set password-attribute:userpassword \
--set default-password-storage-scheme:"Salted SHA-1" \
--set allow-user-password-changes:true \
--set force-change-on-add:true \
--set force-change-on-reset:true \
--set expire-passwords-without-warning:false \
--set password-expiration-warning-interval:"1 days" \
--set min-password-age:"0 seconds" \
--set max-password-age:"3 days" \
--set lockout-duration:"1 hours" \
--set lockout-failure-count:3 \
--set password-change-requires-current-password:true

For more information about these properties, see Working with the Default Password Policy Properties.

30.6.4 Assigning a Password Policy to an Individual Account

Assign a password policy to an individual by adding the ds-pwp-password-policy-dn attribute to the user's entry. The server then uses the configured password policy for that user.

Use ldapmodify to add the ds-pwp-password-policy-dn attribute.

$ ldapmodify --h localhost -p 1389 -D "cn=Directory Manager" \
-j pwd-file -X -n \
dn: uid=mgarcia,ou=Contractors,dc=example,dc=com
changetype: modify
add: ds-pwp-password-policy-dn
ds-pwp-password-policy-dn: cn=Temp Password Policy,cn=Password Policies,cn=config

Verify the entry by using ldapsearch.

$ ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -j pwd-file -X -n \
  -b "dc=example,dc=com" -s sub "(uid=mgarcia)" ds-pwp-password-policy-dn

30.6.5 Preventing Password Policy Modifications

You must add an Access Control Instruction (ACI) to the root entry to prevent users from modifying their password policy.

Use the ldapmodify command with the specific ACI.

$ ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -j pwd-file -X -n \
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr != "ds-pwp-password-policy-dn")(version 3.0; acl "Allow self 
modification except for ds-pwp-password-policy-dn"; 
allow (write) (userdn = "ldap:///self");)

30.6.6 Assigning a Password Policy to a Group of Users

You can assign a password policy to a group of users by adding a virtual attribute that automatically assigns the ds-pwp-password-policy-dn attribute to all the existing user entries that match the criteria associated with that virtual attribute. The criteria can be based entirely or in part on the group membership for a user.

Use dsconfig to create a virtual attribute that adds a password policy to a group of users.

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  create-virtual-attribute \
  --name "Add PWPolicy to Admins" --type user-defined --set enabled:true \
  --set attribute-type:ds-pwp-password-policy-dn \
  --set group-dn:cn=Admins,ou=Groups,dc=example,dc=com \
  --set conflict-behavior:real-overrides-virtual \
  --set value:"cn=Admins PWPolicy,cn=Password Policies,cn=config"

30.6.7 Defining a Password Policy as an LDAP Subentry

LDAP subentries are special entries that hold operational data for the server. They are similar to operational attributes in that they are not returned to clients unless explicitly requested by including a Subentries Control request control.

You can define a password policy as an LDAP subentry, which means that the password policy is stored along with the user data, and can therefore be replicated.

Subentry password policies override the default password policy that is defined in the configuration. Settings that are not included in the subentry password policy are inherited from the default password policy.

When more than one password policy is defined under the same parent node with overlapping scope, the election of the password policy subentry that will apply to an entry within that scope cannot be determined. You must therefore ensure that the password policies are defined in such a way that they do not conflict with each other.

Subentry password policies must rely on standard password policy properties only. A subentry password policy cannot contain password policy extension that are specific to Oracle Unified Directory.

To define a subentry password policy, create the password policy in an LDIF file, and add it to the data by using ldapmodify. You can specify the entries to which the password policy should be applied by including an LDAP filter in the subentry subtree specification.

The following example creates a password policy that applies only to a group of administrators. This password policy specifies the following:

The user's account will be locked after a three successive failed password attempts.
A failure interval of 300 seconds, after which a previously failed authentication attempt is no longer counted toward a lockout failure.
A lockout duration of 300 seconds, after which it is automatically unlocked.
Users to which this password policy applies can change their own passwords.
Users with this password policy must change their password in a secure manner that does not expose the credentials.

Create an LDIF file (admin-pwp.ldif) that includes the entry specifying the password policy.

dn: cn=Admins Password Policy,dc=example,dc=com
objectClass: top
objectClass: subentry
objectClass: pwdPolicy
cn: Admins Password Policy
pwdAttribute: userPassword
pwdLockout: TRUE
pwdMaxFailure: 3
pwdFailureCountInterval: 300
pwdLockoutDuration: 300
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
subtreeSpecification: {relativeBase "ou=people", specificationFilter
  "(isMemberOf=cn=Admins,ou=Groups,dc=example,dc=com)" }

Use the ldapmodify command to add the entry to the directory.

$ ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password \
  --defaultAdd --filename admin-pwp.ldif 
Processing ADD request for cn=Admins Password Policy,dc=example,dc=com
ADD operation successful for DN cn=Admins Password Policy,dc=example,dc=com

30.6.8 Deleting a Password Policy

You can delete any password policy, except the default password policy and the Default Root User Policy, from the directory when it is no longer needed.

In practice, first check the users who have the password policy you plan to delete, move them to a new password policy, and then remove the old password policy. If a password policy is deleted, any users who have a deleted password policy continue to have the ds-pwd-password-policy-dn pointing to the old password policy. The server returns an error when any requests to access the entry occur.

Use dsconfig to delete a password policy.

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  delete-password-policy --policy-name "Temp Password Policy"

30.7 Managing Password Policies Using OUDSM

Use Oracle Unified Directory Services Manager (OUDSM) to manage the existing password policies and to modify the password policy properties.

The topics below provide step-by-step information to manage password policies using OUDSM:

30.7.1 Listing the Configured Password Policy Subentries

Use Oracle Unified Directory Services Manager (OUDSM) to display all password policy subentries that are configured in the server.

Connect to the directory server from OUDSM, as described in Connecting to the Server Using OUDSM.
Select the Security tab.
Expand the Password Policy Subentry element.

The DNs of all password policy subentries are listed.
To display the details of a password policy subentry, select its DN.

The password policy subentry properties are displayed in the right hand pane.
To modify any aspect of the password policy subentry, change the required value and click Apply.

For a description of all possible properties and their values, see "Password Policy" in the Configuration Reference for Oracle Unified Directory.

30.7.2 Creating a Password Policy Subentry

Use Oracle Unified Directory Services Manager (OUDSM) to create a new password policy subentry.

Connect to the directory server from OUDSM, as described in Connecting to the Server Using OUDSM.
Select the Security tab.
Expand the Password Policy Subentry element.
Click the Add icon.

The password policy subentry properties are displayed in the right hand pane.
On the Create new password policy subentry screen, complete the required fields.

For a description of all possible properties, and their values, see "Password Policy" in the Configuration Reference for Oracle Unified Directory.
When you have completed configuring the password policy subentry, click Create.

30.7.3 Creating a Password Policy Subentry Based on an Existing Password Policy Subentry

Use Oracle Unified Directory Services Manager (OUDSM) to create a new password policy subentry that is based on an existing password policy subentry.

Connect to the directory server from OUDSM, as described in Connecting to the Server Using OUDSM.
Select the Security tab.
Expand the Password Policy Subentry element.
Select the password policy subentry on which you want to base the new subentry.
Click the Add like icon.

The properties of the original password policy subentry are displayed in the right hand pane.
Modify the required values.

For a description of all possible properties, and their values, see "Password Policy" in the Configuration Reference for Oracle Unified Directory.
When you have completed configuring the new password policy subentry, click Create.

30.7.4 Deleting a Password Policy Subentry

Use Oracle Unified Directory Services Manager (OUDSM) to delete a password policy subentry.

Connect to the directory server from OUDSM, as described in Connecting to the Server Using OUDSM.
Select the Security tab.
Expand the Password Policy Subentry element.
Select the password policy subentry that you want to deleted.
Click the Delete icon.

You are prompted to confirm the deletion. Click OK.

30.7.5 Displaying the Configured Password Policies

Use Oracle Unified Directory Services Manager (OUDSM) to display the list of password policies.

Connect to the directory server from OUDSM, as described in Connecting to the Server Using OUDSM.
Select the Security tab.
Expand the Password Policy element.

The list of configured password policies is displayed.
Select a password policy to display its properties in the right hand pane.

For a description of all possible properties and their values, see "Password Policy" in the Configuration Reference for Oracle Unified Directory.

30.7.6 Modifying a Password Policy

Use Oracle Unified Directory Services Manager (OUDSM) to modify a configured password policy.

Connect to the directory server from OUDSM, as described in Connecting to the Server Using OUDSM.
Select the Security tab.
Expand the Password Policy element.

The list of configured password policies is displayed.
Select the password policy whose properties you want to modify.

Note:

You can also use OUDSM to modify the Default Password Policy. See Modifying the Default Password Policy for more information.
For a description of all possible password policy properties, and their values, see "Password Policy" in the Configuration Reference for Oracle Unified Directory.

30.7.7 Creating a Password Policy

Use Oracle Unified Directory Services Manager (OUDSM) to create a new password policy.

Connect to the directory server from OUDSM, as described in Connecting to the Server Using OUDSM.
Select the Security tab.
Expand the Password Policy element.
Click the Add icon.
On the Create New Password Policy screen, configure the required properties.

For a description of all possible properties, and their values, see "Password Policy" in the Configuration Reference for Oracle Unified Directory.
When you have configured the new password policy, click Create.

30.7.8 Creating a Password Policy Based on an Existing Password Policy

Use Oracle Unified Directory Services Manager (OUDSM) to create a new password policy that is based on an existing password policy.

Connect to the directory server from OUDSM, as described in Connecting to the Server Using OUDSM.
Select the Security tab.
Expand the Password Policy element.
Select the password policy on which you want to base the new policy.
Click the Add like icon.
On the Create New Password Policy screen, modify the properties to create the new policy.

For a description of all possible properties, and their values, see "Password Policy" in the Configuration Reference for Oracle Unified Directory.
When you have configured the new password policy, click Create.

30.7.9 Deleting a Password Policy

Use Oracle Unified Directory Services Manager (OUDSM) to delete a password policy.

Connect to the directory server from OUDSM, as described in Connecting to the Server Using OUDSM.
Select the Security tab.
Expand the Password Policy element.
Select the password policy that you want to delete.
Click the Delete icon.
Click OK to confirm the deletion.

30.7.10 Displaying the Supported Password Storage Schemes

A password storage scheme provides a mechanism for encoding user passwords for storage in the server. In most cases, the password is encoded in a manner that prevents users from determining what the clear-text password is, while still allowing the server to determine whether the user-supplied password is correct.

Oracle Unified Directory supports several password storage schemes. See password storage scheme.

To display the list of password storage schemes using OUDSM:

Connect to the directory server from OUDSM, as described in Connecting to the Server Using OUDSM.
Select the Security tab.
Expand the Password Storage element.
The list of password storage schemes is displayed.

30.7.11 Enabling or Disabling a Password Storage Scheme

You can use Oracle Unified Directory Services Manager to enable or disable a password storage scheme.

Connect to the directory server from OUDSM, as described in Connecting to the Server Using OUDSM.
Select the Security tab.
Expand the Password Storage element.
Select the password storage scheme that you want to enable or disable.
In the right hand pane, check or uncheck the Enabled box, as required.
Click Apply to save your changes.

30.8 Managing Password Validators

Password validators provide a mechanism to determine whether a provided plain text password is acceptable for use. Validation prevents users from choosing trivial passwords that are weak and might be easily guessed.

Types of validation that might be performed include:

Ensuring that a password has at least a specified minimum number of characters.
Ensuring that a password has no more than a specified maximum number of characters.
Ensuring that a password contains at least a specified number of characters from different character sets (for example, lowercase letters, uppercase letters, numeric digits, and symbols).
Ensuring that a user is not allowed to reuse a password that has been previously used by that user (that is, that the password is not contained in a history of previous passwords).
Ensuring that a user is not allowed to choose a password that matches the value of another attribute in the user's entry.
Ensuring a password is not contained in a specified dictionary.

The password policy for a user specifies the set of password validators that should be used whenever that user provides a new password. To activate a password validator, you must enable the corresponding configuration entry, and include the DN of that entry in the password-validator attribute of the password policy in which you want that validator active.

The following password validators are available in the server by default:

Attribute Value Password Validator

This validator attempts to determine whether a proposed password is acceptable for use by determining whether that password is contained in any attribute within the user's entry.You can configure the validator to look in all attributes or in a specified subset of attributes.
Character Set Password Validator

This validator determines whether a proposed password is acceptable by checking whether it contains enough characters from one or more user-defined character sets.For example, the validator can ensure that passwords must have at least one lowercase letter, one uppercase letter, one digit, and one symbol.

This validator also ensures that a proposed password contains characters from a minimum number of character sets (with use-any-of property) rather than characters from all configured character sets. For example, if four character sets are configured and the use-any-of property is set to 3, proposed passwords must contain characters from at least three of the four character sets. If users prefer, passwords can also contain characters from all four of the configured character sets.

See the example in Configuring the Values of a Password Validator.
Dictionary Password Validator

This validator determines whether a proposed password is acceptable based on whether the password value appears in a provided dictionary file.A large dictionary file is provided with the server, but you can supply an alternate dictionary. In this case, the dictionary must be a plain-text file with one word per line.
Length Based Password Validator

This validator determines whether a proposed password is acceptable based on whether the number of characters it contains falls within an acceptable range of values.Both upper and lower bounds can be defined.
Repeated Characters Password Validator

This validator determines whether a proposed password is acceptable based on the number of times any character appears consecutively in a password value.It ensures that user passwords do not contain strings of the same character repeated several times, like "aaaaaa" or "aaabbb".
Similarity Based Password Validator

This validator determines whether a proposed password is acceptable by measuring how similar it is to the user's current password.In particular, it uses the Levenshtein Distance algorithm to determine the minimum number of changes (where a change may be inserting, deleting, or replacing a character) to transform one string into the other. It can be used to prevent users from making only minor changes to their current password when setting a new password.

Note:

For this password validator to be effective, it must have access to the user's current password. Therefore, to enable this password validator, the password-change-requires-current-password property in the password policy configuration must also be set to true.
Unique Characters Password Validator

This validator determines whether a proposed password is acceptable based on the number of unique characters that it contains.It can be used to prevent simple passwords that contain only a few characters like "aabbcc" or "abcabc".

30.8.1 Managing Password Validators by Using the Command Line

Use the dsconfig command to manage password validators and their properties.

The following topics provide a step-by-step information to manage password validators by using the dsconfig command:

30.8.1.1 Displaying the Available Password Validators

To view a list of available password validators:

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  list-password-validators
Password Validator                  : Type                : enabled
------------------------------------:---------------------:--------
Attribute Value                     : attribute-value     : true
Character Set                       : character-set       : true
Dictionary                          : dictionary          : false
Length-Based Password Validator     : length-based        : true
Repeated Characters                 : repeated-characters : true
Similarity-Based Password Validator : similarity-based    : true
Unique Characters                   : unique-characters   : true

30.8.1.2 Displaying the Properties of a Password Validator

To view the properties of a password validator:

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  get-password-validator-prop --validator-name "Length-Based Password Validator"
Property            : Value(s)
--------------------:---------
enabled             : true
max-password-length : 0
min-password-length : 8

30.8.1.3 Enabling or Disabling a Password Validator

All of the password validators, except the Dictionary validator, are enabled by default. You must enable a validator before it can be associated with a specific password policy.

Use the dsconfig command to set the enabled property to true or false. For example, to disable the Length-Based password validator, set the enabled property as follows:

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  set-password-validator-prop --validator-name "Length-Based Password Validator" \
  --set enabled:false

30.8.1.4 Configuring the Values of a Password Validator

Use the dsconfig command to configure properties of a password validator. For example, to specify that passwords must be at least eight characters long, set the min-password-length property as follows:

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  set-password-validator-prop --validator-name "Length-Based Password Validator" \
  --set min-password-length:8

To specify that passwords must contain characters from at least three of four configured character sets, use dsconfig, as follows:

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  set-password-validator-prop --validator-name "Character Set" \
  --set enabled:true
  --set allow-unclassified-characters:false
  --set character-set:3:ABCDEFGHIJKLMNOPQRSTUVWXYZ
  --set character-set:3:abcdefghijklmnopqrstuvwxyz
  --set character-set:2:0123456789
  --set character-set:2:~!@#$%^&*()-_=+[]{}|;:,.<>/?
  --set use-any-of:3

In this example, passwords can also contain characters from all four of the configured character sets, if users prefer.

30.8.1.5 Associating a Password Validator With a Password Policy

A password validator is only taken into account when it is associated with a specific password policy.

To associate a password validator with a password policy, set the password-validator property of the password policy.

For example, to specify that the default password policy should check whether passwords conform to a specific number of characters, set the password-validator property of the default password policy as follows:

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  set-password-policy-prop --policy-name "Default Password Policy" \
  --set password-validator:"Length-Based Password Validator"

30.8.1.6 Defining a Password Validator as an LDAP Subentry

You can define a password validator as an LDAP subentry, which means that the password validator is stored along with the user data, and can therefore be replicated. Subentry password validators can be attached only to Subentry Password Policies.

We can have any number of Subentry Password Validators under the same parent, We need to specify the exact DN while mapping it to a subentry password policy. If no password validator is attached to a subentry password policy it will inherit the validators configured to the Default Password Policy.

To define a subentry password validator, create the password validator in an LDIF file (length-based.ldif), and add it to the data by using ldapmodify.

The following example creates a Length-Based password validator with the following properties. The maximum password length allowed is 25 characters. The minimum password length allowed is 10 characters.

Run the following command:

dn: cn=LengthBasedSubentryPV,ou=people,dc=example,dc=com
changeType: add
objectClass: top
objectClass: ds-cfg-password-validator
objectClass: ds-cfg-length-based-password-validator
objectClass: subentry
ds-cfg-enabled: true
ds-cfg-max-password-length: 25
cn: Length-Based Subentry PV
ds-cfg-java-class: org.opends.server.extensions.LengthBasedPasswordValidator
ds-cfg-min-password-length: 10
subtreeSpecification: {}

Note:

Leave the subtreeSpecification empty, this attribute value will not be taken into account for Password Validators.

Use the ldapmodify command to add the entry to the directory.

ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password \
 --defaultAdd --filename length-based.ldif
Processing ADD request for
cn=LengthBasedSubentryPV,ou=people,dc=example,dc=com
ADD operation successful for DN
cn=LengthBasedSubentryPV,ou=people,dc=example,dc=com

Map the above created password validator to a subentry password policy by creating the following LDIF file map-pwp-validator.ldif.

dn: cn=subEntryPasswordPolicy,ou=people,dc=example,dc=com
changeType: modify
add: objectClass
objectClass: oudPwdPolicyAdvanced
-
add: ds-cfg-password-validator
ds-cfg-password-validator:
cn=LengthBasedSubentryPV,ou=people,dc=example,dc=com

Use the ldapmodify command to add the entry to the directory.

ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password \
 -a -f map-pwp-validator.ldif
Processing MODIFY request for
cn=subEntryPasswordPolicy,ou=people,dc=example,dc=com
MODIFY operation successful for DN
cn=subEntryPasswordPolicy,ou=people,dc=example,dc=com

Similarly, you can perform modify operations to the subentry password validators using ldapmodify. OUD will perform the referential Integrity checks for the delete operations of subentry password validators. OUD will throw an error if the password validator have been referenced by any of the Subentry Password Policy.

30.8.2 Managing Password Validators Using OUDSM

Use Oracle Unified Directory Services Manager (OUDSM) to manage password validators and their properties.

The following topics provide a step-by-step information to manage password validators by using the OUDSM interface:

30.8.2.1 Displaying the Available Password Validators

To view a list of available password validators:

Connect to the directory server from OUDSM, as described in Connecting to the Server Using OUDSM.
Select the Security tab.
Expand the Password Validator element.

The available password validators are displayed.

30.8.2.2 Displaying the Properties of a Password Validator

To display the properties of a password validator:

Connect to the directory server from OUDSM, as described in Connecting to the Server Using OUDSM.
Select the Security tab.
Expand the Password Validator element.

The available password validators are displayed.
Click a password validator to display its properties in the right hand pane.

30.8.2.3 Enabling or Disabling a Password Validator

All of the password validators, except the Dictionary validator, are enabled by default. You must enable a validator before it can be associated with a specific password policy.

To enable or disable a password validator:

Connect to the directory server from OUDSM, as described in Connecting to the Server Using OUDSM.
Select the Security tab.
Expand the Password Validator element.

The available password validators are displayed.
Click a password validator to display its properties in the right hand pane.
Select the Enabled check box to enable the validator, or deselect this check box to disable the validator.
Click Apply to save the configuration changes.

30.8.2.4 Configuring the Properties of a Password Validator

To configure the properties of a password validator by using OUDSM:

Connect to the directory server from OUDSM, as described in Connecting to the Server Using OUDSM.
Select the Security tab.
Expand the Password Validator element.

The available password validators are displayed.
Click a password validator to display its properties in the right hand pane.
Configure any required properties and click Apply to save the configuration change.

30.8.2.5 Associating a Password Validator With a Password Policy

A password validator is only taken into account when it is associated with a specific password policy.

To associate a password validator with a password policy:

Connect to the directory server from OUDSM, as described in Connecting to the Server Using OUDSM.
Select the Security tab.
Expand the Password Policy element.

The available password policies are displayed.
Click a password policy to display its properties in the right hand pane.
Expand the Syntax element in the right hand pane.
From the Password Validator list, select the password validators that you want to associate with this password policy.
Click Apply to save the configuration changes.

30.9 Managing Password Generators

Password generators are used to generate passwords for user accounts. A password generator is used with the password modify extended operation to provide a new password for cases in which the client did not include a password in its request.

If no password generator is associated with the password policy that is in force, the password modify extended operation does not automatically generate passwords for users.

The passwords that are created by a password generator are not subject to validation. You should configure password generators so that the passwords they create are in-line with the requirements of the associated password validators.

By default one password generator is configured on a directory server instance - the random password generator. The following sections describe how to manage password generators by using dsconfig:

30.9.1 Displaying the Configured Password Generators

Use the dsconfig command to list the configured password generators.

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  list-password-generators
Password Generator        : Type   : enabled
--------------------------:--------:--------
Random Password Generator : random : true

30.9.2 Displaying the Properties of a Password Generator

Use the dsconfig command to display the properties of a password generator.

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  get-password-generator-prop --generator-name "Random Password Generator"
Property               : Value(s)
-----------------------:-----------------------------------------------------
enabled                : true
password-character-set : alpha:abcdefghijklmnopqrstuvwxyz, numeric:0123456789
password-format        : "alpha:3,numeric:2,alpha:3"

The password character set is a multi-valued property, with each value defining a different character set. The format of the character set is the name of the set followed by a colon and the characters that are in that set. For example, the value "alpha:abcdefghijklmnopqrstuvwxyz" defines a character set named "alpha" containing all of the lower-case ASCII alphabetic characters.

The password format is a comma-delimited list of elements in which each of those elements consists of the name of a character set defined in the password-character-set property, a colon, and the number of characters to include from that set. For example, the default value of "alpha:3,numeric:2,alpha:3" generates an 8-character password in which the first three characters are from the "alpha" set, the next two are from the "numeric" set, and the final three are from the "alpha" set.

30.9.3 Enabling or Disabling a Password Generator

The random password generator is enabled by default. A validator must be enabled before it can be associated with a specific password policy. Use the dsconfig command to set the enabled property to true or false.

For example, to disable the random password generator, set the enabled property as follows:

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  set-password-generator-prop --generator-name "Random Password Generator" \
  --set enabled:false

30.9.4 Configuring the Properties of a Password Generator

Use the dsconfig command to configure properties of a password generator.

For example, to specify that passwords generated by the random password generator must be of the form, three letters, three numbers, and two defined special characters, set the corresponding properties as follows:

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  set-password-generator-prop --generator-name "Random Password Generator" \
  --add password-character-set:special:\!@#\$%^&*\(\) 
  --set password-format:alpha:3,numeric:3,special:2

30.9.5 Associating a Password Generator With a Password Policy

A password generator is only taken into account when it is associated with a specific password policy. Set the password-generator property of the password policy to associate a password generator with a password policy by using dsconfig.

For example, to specify that the default password policy should use a new password generator, named Special Generator, set the password-generator property of the default password policy as follows:

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
  set-password-policy-prop --policy-name "Default Password Policy" \
  --set password-generator:"Special Generator"

30.9.6 Defining a Password Generator as an LDAP Subentry

You can define a password generator as an LDAP subentry, which means that the password generator is stored along with the user data, and can therefore be replicated. Subentry password generator can be attached only to Subentry Password Policies.

You can have any number of Subentry Password generator under the same parent. You need to specify the exact DN while mapping it to a subentry password policy. If no password generator is attached to a subentry password policy it will inherit the generator configured to the Default Password Policy.

To define a subentry password generator, create the password generator in an LDIF file (length-based.ldif), and add it to the data by using ldapmodify.

The following example creates a random password generator:

dn: cn=RandomPassGenerator,ou=people,dc=example,dc=com
changetype: add
objectClass: ds-cfg-random-password-generator
objectClass: top
objectClass: ds-cfg-password-generator
objectClass: subentry
ds-cfg-enabled: true
ds-cfg-password-format: alpha:3,numeric:2,alpha:3
cn: RandomPassGenerator
ds-cfg-java-class: org.opends.server.extensions.RandomPasswordGenerator
ds-cfg-password-character-set: alpha:abcdefghijklmnopqrstuvwxyz
ds-cfg-password-character-set: numeric:0123456789
subtreeSpecification: {}

Note:

Leave the subtreeSpecification empty, this attribute value will not be taken into account for Password Validators.

Use the ldapmodify command to add the entry to the directory.

ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password \
 --defaultAdd --filename random-generator.ldif
Processing ADD request for
cn=RandomPassGenerator,ou=people,dc=example,dc=com
ADD operation successful for DN
cn=RandomPassGenerator,ou=people,dc=example,dc=com

Map the above created password generator a subentry password policy by creating the following LDIF file map-pwp-generator.ldif.

dn: cn=subEntryPasswordPolicy,ou=people,dc=example,dc=com
changeType: modify
add: objectClass
objectClass: oudPwdPolicyAdvanced
-
add: ds-cfg-password-generator
ds-cfg-password-generator:
cn=RandomPassGenerator,ou=people,dc=example,dc=com

Use the ldapmodify command to add the entry to the directory.

ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password \
 -a -f map-pwp-generator.ldif
Processing MODIFY request for
cn=subEntryPasswordPolicy,ou=people,dc=example,dc=com
MODIFY operation successful for DN
cn=subEntryPasswordPolicy,ou=people,dc=example,dc=com

Similarly, you can perform modify operations to the subentry password generator using ldapmodify. OUD will perform the referential Integrity checks for the delete operations of subentry password generator. OUD will throw an error if the password generator have been referenced by any of the Subentry Password Policy.

Note:

The OUDSM support for Subentry Password Validator and Subentry Password Generator is not available.

30.1 Understanding Password Policy Components

30.2 Working with the Default Password Policy Properties

30.2.1 Default Password Policy Properties

30.2.2 Viewing the Properties of the Default Password Policy

30.2.2.1 Viewing Default Password Policy Properties Using dsconfig

30.2.2.2 Viewing Default Password Policy Properties Using OUDSM

30.2.3 Modifying the Default Password Policy

30.2.3.1 Modifying Default Password Policy Properties Using dsconfig

30.2.3.2 Modifying Default Password Policy Properties Using OUDSM

30.3 Attributes for Password Policy State Information

30.4 Attributes Used in the pwdPolicy Object Class

30.5 Understanding Password Policies, Password Validators, and Password Generators in a Replicated Environment

30.6 Managing Password Policies by Using the Command Line

30.6.1 Configuring the Default Password Policy

30.6.1.1 Account Lockout Features

30.6.1.2 Configuring Last Login

30.6.1.3 Configuring Password History Count and Duration

30.6.2 Creating a New Password Policy

30.6.3 Creating a First Login Password Policy

30.6.4 Assigning a Password Policy to an Individual Account

30.6.5 Preventing Password Policy Modifications

30.6.6 Assigning a Password Policy to a Group of Users

30.6.7 Defining a Password Policy as an LDAP Subentry

30.6.8 Deleting a Password Policy

30.7 Managing Password Policies Using OUDSM

30.7.1 Listing the Configured Password Policy Subentries

30.7.2 Creating a Password Policy Subentry

30.7.3 Creating a Password Policy Subentry Based on an Existing Password Policy Subentry

30.7.4 Deleting a Password Policy Subentry

30.7.5 Displaying the Configured Password Policies

30.7.6 Modifying a Password Policy

30.7.7 Creating a Password Policy

30.7.8 Creating a Password Policy Based on an Existing Password Policy

30.7.9 Deleting a Password Policy

30.7.10 Displaying the Supported Password Storage Schemes

30.7.11 Enabling or Disabling a Password Storage Scheme

30.8 Managing Password Validators

30.8.1 Managing Password Validators by Using the Command Line

30.8.1.1 Displaying the Available Password Validators

30.8.1.2 Displaying the Properties of a Password Validator

30.8.1.3 Enabling or Disabling a Password Validator

30.8.1.4 Configuring the Values of a Password Validator

30.8.1.5 Associating a Password Validator With a Password Policy

30.8.1.6 Defining a Password Validator as an LDAP Subentry

30.8.2 Managing Password Validators Using OUDSM

30.8.2.1 Displaying the Available Password Validators

30.8.2.2 Displaying the Properties of a Password Validator

30.8.2.3 Enabling or Disabling a Password Validator

30.8.2.4 Configuring the Properties of a Password Validator

30.8.2.5 Associating a Password Validator With a Password Policy

30.9 Managing Password Generators

30.9.1 Displaying the Configured Password Generators

30.9.2 Displaying the Properties of a Password Generator

30.9.3 Enabling or Disabling a Password Generator

30.9.4 Configuring the Properties of a Password Generator

30.9.5 Associating a Password Generator With a Password Policy

30.9.6 Defining a Password Generator as an LDAP Subentry

30.2.2.1 Viewing Default Password Policy Properties Using `dsconfig`

30.2.3.1 Modifying Default Password Policy Properties Using `dsconfig`

30.4 Attributes Used in the `pwdPolicy` Object Class