17
Password Policies

This chapter discusses password policies--that is, sets of rules that govern how passwords are used.

This chapter contains these topics:

About Password Policies

Password polices are sets of rules that govern how passwords are used. The directory server enforces the password policy syntax checks during ldapadd and ldapmodify to ensure that the user password meets the requirements set in that policy. The password policy state checks are enforced by the directory server during ldapbind and ldapcompare. When you establish a password policy, you set the following types of rules, to mention just a few:

The maximum length of time a given password is valid
The minimum number of characters a password must contain
The number of numeric characters required in a password

During Oracle Internet Directory installation, the Oracle Universal Installer creates for each subscriber a password policy entry containing all the necessary password policy information. It places this entry as shown in Figure 17-1: immediately below the common entry, which resides under the products entry, which, in turn, resides under the subscriber or default subscriber Oracle context. This password policy is applicable to all users under a given subscriber. The Oracle Internet Directory password policy is applicable only to the userpassword attribute. The orclcommonusersearchbase attribute in the common entry of the subscriber Oracle context must be set to the appropriate value for the password policy to be enforced. This attribute must be set before any password policy modification can take effect.

Figure 17-1 Location of Password Policy Entries

Text description of pwdpolia.gif follows

Text description of the illustration pwdpolia.gif

You establish a password policy by assigning values to the following attributes:

Policy	Attribute	Description
Password Expiry Time	`pwdMaxAge`	The maximum length of time, in seconds, that a given password is valid. If this attribute is not present, or if the value is `0` (zero), then the password does not expire. By default, the passwords expire in 60 days.
Password Expiration Warning	`pwdExpireWarning`	The number of seconds before password expiration that the directory server sends the user a warning. If password expiration is enabled, then, by default, the directory server sends no warnings before the password expires. The directory server sends the warning at each logon. If the user does not modify the password before it expires, the user is locked out until the password is changed by the administrator. For this feature to work, the client application must support it. The default is 0, which means no warnings are sent.
Grace Login Limit	pwdGraceLoginLimit	Maximum number of grace logins allowed after a password expires. By default, no grace logins.are allowed. The default value is 0.
Password Lockout	`pwdLockout`	Specification for whether users are locked out of the directory after the number of consecutive failed bind attempts specified by `pwdmaxFailure`. If the value of this policy attribute is 1, then users are locked out. If this attribute is not present, or if the value is 0, then users are not locked out and the value of `pwdMaxFailure` is ignored. By default, account lockout is enforced. The account is locked after three consecutive login failures.
Password Maximum Failure	`pwdMaxFailure`	The number of consecutive failed bind attempts after which a user account is locked. If this attribute is not present, or if the value is `0` (zero), then the account is not locked due to failed bind attempts, and the value of the password lockout policy is ignored. The default is 4.
Password Failure Count Interval	`pwdFailureCountInterval`	The number of seconds after which the password failure times are purged from the user entry. If this attribute is not present, or if it has a value of `0`, then failure times are never purged. The default is 0.
Lockout Duration	`pwdLockoutDuration`	The number of seconds a user is locked out of the directory if both of the following are true: Account lockout is enabled The user has been unable to bind successfully to the directory for at least the number of times specified by `pwdMaxFailure` You can set user lockout for a specific duration, or until the administrator resets the user's password. A default value of `0` (zero) means that the user is locked out forever.
Check Password Syntax	pwdCheckSyntax	Specification for whether syntax checking is enforced. If 1, then syntax checking is enforced. The default is enabled.
Minimum Number of Characters of Password	pwdMinLength	The minimum number of characters required in a password. By default, the minimum length is 5; however, the value for this attribute must be at least `1`.
Number of Numeric Characters in Password	orclpwdAlphaNumeric	Number of numeric characters required in a password. By default, one numeric character is required. That is, the default value is 1.
Old Password Can Be New Password	orclpwdToggle	Specification for whether a user's old password can become the new one. By default, it can. The default value is 1.
Illegal Values	orclpwdIllegalValues	Multivalued attribute containing the common words and attribute types whose values cannot be used as a valid password. By default, all words are acceptable password values.

Note:

All user passwords are assumed to be single-valued, as mentioned in the July 2001 version of the IETF draft: http://ietf.org/internet-drafts/draft-behera-ldap-password-policy-05.txt

To establish a password policy, you use the pwdPolicy auxiliary object class, which contains password policy information for the entire directory. You set these values during installation. An entry of this object class is created during installation. It has this DN: cn=pwdpolicyentry,cn=my_application,cn=products,cn=Oracle Context,o=my_company,dc=com. In Release 9.2, the policy specified applies to the DIT of a given subscriber. Each subscriber can have their own password policy.

This object class contains the following attributes.

pwdMaxAge
pwdGraceLoginLimit
orclpwdAlphaNumeric
pwdLockout
pwdMinLength
orclpwdToggle
pwdLockoutDuration
pwdCheckSyntax
orclpwdIllegalValues
pwdMaxFailure
pwdFailureCountInterval
pwdExpireWarning

The default value for each of these attributes is 0 (zero). These attributes are single-valued, except orclpwdIllegalValues, which is multi-valued.

In addition, the object class top contains these operational attributes, to maintain the user-password state information for each user entry.

pwdChangedtime: The timestamp of the user password creation or modification
pwdExpirationWarned: The time at which the first password expiration warning is been sent to the user
pwdFailuretime: The timestamp of consecutive failed login attempts by the user
pwdAccountLockedTime: The time at which the user account was locked
pwdReset: Requirement for the user to change the password, if this attribute is enabled
pwdGraceUseTime: The time stamps of each grace login by the user

See Also:
The July 2001 version of the following IETF draft: http://ietf.org/internet-drafts/draft-behera-ldap-password-policy-05.txt

Managing Password Policies by Using Oracle Directory Manager

During Oracle Internet Directory installation, a password policy entry is created for each subscriber. Table 17-1 lists and describes the password policy fields in Oracle Directory Manager.

Table 17-1 Password Policy Fields in Oracle Directory Manager

Field	Description
Password Policy Entry	This field displays the RDN of the password policy entry. You cannot edit this field.
Password Expiry Time	Enter the number of seconds that a given password is valid. If this attribute is not present, or if the value is 0, then the password does not expire. By default, user passwords never expire.
Account Lockout	From the list, select Enable or Disable.
Account Lockout Duration	Enter the number of seconds a user is locked out of the directory if both of the following are true: Account lockout is enabled The user has been unable to bind successfully to the directory for at least the number of times specified by `pwdMaxFailure` You can set user lockout for a specific duration, or until the administrator resets the user's password. A default value of `0` (zero) means that the user is locked out forever.
Password Maximum Failure	Enter the number of consecutive failed bind attempts after which a user account is locked.
Password Failure Count Interval	Enter the number of seconds after which the password failure times are purged from the user entry.
Password Expiration Warning	Enter the length of time before password expiration that the directory server sends the user a warning. By default, no warnings are sent. The directory server sends the warning at each logon. If the user does not modify the password before it expires, then the directory server enforces the modification. This means that the user is locked out until the password is changed by the administrator. For this feature to work, the client application must support it.
Check Password Syntax	Specify whether syntax checking is enforced. If 1, then syntax checking is enforced.
Need to Supply Old Password When Modifying Password	Specify whether user must supply old password with new one when modifying password. By default, the old password is not required.
Minimum Number of Characters of Password	Specify the minimum number of characters required in a password.
Number of Numeric Characters in Password	Specify the number of numeric characters required in a password.
Old Password Can Be New Password	Specify whether a user's old password can become the new one. If you choose Enable from the list, then the old password can become the new one.

When you create a subscriber, you also configure that subscriber's password policies. Later, you can use Oracle Directory Manager to view, refresh, and modify those policies. However, you cannot add or delete them.

Viewing a Subscriber's Password Policies by Using Oracle Directory Manager

To view a subscriber's password policies, in the navigator pane, expand Oracle Internet Directory Servers > directory_server_instance > Password Policy Management. The navigator pane displays the subscriber password policy entries. The right pane displays a table with two columns:

The Path to Password Policy Entry column lists the full DN of each password policy entry
The Password Policy Entry column lists the corresponding RDNs of those policies

For the latest updates to a subscriber's password policies, choose Refresh.

For a particular subscriber's password polices, in the navigator pane, choose the subscriber password policy you want to view.

Modifying a Subscriber's Password Policies by Using Oracle Directory Manager

To modify a subscriber's password policies:

In the navigator pane, expand Oracle Internet Directory Servers > directory_server_instance > Password Policy Management.
In the navigator pane, choose the subscriber password policy you want to modify.
In the right pane, modify the attribute fields for that policy.
When you are finished, choose Apply.

Managing Password Policies by Using Command-Line Tools

This section contains these topics:

Setting Password Policies by Using Command-Line Tools

The following example enables the pwdLockout attribute, changing it from its default setting of 0 (zero).

The file my_file.ldif contains:

dn: cn=pwdpolicyentry,cn=common,cn=products,cn=OracleContext,o=my_company,dc=com
changetype:modify
replace: pwdlockout
pwdlockout: 1

The following command loads this file into the directory:

ldapmodify -p 389 -h myhost -f my_file.ldif

Managing a Subscriber's Password Policies Using Command-Line Tools

Examine the following examples to learn how to view and modify a subscriber's password policies by using command-line tools.

Example: Viewing a Subscriber's Password Policies Using Command-Line Tools

The following example retrieves a specific password policy entry.

ldapsearch -p 389 -h my_host -b 
"cn=pwdpolicyentry,cn=common,cn=products,cn=OracleContext,o=my_company,dc=com" 
-s base "objectclass=*"

The following example retrieves all password policy entries:

ldapsearch -p 389 -h my_host -b "" -s sub "objectclass=pwdpolicy"

Example: Modifying a Subscriber's Password Policies Using Command-Line Tools

The following example modifies a password policy entry.

ldapmodify -p 389 -h my_host -v <<EOF
dn: cn=pwdpolicyentry,cn=common,cn=products,cn=OracleContext,o=my_company,dc=com
changetype: modify
replace: pwdMaxAge
pwdMaxAge: 100000

Error Messages

See:

"Password Policy Violation Error Messages"

17 Password Policies