Context Navigation

← Previous Change
Wiki History
Next Change →

Changes between Initial Version and Version 1 of ALL__security_passwd_policy

Timestamp:: 11/25/14 20:06:57 (10 years ago)
Author:: lttoth@…
Comment:: --

Legend:

: Unmodified
: Added
: Removed
: Modified

ALL__security_passwd_policy

                       v1
+# 20081104 elm         iPlanet Password Policies
+Note: Thoughout this document are references to ldap_*<Inst> commands.  Those are
+simply scripted invocations of the associated ldap* utilities that make it possible
+to search the directory, and to add, modify and delete directory data using the
+Directory Manager credentials.  The ldap_*<Inst> scripts can be found on the "e"
+boxes under ~iplanet/local/ldap/scripts.
+Although "only regents can set policy", iPlanet refers to a set of password/account
+configuration settings as a "Password Policy".  That is the intent of the term
+"policy" throughout this document.
+iPlanet supports one default password policy at the config level.  The default
+password policy dictates the behavior of any directory record not explicitly
+associated with another, non-default password policy.
+The settings for the default policy in all Enterprise Directory instances (test,
+prep and production) are the same.  They can be seen/modified via the iPlanet console
+or they can be seen and updated by using command line utilities
+        iplanet@egegik> ldap_queryConfigProd "(cn=Password Policy)"
+        dn: cn=Password Policy,cn=config
+        objectClass: top
+        objectClass: passwordPolicy
+        cn: Password Policy
+        passwordInHistory: 5
+        passwordStorageScheme: SSHA
+        passwordUnlock: on
+        passwordMustChange: on
+        passwordNonRootMayResetUserpwd: off
+        passwordWarning: 604800
+        passwordExpireWithoutWarning: on
+        passwordLockout: on
+        passwordMinLength: 8
+        passwordMaxFailure: 5
+        passwordMaxAge: 34560000
+        passwordResetFailureCount: 600
+        passwordisglobalpolicy: on
+        passwordChange: on
+        passwordExp: on
+        passwordLockoutDuration: 1800
+        passwordCheckSyntax: on
+        passwordMinAge: 0
+        passwordRootdnMayBypassModsChecks: on
+        iplanet@egegik> ldap_modifyProd "(cn=Password Policy)"
+        dn: cn=Password Policy,cn=config
+        changetype: modify
+        replace: passwordMaxAge
+        passwordMaxAge: <some new value>
+iPlanet supports creation of additional password policies but those policies must
+be manually associated with a directory account much like any other piece of directory
+data.  Additional password policies can be created using ldapadd and associated with
+individual directory records using ldapmodify.
+        iplanet@egegik> ldap_deleteTest
+        inst: test
+        port: 13338
+        ldapdelete: started Tue Nov  4 07:19:30 2008
+        ldap_init( egegik, 13338 )
+        ldaptool_getcertpath -- /e01/iplanet/servers/alias/slapd-egegiktest-cert8.db
+        ldaptool_getkeypath -- /e01/iplanet/servers/alias/slapd-egegiktest-cert8.db
+        ldaptool_getdonglefilename -- (null)
+        cn=Password Policy,ou=resource,dc=alaska,dc=edu
+        deleting entry cn=Password Policy,ou=resource,dc=alaska,dc=edu
+        entry removed
+        iplanet@egegik> cat create_resource_password_policyTest.20070220
+        dn: cn=Password Policy,ou=resource,dc=alaska,dc=edu
+        objectClass: top
+        objectClass: passwordPolicy
+        objectClass: LDAPsubentry
+        cn: Password Policy
+        passwordStorageScheme: SSHA
+        passwordChange: on
+        passwordMinAge: 0
+        passwordUnlock: on
+        passwordResetFailureCount: 600
+        passwordMustChange: off
+        passwordInHistory: 10
+        passwordExp: off
+        passwordMaxAge: 0
+        passwordWarning: 604800
+        passwordCheckSyntax: on
+        passwordRootdnMayBypassModsChecks: on
+        passwordMinLength: 8
+        passwordLockout: off
+        passwordMaxFailure: 5
+        passwordLockoutDuration: 1800
+        iplanet@egegik> ldap_addTest -f create_resource_password_policyTest.20070220
+        inst: test
+        port: 13338
+        ldapmodify: started Mon Nov  3 15:58:15 2008
+        ldap_init( egegik, 13338 )
+        ldaptool_getcertpath -- /e01/iplanet/servers/alias/slapd-egegiktest-cert8.db
+        ldaptool_getkeypath -- /e01/iplanet/servers/alias/slapd-egegiktest-cert8.db
+        ldaptool_getdonglefilename -- (null)
+        add objectClass:
+                top
+                passwordPolicy
+                LDAPsubentry
+        add cn:
+                Password Policy
+        add passwordStorageScheme:
+                SSHA
+        add passwordChange:
+                on
+        add passwordMinAge:
+        add passwordUnlock:
+                on
+        add passwordResetFailureCount:
+        add passwordMustChange:
+                off
+        add passwordInHistory:
+        add passwordExp:
+                off
+        add passwordMaxAge:
+        add passwordWarning:
+        add passwordCheckSyntax:
+                on
+        add passwordRootdnMayBypassModsChecks:
+                on
+        add passwordMinLength:
+        add passwordLockout:
+                off
+        add passwordMaxFailure:
+        add passwordLockoutDuration:
+        adding new entry cn=Password Policy,ou=resource,dc=alaska,dc=edu
+        modify complete
+        iplanet@egegik> ldap_modifyTest
+        dn: uid=fake03,dc=resource,dc=alaska,dc=edu
+        changetype: modify
+        replace: passwordPolicySubentry
+        passwordPolicySubentry: cn=Password Policy,ou=resource,dc=alaska,dc=edu
+        <ctrl+d>
+Changes to max age impact only future password changes.  If a password expiration
+has already been established for a directory record, that expiration remains in effect
+until the next time the password is changed.
+Note: Work on an additional password policy that might someday be applied to
+ou=resource records can be found on egegik under ~iplanet/local/ldap/schema/POLICY.
+# eof