Changes between Version 1 and Version 2 of ALL__security_passwd_policy


Timestamp:
12/03/14 10:40:28 (10 years ago)
Author:
lttoth@…
Comment:

--

  • ALL__security_passwd_policy

    v1 v2  
    1 # 20081104 elm         iPlanet Password Policies 
     1= iPlanet Password Policies = 
     2    Original Author:  Beth Mercer - 20081104 
    23 
    3 Note: Thoughout this document are references to ldap_*<Inst> commands.  Those are  
     4== Definitions == 
     5Thoughout this document are references to ldap_*<Inst> commands.  Those are  
    46simply scripted invocations of the associated ldap* utilities that make it possible  
    57to search the directory, and to add, modify and delete directory data using the  
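Review bot: The typo "Thoughout" is carried over unchanged into the new line 5 under "== Definitions ==" and should read "Throughout". Since this sentence is being moved under a new heading anyway, fix the spelling in the same revision.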
     
    1113"policy" throughout this document. 
    1214 
    13 iPlanet supports one default password policy at the config level.  The default  
     15== Default Password Policy == 
     16iPlanet supports one default password policy at the /config level.  The default  
    1417password policy dictates the behavior of any directory record not explicitly  
    1518associated with another, non-default password policy. 
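Review bot: On new line 16, "config level" became "/config level", a form that appears nowhere else in the document; the entry queried in the next section is "dn: cn=Password Policy,cn=config". Suggest writing "cn=config" so readers can tell exactly where the default policy lives.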
     
    1720The settings for the default policy in all Enterprise Directory instances (test,  
    1821prep and production) are the same.  They can be seen/modified via the iPlanet console  
    19 or they can be seen and updated by using command line utilities 
     22or they can be seen and updated by using command line utilities. 
    2023 
     24=== Query the LDAP Configuration for an Instance === 
     25The following example queries PROD: 
     26{{{ 
    2127        iplanet@egegik> ldap_queryConfigProd "(cn=Password Policy)"      
    2228        dn: cn=Password Policy,cn=config 
     
    4349        passwordMinAge: 0 
    4450        passwordRootdnMayBypassModsChecks: on 
     51}}} 
    4552 
     53=== Modify LDAP Password Policy for an Instance === 
     54{{{ 
    4655        iplanet@egegik> ldap_modifyProd "(cn=Password Policy)"      
    4756        dn: cn=Password Policy,cn=config 
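Review bot: The new "=== Modify LDAP Password Policy for an Instance ===" heading runs straight into the code block with no lead-in, unlike the query section, which says "The following example queries PROD:". Because ldap_modifyProd here changes the default policy under cn=config, add a sentence naming the instance being modified and reminding the reader that the default policy governs every record not associated with another policy.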
     
    4958        replace: passwordMaxAge 
    5059        passwordMaxAge: <some new value> 
     60}}} 
    5161 
    52  
     62== Creating Additional Password Policies == 
    5363iPlanet supports creation of additional password policies but those policies must  
    5464be manually associated with a directory account much like any other piece of directory  
    5565data.  Additional password policies can be created using ldapadd and associated with  
    56 individual directory records using ldapmodify. 
     66individual directory records using iPlanet ''ldapmodify'' command.  The following three examples show how one might create a new policy that is associated with a directory.  
    5767 
     68=== First Delete the Instance Default Password === 
     69{{{ 
    5870        iplanet@egegik> ldap_deleteTest  
    5971        inst: test 
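Review bot: The heading "=== First Delete the Instance Default Password ===" misnames the step: the entry removed in this example is "cn=Password Policy,ou=resource,dc=alaska,dc=edu", a password policy under ou=resource, not a password and not the default policy in cn=config. Retitle it along the lines of "Delete the Existing Resource Password Policy". The new sentence on line 66 also promises "three examples" while four subsections follow, and "using iPlanet ''ldapmodify'' command" is missing "the".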
     
    7082        deleting entry cn=Password Policy,ou=resource,dc=alaska,dc=edu 
    7183        entry removed 
     84}}} 
    7285 
     86=== Create a New Password Policy for the Instance === 
     87{{{ 
    7388        iplanet@egegik> cat create_resource_password_policyTest.20070220             
    7489        dn: cn=Password Policy,ou=resource,dc=alaska,dc=edu 
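Review bot: "=== Create a New Password Policy for the Instance ===" heads a block that only runs cat on create_resource_password_policyTest.20070220; the entry is actually added in the following section with ldap_addTest -f. Suggest a title such as "Define the New Password Policy in an LDIF File" so the define and add steps are not confused.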
     
    93108        passwordMaxFailure: 5 
    94109        passwordLockoutDuration: 1800 
    95  
     110}}} 
     111=== Add the Password Policy to the Instance === 
     112{{{ 
    96113        iplanet@egegik> ldap_addTest -f create_resource_password_policyTest.20070220 
    97114        inst: test 
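Review bot: The closing "}}}" on new line 110 is followed directly by the "=== Add the Password Policy to the Instance ===" heading on line 111, because the blank old line 95 was dropped. Every other section in this revision keeps a blank line between the closing "}}}" and the next heading; restore it here for consistency.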
     
    145162        adding new entry cn=Password Policy,ou=resource,dc=alaska,dc=edu 
    146163        modify complete 
     164}}} 
    147165 
     166=== Modify a Resource Using a Script to Invoke iPlanet '''ldapmodify''' === 
     167Once a password policy exists, modifying it is accomplished in the usual way.  In the example below, the script, ldap_modifyTest does the invocation for the usual iPlanet ''ldapmodify'' command that can be run from the command line. 
     168{{{ 
    148169        iplanet@egegik> ldap_modifyTest 
    149170        dn: uid=fake03,dc=resource,dc=alaska,dc=edu 
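Review bot: The new lead-in on line 167 says that modifying a password policy "is accomplished in the usual way", but the example edits the account uid=fake03 and sets passwordPolicySubentry, which associates a policy with a record rather than changing the policy itself. Reword the heading and the sentence to describe associating a policy with a directory record. While here, check the dn in the example: it reads "dc=resource" where the policy entry uses "ou=resource".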
     
    152173        passwordPolicySubentry: cn=Password Policy,ou=resource,dc=alaska,dc=edu 
    153174        <ctrl+d> 
     175}}} 
    154176 
    155177Changes to max age impact only future password changes.  If a password expiration  
     
    157179until the next time the password is changed. 
    158180 
    159 Note: Work on an additional password policy that might someday be applied to  
     181''Note:'' Work on an additional password policy that might someday be applied to  
    160182ou=resource records can be found on egegik under ~iplanet/local/ldap/schema/POLICY. 
    161  
    162 # eof