# 20081104 elm iPlanet Password Policies

Note: Throughout this document are references to ldap_* commands. Those are simply scripted invocations of the associated ldap* utilities that make it possible to search the directory, and to add, modify and delete directory data using the Directory Manager credentials. The ldap_* scripts can be found on the "e" boxes under ~iplanet/local/ldap/scripts.

Although "only regents can set policy", iPlanet refers to a set of password/account configuration settings as a "Password Policy". That is the intent of the term "policy" throughout this document.

iPlanet supports one default password policy at the config level. The default password policy dictates the behavior of any directory record not explicitly associated with another, non-default password policy. The settings for the default policy in all Enterprise Directory instances (test, prep and production) are the same. They can be seen and modified via the iPlanet console, or they can be seen and updated with the command line utilities:

    iplanet@egegik> ldap_queryConfigProd "(cn=Password Policy)"
    dn: cn=Password Policy,cn=config
    objectClass: top
    objectClass: passwordPolicy
    cn: Password Policy
    passwordInHistory: 5
    passwordStorageScheme: SSHA
    passwordUnlock: on
    passwordMustChange: on
    passwordNonRootMayResetUserpwd: off
    passwordWarning: 604800
    passwordExpireWithoutWarning: on
    passwordLockout: on
    passwordMinLength: 8
    passwordMaxFailure: 5
    passwordMaxAge: 34560000
    passwordResetFailureCount: 600
    passwordisglobalpolicy: on
    passwordChange: on
    passwordExp: on
    passwordLockoutDuration: 1800
    passwordCheckSyntax: on
    passwordMinAge: 0
    passwordRootdnMayBypassModsChecks: on

    iplanet@egegik> ldap_modifyProd "(cn=Password Policy)"
    dn: cn=Password Policy,cn=config
    changetype: modify
    replace: passwordMaxAge
    passwordMaxAge:

iPlanet supports creation of additional password policies, but those policies must be manually associated with a directory account much like any other piece of directory data.
Additional password policies can be created using ldapadd and associated with individual directory records using ldapmodify.

    iplanet@egegik> ldap_deleteTest
    inst: test
    port: 13338
    ldapdelete: started Tue Nov 4 07:19:30 2008
    ldap_init( egegik, 13338 )
    ldaptool_getcertpath -- /e01/iplanet/servers/alias/slapd-egegiktest-cert8.db
    ldaptool_getkeypath -- /e01/iplanet/servers/alias/slapd-egegiktest-cert8.db
    ldaptool_getdonglefilename -- (null)
    cn=Password Policy,ou=resource,dc=alaska,dc=edu
    deleting entry cn=Password Policy,ou=resource,dc=alaska,dc=edu
    entry removed

    iplanet@egegik> cat create_resource_password_policyTest.20070220
    dn: cn=Password Policy,ou=resource,dc=alaska,dc=edu
    objectClass: top
    objectClass: passwordPolicy
    objectClass: LDAPsubentry
    cn: Password Policy
    passwordStorageScheme: SSHA
    passwordChange: on
    passwordMinAge: 0
    passwordUnlock: on
    passwordResetFailureCount: 600
    passwordMustChange: off
    passwordInHistory: 10
    passwordExp: off
    passwordMaxAge: 0
    passwordWarning: 604800
    passwordCheckSyntax: on
    passwordRootdnMayBypassModsChecks: on
    passwordMinLength: 8
    passwordLockout: off
    passwordMaxFailure: 5
    passwordLockoutDuration: 1800

    iplanet@egegik> ldap_addTest -f create_resource_password_policyTest.20070220
    inst: test
    port: 13338
    ldapmodify: started Mon Nov 3 15:58:15 2008
    ldap_init( egegik, 13338 )
    ldaptool_getcertpath -- /e01/iplanet/servers/alias/slapd-egegiktest-cert8.db
    ldaptool_getkeypath -- /e01/iplanet/servers/alias/slapd-egegiktest-cert8.db
    ldaptool_getdonglefilename -- (null)
    add objectClass:
            top
            passwordPolicy
            LDAPsubentry
    add cn:
            Password Policy
    add passwordStorageScheme:
            SSHA
    add passwordChange:
            on
    add passwordMinAge:
            0
    add passwordUnlock:
            on
    add passwordResetFailureCount:
            600
    add passwordMustChange:
            off
    add passwordInHistory:
            10
    add passwordExp:
            off
    add passwordMaxAge:
            0
    add passwordWarning:
            604800
    add passwordCheckSyntax:
            on
    add passwordRootdnMayBypassModsChecks:
            on
    add passwordMinLength:
            8
    add passwordLockout:
            off
    add passwordMaxFailure:
            5
    add passwordLockoutDuration:
            1800
    adding new entry cn=Password Policy,ou=resource,dc=alaska,dc=edu
    modify complete

    iplanet@egegik> ldap_modifyTest
    dn: uid=fake03,dc=resource,dc=alaska,dc=edu
    changetype: modify
    replace: passwordPolicySubentry
    passwordPolicySubentry: cn=Password Policy,ou=resource,dc=alaska,dc=edu

Changes to max age affect only future password changes. If a password expiration has already been established for a directory record, that expiration remains in effect until the next time the password is changed.

Note: Work on an additional password policy that might someday be applied to ou=resource records can be found on egegik under ~iplanet/local/ldap/schema/POLICY.

# eof