Version 1 (modified by lttoth@…, 10 years ago)
# 20081104 elm iPlanet Password Policies
Note: Throughout this document there are references to `ldap_*<Inst>` commands. Those are simply scripted invocations of the associated `ldap*` utilities that make it possible to search the directory, and to add, modify and delete directory data, using the Directory Manager credentials. The `ldap_*<Inst>` scripts can be found on the "e" boxes under `~iplanet/local/ldap/scripts`.
Although "only regents can set policy", iPlanet refers to a set of password/account configuration settings as a "Password Policy". That is the intent of the term "policy" throughout this document.
iPlanet supports one default password policy at the config level. The default password policy dictates the behavior of any directory record not explicitly associated with another, non-default password policy.
The settings for the default policy in all Enterprise Directory instances (test, prep and production) are the same. They can be viewed and modified via the iPlanet console, or viewed and updated with the command line utilities:

```
iplanet@egegik> ldap_queryConfigProd "(cn=Password Policy)"
dn: cn=Password Policy,cn=config
objectClass: top
objectClass: passwordPolicy
cn: Password Policy
passwordInHistory: 5
passwordStorageScheme: SSHA
passwordUnlock: on
passwordMustChange: on
passwordNonRootMayResetUserpwd: off
passwordWarning: 604800
passwordExpireWithoutWarning: on
passwordLockout: on
passwordMinLength: 8
passwordMaxFailure: 5
passwordMaxAge: 34560000
passwordResetFailureCount: 600
passwordisglobalpolicy: on
passwordChange: on
passwordExp: on
passwordLockoutDuration: 1800
passwordCheckSyntax: on
passwordMinAge: 0
passwordRootdnMayBypassModsChecks: on
```

```
iplanet@egegik> ldap_modifyProd "(cn=Password Policy)"
dn: cn=Password Policy,cn=config
changetype: modify
replace: passwordMaxAge
passwordMaxAge: <some new value>
```
iPlanet supports creation of additional password policies, but those policies must be manually associated with a directory account, much like any other piece of directory data. Additional password policies can be created using ldapadd and associated with individual directory records using ldapmodify.
Removing an existing test policy entry (the DN to delete is supplied on stdin):

```
iplanet@egegik> ldap_deleteTest
inst: test
port: 13338
ldapdelete: started Tue Nov 4 07:19:30 2008
ldap_init( egegik, 13338 )
ldaptool_getcertpath -- /e01/iplanet/servers/alias/slapd-egegiktest-cert8.db
ldaptool_getkeypath -- /e01/iplanet/servers/alias/slapd-egegiktest-cert8.db
ldaptool_getdonglefilename -- (null)
cn=Password Policy,ou=resource,dc=alaska,dc=edu
deleting entry cn=Password Policy,ou=resource,dc=alaska,dc=edu
entry removed
```
```
iplanet@egegik> cat create_resource_password_policyTest.20070220
dn: cn=Password Policy,ou=resource,dc=alaska,dc=edu
objectClass: top
objectClass: passwordPolicy
objectClass: LDAPsubentry
cn: Password Policy
passwordStorageScheme: SSHA
passwordChange: on
passwordMinAge: 0
passwordUnlock: on
passwordResetFailureCount: 600
passwordMustChange: off
passwordInHistory: 10
passwordExp: off
passwordMaxAge: 0
passwordWarning: 604800
passwordCheckSyntax: on
passwordRootdnMayBypassModsChecks: on
passwordMinLength: 8
passwordLockout: off
passwordMaxFailure: 5
passwordLockoutDuration: 1800
```
```
iplanet@egegik> ldap_addTest -f create_resource_password_policyTest.20070220
inst: test
port: 13338
ldapmodify: started Mon Nov 3 15:58:15 2008
ldap_init( egegik, 13338 )
ldaptool_getcertpath -- /e01/iplanet/servers/alias/slapd-egegiktest-cert8.db
ldaptool_getkeypath -- /e01/iplanet/servers/alias/slapd-egegiktest-cert8.db
ldaptool_getdonglefilename -- (null)
add objectClass:
        top
        passwordPolicy
        LDAPsubentry
add cn:
        Password Policy
add passwordStorageScheme:
        SSHA
add passwordChange:
        on
add passwordMinAge:
        0
add passwordUnlock:
        on
add passwordResetFailureCount:
        600
add passwordMustChange:
        off
add passwordInHistory:
        10
add passwordExp:
        off
add passwordMaxAge:
        0
add passwordWarning:
        604800
add passwordCheckSyntax:
        on
add passwordRootdnMayBypassModsChecks:
        on
add passwordMinLength:
        8
add passwordLockout:
        off
add passwordMaxFailure:
        5
add passwordLockoutDuration:
        1800
adding new entry cn=Password Policy,ou=resource,dc=alaska,dc=edu
modify complete
```
```
iplanet@egegik> ldap_modifyTest
dn: uid=fake03,dc=resource,dc=alaska,dc=edu
changetype: modify
replace: passwordPolicySubentry
passwordPolicySubentry: cn=Password Policy,ou=resource,dc=alaska,dc=edu
<ctrl+d>
```
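Because a non-default policy such as the ou=resource one silently replaces the cn=config defaults for every record it is attached to, it is worth checking which settings it relaxes before assigning it. The script below is an added example (not part of this page or the ~iplanet scripts): it parses the two policy entries as LDIF and reports each setting that is weaker than the default. The LDIF text is constructed from the values shown above, and the "stricter" direction of each attribute is an assumption taken from the attribute's meaning, not from the directory itself.

```python
# Constructed LDIF with the values this page shows for the cn=config default
# and the ou=resource policy (added example, not the page's own script).
DEFAULT_LDIF = """dn: cn=Password Policy,cn=config
passwordInHistory: 5
passwordLockout: on
passwordMaxFailure: 5
passwordExp: on
"""
RESOURCE_LDIF = """dn: cn=Password Policy,ou=resource,dc=alaska,dc=edu
passwordInHistory: 10
passwordLockout: off
passwordMaxFailure: 5
passwordExp: off
"""
# Direction in which each setting gets stricter (names lower-cased, as LDAP
# attribute names are case-insensitive). passwordMaxAge is deliberately left
# out: it only applies while passwordExp is on, and passwordExp is checked.
HIGHER_IS_STRICTER = ("passwordinhistory", "passwordminlength", "passwordlockoutduration")
LOWER_IS_STRICTER = ("passwordmaxfailure",)
ON_IS_STRICTER = ("passwordlockout", "passwordexp", "passwordchecksyntax")


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lowercase: [values]}, joining folded lines."""
    entry, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and last:  # continuation of the previous value
            entry[last][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        last = attr.strip().lower()
        entry.setdefault(last, []).append(value.strip())
    return entry


def weaker_settings(default, policy):
    """Return {attr: (default_value, policy_value)} for each setting in `policy`
    that is weaker than `default`; settings absent from `policy` inherit the default."""
    weaker = {}
    for attr in HIGHER_IS_STRICTER + LOWER_IS_STRICTER + ON_IS_STRICTER:
        d, p = default.get(attr, [None])[0], policy.get(attr, [None])[0]
        if d is None or p is None:
            continue
        if attr in ON_IS_STRICTER:
            bad = d.lower() == "on" and p.lower() != "on"
        else:  # numeric: history/length/duration stricter when higher, failures when lower
            bad = int(p) < int(d) if attr in HIGHER_IS_STRICTER else int(p) > int(d)
        if bad:
            weaker[attr] = (d, p)
    return weaker
```

Run against the two entries above it reports passwordLockout (on -> off) and passwordExp (on -> off); the larger passwordInHistory is stricter and is not reported. The same two functions can be pointed at the output of `ldap_queryConfigProd` and an `ldapsearch` of the subentry to audit a live instance.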
Changes to max age impact only future password changes. If a password expiration has already been established for a directory record, that expiration remains in effect until the next time the password is changed.
Note: Work on an additional password policy that might someday be applied to ou=resource records can be found on egegik under ~iplanet/local/ldap/schema/POLICY.
# eof