Oracle® Internet Directory Administrator's Guide,
10g Release 2 (10.1.2) B14082-02 |
Password policies are sets of rules that govern how passwords are used. This chapter contains these topics:
This section contains these topics:
Directory Server Verification of Password Policy Information
Overview: Establishing a Password Policy for an Identity Management Realm
Password policies are sets of rules that govern how passwords are used. They can specify, for example:
The maximum length of time a given password is valid
The minimum number of characters a password must contain
The number of numeric characters required in a password
That users change their passwords periodically
That users cannot reuse previously used passwords
That users are locked out after a certain number of login attempts
The default password policy for Oracle Internet Directory enforces:
Password expiration in 60 days
Account lockout after 10 login failures. Except for the super user account, a locked account remains locked for 24 hours unless the directory administrator resets its password. After the lockout duration has passed, the account still stays locked until the user binds with the correct password; that successful bind clears the lock.
A minimum password length of five characters with at least one numeric character
If the super user account, cn=orcladmin, becomes locked, it stays locked until it is unlocked by using the OID Database Password utility (oidpasswd). The utility prompts you for the ODS user password; after you enter it, the utility unlocks the account.
See Also: The "oidpasswd" command-line tool reference in Oracle Identity Management User Reference for information on unlocking a super user account
Beginning in Oracle Internet Directory, Release 9.0.4, the password policy entry in the Root Oracle Context applies to the super user, but only the password policy governing account lockout is enforced on that account.
Note: Oracle Identity Management has two distinct types of privileged user. Both privileged user accounts can be locked if certain password policies are activated. The first type of privileged user, the super user with the DN
The second privileged user, a realm-specific privileged user, governs capabilities such as creation and deletion of users and groups within a realm and all the functionality related to Oracle Delegated Administration Services. This account is represented by an entry with the DN
During Oracle Internet Directory installation, the Oracle Universal Installer creates a password policy entry for each identity management realm. This entry contains all password policy information applicable to all users in that realm.
The installer places this entry as shown in Figure 15-1, namely, immediately below the common entry, which resides under the products entry, which, in turn, resides under the Oracle Context specific to the identity management realm. For the realm o=my_company,dc=com used in the examples later in this chapter, the entry is cn=pwdpolicyentry,cn=common,cn=products,cn=OracleContext,o=my_company,dc=com.
The Oracle Internet Directory password policy applies to simple binds (based on the userpassword attribute), to compare operations on the userpassword attribute, and to SASL binds. It does not apply to SSL and proxy binds, so lockout and expiry enforced by the policy do not affect clients that authenticate through those paths.
To enforce this password policy, set the orclcommonusersearchbase attribute in the common entry of the realm-specific Oracle Context to the appropriate value. Otherwise, no password policy modification can take effect.
To ensure that the user password meets the requirements of a given policy, the directory server verifies:
That the password policy is enabled. It does this by checking the value of the attribute orclpwdpolicyenable in the password policy entry. A value of 1 indicates that the password policy is enabled. A value of 0 indicates that it is disabled.
Correctness of password policy syntax information, which includes, for example, the correct number of alphabetic and numeric characters, or the correct password length. The directory server checks the syntax during ldapadd and ldapmodify operations.
Password policy state information, which, for example, includes:
The timestamp of the user password creation or modification
The timestamp of consecutive failed login attempts by the user
The time at which the user account was locked
Indicator that the password has been reset and must be changed by the user on first authentication
A history of user's previously used passwords
Time stamps of grace logins
The directory server checks the state information during ldapbind and ldapcompare operations, but does so only if the orclpwdpolicyenable attribute is set to 1.
To enable password value syntax checking, set both orclpwdpolicyenable and pwdchecksyntax in the password policy entry to their enabled values: orclpwdpolicyenable to 1, as documented above, and pwdchecksyntax to its enabled value. Syntax checking is never performed while the policy as a whole is disabled, whatever pwdchecksyntax holds.
In general, establishing a password policy requires doing the following:
Creating a password policy entry, associating it with the pwdPolicy object class, and populating the corresponding attributes.
Setting values for the pwdPolicy object class that contains password policy information for the entire directory. Do this during installation when the entry of this object class is created.
Verifying that the orclpwdpolicyenable attribute in the password policy entry is set to 1.
See Also: "Object Class Reference" in Oracle Identity Management User Reference for a list and descriptions of the attributes of the pwdPolicy object class, and those of the top object class that pertain to password policies
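The verification rules above (enable flag, syntax checks on add/modify, state checks on bind) and the policy entry that carries them can be exercised offline. The following is an added example, not Oracle code and not part of this guide: it reads a constructed copy of the realm's password policy entry from LDIF and applies the documented default rules (60-day expiry, lockout after 10 failures for 24 hours, minimum length 5 with one numeric character, the super user never unlocking by time). The attribute names pwdMinLength, pwdMaxFailure, pwdLockoutDuration and orclpwdAlphaNumeric are assumptions; the section itself names only orclpwdpolicyenable, pwdCheckSyntax, pwdMaxAge, pwdLockout and pwdMustChange.

```python
"""Added example (not Oracle code): a model of the password policy checks this
section describes, driven by the realm policy entry read from LDIF."""
from datetime import datetime, timedelta, timezone

# Constructed LDIF for the realm policy entry at the DN this chapter uses, holding
# the documented defaults. pwdMinLength, orclpwdAlphaNumeric, pwdMaxFailure and
# pwdLockoutDuration are assumed attribute names.
POLICY_LDIF = """\
dn: cn=pwdpolicyentry,cn=common,cn=products,cn=OracleContext,o=my_company,dc=com
objectclass: pwdpolicy
orclpwdpolicyenable: 1
pwdchecksyntax: 1
pwdminlength: 5
orclpwdalphanumeric: 1
pwdmaxage: 5184000
pwdlockout: 1
pwdmaxfailure: 10
pwdlockoutduration: 86400
pwdmustchange: 1
"""

SUPER_USER = "cn=orcladmin"   # stays locked until oidpasswd unlocks it


def parse_ldif_entry(text):
    """One LDIF entry as {attribute (lowercased): [values]}."""
    entry = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def _flag(entry, name, default=False):
    # The chapter writes enable flags as 1/0 in one place and TRUE in another;
    # treat both spellings as "on".
    values = entry.get(name)
    return values[0].upper() in ("1", "TRUE") if values else default


def _int(entry, name, default):
    values = entry.get(name)
    return int(values[0]) if values else default


def parse_gt(value):
    """UTC GeneralizedTime as stored in the directory (20050101120000z)."""
    return datetime.strptime(value.rstrip("zZ"), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def load_policy(ldif_text):
    e = parse_ldif_entry(ldif_text)
    return {
        "enabled": _flag(e, "orclpwdpolicyenable"),
        "check_syntax": _flag(e, "pwdchecksyntax"),
        "min_length": _int(e, "pwdminlength", 5),
        "min_numeric": _int(e, "orclpwdalphanumeric", 1),
        "max_age": timedelta(seconds=_int(e, "pwdmaxage", 5184000)),
        "lockout": _flag(e, "pwdlockout", True),
        "max_failure": _int(e, "pwdmaxfailure", 10),
        "lockout_duration": timedelta(seconds=_int(e, "pwdlockoutduration", 86400)),
        "must_change": _flag(e, "pwdmustchange"),
    }


def check_syntax(policy, password):
    """Violations the server would raise on ldapadd/ldapmodify of userpassword."""
    if not (policy["enabled"] and policy["check_syntax"]):
        return []                      # policy off or syntax check off: nothing enforced
    problems = []
    if len(password) < policy["min_length"]:
        problems.append("shorter than pwdMinLength=%d" % policy["min_length"])
    if sum(c.isdigit() for c in password) < policy["min_numeric"]:
        problems.append("fewer than %d numeric characters" % policy["min_numeric"])
    return problems


def new_state(changed_at, reset=False):
    """Per-user state: last change time, failure times, lock time, reset flag."""
    return {"changed_at": changed_at, "failures": [], "locked_at": None, "reset": reset}


def bind(policy, dn, state, password_ok, now):
    """Simulate a simple bind at GeneralizedTime now; updates state, returns outcome."""
    if not policy["enabled"]:
        return "ok" if password_ok else "invalid_credentials"
    t = parse_gt(now)
    if state["locked_at"] is not None:
        if dn.lower() == SUPER_USER:
            return "locked"            # the lockout duration does not apply to cn=orcladmin
        if t - parse_gt(state["locked_at"]) < policy["lockout_duration"] or not password_ok:
            return "locked"            # inside the duration, or wrong password after it
        state["locked_at"], state["failures"] = None, []   # correct bind after duration clears it
    if not password_ok:
        state["failures"].append(now)
        if policy["lockout"] and len(state["failures"]) >= policy["max_failure"]:
            state["locked_at"] = now
            return "locked"
        return "invalid_credentials"
    state["failures"] = []
    if t - parse_gt(state["changed_at"]) > policy["max_age"]:
        return "expired"
    if policy["must_change"] and state["reset"]:
        return "must_change"           # password was reset; user must change it now
    return "ok"
```

Running load_policy over an ldapsearch export of the real pwdpolicyentry is a quick way to confirm that orclpwdpolicyenable is 1 before trusting any other setting, since every other check in the model (and, per the text, in the server) is skipped while it is 0.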
This section contains these topics:
Managing Password Policies by Using Oracle Directory Manager
Managing Password Policies by Using the Self-Service Console
Table 15-1 lists the administrative tasks related to password policies and the tools you use to perform each one, and points you to the corresponding information.
Table 15-1 Tasks and Tools for Managing Password Policies
When you create the base entry for an identity management realm—whether during an Oracle Internet Directory installation or later—you also create a password policy entry for that realm. Later, you can use Oracle Directory Manager to view, refresh, and modify those policies.
This section contains these topics:
Viewing Password Policies of an Identity Management Realm by Using Oracle Directory Manager
Modifying Password Policies of an Identity Management Realm by Using Oracle Directory Manager
To view the password policies for a particular identity management realm, in the navigator pane, expand Oracle Internet Directory Servers, then directory server instance, then Password Policy Management. The navigator pane displays the password policy entries for the identity management realm. The right pane displays a table with two columns:
The Path to Password Policy Entry column listing the full DN of each password policy entry
The Password Policy Entry column listing the corresponding RDNs of those policies
To get the latest updates to realm-specific password policies, choose Refresh.
To get the password policies of a particular realm, in the navigator pane, choose the realm-specific password policy you want to view. The policies appear in the right pane.
See Also: "Password Policy Fields in Oracle Directory Manager" for a description of each password policy displayed in Oracle Directory Manager
To modify the password policies for a particular identity management realm:
In the navigator pane, expand in succession Oracle Internet Directory Servers, directory server instance, Password Policy Management.
In the navigator pane, choose the realm-specific password policy you want to modify. The corresponding tab pages appear in the right pane.
In the General tab page, modify the editable attribute fields as needed. These fields are described in Table A-10.
Select the Account Lockout tab page and, to modify the fields, select Global Lockout. Modify the editable attribute fields as needed. These fields are described in Table A-11.
Select the IP Lockout tab page and, to modify the fields, select IP Lockout. Modify the editable attribute fields as needed. These fields are described in Table A-12.
Select the Password Syntax tab page and, to modify the fields, select Check Password Syntax. Modify the editable attribute fields as needed. These fields are described in Table A-13.
When you are finished, choose Apply.
This section contains these topics:
Example: Setting Password Policies by Using Command-Line Tools
Examples: Managing the Password Policies of an Identity Management Realm by Using Command-Line Tools
Example: Enabling and Disabling Accounts by Using Command-Line Tools
Example: Forcing a Password Change by Using Command-Line Tools
The following example disables the pwdLockout attribute, changing it from its default setting of 1.
The file my_file.ldif contains:
dn: cn=pwdpolicyentry,cn=common,cn=products,cn=OracleContext,o=my_company,dc=com
changetype: modify
replace: pwdlockout
pwdlockout: 0
The following command loads this file into the directory:
ldapmodify -p 389 -h myhost -f my_file.ldif
As written, this command binds anonymously. Modifying the policy entry requires an authorized bind, so add -D and -w with the credentials of a user permitted to change it, as in the unlock example later in this section. Note that setting pwdlockout to 0 turns off account lockout after repeated bind failures for every user in the realm.
Look at the following examples to learn how to view and modify the password policies of a realm by using command-line tools.
The following example retrieves a specific password policy entry.
ldapsearch -p 389 -h my_host \
  -b "cn=pwdpolicyentry,cn=common,cn=products,cn=OracleContext,o=my_company,dc=com" \
  -s base "objectclass=*"
The following example retrieves all password policy entries:
ldapsearch -p 389 -h my_host -b "" -s sub "objectclass=pwdpolicy"
The following example modifies a password policy entry, setting the maximum password age (pwdMaxAge, in seconds) to 100000.
ldapmodify -p 389 -h my_host -v <<EOF
dn: cn=pwdpolicyentry,cn=common,cn=products,cn=OracleContext,o=my_company,dc=com
changetype: modify
replace: pwdMaxAge
pwdMaxAge: 100000
EOF
You can temporarily disable a user's account, then enable it once again, by using command-line tools.
To disable the account, set the orclisenabled attribute in the user entry to DISABLED. Setting this attribute to any other value enables the account.
To enable the account after you have disabled it, delete this attribute from the entry.
To enable the account for a specific period only, set the orclActiveStartDate and orclActiveEndDate attributes in the user entry to the proper values in UTC (Coordinated Universal Time) format. For example:
dn: cn=John Doe,cn=users,o=my_company,dc=com
orclactivestartdate: 20030101000000z
orclactiveenddate: 20031231000000z
In this example, John Doe can log in only between January 1, 2003 and December 31, 2003. He cannot log in before January 1, 2003 or after December 31, 2003. If you want to disable his account for a period of time between these dates, set the orclisenabled attribute to DISABLED; as stated above, any other value, including FALSE, leaves the account enabled.
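Because only the literal value DISABLED disables an account, an entry whose orclisenabled was set to FALSE or 0 by mistake is still fully enabled. The following is an added example, not Oracle code and not part of this guide: it evaluates the account attributes described above (orclisenabled, orclActiveStartDate, orclActiveEndDate) for a batch of exported user entries and flags values that look like an attempt to disable the account but do not. The user entries are constructed for the example; the second one is deliberately misconfigured.

```python
"""Added example (not Oracle code): account enable/disable and active-window
evaluation from the attributes this section describes."""
from datetime import datetime, timezone

# Constructed user entries: the section's John Doe, and a peer whose administrator
# wrote FALSE expecting it to disable the account.
JOHN_DOE = """\
dn: cn=John Doe,cn=users,o=my_company,dc=com
orclactivestartdate: 20030101000000z
orclactiveenddate: 20031231000000z
"""
JANE_ROE = """\
dn: cn=Jane Roe,cn=users,o=my_company,dc=com
orclisenabled: FALSE
"""

# Values an administrator might write expecting them to disable the account.
LOOKS_LIKE_DISABLE = {"FALSE", "0", "NO", "OFF", "DISABLE"}


def parse_ldif_entry(text):
    """One LDIF entry as {attribute (lowercased): [values]}."""
    entry = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def parse_gt(value):
    """UTC GeneralizedTime as stored in the directory (20030101000000z)."""
    return datetime.strptime(value.rstrip("zZ"), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def account_status(entry, now):
    """'disabled', 'not_yet_active', 'no_longer_active' or 'enabled' at GeneralizedTime now."""
    flag = entry.get("orclisenabled", [""])[0]
    if flag.upper() == "DISABLED":
        return "disabled"              # the only value that disables the account
    t = parse_gt(now)
    start = entry.get("orclactivestartdate")
    if start and t < parse_gt(start[0]):
        return "not_yet_active"
    end = entry.get("orclactiveenddate")
    if end and t > parse_gt(end[0]):
        return "no_longer_active"      # the end is the stored instant, here midnight
    return "enabled"


def misconfigured_disable(entry):
    """True when orclisenabled holds a value that looks like 'disabled' but is not DISABLED."""
    flag = entry.get("orclisenabled", [""])[0]
    return flag.upper() in LOOKS_LIKE_DISABLE


def audit(ldif_entries, now):
    """Map each DN to (status, misconfigured) for a batch of exported entries."""
    report = {}
    for text in ldif_entries:
        entry = parse_ldif_entry(text)
        report[entry["dn"][0]] = (account_status(entry, now), misconfigured_disable(entry))
    return report
```

Feeding audit the output of an ldapsearch over cn=users with the three attributes requested gives a list of accounts that are enabled despite an administrator's intent, which is the case to fix first. Note that with an end date of 20031231000000z the window closes at midnight at the start of December 31; set the end to the last instant you intend if the whole day must remain usable.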
If you are a member of the Security Administrators Group, then you can unlock an account without resetting the user password. This saves you from having to explicitly tell the user a new password: the user simply logs in with the old password.
To unlock an account, set the orclpwdaccountunlock attribute to 1.
The following example unlocks the account for user John Doe.
ldapmodify -p port_number -h host_name -D cn=orcladmin -w welcome -v <<EOF
dn: cn=John Doe,cn=users,o=my_company,dc=com
changetype: modify
add: orclpwdaccountunlock
orclpwdaccountunlock: 1
EOF
Substitute your own super user password for welcome. A password given with -w is visible in the process list and is recorded in shell history, so on a shared host prefer a method that does not place it on the command line.
You can force users to change their passwords when they log in for the first time. To do this, set the pwdMustChange attribute in the pwdpolicy entry to TRUE, and then reset the password. If you do this, you must explicitly tell the user the new password so that the user can log in to change it.
See Also: "Resetting Your Own Password by Using the Oracle Internet Directory Self-Service Console" for instructions on resetting passwords
This section explains how to use the Oracle Internet Directory Self-Service Console to:
Enable and disable accounts
Unlock accounts
Reset your own password
You can temporarily disable a user's account, then enable it once again, by using the Oracle Internet Directory Self-Service Console.
See Also: The section on managing accounts in Oracle Identity Management Guide to Delegated Administration for instructions on enabling and disabling accounts by using the Oracle Internet Directory Self-Service Console
If you are a member of the Security Administrators Group and an account becomes locked, you can unlock it without resetting the user password. This saves you from having to explicitly tell the user a new password: the user simply logs in with the old password.
See Also: The section on managing accounts in Oracle Identity Management Guide to Delegated Administration for instructions on using the Oracle Internet Directory Self-Service Console to unlock accounts
If you forget your password or become locked out of your account, you can reset your password. This involves identifying yourself to the server by providing values for a set of password validation attributes, which takes the form of answering a password hint question to which you earlier specified an answer.
See Also: The section on resetting your password if you forget it in Oracle Identity Management Guide to Delegated Administration for instructions on using the Oracle Internet Directory Self-Service Console to reset your password
Whenever there are password policy violations, the directory server sends the client various error and warning messages. In Oracle Internet Directory 10g Release 2 (10.1.2), the directory server sends these messages as LDAP controls only if the client sends a password policy request control as part of an ldapbind or ldapcompare operation. If the client does not send the request control, the directory server does not send the response controls; instead, it sends the errors and warnings as part of the additional information in the result. A client that does not request the control therefore has to parse that text to learn, for example, that an account is locked or a password is about to expire.
See: "Troubleshooting Password Policies" for a list of the messages and information about how to resolve them