Oracle® Internet Directory Administrator's Guide,
10g Release 2 (10.1.2)
B14082-02
15 Password Policies in Oracle Internet Directory

Password policies are sets of rules that govern how passwords are used.

15.1 About Password Policies


15.1.1 What a Password Policy Is

Password policies are sets of rules that govern how passwords are used. They can specify, for example:

  • The maximum length of time a given password is valid

  • The minimum number of characters a password must contain

  • The number of numeric characters required in a password

  • That users change their passwords periodically

  • That users cannot reuse previously used passwords

  • That users are locked out after a certain number of login attempts

15.1.2 Default Password Policy

The default password policy for Oracle Internet Directory enforces:

  • Password expiration in 60 days

  • Account lockout after 10 login failures. Except for the super user account, all accounts remain locked for a duration of 24 hours unless the passwords are reset by the directory administrator. A user account stays locked even after the lockout duration has passed unless the user binds with the correct password.

    If the super user account, cn=orcladmin, becomes locked, it stays locked until it is unlocked by using the OID Database Password utility. This utility prompts you for the ODS user password. After you enter the ODS password, it unlocks the account.


    See Also:

    The "oidpasswd" command-line tool reference in Oracle Identity Management User Reference for information on unlocking a super user account

    "Possible Password Policy Problems"


  • A minimum password length of five characters with at least one numeric character

Beginning in Oracle Internet Directory, Release 9.0.4, the password policy entry in the Root Oracle Context applies to the super user, but only the password policy governing account lockout is enforced on that account.


Note:

Oracle Identity Management has two distinct types of privileged user. Both privileged user accounts can be locked if certain password policies are activated.

The first type of privileged user, the super user with the DN cn=orcladmin, is represented as a special user entry found within the default identity management realm. It enables directory administrators to make any modifications to the DIT and any changes to the configuration of Oracle Internet Directory servers. If the super user (orcladmin) account is locked—for example, as a result of too many attempts to bind with an incorrect password—then an administrator with DBA privileges to the Oracle Internet Directory repository can unlock it by using the oidpasswd tool. To unlock the orcladmin account, execute the command:

oidpasswd unlock_su_acct=TRUE

The second privileged user, a realm-specific privileged user, governs capabilities such as creation and deletion of users and groups within a realm and all the functionality related to Oracle Delegated Administration Services. This account is represented by an entry with the DN cn=orcladmin,cn=users,realm DN. Note that, in contrast to the single super user account, each realm has its own realm-specific privileged user. To unlock the realm-specific privileged account, the first type of privileged user, cn=orcladmin, can modify the account password by using Oracle Directory Manager.


During Oracle Internet Directory installation, the Oracle Universal Installer creates for each identity management realm a password policy entry. This entry contains all password policy information applicable to all users in that realm.

The installer places this entry as shown in Figure 15-1—namely, immediately below the common entry, which resides under the products entry, which, in turn, resides under the Oracle Context specific to the identity management realm.

Figure 15-1 Location of Password Policy Entries

This illustration is described in the text.

The Oracle Internet Directory password policy is applicable to simple binds (based on the userpassword attribute), compare operations on the userpassword attribute, and SASL binds. It does not apply to SSL and proxy binds.

To enforce this password policy, set the orclcommonusersearchbase attribute in the common entry of the realm-specific Oracle Context to the appropriate value. Otherwise, no password policy modification can take effect.

15.1.3 Directory Server Verification of Password Policy Information

To ensure that the user password meets the requirements of a given policy, the directory server verifies:

  • That the password policy is enabled. It does this by checking the value of the attribute orclpwdpolicyenable in the password policy entry. A value of 1 indicates that the password policy is enabled. A value of 0 indicates that it is disabled.

  • Correctness of password policy syntax information, which includes, for example, the correct number of alphabetic and numeric characters, or the correct password length. The directory server checks the syntax during ldapadd and ldapmodify operations.

  • Password policy state information, which, for example, includes:

    • The timestamp of the user password creation or modification

    • The timestamp of consecutive failed login attempts by the user

    • The time at which the user account was locked

    • Indicator that the password has been reset and must be changed by the user on first authentication

    • A history of user's previously used passwords

    • Time stamps of grace logins

    The directory server checks the state information during ldapbind and ldapcompare operations, but does so only if the orclpwdpolicyenable attribute is set to 1.

    To enable password value syntax checking, set the attributes orclpwdpolicyenable and pwdchecksyntax in the password policy entry to TRUE.
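The checks listed in 15.1.2 and 15.1.3 can be followed more easily in code. The following Python model is an added example, not code from the Oracle guide: it applies the syntax checks at password-set time and the state checks (failure counting, lockout, lockout expiry, password age, forced change, and the super-user special case) at bind time, using the default values from 15.1.2. The attribute names pwdMaxAge, pwdLockout, pwdMustChange and orclpwdpolicyenable are from the chapter; pwdMaxFailure, pwdLockoutDuration and pwdMinLength are assumed to follow the draft password-policy schema on which the pwdPolicy object class is based, and min_numeric is a stand-in name for the "at least one numeric character" rule.

```python
# Added example (not from the Oracle guide): a model of the checks the directory
# server makes under a password policy. Attribute names not in the chapter
# (pwdMaxFailure, pwdLockoutDuration, pwdMinLength) are assumed to follow the
# draft password-policy schema; min_numeric is a stand-in name.
from dataclasses import dataclass, field
from typing import List, Optional

DAY = 86400  # seconds


@dataclass
class PwdPolicy:
    """Values mirror the default policy described in 15.1.2."""
    orclpwdpolicyenable: int = 1
    pwdCheckSyntax: bool = True
    pwdMinLength: int = 5               # at least five characters
    min_numeric: int = 1                # at least one numeric character (assumed name)
    pwdMaxAge: int = 60 * DAY           # password expires after 60 days
    pwdLockout: int = 1                 # lockout enabled
    pwdMaxFailure: int = 10             # lock after 10 failed binds
    pwdLockoutDuration: int = 24 * DAY  # locked for 24 hours
    pwdMustChange: bool = False


@dataclass
class UserState:
    """Per-user password policy state the server keeps (15.1.3)."""
    pwd_changed_time: int                  # when the password was last set
    failure_times: List[int] = field(default_factory=list)
    locked_time: Optional[int] = None      # set when the account was locked
    reset_by_admin: bool = False           # password was reset; must change on first bind
    superuser: bool = False                # cn=orcladmin: only lockout is enforced


def check_syntax(policy: PwdPolicy, password: str) -> List[str]:
    """Syntax checks applied on ldapadd/ldapmodify of userpassword."""
    if not policy.pwdCheckSyntax:
        return []
    problems = []
    if len(password) < policy.pwdMinLength:
        problems.append("too-short")
    if sum(ch.isdigit() for ch in password) < policy.min_numeric:
        problems.append("no-numeric")
    return problems


def evaluate_bind(policy: PwdPolicy, state: UserState, password_ok: bool, now: int) -> str:
    """Outcome of a simple bind at time `now` (seconds); updates `state` as the server would."""
    if policy.orclpwdpolicyenable != 1:
        return "success" if password_ok else "invalid-credentials"

    if state.locked_time is not None:
        # The super user stays locked until unlocked with oidpasswd.
        # Other accounts stay locked past pwdLockoutDuration until a correct bind.
        duration_passed = now - state.locked_time >= policy.pwdLockoutDuration
        if state.superuser or not password_ok or not duration_passed:
            return "locked"
        state.locked_time = None
        state.failure_times = []

    if not password_ok:
        state.failure_times.append(now)
        if policy.pwdLockout == 1 and len(state.failure_times) >= policy.pwdMaxFailure:
            state.locked_time = now
            return "locked"
        return "invalid-credentials"

    state.failure_times = []
    if state.superuser:
        return "success"  # expiry and forced change are not enforced on orcladmin
    if policy.pwdMaxAge and now - state.pwd_changed_time > policy.pwdMaxAge:
        return "password-expired"
    if policy.pwdMustChange and state.reset_by_admin:
        return "must-change-password"
    return "success"


def unlock_account(state: UserState) -> None:
    """Effect of setting orclpwdaccountunlock to 1: clear the lock, keep the password."""
    state.locked_time = None
    state.failure_times = []
```

The model keeps the chapter's asymmetry: an ordinary account that has been locked for longer than pwdLockoutDuration is released only by a bind with the correct password, while the super user is released only by an explicit unlock.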

15.1.4 Overview: Establishing a Password Policy for an Identity Management Realm

In general, establishing a password policy requires doing the following:

  1. Creating a password policy entry, associating it with the pwdpolicy object class, and populating the corresponding attributes.

  2. Setting values for the pwdPolicy object class that contains password policy information for the entire directory. Do this during installation when the entry of this object class is created.

  3. Verifying that the orclpwdpolicyenable attribute in the password policy entry is set to 1.


    See Also:

    "Object Class Reference" in Oracle Identity Management User Reference for a list and descriptions of the attributes of the pwdPolicy object class, and those of the top object class that pertain to password policies

15.2 Managing Password Policies


Table 15-1 lists the administrative tasks related to password policies and the tools you use to perform each one, and points you to the corresponding information.

15.2.1 Managing Password Policies by Using Oracle Directory Manager

When you create the base entry for an identity management realm—whether during an Oracle Internet Directory installation or later—you also create a password policy entry for that realm. Later, you can use Oracle Directory Manager to view, refresh, and modify those policies.


15.2.1.1 Viewing Password Policies of an Identity Management Realm by Using Oracle Directory Manager

To view the password policies for a particular identity management realm, in the navigator pane, expand Oracle Internet Directory Servers, then directory server instance, then Password Policy Management. The navigator pane displays the password policy entries for the identity management realm. The right pane displays a table with two columns:

  • The Path to Password Policy Entry column listing the full DN of each password policy entry

  • The Password Policy Entry column listing the corresponding RDNs of those policies

To get the latest updates to realm-specific password policies, choose Refresh.

To get the password policies of a particular realm, in the navigator pane, choose the realm-specific password policy you want to view. The policies appear in the right pane.


See Also:

"Password Policy Fields in Oracle Directory Manager" for a description of each password policy displayed in Oracle Directory Manager

15.2.1.2 Modifying Password Policies of an Identity Management Realm by Using Oracle Directory Manager

To modify the password policies for a particular identity management realm:

  1. In the navigator pane, expand in succession Oracle Internet Directory Servers, directory server instance, Password Policy Management.

  2. In the navigator pane, choose the realm-specific password policy you want to modify. The corresponding tab pages appear in the right pane.

  3. In the General tab page, modify the editable attribute fields as needed. These fields are described in Table A-10.

  4. Select the Account Lockout tab page and, to modify the fields, select Global Lockout. Modify the editable attribute fields as needed. These fields are described in Table A-11.

  5. Select the IP Lockout tab page and, to modify the fields, select IP Lockout. Modify the editable attribute fields as needed. These fields are described in Table A-12.

  6. Select the Password Syntax tab page and, to modify the fields, select Check Password Syntax. Modify the editable attribute fields as needed. These fields are described in Table A-13.

  7. When you are finished, choose Apply.

15.2.2 Managing Password Policies by Using Command-Line Tools


15.2.2.1 Example: Setting Password Policies by Using Command-Line Tools

The following example disables the pwdLockout attribute, changing it from its default setting of 1.

The file my_file.ldif contains:

dn: cn=pwdpolicyentry,cn=common,cn=products,cn=OracleContext,o=my_company,dc=com
changetype: modify
replace: pwdlockout
pwdlockout: 0

The following command loads this file into the directory:

ldapmodify -p 389 -h myhost -f my_file.ldif

15.2.2.2 Examples: Managing the Password Policies of an Identity Management Realm by Using Command-Line Tools

Look at the following examples to learn how to view and modify the password policies of a realm by using command-line tools.

15.2.2.2.1 Example: Viewing Password Policies of an Identity Management Realm by Using Command-Line Tools

The following example retrieves a specific password policy entry.

ldapsearch -p 389 -h my_host \
           -b "cn=pwdpolicyentry,cn=common,cn=products,cn=OracleContext,o=my_company,dc=com" \
           -s base "objectclass=*"

The following example retrieves all password policy entries:

ldapsearch -p 389 -h my_host -b "" -s sub "objectclass=pwdpolicy"

15.2.2.2.2 Example: Modifying Password Policies of an Identity Management Realm by Using Command-Line Tools

The following example modifies a password policy entry.

ldapmodify -p 389 -h my_host -v <<EOF
dn: cn=pwdpolicyentry,cn=common,cn=products,cn=OracleContext,o=my_company,dc=com
changetype: modify
replace: pwdMaxAge
pwdMaxAge: 100000
EOF
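The ldapsearch output in 15.2.2.2.1 is LDIF, so a policy entry dumped from the directory can be checked against the default policy of 15.1.2 before and after an ldapmodify such as the one above. The following Python script is an added example, not code from the Oracle guide: it reads the LDIF an ldapsearch of the policy entry prints (the sample entry is constructed for this example), folds continuation lines, and lists settings that are weaker than the defaults. The attribute names pwdlockout, pwdmaxage, orclpwdpolicyenable and pwdchecksyntax are from the chapter; pwdminlength, and the reading of a pwdmaxage of 0 as "never expires", are assumptions.

```python
# Added example (not from the Oracle guide): audit a pwdpolicy entry dumped by
# ldapsearch against the defaults in 15.1.2. SAMPLE_LDIF is constructed.
# pwdminlength and the meaning of pwdmaxage=0 are assumptions.
from typing import Dict, List

DAY = 86400

# Constructed sample output of:
#   ldapsearch -p 389 -h my_host -b "<policy DN>" -s base "objectclass=*"
SAMPLE_LDIF = """\
dn: cn=pwdpolicyentry,cn=common,cn=products,cn=OracleContext,
 o=my_company,dc=com
objectclass: top
objectclass: pwdpolicy
orclpwdpolicyenable: 1
pwdlockout: 0
pwdmaxage: 0
pwdminlength: 4
pwdchecksyntax: 0
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: folds continuation lines (leading space), skips
    comments, splits entries on blank lines; attribute names are lower-cased."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # continuation of the previous line
        else:
            lines.append(raw)
    entries: List[Entry] = []
    cur: Entry = {}
    for line in lines:
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        cur.setdefault(name.strip().lower(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def audit_policy(entry: Entry) -> List[str]:
    """Findings (short codes) where the entry is weaker than the default policy."""
    def first(attr: str, default: str = "") -> str:
        vals = entry.get(attr)
        return vals[0] if vals else default

    findings = []
    if first("orclpwdpolicyenable") != "1":
        findings.append("policy-disabled")
    if first("pwdlockout") != "1":
        findings.append("lockout-disabled")
    # Assumed: a pwdmaxage of 0 means passwords never expire.
    max_age = int(first("pwdmaxage", "0") or 0)
    if max_age == 0 or max_age > 60 * DAY:
        findings.append("max-age-above-default")
    if int(first("pwdminlength", "0") or 0) < 5:
        findings.append("min-length-below-default")
    if first("pwdchecksyntax", "0").upper() not in ("1", "TRUE"):
        findings.append("syntax-check-disabled")
    return findings


def audit_ldif(text: str) -> Dict[str, List[str]]:
    """Audit every pwdpolicy entry in an ldapsearch dump, keyed by DN."""
    report: Dict[str, List[str]] = {}
    for entry in parse_ldif(text):
        classes = [v.lower() for v in entry.get("objectclass", [])]
        if "pwdpolicy" in classes:
            report[entry["dn"][0]] = audit_policy(entry)
    return report


if __name__ == "__main__":
    for dn, findings in audit_ldif(SAMPLE_LDIF).items():
        print(dn, findings or "matches or exceeds the default policy")
```

Feeding it the output of the "all password policy entries" search (`-b "" -s sub "objectclass=pwdpolicy"`) audits every realm at once, since the parser splits entries on blank lines.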

15.2.2.3 Example: Enabling and Disabling Accounts by Using Command-Line Tools

You can temporarily disable a user's account, then enable it once again, by using command-line tools.

To permanently disable an account, set the orclisenabled attribute to DISABLED. Setting this attribute to any other value enables the account.

To enable the account after you have disabled it, delete this attribute from the entry.

To enable the account for a specific period, set the orclActiveStartDate and orclActiveEndDate attributes in the user entry to the proper value in UTC (Coordinated Universal Time) format. For example:

dn: cn=John Doe,cn=users,o=my_company,dc=com
orclactivestartdate: 20030101000000z
orclactiveenddate: 20031231000000z

In this example, John Doe can log in only between January 1, 2003 and December 31, 2003. He cannot log in prior to January 1, 2003 or after December 31, 2003. If you want to disable his account for a period of time between these dates, then set the orclisenabled attribute to FALSE.
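The following Python function is an added example, not code from the Oracle guide, showing how the orclisenabled, orclActiveStartDate and orclActiveEndDate rules described above combine when deciding whether an account is usable at a given moment. Timestamps use the YYYYMMDDhhmmssZ UTC form shown in the example; the entry for John Doe is taken from the text, and treating the start and end instants as inclusive is an assumption.

```python
# Added example (not from the Oracle guide): decide whether a user entry is
# usable at a given UTC time under the orclisenabled / orclActiveStartDate /
# orclActiveEndDate rules. Inclusive boundaries are an assumption.
from datetime import datetime, timezone
from typing import Dict, Tuple


def parse_utc_time(value: str) -> datetime:
    """Parse '20030101000000z' (UTC, trailing z/Z) into an aware datetime."""
    v = value.strip()
    if len(v) != 15 or not v[:14].isdigit() or v[14] not in "zZ":
        raise ValueError(f"not a YYYYMMDDhhmmssZ timestamp: {value!r}")
    return datetime.strptime(v[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def account_usable(entry: Dict[str, str], now: str) -> Tuple[bool, str]:
    """entry maps lower-cased attribute names to single values; now is a
    timestamp in the same UTC form. Returns (usable, reason)."""
    at = parse_utc_time(now)
    # orclisenabled=DISABLED disables; any other value, or no attribute, enables.
    if entry.get("orclisenabled", "").upper() == "DISABLED":
        return False, "orclisenabled=DISABLED"
    start = entry.get("orclactivestartdate")
    if start and at < parse_utc_time(start):
        return False, "before orclActiveStartDate"
    end = entry.get("orclactiveenddate")
    if end and at > parse_utc_time(end):
        return False, "after orclActiveEndDate"
    return True, "enabled"


if __name__ == "__main__":
    # Entry from the chapter's example, as a constructed dict
    john = {"orclactivestartdate": "20030101000000z",
            "orclactiveenddate": "20031231000000z"}
    for when in ("20021231235959Z", "20030601120000Z", "20040101000000Z"):
        print(when, account_usable(john, when))
```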

15.2.2.4 Example: Unlocking Accounts by Using Command-Line Tools

If you are a member of the Security Administrators Group, then you can unlock an account without resetting the user password. This saves you from having to explicitly tell the user the new password. The user can simply log in using the old password.

To unlock an account, set the orclpwdaccountunlock attribute to 1.

The following example unlocks the account for user John Doe.

ldapmodify -p port_number -h host_name -D cn=orcladmin -w welcome -v <<EOF
dn: cn=John Doe,cn=users,o=my_company,dc=com
changetype: modify
add: orclpwdaccountunlock
orclpwdaccountunlock: 1
EOF

15.2.2.5 Example: Forcing a Password Change by Using Command-Line Tools

You can force users to change their passwords when they log in for the first time. To do this, set the pwdMustChange attribute in the pwdpolicy entry to TRUE, and then reset the password. If you do this, you must explicitly tell the user the new password so that the user can log in to change that password.

15.2.3 Managing Password Policies by Using the Self-Service Console

This section explains how to use the Oracle Internet Directory Self-Service Console to:

  • Enable and disable accounts

  • Unlock accounts

  • Reset your own password

15.2.3.1 Enabling and Disabling Accounts by Using the Oracle Internet Directory Self-Service Console

You can temporarily disable a user's account, then enable it once again, by using the Oracle Internet Directory Self-Service Console.


See Also:

The section on managing accounts in Oracle Identity Management Guide to Delegated Administration for instructions on enabling and disabling accounts by using the Oracle Internet Directory Self-Service Console

15.2.3.2 Unlocking Accounts by Using the Oracle Internet Directory Self-Service Console

If you are a member of the Security Administrators Group, then, if an account becomes locked, you can unlock it without resetting the user password. This saves you from having to explicitly tell the user the new password. The user can simply log in by using the old password.


See Also:

The section on managing accounts in Oracle Identity Management Guide to Delegated Administration for instructions on using the Oracle Internet Directory Self-Service Console to unlock accounts

15.2.3.3 Resetting Your Own Password by Using the Oracle Internet Directory Self-Service Console

If you forget your password or become locked out of your account, then you can reset your password. This involves identifying yourself to the server by providing values for a set of password validation attributes. This takes the form of answering a password hint question to which you had earlier specified an answer.


See Also:

The section on resetting your password if you forget it in Oracle Identity Management Guide to Delegated Administration for instructions on using the Oracle Internet Directory Self-Service Console to reset your password

15.3 Password Policy Error Messages

Whenever there are password policy violations, the directory server sends to the client various error and warning messages. In Oracle Internet Directory, 10g Release 2 (10.1.2), the directory server can send these messages as LDAP controls only if the client sends a password policy request control as a part of an ldapbind or ldapcompare operation. If the client does not send the request control, then the directory server does not send the response controls. Instead, it sends errors and warnings as part of additional information.


See:

"Troubleshooting Password Policies" for a list of the messages and information about how to resolve them