iPlanet Password Policies
Original Author: Beth Mercer - 20081104
Definitions
Throughout this document are references to ldap_*<Inst> commands. Those are simply scripted invocations of the associated ldap* utilities that make it possible to search the directory, and to add, modify and delete directory data using the Directory Manager credentials. Because they bind as Directory Manager, every operation they perform bypasses the directory's normal access control, so use them only for the administrative changes described here. The ldap_*<Inst> scripts can be found on the "e" boxes under ~iplanet/local/ldap/scripts.
Although "only regents can set policy", iPlanet refers to a set of password/account configuration settings as a "Password Policy". That is the intent of the term "policy" throughout this document.
Default Password Policy
iPlanet supports one default password policy at the /config level. The default password policy dictates the behavior of any directory record not explicitly associated with another, non-default password policy.
The settings for the default policy in all Enterprise Directory instances (test, prep and production) are the same. They can be viewed and modified through the iPlanet console, or viewed and updated with the command line utilities shown below.
Query the LDAP Configuration for an Instance
The following example queries PROD:
iplanet@egegik> ldap_queryConfigProd "(cn=Password Policy)"
dn: cn=Password Policy,cn=config
objectClass: top
objectClass: passwordPolicy
cn: Password Policy
passwordInHistory: 5
passwordStorageScheme: SSHA
passwordUnlock: on
passwordMustChange: on
passwordNonRootMayResetUserpwd: off
passwordWarning: 604800
passwordExpireWithoutWarning: on
passwordLockout: on
passwordMinLength: 8
passwordMaxFailure: 5
passwordMaxAge: 34560000
passwordResetFailureCount: 600
passwordisglobalpolicy: on
passwordChange: on
passwordExp: on
passwordLockoutDuration: 1800
passwordCheckSyntax: on
passwordMinAge: 0
passwordRootdnMayBypassModsChecks: on
Modify LDAP Password Policy for an Instance
iplanet@egegik> ldap_modifyProd "(cn=Password Policy)"
dn: cn=Password Policy,cn=config
changetype: modify
replace: passwordMaxAge
passwordMaxAge: <some new value>
Creating Additional Password Policies
iPlanet supports the creation of additional password policies, but each such policy must be manually associated with a directory account, much like any other piece of directory data. Additional password policies are created using ldapadd and associated with individual directory records using the iPlanet ldapmodify command. The following three examples show how one might create a new policy for an instance; the example after them associates that policy with a directory record.
First Delete the Instance Default Password Policy
iplanet@egegik> ldap_deleteTest
inst: test
port: 13338
ldapdelete: started Tue Nov 4 07:19:30 2008
ldap_init( egegik, 13338 )
ldaptool_getcertpath -- /e01/iplanet/servers/alias/slapd-egegiktest-cert8.db
ldaptool_getkeypath -- /e01/iplanet/servers/alias/slapd-egegiktest-cert8.db
ldaptool_getdonglefilename -- (null)
cn=Password Policy,ou=resource,dc=alaska,dc=edu
deleting entry cn=Password Policy,ou=resource,dc=alaska,dc=edu
entry removed
Create a New Password Policy for the Instance
iplanet@egegik> cat create_resource_password_policyTest.20070220
dn: cn=Password Policy,ou=resource,dc=alaska,dc=edu
objectClass: top
objectClass: passwordPolicy
objectClass: LDAPsubentry
cn: Password Policy
passwordStorageScheme: SSHA
passwordChange: on
passwordMinAge: 0
passwordUnlock: on
passwordResetFailureCount: 600
passwordMustChange: off
passwordInHistory: 10
passwordExp: off
passwordMaxAge: 0
passwordWarning: 604800
passwordCheckSyntax: on
passwordRootdnMayBypassModsChecks: on
passwordMinLength: 8
passwordLockout: off
passwordMaxFailure: 5
passwordLockoutDuration: 1800
Add the Password Policy to the Instance
iplanet@egegik> ldap_addTest -f create_resource_password_policyTest.20070220
inst: test
port: 13338
ldapmodify: started Mon Nov 3 15:58:15 2008
ldap_init( egegik, 13338 )
ldaptool_getcertpath -- /e01/iplanet/servers/alias/slapd-egegiktest-cert8.db
ldaptool_getkeypath -- /e01/iplanet/servers/alias/slapd-egegiktest-cert8.db
ldaptool_getdonglefilename -- (null)
add objectClass:
        top
        passwordPolicy
        LDAPsubentry
add cn:
        Password Policy
add passwordStorageScheme:
        SSHA
add passwordChange:
        on
add passwordMinAge:
        0
add passwordUnlock:
        on
add passwordResetFailureCount:
        600
add passwordMustChange:
        off
add passwordInHistory:
        10
add passwordExp:
        off
add passwordMaxAge:
        0
add passwordWarning:
        604800
add passwordCheckSyntax:
        on
add passwordRootdnMayBypassModsChecks:
        on
add passwordMinLength:
        8
add passwordLockout:
        off
add passwordMaxFailure:
        5
add passwordLockoutDuration:
        1800
adding new entry cn=Password Policy,ou=resource,dc=alaska,dc=edu
modify complete
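Before a new policy such as the ou=resource one above is assigned to any record, it is worth comparing it against the instance default returned by ldap_queryConfigProd, since the new policy turns lockout, expiration and must-change off. The following Python script is an added example, not part of this page or of iPlanet's own tooling: it parses the LDIF form of both policy entries (embedded here as constructed, abridged sample input copied from the two examples on this page), renders the seconds-valued attributes in days and minutes, and lists every setting in the candidate policy that is weaker than the default. The parser, the notion of "weaker", and reading passwordMaxAge 0 as "never expires" are assumptions of the example.

```python
"""Added example: parse iPlanet password-policy LDIF and flag settings weaker
than the instance default.  Not part of the original page or of iPlanet."""

# Constructed sample input: the two policy entries shown on this page, abridged
# to the attributes the audit uses.  A real search returns them from two separate
# queries; they are joined here so the example runs offline.
SAMPLE_LDIF = """\
# instance default, as printed by ldap_queryConfigProd "(cn=Password Policy)"
dn: cn=Password Policy,cn=config
objectClass: passwordPolicy
passwordInHistory: 5
passwordUnlock: on
passwordMustChange: on
passwordLockout: on
passwordMinLength: 8
passwordMaxFailure: 5
passwordMaxAge: 34560000
passwordExp: on
passwordLockoutDuration: 1800
passwordCheckSyntax: on

dn: cn=Password Policy,ou=resource,dc=alaska,dc=edu
objectClass: passwordPolicy
passwordUnlock: on
passwordMustChange: off
passwordInHistory: 10
passwordExp: off
passwordMaxAge: 0
passwordCheckSyntax: on
passwordMinLength: 8
passwordLockout: off
passwordMaxFailure: 5
passwordLockoutDuration: 1800
"""


def parse_ldif(text):
    """Entries as dicts of lowercased attribute -> [values].  Handles '#'
    comments, blank-line separators and RFC 2849 continuation lines."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]        # continuation of the previous line
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:           # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, val = line.partition(":")
            # LDAP attribute names are case-insensitive, so normalise the key.
            current.setdefault(attr.strip().lower(), []).append(val.strip())
    return entries


def value(entry, name, default=None):
    vals = entry.get(name.lower())
    return vals[0] if vals else default


def human_seconds(seconds):
    """Render a seconds-valued policy attribute as e.g. '400d' or '1h 30m'."""
    n, parts = int(seconds), []
    for label, size in (("d", 86400), ("h", 3600), ("m", 60), ("s", 1)):
        q, n = divmod(n, size)
        if q:
            parts.append(f"{q}{label}")
    return " ".join(parts) or "0"


ON_FLAGS = ("passwordLockout", "passwordExp", "passwordMustChange", "passwordCheckSyntax", "passwordUnlock")
FLOOR_ATTRS = ("passwordMinLength", "passwordInHistory", "passwordLockoutDuration")  # smaller => weaker


def audit_policy(candidate, baseline):
    """List (attribute, candidate, baseline) for every setting weaker than the
    baseline.  Reading passwordMaxAge 0 as 'never expires' is an assumption."""
    weaker = []
    for name in ON_FLAGS:                  # a protection switched off => weaker
        cand = value(candidate, name, "off")
        if value(baseline, name) == "on" and cand != "on":
            weaker.append((name, cand, "on"))
    for name in FLOOR_ATTRS:
        cand, base = value(candidate, name), value(baseline, name)
        if cand is not None and base is not None and int(cand) < int(base):
            weaker.append((name, cand, base))
    cand, base = value(candidate, "passwordMaxFailure"), value(baseline, "passwordMaxFailure")
    if cand is not None and base is not None and int(cand) > int(base):
        weaker.append(("passwordMaxFailure", cand, base))   # more tries before lockout
    cand, base = int(value(candidate, "passwordMaxAge", 0)), int(value(baseline, "passwordMaxAge", 0))
    if base > 0 and (cand == 0 or cand > base):             # longer or unlimited lifetime
        weaker.append(("passwordMaxAge", str(cand), str(base)))
    return weaker


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    default, resource = entries[0], entries[1]
    print("resource policy maxAge:", human_seconds(value(resource, "passwordMaxAge", 0)))
    for name, cand, base in audit_policy(resource, default):
        print(f"weaker than default: {name}={cand} (default {base})")
```

Run against the two entries above it reports passwordLockout, passwordExp, passwordMustChange and passwordMaxAge as weaker than the default; feeding it the real output of ldap_queryConfig<Inst> for the default and the LDIF of any candidate policy gives the same comparison for a live instance.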
Modify a Resource Using a Script to Invoke iPlanet ldapmodify
Once a password policy exists, modifying it is accomplished in the usual way. In the example below, the ldap_modifyTest script invokes the standard iPlanet ldapmodify command, which could equally be run directly from the command line; the modification assigns the new ou=resource policy to the record uid=fake03 by replacing its passwordPolicySubentry attribute.
iplanet@egegik> ldap_modifyTest
dn: uid=fake03,dc=resource,dc=alaska,dc=edu
changetype: modify
replace: passwordPolicySubentry
passwordPolicySubentry: cn=Password Policy,ou=resource,dc=alaska,dc=edu
<ctrl+d>
Changes to max age impact only future password changes. If a password expiration has already been established for a directory record, that expiration remains in effect until the next time the password is changed.
Note: Work on an additional password policy that might someday be applied to ou=resource records can be found on egegik under ~iplanet/local/ldap/schema/POLICY.