wiki:ALL__security_passwd_policy
Last modified 6 years ago Last modified on 12/03/14 10:40:28

iPlanet Password Policies

Original Author: Beth Mercer - 20081104

Definitions

Thoughout this document are references to ldap_*<Inst> commands. Those are simply scripted invocations of the associated ldap* utilities that make it possible to search the directory, and to add, modify and delete directory data using the Directory Manager credentials. The ldap_*<Inst> scripts can be found on the "e" boxes under ~iplanet/local/ldap/scripts.

Although "only regents can set policy", iPlanet refers to a set of password/account configuration settings as a "Password Policy". That is the intent of the term "policy" throughout this document.

Default Password Policy

iPlanet supports one default password policy at the /config level. The default password policy dictates the behavior of any directory record not explicitly associated with another, non-default password policy.

The settings for the default policy in all Enterprise Directory instances (test, prep and production) are the same. They can be seen/modified via the iPlanet console or they can be seen and updated by using command line utilities.

Query the LDAP Configuration for an Instance

The following example queries PROD:

	iplanet@egegik> ldap_queryConfigProd "(cn=Password Policy)"     
	dn: cn=Password Policy,cn=config
	objectClass: top
	objectClass: passwordPolicy
	cn: Password Policy
	passwordInHistory: 5
	passwordStorageScheme: SSHA
	passwordUnlock: on
	passwordMustChange: on
	passwordNonRootMayResetUserpwd: off
	passwordWarning: 604800
	passwordExpireWithoutWarning: on
	passwordLockout: on
	passwordMinLength: 8
	passwordMaxFailure: 5
	passwordMaxAge: 34560000
	passwordResetFailureCount: 600
	passwordisglobalpolicy: on
	passwordChange: on
	passwordExp: on
	passwordLockoutDuration: 1800
	passwordCheckSyntax: on
	passwordMinAge: 0
	passwordRootdnMayBypassModsChecks: on

Modify LDAP Password Policy for an Instance

	iplanet@egegik> ldap_modifyProd "(cn=Password Policy)"     
	dn: cn=Password Policy,cn=config
	changetype: modify
	replace: passwordMaxAge
	passwordMaxAge: <some new value>

Creating Additional Password Policies

iPlanet supports creation of additional password policies but those policies must be manually associated with a directory account much like any other piece of directory data. Additional password policies can be created using ldapadd and associated with individual directory records using iPlanet ldapmodify command. The following three examples show how one might create a new policy that is associated with a directory.

First Delete the Instance Default Password

	iplanet@egegik> ldap_deleteTest 
	inst: test
	port: 13338
	
	
	ldapdelete: started Tue Nov  4 07:19:30 2008
	
	ldap_init( egegik, 13338 )
	ldaptool_getcertpath -- /e01/iplanet/servers/alias/slapd-egegiktest-cert8.db
	ldaptool_getkeypath -- /e01/iplanet/servers/alias/slapd-egegiktest-cert8.db
	ldaptool_getdonglefilename -- (null)
	cn=Password Policy,ou=resource,dc=alaska,dc=edu
	deleting entry cn=Password Policy,ou=resource,dc=alaska,dc=edu
	entry removed

Create a New Password Policy for the Instance

	iplanet@egegik> cat create_resource_password_policyTest.20070220            
	dn: cn=Password Policy,ou=resource,dc=alaska,dc=edu
	objectClass: top
	objectClass: passwordPolicy
	objectClass: LDAPsubentry
	cn: Password Policy
	passwordStorageScheme: SSHA
	passwordChange: on
	passwordMinAge: 0
	passwordUnlock: on
	passwordResetFailureCount: 600
	passwordMustChange: off
	passwordInHistory: 10
	passwordExp: off
	passwordMaxAge: 0
	passwordWarning: 604800
	passwordCheckSyntax: on
	passwordRootdnMayBypassModsChecks: on
	passwordMinLength: 8
	passwordLockout: off
	passwordMaxFailure: 5
	passwordLockoutDuration: 1800

Add the Password Policy to the Instance

	iplanet@egegik> ldap_addTest -f create_resource_password_policyTest.20070220
	inst: test
	port: 13338
	
	
	ldapmodify: started Mon Nov  3 15:58:15 2008
	
	ldap_init( egegik, 13338 )
	ldaptool_getcertpath -- /e01/iplanet/servers/alias/slapd-egegiktest-cert8.db
	ldaptool_getkeypath -- /e01/iplanet/servers/alias/slapd-egegiktest-cert8.db
	ldaptool_getdonglefilename -- (null)
	add objectClass:
	        top
	        passwordPolicy
	        LDAPsubentry
	add cn:
	        Password Policy
	add passwordStorageScheme:
	        SSHA
	add passwordChange:
	        on
	add passwordMinAge:
	        0
	add passwordUnlock:
	        on
	add passwordResetFailureCount:
	        600
	add passwordMustChange:
	        off
	add passwordInHistory:
	        10
	add passwordExp:
	        off
	add passwordMaxAge:
	        0
	add passwordWarning:
	        604800
	add passwordCheckSyntax:
	        on
	add passwordRootdnMayBypassModsChecks:
	        on
	add passwordMinLength:
	        8
	add passwordLockout:
	        off
	add passwordMaxFailure:
	        5
	add passwordLockoutDuration:
	        1800
	adding new entry cn=Password Policy,ou=resource,dc=alaska,dc=edu
	modify complete

Modify a Resource Using a Script to Invoke iPlanet ldapmodify

Once a password policy exists, modifying it is accomplished in the usual way. In the example below, the script, ldap_modifyTest does the invocation for the usual iPlanet ldapmodify command that can be run from the command line.

	iplanet@egegik> ldap_modifyTest
	dn: uid=fake03,dc=resource,dc=alaska,dc=edu
	changetype: modify
	replace: passwordPolicySubentry
	passwordPolicySubentry: cn=Password Policy,ou=resource,dc=alaska,dc=edu
	<ctrl+d>

Changes to max age impact only future password changes. If a password expiration has already been established for a directory record, that expiration remains in effect until the next time the password is changed.

Note: Work on an additional password policy that might someday be applied to ou=resource records can be found on egegik under ~iplanet/local/ldap/schema/POLICY.