| | 1 | # 20081104 elm iPlanet Password Policies |
| | 2 | |
| | 3 | Note: Throughout this document there are references to ldap_*<Inst> commands. Those are |
| | 4 | simply scripted invocations of the associated ldap* utilities that make it possible |
| | 5 | to search the directory, and to add, modify and delete directory data, using the |
| | 6 | Directory Manager credentials. Because they run as the root DN, password changes made |
| | 7 | through them are not subject to the policy's modification checks (passwordRootdnMayBypassModsChecks is on in the policies shown below). The ldap_*<Inst> scripts can be found on the "e" boxes under ~iplanet/local/ldap/scripts. |
| | 8 | |
| | 9 | Although "only regents can set policy", iPlanet refers to a set of password/account |
| | 10 | configuration settings as a "Password Policy". That is the intent of the term |
| | 11 | "policy" throughout this document. |
| | 12 | |
| | 13 | iPlanet supports one default password policy at the config level. The default |
| | 14 | password policy dictates the behavior of any directory record not explicitly |
| | 15 | associated with another, non-default password policy. |
| | 16 | |
| | 17 | The settings for the default policy in all Enterprise Directory instances (test, |
| | 18 | prep and production) are the same. They can be viewed and modified via the iPlanet console, |
| | 19 | or viewed and updated using the command-line utilities, for example: |
| | 20 | |
| | 21 | iplanet@egegik> ldap_queryConfigProd "(cn=Password Policy)" |
| | 22 | dn: cn=Password Policy,cn=config |
| | 23 | objectClass: top |
| | 24 | objectClass: passwordPolicy |
| | 25 | cn: Password Policy |
| | 26 | passwordInHistory: 5 |
| | 27 | passwordStorageScheme: SSHA |
| | 28 | passwordUnlock: on |
| | 29 | passwordMustChange: on |
| | 30 | passwordNonRootMayResetUserpwd: off |
| | 31 | passwordWarning: 604800 |
| | 32 | passwordExpireWithoutWarning: on |
| | 33 | passwordLockout: on |
| | 34 | passwordMinLength: 8 |
| | 35 | passwordMaxFailure: 5 |
| | 36 | passwordMaxAge: 34560000 |
| | 37 | passwordResetFailureCount: 600 |
| | 38 | passwordisglobalpolicy: on |
| | 39 | passwordChange: on |
| | 40 | passwordExp: on |
| | 41 | passwordLockoutDuration: 1800 |
| | 42 | passwordCheckSyntax: on |
| | 43 | passwordMinAge: 0 |
| | 44 | passwordRootdnMayBypassModsChecks: on |
| | 45 | |
| | 46 | iplanet@egegik> ldap_modifyProd "(cn=Password Policy)" |
| | 47 | dn: cn=Password Policy,cn=config |
| | 48 | changetype: modify |
| | 49 | replace: passwordMaxAge |
| | 50 | passwordMaxAge: <some new value> |
| | 51 | |
| | 52 | |
| | 53 | iPlanet supports the creation of additional password policies, but each such policy must |
| | 54 | be manually associated with a directory account, much like any other piece of directory |
| | 55 | data. Additional password policies can be created using ldapadd and associated with |
| | 56 | individual directory records using ldapmodify (via the passwordPolicySubentry attribute, as shown below). |
| | 57 | |
| | 58 | iplanet@egegik> ldap_deleteTest |
| | 59 | inst: test |
| | 60 | port: 13338 |
| | 61 | |
| | 62 | |
| | 63 | ldapdelete: started Tue Nov 4 07:19:30 2008 |
| | 64 | |
| | 65 | ldap_init( egegik, 13338 ) |
| | 66 | ldaptool_getcertpath -- /e01/iplanet/servers/alias/slapd-egegiktest-cert8.db |
| | 67 | ldaptool_getkeypath -- /e01/iplanet/servers/alias/slapd-egegiktest-cert8.db |
| | 68 | ldaptool_getdonglefilename -- (null) |
| | 69 | cn=Password Policy,ou=resource,dc=alaska,dc=edu |
| | 70 | deleting entry cn=Password Policy,ou=resource,dc=alaska,dc=edu |
| | 71 | entry removed |
| | 72 | |
| | 73 | iplanet@egegik> cat create_resource_password_policyTest.20070220 |
| | 74 | dn: cn=Password Policy,ou=resource,dc=alaska,dc=edu |
| | 75 | objectClass: top |
| | 76 | objectClass: passwordPolicy |
| | 77 | objectClass: LDAPsubentry |
| | 78 | cn: Password Policy |
| | 79 | passwordStorageScheme: SSHA |
| | 80 | passwordChange: on |
| | 81 | passwordMinAge: 0 |
| | 82 | passwordUnlock: on |
| | 83 | passwordResetFailureCount: 600 |
| | 84 | passwordMustChange: off |
| | 85 | passwordInHistory: 10 |
| | 86 | passwordExp: off |
| | 87 | passwordMaxAge: 0 |
| | 88 | passwordWarning: 604800 |
| | 89 | passwordCheckSyntax: on |
| | 90 | passwordRootdnMayBypassModsChecks: on |
| | 91 | passwordMinLength: 8 |
| | 92 | passwordLockout: off |
| | 93 | passwordMaxFailure: 5 |
| | 94 | passwordLockoutDuration: 1800 |
| | 95 | |
| | 96 | iplanet@egegik> ldap_addTest -f create_resource_password_policyTest.20070220 |
| | 97 | inst: test |
| | 98 | port: 13338 |
| | 99 | |
| | 100 | |
| | 101 | ldapmodify: started Mon Nov 3 15:58:15 2008 |
| | 102 | |
| | 103 | ldap_init( egegik, 13338 ) |
| | 104 | ldaptool_getcertpath -- /e01/iplanet/servers/alias/slapd-egegiktest-cert8.db |
| | 105 | ldaptool_getkeypath -- /e01/iplanet/servers/alias/slapd-egegiktest-cert8.db |
| | 106 | ldaptool_getdonglefilename -- (null) |
| | 107 | add objectClass: |
| | 108 | top |
| | 109 | passwordPolicy |
| | 110 | LDAPsubentry |
| | 111 | add cn: |
| | 112 | Password Policy |
| | 113 | add passwordStorageScheme: |
| | 114 | SSHA |
| | 115 | add passwordChange: |
| | 116 | on |
| | 117 | add passwordMinAge: |
| | 118 | 0 |
| | 119 | add passwordUnlock: |
| | 120 | on |
| | 121 | add passwordResetFailureCount: |
| | 122 | 600 |
| | 123 | add passwordMustChange: |
| | 124 | off |
| | 125 | add passwordInHistory: |
| | 126 | 10 |
| | 127 | add passwordExp: |
| | 128 | off |
| | 129 | add passwordMaxAge: |
| | 130 | 0 |
| | 131 | add passwordWarning: |
| | 132 | 604800 |
| | 133 | add passwordCheckSyntax: |
| | 134 | on |
| | 135 | add passwordRootdnMayBypassModsChecks: |
| | 136 | on |
| | 137 | add passwordMinLength: |
| | 138 | 8 |
| | 139 | add passwordLockout: |
| | 140 | off |
| | 141 | add passwordMaxFailure: |
| | 142 | 5 |
| | 143 | add passwordLockoutDuration: |
| | 144 | 1800 |
| | 145 | adding new entry cn=Password Policy,ou=resource,dc=alaska,dc=edu |
| | 146 | modify complete |
| | 147 | |
| | 148 | iplanet@egegik> ldap_modifyTest |
| | 149 | dn: uid=fake03,dc=resource,dc=alaska,dc=edu |
| | 150 | changetype: modify |
| | 151 | replace: passwordPolicySubentry |
| | 152 | passwordPolicySubentry: cn=Password Policy,ou=resource,dc=alaska,dc=edu |
| | 153 | <ctrl+d> |
| | 154 | |
| | 155 | Changes to passwordMaxAge affect only future password changes, because an account's |
| | 156 | expiration is established at the time its password is set. If a password expiration |
| | 157 | has already been established for a directory record, that expiration remains in effect until the next time the password is changed. |
| | 158 | |
| | 159 | Note: Work on an additional password policy that might someday be applied to |
| | 160 | ou=resource records can be found on egegik under ~iplanet/local/ldap/schema/POLICY. |
| | 161 | |
| | 162 | # eof |