<?xml version="1.0" encoding="UTF-8"?>
<!--
 ! CCPL HEADER START
 !
 ! This work is licensed under the Creative Commons
 ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
 ! To view a copy of this license, visit
 ! http://creativecommons.org/licenses/by-nc-nd/3.0/
 ! or send a letter to Creative Commons, 444 Castro Street,
 ! Suite 900, Mountain View, California, 94041, USA.
 !
 ! You can also obtain a copy of the license at
 ! trunk/opendj3/legal-notices/CC-BY-NC-ND.txt.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! If applicable, add the following below this CCPL HEADER, with the fields
 ! enclosed by brackets "[]" replaced with your own identifying information:
 ! Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CCPL HEADER END
 !
 ! Copyright 2011-2015 ForgeRock AS.
 !
-->
<chapter xml:id='chap-pwd-policy'
 xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook
 http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'>
 <title>Configuring Password Policy</title>
 <indexterm><primary>Password policy</primary></indexterm>

 <para>If you want to synchronize password policy across your organization
 and your applications go to the directory for authentication, then the
 directory can be a good place to enforce your password policy uniformly.
 Even if you do not depend on the directory for all your password policy,
 you no doubt still want to consider directory password policy if only to
 choose the appropriate password storage scheme.</para>

 <para>This chapter covers password policy, including examples of how
 to configure password policies for common use cases.</para>

 <section xml:id="pwp-overview">
 <title>About OpenDJ Password Policies</title>

 <para>OpenDJ password policies govern not only passwords, but also account
 lockout, and how OpenDJ provides notification about account status.</para>

 <para>OpenDJ supports password policies as part of the server configuration,
 and also subentry password policies as part of the (replicated) user
 data.</para>

 <section xml:id="pwp-per-server">
 <title>Server Based Password Policies</title>

 <para>You manage server based password policies in the OpenDJ configuration
 by using the <command>dsconfig</command> command. As they are part of the
 server configuration, such password policies are not replicated. You must
 instead apply password policy configuration updates to each replica in your
 deployment.</para>

 <para>By default, OpenDJ includes two password policy configurations, one
 default for all users, and another for directory root DN users, such as
 <literal>cn=Directory Manager</literal>. You can see all the default password
 policy settings using the <command>dsconfig</command> command as
 follows.</para>

 <screen>
$ <userinput>dsconfig \
 get-password-policy-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --policy-name "Default Password Policy" \
 --advanced</userinput>
<computeroutput>Property : Value(s)
------------------------------------------:--------------------------
account-status-notification-handler : -
allow-expired-password-changes : false
allow-multiple-password-values : false
allow-pre-encoded-passwords : false
allow-user-password-changes : true
default-password-storage-scheme : Salted SHA-1
deprecated-password-storage-scheme : -
expire-passwords-without-warning : false
force-change-on-add : false
force-change-on-reset : false
grace-login-count : 0
idle-lockout-interval : 0 s
last-login-time-attribute : -
last-login-time-format : -
lockout-duration : 0 s
lockout-failure-count : 0
lockout-failure-expiration-interval : 0 s
max-password-age : 0 s
max-password-reset-age : 0 s
min-password-age : 0 s
password-attribute : userpassword
password-change-requires-current-password : false
password-expiration-warning-interval : 5 d
password-generator : Random Password Generator
password-history-count : 0
password-history-duration : 0 s
password-validator : -
previous-last-login-time-format : -
require-change-by-time : -
require-secure-authentication : false
require-secure-password-changes : false
skip-validation-for-administrators : false
state-update-failure-policy : reactive</computeroutput>
 </screen>

 <para>See the <citetitle>OpenDJ Configuration Reference</citetitle> page
 on <link xlink:show="new"
 xlink:href="${configRefBase}password-policy.html"
 ><citetitle>Password Policy</citetitle></link> for detailed descriptions of
 each property.</para>

 <para>Here you notice that many capabilities are not set by default: no
 lockout, no password expiration, no multiple passwords, no password validator
 to check that passwords contain the appropriate mix of characters. This means
 that if you decide to use the directory to enforce password policy, you
 must configure at least the default password policy to meet your
 needs.</para>
 <para>Yet a few basic protections are configured by default. When you import
 LDIF with <literal>userPassword</literal> values, OpenDJ hashes the values
 before storing them. When a user provides a password value during a bind, for
 example, the server hashes the value provided with the stored salt and
 compares the result with the stored digest. With a one-way storage scheme
 such as the default Salted SHA-1, not even the directory manager can recover
 the plain text value of a user's password from the directory. This does not
 hold for the reversible storage schemes OpenDJ also provides (Clear, AES,
 Blowfish, 3DES, RC4): anyone who can read the attribute, and the key where
 there is one, can recover the password. Bear in mind too that SHA-1 is a fast
 hash, so an attacker who obtains a copy of the stored values can test guesses
 against them cheaply; where that matters, consider a deliberately slow scheme
 such as PBKDF2, which OpenDJ also provides.</para>

 <screen>
$ <userinput>ldapsearch \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --baseDN dc=example,dc=com \
 uid=bjensen \
 userpassword</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
userpassword: {SSHA}QWAtw8ch/9850HNFRRqLNMIQc1YhxCnOoGmk1g==</computeroutput>
 </screen>
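 <para>The following is an added example, not code from OpenDJ, showing what
 the salted hash above actually contains and what the server does with it at
 bind time. OpenDJ's Salted SHA-1 scheme stores the base64 encoding of the
 20-byte SHA-1 digest of the password concatenated with an 8-byte random salt,
 followed by that salt; the value shown for <literal>bjensen</literal> decodes
 to exactly 28 bytes. The SHA-2 salted schemes are assumed here to use the same
 layout with a longer digest. The password and fixed salt in the demo are
 constructed for illustration and say nothing about any real account.</para>

```python
import base64
import hashlib
import hmac
import os

# Layout of a stored value:  {SCHEME} base64( H(password || salt) || salt )
# The 8-byte salt is the length OpenDJ's Salted SHA-1 scheme uses. The SHA-2
# variants are assumed to share the layout (only the digest length differs).
SCHEMES = {
    "SSHA": hashlib.sha1,
    "SSHA256": hashlib.sha256,
    "SSHA512": hashlib.sha512,
}
SALT_LEN = 8


def encode_password(password, scheme="SSHA", salt=None):
    """Produce the stored form, as the server does on import or on a modify."""
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme: " + scheme)
    if salt is None:
        salt = os.urandom(SALT_LEN)          # fresh random salt per password
    digest = SCHEMES[scheme](password.encode("utf-8") + salt).digest()
    return "{" + scheme + "}" + base64.b64encode(digest + salt).decode("ascii")


def split_stored(stored):
    """Return (scheme, digest, salt) from a tagged value, or raise ValueError."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("not a tagged password value")
    scheme, encoded = stored[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme: " + scheme)
    raw = base64.b64decode(encoded, validate=True)
    digest_len = SCHEMES[scheme]().digest_size
    digest, salt = raw[:digest_len], raw[digest_len:]
    if len(digest) != digest_len or not salt:
        raise ValueError("stored value is too short to hold digest and salt")
    return scheme, digest, salt


def verify_password(stored, candidate):
    """What the server does at bind: rehash with the stored salt, compare digests."""
    scheme, digest, salt = split_stored(stored)
    expected = SCHEMES[scheme](candidate.encode("utf-8") + salt).digest()
    # Constant-time comparison, so timing does not leak how many bytes matched.
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    # Constructed demo values; the password here is not a claim about any account.
    stored = encode_password("hifalutin")
    print(stored)
    print(verify_password(stored, "hifalutin"), verify_password(stored, "wrong"))
```

 <para>Each call to <literal>verify_password</literal> costs one SHA-1
 computation, which is exactly why a dump of salted SHA-1 values is cheap to
 attack offline: the salt defeats precomputed tables, but not guessing. Because
 the salt is stored alongside the digest, the same function can test any
 candidate against the value shown for <literal>bjensen</literal> above, which
 is also why read access to <literal>userPassword</literal> should be limited
 to the server itself.</para>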

 <para>In addition, users can change their passwords provided you have
 granted them access to do so. OpenDJ uses the <literal>userPassword</literal>
 attribute to store passwords by default, rather than the
 <literal>authPassword</literal> attribute, which holds hashed values in the
 RFC 3112 authentication password syntax and is supported by only some of the
 storage schemes.</para>
 </section>

 <section xml:id="pwp-replicated">
 <title>Subentry Based Password Policies</title>
 <indexterm>
 <primary>Replication</primary>
 <secondary>Password policy</secondary>
 </indexterm>

 <para>You manage subentry password policies by adding the subentries
 alongside the user data. Thus OpenDJ can replicate subentry password
 policies across servers.</para>

 <indexterm>
 <primary>Password policy</primary>
 <secondary>Behera Internet-Draft</secondary>
 </indexterm>
 <para>Subentry password policies support the Internet-Draft <link
 xlink:href="http://tools.ietf.org/html/draft-behera-ldap-password-policy-09"
 >Password Policy for LDAP Directories</link> (version 09). A subentry
 password policy effectively overrides settings in the default password
 policy defined in the OpenDJ configuration. Settings not supported or not
 included in the subentry password policy are thus inherited from the default
 password policy.</para>

 <para>As a result, the following Internet-Draft password policy attributes
 override the default password policy when you set them in the
 subentry.</para>
 <itemizedlist>
 <listitem><para><literal>pwdAllowUserChange</literal>, corresponding to the
 OpenDJ password policy property
 <literal>allow-user-password-changes</literal></para></listitem>
 <listitem><para><literal>pwdMustChange</literal>, corresponding to the
 OpenDJ password policy property
 <literal>force-change-on-reset</literal></para></listitem>
 <listitem><para><literal>pwdGraceAuthNLimit</literal>, corresponding to the
 OpenDJ password policy property
 <literal>grace-login-count</literal></para></listitem>
 <listitem><para><literal>pwdLockoutDuration</literal>, corresponding to the
 OpenDJ password policy property
 <literal>lockout-duration</literal></para></listitem>
 <listitem><para><literal>pwdMaxFailure</literal>, corresponding to the
 OpenDJ password policy property
 <literal>lockout-failure-count</literal></para></listitem>
 <listitem><para><literal>pwdFailureCountInterval</literal>, corresponding
 to the OpenDJ password policy property
 <literal>lockout-failure-expiration-interval</literal></para></listitem>
 <listitem><para><literal>pwdMaxAge</literal>, corresponding to the OpenDJ
 password policy property
 <literal>max-password-age</literal></para></listitem>
 <listitem><para><literal>pwdMinAge</literal>, corresponding to the OpenDJ
 password policy property
 <literal>min-password-age</literal></para></listitem>
 <listitem><para><literal>pwdAttribute</literal>, corresponding to the
 OpenDJ password policy property
 <literal>password-attribute</literal></para></listitem>
 <listitem><para><literal>pwdSafeModify</literal>, corresponding to the
 OpenDJ password policy property
 <literal>password-change-requires-current-password</literal></para></listitem>
 <listitem><para><literal>pwdExpireWarning</literal>, corresponding to the
 OpenDJ password policy property
 <literal>password-expiration-warning-interval</literal></para></listitem>
 <listitem><para><literal>pwdInHistory</literal>, corresponding to the
 OpenDJ password policy property
 <literal>password-history-count</literal></para></listitem>
 </itemizedlist>

 <para>The following Internet-Draft password policy attributes are not
 taken into account by OpenDJ.</para>
 <itemizedlist>
 <listitem>
 <para><literal>pwdCheckQuality</literal>, as OpenDJ has password
 validators. You can set password validators to use in the default
 password policy.</para>
 </listitem>
 <listitem>
 <para><literal>pwdMinLength</literal>, as this is handled by the Length
 Based Password Validator. You can configure this as part of the
 default password policy.</para>
 </listitem>
 <listitem>
 <para><literal>pwdLockout</literal>, as OpenDJ can deduce whether
 lockout is configured based on the values of other lockout-related
 password policy attributes.</para>
 </listitem>
 </itemizedlist>

 <para>Values of the following properties are inherited from the default
 password policy for Internet-Draft based password policies. The property
 names are those shown in the <command>dsconfig</command> output above.</para>
 <itemizedlist>
 <listitem><para><literal>account-status-notification-handler</literal></para></listitem>
 <listitem><para><literal>allow-expired-password-changes</literal></para></listitem>
 <listitem><para><literal>allow-multiple-password-values</literal></para></listitem>
 <listitem><para><literal>allow-pre-encoded-passwords</literal></para></listitem>
 <listitem><para><literal>default-password-storage-scheme</literal></para></listitem>
 <listitem><para><literal>deprecated-password-storage-scheme</literal></para></listitem>
 <listitem><para><literal>expire-passwords-without-warning</literal></para></listitem>
 <listitem><para><literal>force-change-on-add</literal></para></listitem>
 <listitem><para><literal>idle-lockout-interval</literal></para></listitem>
 <listitem><para><literal>last-login-time-attribute</literal></para></listitem>
 <listitem><para><literal>last-login-time-format</literal></para></listitem>
 <listitem><para><literal>max-password-reset-age</literal></para></listitem>
 <listitem><para><literal>password-generator</literal></para></listitem>
 <listitem><para><literal>password-history-duration</literal></para></listitem>
 <listitem><para><literal>password-validator</literal>, unless the subentry
 sets <literal>ds-cfg-password-validator</literal> as described
 next</para></listitem>
 <listitem><para><literal>previous-last-login-time-format</literal></para></listitem>
 <listitem><para><literal>require-change-by-time</literal></para></listitem>
 <listitem><para><literal>require-secure-authentication</literal></para></listitem>
 <listitem><para><literal>require-secure-password-changes</literal></para></listitem>
 <listitem><para><literal>skip-validation-for-administrators</literal></para></listitem>
 <listitem><para><literal>state-update-failure-policy</literal></para></listitem>
 </itemizedlist>

 <para>
 If you would rather specify password validators for your policy,
 you can configure password validators for a subentry password policy
 by adding the auxiliary object class <literal>pwdValidatorPolicy</literal>
 and setting the multi-valued attribute,
 <literal>ds-cfg-password-validator</literal>,
 to the DNs of the password validator configuration entries.
 </para>

 <para>
 The following example shows a subentry password policy
 that references two password validator configuration entries.
 The Character Set password validator determines
 whether a proposed password is acceptable
 by checking whether it contains a sufficient number of characters
 from one or more user-defined character sets and ranges.
 The Length-Based password validator determines
 whether a proposed password is acceptable
 based on whether the number of characters it contains
 falls within an acceptable range of values.
 Both validator entries are enabled in the default OpenDJ directory server
 configuration, but the default password policy does not reference them
 (<literal>password-validator : -</literal> above), so they only take effect
 for policies that list them, as this subentry does.
 </para>

 <programlisting language="ldif">
dn: cn=Subentry Password Policy with Validators,dc=example,dc=com
objectClass: top
objectClass: subentry
objectClass: pwdPolicy
objectClass: pwdValidatorPolicy
cn: Subentry Password Policy with Validators
pwdAttribute: userPassword
pwdLockout: TRUE
pwdMaxFailure: 3
pwdFailureCountInterval: 300
pwdLockoutDuration: 300
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
ds-cfg-password-validator: cn=Character Set,cn=Password Validators,cn=config
ds-cfg-password-validator: cn=Length-Based Password Validator,
 cn=Password Validators,cn=config
subtreeSpecification: {base "ou=people", specificationFilter
 "(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }
 </programlisting>

 <para>
 If a referenced password validator cannot be found,
 then OpenDJ directory server logs an error message
 when the password policy is invoked.
 This can occur for example when a subentry password policy is replicated
 to a directory server where the password validator is not (yet) configured,
 because validator configuration lives under <literal>cn=config</literal>
 and is not replicated along with the subentry.
 In that case when a user attempts to change their password,
 the server fails to find the referenced password validator.
 </para>
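 <para>The following added example (not OpenDJ code) puts the attribute mapping
 above and the subentry listing together: it reads a <literal>pwdPolicy</literal>
 subentry in LDIF, unfolds continuation lines, translates each Internet-Draft
 attribute into the corresponding <command>dsconfig</command> property from the
 list above, converts Behera seconds and <literal>TRUE</literal>/<literal>FALSE</literal>
 values into the forms <command>dsconfig</command> accepts, and reports the
 attributes OpenDJ ignores. The sample entry is the listing above; the policy
 name passed in is an assumption for the illustration. The output is a command
 to review, not something to run blindly.</para>

```python
import shlex

# Internet-Draft attribute (lower-cased) -> (dsconfig property, value kind),
# following the mapping the text above gives. LDAP attribute names are
# case-insensitive, so lookups are done on the lower-cased name.
BEHERA_TO_DSCONFIG = {
    "pwdallowuserchange": ("allow-user-password-changes", "bool"),
    "pwdmustchange": ("force-change-on-reset", "bool"),
    "pwdgraceauthnlimit": ("grace-login-count", "int"),
    "pwdlockoutduration": ("lockout-duration", "seconds"),
    "pwdmaxfailure": ("lockout-failure-count", "int"),
    "pwdfailurecountinterval": ("lockout-failure-expiration-interval", "seconds"),
    "pwdmaxage": ("max-password-age", "seconds"),
    "pwdminage": ("min-password-age", "seconds"),
    "pwdattribute": ("password-attribute", "string"),
    "pwdsafemodify": ("password-change-requires-current-password", "bool"),
    "pwdexpirewarning": ("password-expiration-warning-interval", "seconds"),
    "pwdinhistory": ("password-history-count", "int"),
    "ds-cfg-password-validator": ("password-validator", "string"),
}
# Attributes the text says OpenDJ does not take into account in a subentry.
IGNORED = {"pwdcheckquality", "pwdminlength", "pwdlockout"}

# Sample input: the subentry from the listing above, embedded here verbatim.
SAMPLE_SUBENTRY = """\
dn: cn=Subentry Password Policy with Validators,dc=example,dc=com
objectClass: top
objectClass: subentry
objectClass: pwdPolicy
objectClass: pwdValidatorPolicy
cn: Subentry Password Policy with Validators
pwdAttribute: userPassword
pwdLockout: TRUE
pwdMaxFailure: 3
pwdFailureCountInterval: 300
pwdLockoutDuration: 300
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
ds-cfg-password-validator: cn=Character Set,cn=Password Validators,cn=config
ds-cfg-password-validator: cn=Length-Based Password Validator,
 cn=Password Validators,cn=config
subtreeSpecification: {base "ou=people", specificationFilter
 "(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into (dn, {attr: [values]}), unfolding folded lines."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF folding: a leading space continues the line
        else:
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: " + line)
        if value.startswith(":"):
            raise ValueError("base64 values are not handled by this example: " + name)
        name, value = name.strip(), value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs


def to_dsconfig_value(kind, value):
    """Convert a Behera attribute value into the form dsconfig expects."""
    if kind == "bool":
        if value.upper() not in ("TRUE", "FALSE"):
            raise ValueError("expected TRUE or FALSE, got " + value)
        return value.lower()
    if kind == "int":
        return str(int(value))
    if kind == "seconds":
        return "%d s" % int(value)        # Behera durations are seconds; dsconfig wants a unit
    return value


def subentry_to_dsconfig(ldif_text, policy_name):
    """Return (dsconfig command line, names of ignored attributes) for a subentry."""
    dn, attrs = parse_ldif_entry(ldif_text)
    if dn is None:
        raise ValueError("entry has no dn")
    settings, ignored = [], []
    for name, values in attrs.items():
        key = name.lower()
        if key in IGNORED:
            ignored.append(name)
            continue
        if key not in BEHERA_TO_DSCONFIG:
            continue                      # objectClass, cn, subtreeSpecification: no counterpart
        prop, kind = BEHERA_TO_DSCONFIG[key]
        for value in values:
            settings.append("--set " + shlex.quote(prop + ":" + to_dsconfig_value(kind, value)))
    parts = ["dsconfig set-password-policy-prop",
             "--policy-name " + shlex.quote(policy_name)] + settings
    return " \\\n    ".join(parts), ignored


if __name__ == "__main__":
    command, skipped = subentry_to_dsconfig(SAMPLE_SUBENTRY, "Directory Administrators Policy")
    print(command)
    print("ignored:", skipped)
```

 <para>The translator emits <literal>set-password-policy-prop</literal> against
 a named server-based policy, so it is useful for checking that a replicated
 subentry and a per-server policy say the same thing; for a policy that does
 not exist yet, use <literal>create-password-policy</literal> instead. Note
 that the <literal>subtreeSpecification</literal> has no
 <command>dsconfig</command> counterpart: a server-based policy is applied to
 users by other means, which is one reason to prefer subentries when the
 scope is a subtree or group.</para>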

 <para>
 See also <xref linkend="create-repl-pwp" />.
 </para>
 </section>

 <section xml:id="pwp-application">
 <title>Which Password Policy Applies</title>

 <para>The password policy that applies to a user is identified by the
 operational attribute, <literal>pwdPolicySubentry</literal>.</para>

 <screen width="81">
$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com uid=bjensen pwdPolicySubentry</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config</computeroutput>
 </screen>
 </section>
 </section>

 <section xml:id="configure-pwp">
 <title>Configuring Password Policies</title>

 <para>
 You configure server based password policies by using the
 <link
 xlink:show="new"
 xlink:href="reference#dsconfig-1"
 xlink:role="http://docbook.org/xlink/role/olink"
 ><command>dsconfig</command></link> command.
 Notice that server based password policies are
 part of the server configuration,
 and therefore not replicated.
 Alternatively, you can configure a subset of password policy features
 by using subentry based password policies
 that are stored with the replicated server data.
 This section covers both server based and subentry based password policies.
 </para>

 <procedure xml:id="default-pwp">
 <title>To Adjust the Default Password Policy</title>
 <indexterm>
 <primary>Password policy</primary>
 <secondary>Default</secondary>
 </indexterm>

 <para>You can reconfigure the default password policy for example to
 enforce password expiration, check that passwords do not match dictionary
 words, and prevent password reuse. This default policy is a server based
 password policy.</para>
 <step>
 <para>Enable the appropriate password validator.</para>

 <screen>
$ <userinput>dsconfig \
 set-password-validator-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --validator-name Dictionary \
 --set enabled:true \
 --set check-substrings:true \
 --set min-substring-length:4 \
 --trustAll \
 --no-prompt</userinput>
 </screen>
 </step>
 <step>
 <para>Apply the changes to the default password policy.</para>

 <screen>
$ <userinput>dsconfig \
 set-password-policy-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --policy-name "Default Password Policy" \
 --set max-password-age:90d \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set min-password-age:4w \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set password-history-count:7 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set password-validator:Dictionary \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --trustAll \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --no-prompt</userinput></screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Check your work.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark get-password-policy-prop \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --hostname opendj.example.com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --policy-name "Default Password Policy"</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>Property : Value(s)
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark------------------------------------------:--------------------------
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkaccount-status-notification-handler : -
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkallow-expired-password-changes : false
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkallow-user-password-changes : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkdefault-password-storage-scheme : Salted SHA-1
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkdeprecated-password-storage-scheme : -
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkexpire-passwords-without-warning : false
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkforce-change-on-add : false
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkforce-change-on-reset : false
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkgrace-login-count : 0
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkidle-lockout-interval : 0 s
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarklast-login-time-attribute : -
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarklast-login-time-format : -
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarklockout-duration : 0 s
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarklockout-failure-count : 0
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarklockout-failure-expiration-interval : 0 s
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkmax-password-age : 12 w 6 d
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkmax-password-reset-age : 0 s
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkmin-password-age : 4 w
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpassword-attribute : userpassword
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpassword-change-requires-current-password : false
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpassword-expiration-warning-interval : 5 d
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpassword-generator : Random Password Generator
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpassword-history-count : 7
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpassword-history-duration : 0 s
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpassword-validator : Dictionary
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkprevious-last-login-time-format : -
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkrequire-change-by-time : -
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkrequire-secure-authentication : false
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkrequire-secure-password-changes : false</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </procedure>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <procedure xml:id="create-per-server-pwp">
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>To Create a Server Based Password Policy</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>You can add a password policy, for example, for new users who have not
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark yet used their credentials to bind.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Create the new password policy.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark create-password-policy \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --hostname opendj.example.com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --policy-name "New Account Password Policy" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set default-password-storage-scheme:"Salted SHA-1" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set force-change-on-add:true \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set password-attribute:userPassword \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --type password-policy \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --trustAll \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --no-prompt</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Check your work.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark get-password-policy-prop \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --hostname opendj.example.com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --policy-name "New Account Password Policy"</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>Property : Value(s)
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark------------------------------------------:-------------
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkaccount-status-notification-handler : -
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkallow-expired-password-changes : false
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkallow-user-password-changes : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkdefault-password-storage-scheme : Salted SHA-1
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkdeprecated-password-storage-scheme : -
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkexpire-passwords-without-warning : false
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkforce-change-on-add : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkforce-change-on-reset : false
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkgrace-login-count : 0
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkidle-lockout-interval : 0 s
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarklast-login-time-attribute : -
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarklast-login-time-format : -
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarklockout-duration : 0 s
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarklockout-failure-count : 0
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarklockout-failure-expiration-interval : 0 s
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkmax-password-age : 0 s
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkmax-password-reset-age : 0 s
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkmin-password-age : 0 s
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpassword-attribute : userpassword
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpassword-change-requires-current-password : false
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpassword-expiration-warning-interval : 5 d
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpassword-generator : -
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpassword-history-count : 0
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpassword-history-duration : 0 s
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpassword-validator : -
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkprevious-last-login-time-format : -
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkrequire-change-by-time : -
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkrequire-secure-authentication : false
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkrequire-secure-password-changes : false</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>If you use a password policy like this, you might want to change the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark user's policy again when the new user successfully updates the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark password.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </procedure>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <procedure xml:id="create-repl-pwp">
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>To Create a Subentry Based Password Policy</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>You can add a subentry to configure a password policy that
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark applies to Directory Administrators.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Create the entry that specifies the password policy.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>cat /path/to/subentry-pwp.ldif</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: cn=Subentry Password Policy,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: top
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: subentry
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: pwdPolicy
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkcn: Subentry Password Policy
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpwdAttribute: userPassword
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpwdLockout: TRUE
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpwdMaxFailure: 3
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpwdFailureCountInterval: 300
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpwdLockoutDuration: 300
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpwdAllowUserChange: TRUE
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpwdSafeModify: TRUE
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksubtreeSpecification: {base "ou=people", specificationFilter
08248b5c5b494aff8d1922e8e0b5777796d7450dmark "(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Add the policy to the directory.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapmodify \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --defaultAdd \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --filename /path/to/subentry-pwp.ldif</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>Processing ADD request for cn=Subentry Password Policy,dc=example,dc=com
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkADD operation successful for DN cn=Subentry Password Policy,dc=example,dc=com</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Check that the policy applies as specified.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>In the example, the policy should apply to a Directory Administrator,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark while a normal user has the default password policy. Here, Kirsten Vaughan
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark is a member of the Directory Administrators group, and Babs Jensen is not
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark a member.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapsearch \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --baseDN dc=example,dc=com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark uid=kvaughan \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark pwdPolicySubentry</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: uid=kvaughan,ou=People,dc=example,dc=com
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkpwdPolicySubentry: cn=Subentry Password Policy,dc=example,dc=com</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapsearch \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --baseDN dc=example,dc=com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark uid=bjensen \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark pwdPolicySubentry</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkpwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </procedure>
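As an added illustration (not code from OpenDJ or this guide) of what the lockout attributes in the subentry above mean, this Python model applies the semantics of pwdLockout, pwdMaxFailure, pwdFailureCountInterval and pwdLockoutDuration from the LDAP password policy Internet-Draft to a constructed timeline of bind attempts, and contrasts the page's policy with one where lockout is switched off, as with the default policy's lockout-failure-count of 0 shown earlier. The bind timeline and the account-state bookkeeping are assumptions of the model.

```python
"""Account lockout under the subentry password policy created above.

Added example, not code from OpenDJ or this guide. It applies the semantics
of pwdLockout, pwdMaxFailure, pwdFailureCountInterval and pwdLockoutDuration
(LDAP password policy Internet-Draft) to a constructed series of bind
attempts. The bind timeline and the state bookkeeping are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PwdPolicy:
    """Values from the cn=Subentry Password Policy LDIF on this page."""
    pwdLockout: bool = True
    pwdMaxFailure: int = 3              # consecutive failures before lockout
    pwdFailureCountInterval: int = 300  # seconds after which a failure no longer counts
    pwdLockoutDuration: int = 300       # seconds the lock lasts (0: until reset)


@dataclass
class AccountState:
    """Operational state the server keeps on the user entry (assumed model)."""
    failure_times: List[int] = field(default_factory=list)  # pwdFailureTime values
    locked_at: Optional[int] = None                          # pwdAccountLockedTime


def bind(policy, state, password_ok, now):
    """Process one bind at time `now` (seconds). Returns 'success',
    'invalid credentials' or 'locked'."""
    if state.locked_at is not None:
        # A lock expires pwdLockoutDuration seconds after it was set; with
        # duration 0 it stays until an administrator resets the password.
        if policy.pwdLockoutDuration and now >= state.locked_at + policy.pwdLockoutDuration:
            state.locked_at = None
            state.failure_times.clear()
        else:
            return "locked"          # refused even if the password is correct
    if policy.pwdFailureCountInterval:
        # Failures older than pwdFailureCountInterval are purged from the counter.
        state.failure_times = [t for t in state.failure_times
                               if now - t < policy.pwdFailureCountInterval]
    if password_ok:
        state.failure_times.clear()  # a successful bind resets the counter
        return "success"
    state.failure_times.append(now)
    if policy.pwdLockout and len(state.failure_times) >= policy.pwdMaxFailure:
        state.locked_at = now
    return "invalid credentials"


def simulate(attempts, policy):
    """Run a list of (time, password_ok) attempts; return the result of each."""
    state = AccountState()
    return [bind(policy, state, ok, t) for t, ok in attempts]


# Constructed timeline: four wrong passwords, then two correct ones.
TIMELINE = [
    (0, False),     # failure 1
    (100, False),   # failure 2
    (350, False),   # the failure at 0 is older than 300 s, so only 2 count
    (380, False),   # failures at 100, 350, 380: 3 within 300 s -> account locked
    (400, True),    # right password, but the lock lasts until 380 + 300 = 680
    (700, True),    # lock expired, counter reset -> success
]

SUBENTRY_POLICY = PwdPolicy()
NO_LOCKOUT_POLICY = PwdPolicy(pwdLockout=False)  # like lockout-failure-count: 0


def compare():
    """Results under the page's policy versus a policy without lockout."""
    return {"subentry": simulate(TIMELINE, SUBENTRY_POLICY),
            "no_lockout": simulate(TIMELINE, NO_LOCKOUT_POLICY)}


if __name__ == "__main__":
    for name, results in compare().items():
        print(name)
        for (t, _), r in zip(TIMELINE, results):
            print(f"  t={t:>4}s  {r}")
```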
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </section>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <section xml:id="assign-pwp">
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>Assigning Password Policies</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>You assign subentry based password policies for a subtree of the DIT by
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark adding the policy to an LDAP subentry whose immediate superior is the root of
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the subtree. In other words, you can add the subentry based password policy
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark under <literal>ou=People,dc=example,dc=com</literal> to have it apply to all
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark entries under <literal>ou=People,dc=example,dc=com</literal>. You can further
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark use the capabilities of LDAP <link
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark xlink:href="http://tools.ietf.org/html/rfc3672">subentries</link> to refine
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the scope of application.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>You assign server based password policies by using the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>ds-pwp-password-policy-dn</literal> attribute.</para>
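The resolution described in this section and verified in the subentry procedure above, as an added example that is not part of OpenDJ or this guide: a Python model that parses the subtreeSpecification values used on this page, checks base and specificationFilter against constructed entries for kvaughan, bjensen and newuser, and otherwise falls back to the ds-pwp-password-policy-dn attribute and then the Default Password Policy. The precedence between an explicit attribute value and a matching pwdPolicy subentry (attribute first) and the simplified DN handling are assumptions of the model.

```python
"""Which password policy governs an entry?

Added example, not code from OpenDJ or this guide. It models the assignment
mechanisms this section describes: a pwdPolicy subentry scoped by a
subtreeSpecification, the ds-pwp-password-policy-dn attribute (explicit or
collective), and the server's default policy. Assumptions are marked below.
"""
import re

DEFAULT_POLICY = "cn=Default Password Policy,cn=Password Policies,cn=config"


def dn_components(dn):
    """Split a DN into normalised RDNs, root first:
    "uid=a,ou=b,dc=c" -> ["dc=c", "ou=b", "uid=a"].
    Simplification: no escaped commas or multi-valued RDNs (none occur on this page)."""
    return [rdn.strip().lower() for rdn in reversed(dn.split(","))]


def parse_subtree_specification(spec):
    """Parse the subset of RFC 3672 subtreeSpecification syntax used on this page:
    "{}", "{ base "ou=people" }", or a base plus an equality specificationFilter."""
    base = re.search(r'base\s+"([^"]*)"', spec)
    flt = re.search(r'specificationFilter\s+"\(([^=]+)=([^)]*)\)"', spec)
    return {
        "base": dn_components(base.group(1)) if base and base.group(1) else [],
        "filter": (flt.group(1).lower(), flt.group(2)) if flt else None,
    }


def in_scope(subentry_dn, spec, entry_dn):
    """True when entry_dn lies strictly below the subentry's parent (the
    administrative point) extended by the optional base."""
    admin_point = dn_components(subentry_dn)[:-1]
    root = admin_point + spec["base"]
    components = dn_components(entry_dn)
    return len(components) > len(root) and components[: len(root)] == root


def matches_filter(entry, spec):
    """Evaluate the (attr=value) specificationFilter against the entry's attributes."""
    if spec["filter"] is None:
        return True
    attr, value = spec["filter"]
    return any(v.lower() == value.lower() for v in entry["attrs"].get(attr, []))


def resolve_policy(entry, policy_subentries):
    """Return the DN of the policy governing `entry`.

    Assumed precedence (not stated on this page): an explicit or collective
    ds-pwp-password-policy-dn value wins, then the first pwdPolicy subentry
    whose subtreeSpecification covers the entry, then the default policy.
    """
    explicit = entry["attrs"].get("ds-pwp-password-policy-dn")
    if explicit:
        return explicit[0]
    for sub in policy_subentries:
        spec = parse_subtree_specification(sub["subtreeSpecification"])
        if in_scope(sub["dn"], spec, entry["dn"]) and matches_filter(entry, spec):
            return sub["dn"]
    return DEFAULT_POLICY


# Constructed sample data, following the examples in this chapter.
ADMINS = "cn=Directory Administrators,ou=Groups,dc=example,dc=com"
SUBENTRY_POLICIES = [{
    "dn": "cn=Subentry Password Policy,dc=example,dc=com",
    "subtreeSpecification": '{base "ou=people", specificationFilter '
                            '"(isMemberOf=%s)" }' % ADMINS,
}]
ENTRIES = {
    # Directory Administrator under ou=People: covered by the subentry.
    "kvaughan": {"dn": "uid=kvaughan,ou=People,dc=example,dc=com",
                 "attrs": {"ismemberof": [ADMINS]}},
    # Ordinary user: outside the filter, so the server default applies.
    "bjensen": {"dn": "uid=bjensen,ou=People,dc=example,dc=com", "attrs": {}},
    # Explicit assignment through ds-pwp-password-policy-dn.
    "newuser": {"dn": "uid=newuser,ou=People,dc=example,dc=com",
                "attrs": {"ds-pwp-password-policy-dn":
                          ["cn=New Account Password Policy,cn=Password Policies,cn=config"]}},
    # Constructed: an administrator whose entry is outside base "ou=people".
    "outside": {"dn": "uid=outside,ou=Special Users,dc=example,dc=com",
                "attrs": {"ismemberof": [ADMINS]}},
}


def governing_policies():
    """Map each sample uid to the DN of its governing policy."""
    return {uid: resolve_policy(e, SUBENTRY_POLICIES) for uid, e in ENTRIES.items()}


if __name__ == "__main__":
    for uid, policy in governing_policies().items():
        print(f"{uid:>9}: {policy}")
```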
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <procedure xml:id="assign-pwp-to-individual">
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>To Assign a Password Policy to a User</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Prevent users from selecting their own password policy.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>cat protectpwp.ldif</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: ou=People,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkchangetype: modify
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkadd: aci
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkaci: (target ="ldap:///uid=*,ou=People,dc=example,dc=com")(targetattr =
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark "ds-pwp-password-policy-dn")(version 3.0;acl "Cannot choose own pass
08248b5c5b494aff8d1922e8e0b5777796d7450dmark word policy";deny (write)(userdn = "ldap:///self");)</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapmodify \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --filename protectpwp.ldif</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>Processing MODIFY request for ou=People,dc=example,dc=com
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkMODIFY operation successful for DN ou=People,dc=example,dc=com</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Update the user's <literal>ds-pwp-password-policy-dn</literal>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark attribute.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>cat newuser.ldif</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: uid=newuser,ou=People,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkuid: newuser
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: person
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: organizationalPerson
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: inetOrgPerson
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: top
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkcn: New User
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksn: User
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkou: People
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkmail: newuser@example.com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkuserPassword: changeme
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkds-pwp-password-policy-dn: cn=New Account Password Policy,cn=Password Policies,
08248b5c5b494aff8d1922e8e0b5777796d7450dmark cn=config</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapmodify \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --defaultAdd \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --filename newuser.ldif</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>Processing ADD request for uid=newuser,ou=People,dc=example,dc=com
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkADD operation successful for DN uid=newuser,ou=People,dc=example,dc=com</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Check your work.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapsearch \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --baseDN dc=example,dc=com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark uid=newuser \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark pwdPolicySubentry</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: uid=newuser,ou=People,dc=example,dc=com
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkpwdPolicySubentry: cn=New Account Password Policy,cn=Password Policies,cn=config</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </procedure>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <procedure xml:id="assign-pwp-to-group">
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>To Assign a Password Policy to a Group</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Create a subentry defining the collective attribute that sets the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>ds-pwp-password-policy-dn</literal> attribute for group
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark members' entries.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>cat pwp-coll.ldif</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: cn=Password Policy for Dir Admins,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: collectiveAttributeSubentry
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: extensibleObject
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: subentry
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: top
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkcn: Password Policy for Dir Admins
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkds-pwp-password-policy-dn;collective: cn=Root Password Policy,cn=Pass
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark word Policies,cn=config
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksubtreeSpecification: { base "ou=People", specificationFilter "(isMemberOf=
08248b5c5b494aff8d1922e8e0b5777796d7450dmark cn=Directory Administrators,ou=Groups,dc=example,dc=com)"}</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapmodify \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --defaultAdd \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --filename pwp-coll.ldif</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>Processing ADD request for cn=Password Policy for Dir Admins,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkADD operation successful for DN cn=Password Policy for Dir
08248b5c5b494aff8d1922e8e0b5777796d7450dmark Admins,dc=example,dc=com</computeroutput></screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Check your work.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapsearch \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --baseDN dc=example,dc=com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark uid=kvaughan \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark pwdPolicySubentry</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: uid=kvaughan,ou=People,dc=example,dc=com
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkpwdPolicySubentry: cn=Root Password Policy,cn=Password Policies,cn=config</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </procedure>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark <procedure xml:id="assign-pwp-for-branch">
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark <title>To Assign Password Policy for an Entire Branch</title>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark <para>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark You can use a collective attribute to assign a password policy
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark to the entries under a base DN.
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark </para>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark <step>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark <para>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark Create a password policy and collective attribute subentry
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark to assign the policy to all entries under a base DN.
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark </para>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark <para>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark The following example creates a password policy,
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark and then assigns that policy to entries
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark under <literal>ou=People,dc=example,dc=com</literal>.
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark </para>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>cat collective-pwp.ldif</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: cn=People Password Policy,dc=example,dc=com
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkobjectClass: top
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkobjectClass: subentry
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkobjectClass: pwdPolicy
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkcn: People Password Policy
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkpwdAttribute: userPassword
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkpwdLockout: TRUE
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkpwdMaxFailure: 3
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkpwdFailureCountInterval: 300
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkpwdLockoutDuration: 300
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkpwdAllowUserChange: TRUE
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkpwdSafeModify: TRUE
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarksubtreeSpecification: {}
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkdn: cn=Assign People Password Policy,dc=example,dc=com
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkobjectClass: top
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkobjectClass: subentry
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkobjectClass: extensibleObject
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkobjectClass: collectiveAttributeSubentry
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkcn: Assign People Password Policy
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkds-pwp-password-policy-dn;collective: cn=People Password Policy,dc=example,dc=com
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarksubtreeSpecification: { base "ou=people" }
08248b5c5b494aff8d1922e8e0b5777796d7450dmark</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapmodify \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --defaultAdd \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --filename collective-pwp.ldif</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>Processing ADD request for cn=People Password Policy,dc=example,dc=com
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkADD operation successful for DN cn=People Password Policy,dc=example,dc=com
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkProcessing ADD request for cn=Assign People Password Policy,dc=example,dc=com
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkADD operation successful for DN
08248b5c5b494aff8d1922e8e0b5777796d7450dmark cn=Assign People Password Policy,dc=example,dc=com</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark <para>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark Notice the subtree specification used to assign the policy,
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark <literal>{ base "ou=people" }</literal>.
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark You can relax the subtree specification value to <literal>{}</literal>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark to apply the password policy to all entries under
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark the parent of the subentry, <literal>dc=example,dc=com</literal>,
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark or further restrict the subtree specification
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark by adding a <literal>specificationFilter</literal>.
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark See <link xlink:show="new" xlink:href="admin-guide#collective-attributes"
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark xlink:role="http://docbook.org/xlink/role/olink"><citetitle
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark >Collective Attributes</citetitle></link> for more information.
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark </para>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark </step>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark <step>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark <para>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark Check your work.
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark </para>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapsearch \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --baseDN dc=example,dc=com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark "(uid=alutz)" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark pwdPolicySubentry</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: uid=alutz,ou=People,dc=example,dc=com
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkpwdPolicySubentry: cn=People Password Policy,dc=example,dc=com</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark <para>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark If everything is correctly configured,
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark then the password policy should be assigned to users
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark whose entries are under <literal>ou=People,dc=example,dc=com</literal>.
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark </para>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark </step>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark </procedure>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </section>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <section xml:id="configure-pwd-generation">
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>Configuring Password Generation</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <primary>Passwords</primary>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <secondary>Generating</secondary>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
ec40cc0dc62425cea5d63fd9d984f8614479de25mark <para>
ec40cc0dc62425cea5d63fd9d984f8614479de25mark Password generators are used by OpenDJ during the
ec40cc0dc62425cea5d63fd9d984f8614479de25mark <link
ec40cc0dc62425cea5d63fd9d984f8614479de25mark xlink:show="new"
ec40cc0dc62425cea5d63fd9d984f8614479de25mark xlink:href="http://tools.ietf.org/html/rfc3062"
ec40cc0dc62425cea5d63fd9d984f8614479de25mark >LDAP Password Modify extended operation</link>
ec40cc0dc62425cea5d63fd9d984f8614479de25mark to construct a new password for the user.
ec40cc0dc62425cea5d63fd9d984f8614479de25mark In other words, a directory administrator resetting a user's password
ec40cc0dc62425cea5d63fd9d984f8614479de25mark can have OpenDJ directory server generate the new password
ec40cc0dc62425cea5d63fd9d984f8614479de25mark by using the
ec40cc0dc62425cea5d63fd9d984f8614479de25mark <link
ec40cc0dc62425cea5d63fd9d984f8614479de25mark xlink:show="new"
57d6342a74476c0bf2200992e778229d62ab1fa6mark xlink:href="reference#ldappasswordmodify-1"
ec40cc0dc62425cea5d63fd9d984f8614479de25mark xlink:role="http://docbook.org/xlink/role/olink"
ec40cc0dc62425cea5d63fd9d984f8614479de25mark ><command>ldappasswordmodify</command></link> command.
ec40cc0dc62425cea5d63fd9d984f8614479de25mark </para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldappasswordmodify \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --authzID "u:bjensen"</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>The LDAP password modify operation was successful
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkGenerated Password: eak77qdi</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
ec40cc0dc62425cea5d63fd9d984f8614479de25mark <para>
ec40cc0dc62425cea5d63fd9d984f8614479de25mark The default password policy shown in <xref linkend="default-pwp" /> uses the
ec40cc0dc62425cea5d63fd9d984f8614479de25mark <link
ec40cc0dc62425cea5d63fd9d984f8614479de25mark xlink:show="new"
ec40cc0dc62425cea5d63fd9d984f8614479de25mark xlink:href="${configRefBase}random-password-generator.html"
ec40cc0dc62425cea5d63fd9d984f8614479de25mark >Random Password Generator</link>.
ec40cc0dc62425cea5d63fd9d984f8614479de25mark </para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark get-password-policy-prop \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --hostname opendj.example.com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --policy-name "Default Password Policy" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --property password-generator</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>Property           : Value(s)
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark-------------------:--------------------------
bae06e40ce897cdf589169079718c3e70af3684bmarkpassword-generator : Random Password Generator</computeroutput>
bae06e40ce897cdf589169079718c3e70af3684bmark
bae06e40ce897cdf589169079718c3e70af3684bmark$ <userinput>dsconfig \
bae06e40ce897cdf589169079718c3e70af3684bmark get-password-generator-prop \
bae06e40ce897cdf589169079718c3e70af3684bmark --hostname opendj.example.com \
bae06e40ce897cdf589169079718c3e70af3684bmark --port 4444 \
bae06e40ce897cdf589169079718c3e70af3684bmark --bindDN "cn=Directory Manager" \
bae06e40ce897cdf589169079718c3e70af3684bmark --bindPassword password \
bae06e40ce897cdf589169079718c3e70af3684bmark --generator-name "Random Password Generator" \
bae06e40ce897cdf589169079718c3e70af3684bmark --property password-generator</userinput>
bae06e40ce897cdf589169079718c3e70af3684bmark<computeroutput>Property               : Value(s)
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark-----------------------:-----------------------------------------------------
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkenabled                : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpassword-character-set : alpha:abcdefghijklmnopqrstuvwxyz, numeric:0123456789
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkpassword-format        : "alpha:3,numeric:2,alpha:3"</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Notice that the default configuration for the Random Password Generator
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark defines two <literal>password-character-set</literal> values, and then uses
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark those definitions in the <literal>password-format</literal> so that generated
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark passwords have eight characters: three from the <literal>alpha</literal> set,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark followed by two from the <literal>numeric</literal> set, followed by three
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark from the <literal>alpha</literal> set. The
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>password-character-set</literal> name must be ASCII.</para>
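 <para>As an added example (not OpenDJ's own code), the following Python models the Random Password Generator configuration just shown: it parses the <literal>password-character-set</literal> and <literal>password-format</literal> values, draws a password from them with a CSPRNG, and computes the size of the resulting search space in bits, which is the figure to check before trusting generated passwords. The function names and the entropy calculation are this example's own; the configuration values are the ones printed above and those of the custom configuration shown later in this section.</para>

```python
import math
import secrets

# Constructed sample input: the default Random Password Generator
# configuration as printed by "dsconfig get-password-generator-prop".
DEFAULT_CHARACTER_SETS = [
    "alpha:abcdefghijklmnopqrstuvwxyz",
    "numeric:0123456789",
]
DEFAULT_FORMAT = "alpha:3,numeric:2,alpha:3"

# Constructed sample input: the modified configuration from the
# "dsconfig set-password-generator-prop" example on this page, with the
# shell escapes removed (the uppercase part of alpha really stops at W).
CUSTOM_CHARACTER_SETS = [
    "alpha:ABCDEFGHIJKLMNOPQRSTUVWabcdefghijklmnopqrstuvwxyz",
    "numeric:0123456789",
    'punct:,./`!@#$%^&*:;[]"\'()+=-_~\\',
]
CUSTOM_FORMAT = "alpha:3,punct:1,numeric:2,punct:2,numeric:3,alpha:3,punct:2"


def parse_character_sets(values):
    """Parse password-character-set values of the form "name:characters".

    The split is on the first colon only, so the character string may
    itself contain colons (the punct set above does). The set name must
    be ASCII, as the guide states.
    """
    sets = {}
    for value in values:
        name, sep, chars = value.partition(":")
        if not sep or not name or not chars:
            raise ValueError("expected name:characters, got %r" % value)
        if not name.isascii():
            raise ValueError("character set name must be ASCII: %r" % name)
        if name in sets:
            raise ValueError("duplicate character set name: %r" % name)
        # drop duplicate characters so that every draw below is uniform
        sets[name] = "".join(dict.fromkeys(chars))
    return sets


def parse_format(value, sets):
    """Parse a password-format value "name:count,name:count,..." into
    a list of (set name, count) pieces, checking every name is defined."""
    pieces = []
    for item in value.split(","):
        name, sep, count = item.partition(":")
        if not sep or name not in sets or not count.isdigit() or int(count) < 1:
            raise ValueError("bad password-format element: %r" % item)
        pieces.append((name, int(count)))
    return pieces


def generate_password(sets, pieces):
    """Draw each piece of the format from its named set with a CSPRNG."""
    return "".join(secrets.choice(sets[name])
                   for name, count in pieces for _ in range(count))


def search_space_bits(sets, pieces):
    """Entropy in bits of a password drawn uniformly under this format:
    the sum over pieces of count * log2(size of the set)."""
    return sum(count * math.log2(len(sets[name])) for name, count in pieces)


def matches_format(password, sets, pieces):
    """True if the password could have been produced by this format."""
    position = 0
    for name, count in pieces:
        chunk = password[position:position + count]
        if len(chunk) != count or any(c not in sets[name] for c in chunk):
            return False
        position += count
    return position == len(password)


if __name__ == "__main__":
    for label, raw_sets, raw_format in (
        ("default", DEFAULT_CHARACTER_SETS, DEFAULT_FORMAT),
        ("custom", CUSTOM_CHARACTER_SETS, CUSTOM_FORMAT),
    ):
        sets = parse_character_sets(raw_sets)
        pieces = parse_format(raw_format, sets)
        print(label, generate_password(sets, pieces),
              "%.1f bits" % search_space_bits(sets, pieces))
```

The default format yields under 35 bits of entropy, which is why a generated password like <literal>eak77qdi</literal> should be treated as a one-time reset value rather than a long-lived credential.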
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>To set the password generator that OpenDJ employs when constructing a
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark new password for a user, set the <literal>password-generator</literal>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark property for the password policy that applies to the user.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The following example does not change the password policy, but instead
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark changes the Random Password Generator configuration, and then demonstrates a
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark password being generated upon reset.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen width="81">
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark set-password-generator-prop \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --hostname opendj.example.com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --generator-name "Random Password Generator" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --remove password-character-set:alpha:abcdefghijklmnopqrstuvwxyz \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --add \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark password-character-set:alpha:ABCDEFGHIJKLMNOPQRSTUVWabcdefghijklmnopqrstuvwxyz \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --add password-character-set:punct:,./\`!@#\$%^&amp;*:\;[]\"\'\(\)+=-_~\\ \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark password-format:alpha:3,punct:1,numeric:2,punct:2,numeric:3,alpha:3,punct:2 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --no-prompt</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldappasswordmodify \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --authzID "u:bjensen"</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>The LDAP password modify operation was successful
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkGenerated Password: pld^06:)529HTq$'</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>If you also set up a password validator in the password policy as
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark shown in <xref linkend="default-pwp" /> and further described in
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <xref linkend="configure-pwd-validation" />, make sure the generated
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark passwords are acceptable to the validator.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </section>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <section xml:id="configure-pwd-storage">
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>Configuring Password Storage</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <primary>Passwords</primary>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <secondary>Storage schemes</secondary>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
ec40cc0dc62425cea5d63fd9d984f8614479de25mark <para>
ec40cc0dc62425cea5d63fd9d984f8614479de25mark <link
ec40cc0dc62425cea5d63fd9d984f8614479de25mark xlink:show="new"
ec40cc0dc62425cea5d63fd9d984f8614479de25mark xlink:href="${configRefBase}password-storage-scheme.html"
ec40cc0dc62425cea5d63fd9d984f8614479de25mark >Password storage schemes</link>
ec40cc0dc62425cea5d63fd9d984f8614479de25mark encode new passwords provided by users
ec40cc0dc62425cea5d63fd9d984f8614479de25mark so that they are stored in an encoded manner.
ec40cc0dc62425cea5d63fd9d984f8614479de25mark This makes it difficult or impossible
ec40cc0dc62425cea5d63fd9d984f8614479de25mark to determine the clear-text passwords from the encoded values.
ec40cc0dc62425cea5d63fd9d984f8614479de25mark Password storage schemes also determine whether
ec40cc0dc62425cea5d63fd9d984f8614479de25mark a clear-text password provided by a client
ec40cc0dc62425cea5d63fd9d984f8614479de25mark matches the encoded value stored by the server.
ec40cc0dc62425cea5d63fd9d984f8614479de25mark </para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>OpenDJ offers a variety of both reversible and one-way password storage
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark schemes. Some schemes make it easy to recover the clear-text password,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark whereas others aim to make it computationally hard to do so.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark list-password-storage-schemes \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --hostname opendj.example.com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkPassword Storage Scheme : Type          : enabled
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark------------------------:---------------:--------
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark3DES                    : triple-des    : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkAES                     : aes           : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkBase64                  : base64        : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkBlowfish                : blowfish      : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkClear                   : clear         : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkCRYPT                   : crypt         : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkMD5                     : md5           : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkPBKDF2                  : pbkdf2        : true
1c87ba56eccd769f09e5cb68104bbcbab21f2845markPKCS5S2                 : pkcs5s2       : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkRC4                     : rc4           : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkSalted MD5              : salted-md5    : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkSalted SHA-1            : salted-sha1   : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkSalted SHA-256          : salted-sha256 : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkSalted SHA-384          : salted-sha384 : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkSalted SHA-512          : salted-sha512 : true
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkSHA-1                   : sha1          : true</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>As shown in <xref linkend="default-pwp" />, the default password storage
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark scheme for users is Salted SHA-1. When you add users or import user entries
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark with <literal>userPassword</literal> values in clear text, OpenDJ hashes them
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark with the default password storage scheme. Root DN users have a different
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark password policy by default, shown in <xref linkend="assign-pwp-to-group" />.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark The Root Password Policy uses Salted SHA-512 by default.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>You change the default password policy storage scheme for users by
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark changing the applicable password policy, as shown in the following
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark example.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark set-password-policy-prop \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --hostname opendj.example.com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --policy-name "Default Password Policy" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set default-password-storage-scheme:pbkdf2 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --no-prompt</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Notice that the change in default password storage scheme does not
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark cause OpenDJ to update any stored password values. By default, OpenDJ only
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark stores a password with the new storage scheme the next time that the password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark is changed.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>OpenDJ prefixes each stored password value with the name of the scheme
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark used to encode it, so it is straightforward to see which password storage
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark scheme is in use. After the default password storage scheme is changed to
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark PBKDF2, old user passwords remain encoded with Salted SHA-1.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapsearch \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN uid=bjensen,ou=people,dc=example,dc=com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword hifalutin \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --baseDN dc=example,dc=com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark "(uid=bjensen)" userPassword</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkuserPassword: {SSHA}Rc3tkAj1qP5zGiRkwDIWDFxrxpGgO8Fwh3aibg==</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>When the password is changed, the new default password storage scheme
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark takes effect, as shown in the following example.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldappasswordmodify \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --authzID "u:bjensen" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --newPassword changeit</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>The LDAP password modify operation was successful</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapsearch \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN uid=bjensen,ou=people,dc=example,dc=com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword changeit \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --baseDN dc=example,dc=com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark "(uid=bjensen)" userPassword</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkuserPassword: {PBKDF2}10000:O3V6G7y7n7AefOkRGNKQ5ukrMuO5uf+iEQ9ZLg==</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>When you change the password storage scheme for users, realize that
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the user passwords must change in order for OpenDJ to encode them with
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the chosen storage scheme. If you are changing the storage scheme because
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the old scheme was too weak, then you no doubt want users to change their
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark passwords anyway.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>If, however, the storage scheme change is not related to a
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark vulnerability, you can use the <literal>deprecated-password-storage-scheme</literal>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark property of the password policy to have OpenDJ re-encode the password with the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark new scheme after the user authenticates successfully. This makes it possible
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark to migrate the passwords of active users without forcing them to change their
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark passwords.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapsearch \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN uid=kvaughan,ou=people,dc=example,dc=com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword bribery \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --baseDN dc=example,dc=com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark "(uid=kvaughan)" userPassword</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: uid=kvaughan,ou=People,dc=example,dc=com
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkuserPassword: {SSHA}hDgK44F2GhIIZj913b+29Ak7phb9oU3Lz4ogkg==</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark set-password-policy-prop \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --hostname opendj.example.com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --policy-name "Default Password Policy" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set deprecated-password-storage-scheme:"Salted SHA-1" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --no-prompt</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapsearch \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN uid=kvaughan,ou=people,dc=example,dc=com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword bribery \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --baseDN dc=example,dc=com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark "(uid=kvaughan)" userPassword</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: uid=kvaughan,ou=People,dc=example,dc=com
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkuserPassword: {PBKDF2}10000:L4dCYqSsNnf47YZ3a6aC8K2E3DChhHHhpcoUzg==</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Notice that with <literal>deprecated-password-storage-scheme</literal>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark set appropriately, Kirsten Vaughan's password was hashed again after she
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark authenticated successfully.</para>
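 <para>As an added example (not OpenDJ's own code), the Python below models the two stored-value formats shown above: <literal>{SSHA}</literal> as base64(SHA-1(password || salt) || salt) and <literal>{PBKDF2}</literal> as iterations:base64(PBKDF2-HMAC-SHA-1(password, salt) || salt), both with an 8-byte salt. That layout is an assumption drawn from the 28-byte payloads in the <command>ldapsearch</command> output, not something this page states. The code reads the scheme from the prefix, verifies a clear-text password against either format, and models what <literal>deprecated-password-storage-scheme</literal> does: the value can only be re-encoded at bind time, because that is the only moment the server has the clear text. The function names are this example's own.</para>

```python
import base64
import hashlib
import hmac
import os

SALT_BYTES = 8                  # assumption: 8-byte salt appended to the digest
PBKDF2_ITERATIONS = 10000       # iteration count shown in the {PBKDF2} values
DEPRECATED_SCHEMES = ("SSHA",)  # deprecated-password-storage-scheme: Salted SHA-1

# Constructed sample input: the two userPassword values the page shows for
# bjensen, before and after the password change (used here for parsing only).
PAGE_VALUES = [
    "{SSHA}Rc3tkAj1qP5zGiRkwDIWDFxrxpGgO8Fwh3aibg==",
    "{PBKDF2}10000:O3V6G7y7n7AefOkRGNKQ5ukrMuO5uf+iEQ9ZLg==",
]


def split_scheme(stored):
    """Split a stored value "{SCHEME}payload" into (SCHEME, payload)."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("no storage scheme prefix in %r" % stored)
    end = stored.index("}")
    return stored[1:end].upper(), stored[end + 1:]


def encode_ssha(password, salt=None):
    """Salted SHA-1: base64(SHA-1(password || salt) || salt)."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def encode_pbkdf2(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """PBKDF2: "iterations:base64(PBKDF2-HMAC-SHA-1 digest || salt)"."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                                 iterations, dklen=20)
    return "{PBKDF2}%d:%s" % (iterations,
                              base64.b64encode(digest + salt).decode("ascii"))


def verify(password, stored):
    """True if the clear-text password matches the stored encoded value."""
    scheme, payload = split_scheme(stored)
    if scheme == "SSHA":
        raw = base64.b64decode(payload)
        digest, salt = raw[:-SALT_BYTES], raw[-SALT_BYTES:]
        candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    elif scheme == "PBKDF2":
        iterations, _, encoded = payload.partition(":")
        raw = base64.b64decode(encoded)
        digest, salt = raw[:-SALT_BYTES], raw[-SALT_BYTES:]
        candidate = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                                        int(iterations), dklen=len(digest))
    else:
        raise ValueError("scheme %s is not modelled here" % scheme)
    # constant-time comparison: the time taken must not reveal how many
    # leading bytes of the digest matched
    return hmac.compare_digest(candidate, digest)


def rehash_on_bind(password, stored):
    """Model deprecated-password-storage-scheme: after a successful bind, a
    value in a deprecated scheme is re-encoded with the default scheme.
    Returns the (possibly new) stored value, or None when the bind fails."""
    if not verify(password, stored):
        return None  # wrong password: nothing is re-encoded
    scheme, _ = split_scheme(stored)
    if scheme in DEPRECATED_SCHEMES:
        return encode_pbkdf2(password)  # the clear text is in hand only now
    return stored


if __name__ == "__main__":
    for value in PAGE_VALUES:
        scheme, payload = split_scheme(value)
        print(scheme, "payload bytes:",
              len(base64.b64decode(payload.split(":")[-1])))
    # True only if the page's value was produced by the encoding assumed above
    print("page SSHA value matches 'hifalutin':",
          verify("hifalutin", PAGE_VALUES[0]))
    old = encode_ssha("hifalutin")
    print(old, "->", rehash_on_bind("hifalutin", old))
```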
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </section>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <section xml:id="configure-pwd-validation">
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>Configuring Password Validation</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <primary>Passwords</primary>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <secondary>Validating</secondary>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
ec40cc0dc62425cea5d63fd9d984f8614479de25mark <para>
ec40cc0dc62425cea5d63fd9d984f8614479de25mark <link
ec40cc0dc62425cea5d63fd9d984f8614479de25mark xlink:show="new"
ec40cc0dc62425cea5d63fd9d984f8614479de25mark xlink:href="${configRefBase}password-validator.html"
ec40cc0dc62425cea5d63fd9d984f8614479de25mark >Password validators</link>
ec40cc0dc62425cea5d63fd9d984f8614479de25mark are responsible for determining whether a proposed password is
ec40cc0dc62425cea5d63fd9d984f8614479de25mark acceptable for use.
ec40cc0dc62425cea5d63fd9d984f8614479de25mark Validators can run checks like ensuring
ec40cc0dc62425cea5d63fd9d984f8614479de25mark that the password meets minimum length requirements,
ec40cc0dc62425cea5d63fd9d984f8614479de25mark that it has an appropriate range of characters,
ec40cc0dc62425cea5d63fd9d984f8614479de25mark or that it is not in the history of recently used passwords.
ec40cc0dc62425cea5d63fd9d984f8614479de25mark OpenDJ directory server provides a variety of password validators.
ec40cc0dc62425cea5d63fd9d984f8614479de25mark </para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark list-password-validators \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --hostname opendj.example.com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password</userinput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkPassword Validator                  : Type                : enabled
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark------------------------------------:---------------------:--------
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkAttribute Value                     : attribute-value     : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkCharacter Set                       : character-set       : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkDictionary                          : dictionary          : false
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkLength-Based Password Validator     : length-based        : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkRepeated Characters                 : repeated-characters : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkSimilarity-Based Password Validator : similarity-based    : true
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkUnique Characters                   : unique-characters   : true</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The password policy for a user specifies the set of password validators
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark that should be used whenever that user provides a new password. By default
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark no password validators are configured. You can see an example setting the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark Default Password Policy to use the Dictionary validator in
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <xref linkend="default-pwp" />. The following example shows how to set up
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark a custom password validator and assign it to the default password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark policy.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <itemizedlist>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The custom password validator ensures passwords meet at least three of
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the following four criteria. Passwords are composed of:</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>English lowercase characters (a through z)</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>English uppercase characters (A through Z)</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Base 10 digits (0 through 9)</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Non-alphabetic characters (for example, !, $, #, %)</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </itemizedlist>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Notice how the <literal>character-set</literal> values are constructed.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark The initial <literal>0:</literal> means the set is optional, whereas
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>1:</literal> would mean the set is required.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark create-password-validator \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --hostname opendj.example.com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --validator-name "Custom Character Set Password Validator" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set allow-unclassified-characters:true \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set enabled:true \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set character-set:0:abcdefghijklmnopqrstuvwxyz \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set character-set:0:ABCDEFGHIJKLMNOPQRSTUVWXYZ \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set character-set:0:0123456789 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set character-set:0:!\"#\$%&amp;\'\(\)*+,-./:\;\\&lt;=\&gt;?@[\\]^_\`{\|}~ \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set min-character-sets:3 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --type character-set \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --no-prompt</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark set-password-policy-prop \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --hostname opendj.example.com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --policy-name "Default Password Policy" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set password-validator:"Custom Character Set Password Validator" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --no-prompt</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldappasswordmodify \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --authzID "u:bjensen" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --newPassword '!ABcd$%^'</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>In the preceding example, the character set of ASCII punctuation,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>!\"#\$%&amp;\'\(\)*+,-./:\;\\&lt;=\&gt;?@[\\]^_\`{\|}~</literal>,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark is hard to read because of all the escape characters. In practice it can
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark be easier to enter sequences like that by using <command>dsconfig</command>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark in interactive mode, and letting it do the escaping for you. You can also
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark use the <option>--commandFilePath {path}</option> option to save the result
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark of your interactive session to a file for use in scripts later.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>An attempt to set an invalid password fails as shown in the following
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark example.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldappasswordmodify \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --authzID "u:bjensen" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --newPassword hifalutin</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>The LDAP password modify operation failed with result code 19
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkError Message: The provided new password failed the validation checks defined
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkin the server: The provided password did not contain characters from at least
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark3 of the following character sets or ranges: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
08248b5c5b494aff8d1922e8e0b5777796d7450dmark'!"#$%&amp;'()*+,-./:;&lt;=\&gt;?@[\]^_`{|}~', '0123456789', 'abcdefghijklmnopqrstuvwxyz'</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Validation does not affect existing passwords, but only takes effect
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark when the password is updated.</para>
97cb8289f277962530b3890287205dca5401bb4amark
97cb8289f277962530b3890287205dca5401bb4amark <para>
97cb8289f277962530b3890287205dca5401bb4amark You can reference password validators from subentry password policies.
97cb8289f277962530b3890287205dca5401bb4amark See <xref linkend="pwp-replicated" /> for an example.
97cb8289f277962530b3890287205dca5401bb4amark </para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </section>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <section xml:id="sample-password-policies">
391d13679315472c5e7b2abcde000787152da4c6mark <title>Sample Password Policies</title>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark The sample password policies in this section demonstrate
391d13679315472c5e7b2abcde000787152da4c6mark OpenDJ server based password policies for several common cases.
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <indexterm>
391d13679315472c5e7b2abcde000787152da4c6mark <primary>Password policy</primary>
391d13679315472c5e7b2abcde000787152da4c6mark <secondary>Samples</secondary>
391d13679315472c5e7b2abcde000787152da4c6mark </indexterm>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <itemizedlist>
391d13679315472c5e7b2abcde000787152da4c6mark <listitem>
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark <xref linkend="example-enforce-regular-password-changes" />
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark </listitem>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <listitem>
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark <xref linkend="example-track-last-login" />
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark </listitem>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <listitem>
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark <xref linkend="example-deprecate-storage-scheme" />
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark </listitem>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <listitem>
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark <xref linkend="example-lock-idle-accounts" />
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark </listitem>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <listitem>
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark <xref linkend="example-allow-grace-login" />
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark </listitem>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <listitem>
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark <xref linkend="example-require-password-change-on-add-or-reset" />
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark </listitem>
391d13679315472c5e7b2abcde000787152da4c6mark </itemizedlist>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <example xml:id="example-enforce-regular-password-changes">
391d13679315472c5e7b2abcde000787152da4c6mark <?dbfo keep-together="auto"?>
391d13679315472c5e7b2abcde000787152da4c6mark <title>Enforce Regular Password Changes</title>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark The following commands configure an OpenDJ server based password policy
391d13679315472c5e7b2abcde000787152da4c6mark that sets age limits on passwords, requiring that they change periodically.
391d13679315472c5e7b2abcde000787152da4c6mark It also sets the number of passwords to keep in the password history
391d13679315472c5e7b2abcde000787152da4c6mark of the entry, thereby preventing users from reusing the same password
391d13679315472c5e7b2abcde000787152da4c6mark on consecutive changes.
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark create-password-policy \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --hostname opendj.example.com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --policy-name "Enforce Regular Password Changes" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --type password-policy \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set default-password-storage-scheme:"Salted SHA-1" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set password-attribute:userPassword \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set max-password-age:13w \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set min-password-age:4w \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set password-history-count:7 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --trustAll \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --no-prompt</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark See also <xref linkend="assign-pwp" /> for instructions on using the policy.
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark </example>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <example xml:id="example-track-last-login">
391d13679315472c5e7b2abcde000787152da4c6mark <?dbfo keep-together="auto"?>
391d13679315472c5e7b2abcde000787152da4c6mark <title>Track Last Login Time</title>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark The following commands configure an OpenDJ server based password policy
391d13679315472c5e7b2abcde000787152da4c6mark that keeps track of the last successful login.
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark First, set up an attribute to which OpenDJ directory server
391d13679315472c5e7b2abcde000787152da4c6mark can write a timestamp value on successful login.
391d13679315472c5e7b2abcde000787152da4c6mark For additional information also see the example, <link
391d13679315472c5e7b2abcde000787152da4c6mark xlink:href="admin-guide#configure-account-lockout"
391d13679315472c5e7b2abcde000787152da4c6mark xlink:show="new" xlink:role="http://docbook.org/xlink/role/olink"
391d13679315472c5e7b2abcde000787152da4c6mark ><citetitle>Search: List Active Accounts</citetitle></link>.
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapmodify \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --hostname opendj.example.com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
391d13679315472c5e7b2abcde000787152da4c6mark --bindPassword password
391d13679315472c5e7b2abcde000787152da4c6markdn: cn=schema
391d13679315472c5e7b2abcde000787152da4c6markchangetype: modify
391d13679315472c5e7b2abcde000787152da4c6markadd: attributeTypes
391d13679315472c5e7b2abcde000787152da4c6markattributeTypes: ( lastLoginTime-oid
391d13679315472c5e7b2abcde000787152da4c6mark NAME 'lastLoginTime'
391d13679315472c5e7b2abcde000787152da4c6mark DESC 'Last time the user logged in'
391d13679315472c5e7b2abcde000787152da4c6mark EQUALITY generalizedTimeMatch
391d13679315472c5e7b2abcde000787152da4c6mark ORDERING generalizedTimeOrderingMatch
391d13679315472c5e7b2abcde000787152da4c6mark SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
391d13679315472c5e7b2abcde000787152da4c6mark SINGLE-VALUE
391d13679315472c5e7b2abcde000787152da4c6mark NO-USER-MODIFICATION
391d13679315472c5e7b2abcde000787152da4c6mark USAGE directoryOperation
08248b5c5b494aff8d1922e8e0b5777796d7450dmark X-ORIGIN 'OpenDJ example documentation' )</userinput>
391d13679315472c5e7b2abcde000787152da4c6mark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>Processing MODIFY request for cn=schema
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkMODIFY operation successful for DN cn=schema</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark Next, create the password policy that causes OpenDJ directory server
391d13679315472c5e7b2abcde000787152da4c6mark to write the timestamp to the attribute on successful login.
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark create-password-policy \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --hostname opendj.example.com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --policy-name "Track Last Login Time" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --type password-policy \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set default-password-storage-scheme:"Salted SHA-1" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set password-attribute:userPassword \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set last-login-time-attribute:lastLoginTime \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set last-login-time-format:"yyyyMMddHH'Z'" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --trustAll \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --no-prompt</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark See also <xref linkend="assign-pwp" /> for instructions on using the policy.
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark </example>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <example xml:id="example-deprecate-storage-scheme">
391d13679315472c5e7b2abcde000787152da4c6mark <?dbfo keep-together="auto"?>
391d13679315472c5e7b2abcde000787152da4c6mark <title>Deprecate a Password Storage Scheme</title>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark The following commands configure an OpenDJ server based password policy
391d13679315472c5e7b2abcde000787152da4c6mark that you can use when deprecating a password storage scheme.
391d13679315472c5e7b2abcde000787152da4c6mark This policy uses elements from
391d13679315472c5e7b2abcde000787152da4c6mark <xref linkend="example-enforce-regular-password-changes" />,
391d13679315472c5e7b2abcde000787152da4c6mark as OpenDJ directory server only employs the new password storage scheme
391d13679315472c5e7b2abcde000787152da4c6mark to hash or to encrypt passwords when a password changes.
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark create-password-policy \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --hostname opendj.example.com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --policy-name "Deprecate a Password Storage Scheme" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --type password-policy \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set deprecated-password-storage-scheme:Crypt \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set default-password-storage-scheme:"Salted SHA-1" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set password-attribute:userPassword \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set max-password-age:13w \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set min-password-age:4w \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set password-history-count:7 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --trustAll \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --no-prompt</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark See also <xref linkend="assign-pwp" /> for instructions on using the policy.
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark </example>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <example xml:id="example-lock-idle-accounts">
391d13679315472c5e7b2abcde000787152da4c6mark <?dbfo keep-together="auto"?>
391d13679315472c5e7b2abcde000787152da4c6mark <title>Lock Idle Accounts</title>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark The following commands configure an OpenDJ server based password policy
391d13679315472c5e7b2abcde000787152da4c6mark that locks idle accounts.
391d13679315472c5e7b2abcde000787152da4c6mark This policy extends the example from
391d13679315472c5e7b2abcde000787152da4c6mark <xref linkend="example-track-last-login" />
391d13679315472c5e7b2abcde000787152da4c6mark as OpenDJ directory server must track last successful login time
391d13679315472c5e7b2abcde000787152da4c6mark in order to calculate how long the account has been idle.
391d13679315472c5e7b2abcde000787152da4c6mark You must first add the <literal>lastLoginTime</literal> attribute type
391d13679315472c5e7b2abcde000787152da4c6mark in order for OpenDJ directory server to accept this new password policy.
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark create-password-policy \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --hostname opendj.example.com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --policy-name "Lock Idle Accounts" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --type password-policy \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set default-password-storage-scheme:"Salted SHA-1" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set password-attribute:userPassword \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set last-login-time-attribute:lastLoginTime \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set last-login-time-format:"yyyyMMddHH'Z'" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set idle-lockout-interval:13w \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --trustAll \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --no-prompt</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark See also <xref linkend="assign-pwp" />,
391d13679315472c5e7b2abcde000787152da4c6mark and <link xlink:href="admin-guide#configure-account-lockout"
391d13679315472c5e7b2abcde000787152da4c6mark xlink:show="new" xlink:role="http://docbook.org/xlink/role/olink"
391d13679315472c5e7b2abcde000787152da4c6mark ><citetitle>Configuring Account Lockout</citetitle></link>.
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark </example>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <example xml:id="example-allow-grace-login">
391d13679315472c5e7b2abcde000787152da4c6mark <?dbfo keep-together="auto"?>
391d13679315472c5e7b2abcde000787152da4c6mark <title>Allow Grace Login to Change Expired Password</title>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark The following commands configure an OpenDJ server based password policy
391d13679315472c5e7b2abcde000787152da4c6mark that allows users to login after their password has expired
391d13679315472c5e7b2abcde000787152da4c6mark in order to choose a new password.
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark create-password-policy \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --hostname opendj.example.com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --policy-name "Allow Grace Login" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --type password-policy \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set default-password-storage-scheme:"Salted SHA-1" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set password-attribute:userPassword \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set grace-login-count:2 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --trustAll \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --no-prompt</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark See also <xref linkend="assign-pwp" /> for instructions on using the policy.
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark </example>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <example xml:id="example-require-password-change-on-add-or-reset">
391d13679315472c5e7b2abcde000787152da4c6mark <?dbfo keep-together="auto"?>
391d13679315472c5e7b2abcde000787152da4c6mark <title>Require Password Change on Add or Reset</title>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark The following commands configure an OpenDJ server based password policy
391d13679315472c5e7b2abcde000787152da4c6mark that requires new users to change their password
391d13679315472c5e7b2abcde000787152da4c6mark after logging in for the first time,
391d13679315472c5e7b2abcde000787152da4c6mark and also requires users to change their password
391d13679315472c5e7b2abcde000787152da4c6mark after their password is reset.
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark create-password-policy \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --hostname opendj.example.com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --policy-name "Require Password Change on Add or Reset" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --type password-policy \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set default-password-storage-scheme:"Salted SHA-1" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set password-attribute:userPassword \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set force-change-on-add:true \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set force-change-on-reset:true \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --trustAll \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --no-prompt</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark See also <xref linkend="assign-pwp" /> for instructions on using the policy.
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark </example>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark </section>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark</chapter>