<!-- chap-pwd-policy.xml, revision 51607ea01068c9047391e4c8b46bc9dbd0edb7fd -->
<!--
  ! CCPL HEADER START
  !
  ! This work is licensed under the Creative Commons
  ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
  ! To view a copy of this license, visit
  ! or send a letter to Creative Commons, 444 Castro Street,
  ! Suite 900, Mountain View, California, 94041, USA.
  ! You can also obtain a copy of the license at
  ! See the License for the specific language governing permissions
  ! and limitations under the License.
  !
  ! If applicable, add the following below this CCPL HEADER, with the fields
  ! enclosed by brackets "[]" replaced with your own identifying information:
  !      Portions Copyright [yyyy] [name of copyright owner]
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2013 ForgeRock AS
  !
-->
 xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 <indexterm><primary>Password policy</primary></indexterm>
 <para>If you want to synchronize password policy across your organization
 and your applications go to the directory for authentication, then the
 directory can be a good place to enforce your password policy uniformly.
 Even if you do not depend on the directory for all your password policy,
 you no doubt still want to consider directory password policy if only to
 choose the appropriate password storage scheme.</para>
 <para>This chapter covers password policy, including examples of how
 to configure password policies for common use cases.</para>
 <para>OpenDJ password policies govern not only passwords, but also account
 lockout, and how OpenDJ provides notification about account status.</para>
 <para>OpenDJ supports password policies as part of the server configuration,
 and also subentry password policies as part of the (replicated) user
 data.</para>
 <para>You manage server based password policies in the OpenDJ configuration
 by using the <command>dsconfig</command> command. As they are part of the
 server configuration, such password policies are not replicated. You must
 instead apply password policy configuration updates to each replica in your
 deployment.</para>
 <para>By default, OpenDJ includes two password policy configurations, one
 default for all users, and another for directory root DN users, such as
 <literal>cn=Directory Manager</literal>. You can see all the default password
 policy settings using the <command>dsconfig</command> command as
 follows.</para>
 <screen>$ dsconfig
 get-password-policy-prop
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --policy-name "Default Password Policy"
 --advanced
Property                                  : Value(s)
------------------------------------------:--------------------------
account-status-notification-handler       : -
allow-expired-password-changes            : false
allow-multiple-password-values            : false
allow-pre-encoded-passwords               : false
allow-user-password-changes               : true
default-password-storage-scheme           : Salted SHA-1
deprecated-password-storage-scheme        : -
expire-passwords-without-warning          : false
force-change-on-add                       : false
force-change-on-reset                     : false
grace-login-count                         : 0
idle-lockout-interval                     : 0 s
last-login-time-attribute                 : -
last-login-time-format                    : -
lockout-duration                          : 0 s
lockout-failure-count                     : 0
lockout-failure-expiration-interval       : 0 s
max-password-age                          : 0 s
max-password-reset-age                    : 0 s
min-password-age                          : 0 s
password-attribute                        : userpassword
password-change-requires-current-password : false
password-expiration-warning-interval      : 5 d
password-generator                        : Random Password Generator
password-history-count                    : 0
password-history-duration                 : 0 s
password-validator                        : -
previous-last-login-time-format           : -
require-change-by-time                    : -
require-secure-authentication             : false
require-secure-password-changes           : false
skip-validation-for-administrators        : false
state-update-failure-policy               : reactive</screen>
 <para>See the <citetitle>OpenDJ Configuration Reference</citetitle> page
 ><citetitle>Password Policy</citetitle></link> for detailed descriptions of
 each property.</para>
 <para>Notice that many capabilities are not enabled by default: no
 lockout, no password expiration, no multiple passwords, no password validator
 to check that passwords contain the appropriate mix of characters. This means
 that if you decide to use the directory to enforce password policy, you
 must configure at least the default password policy to meet your
 needs.</para>
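 <para>The following is an added example, not code from the OpenDJ documentation: it parses the property table that dsconfig get-password-policy-prop prints and flags the protections this chapter notes are off by default, so a policy can be audited before the directory is relied on to enforce it. The embedded table is constructed from a subset of the output above.</para>

```python
# Added example, not from the OpenDJ documentation: parse the table that
# "dsconfig get-password-policy-prop" prints and flag protections that are
# switched off, so a policy can be audited before the directory is relied on
# to enforce it. The checks mirror the gaps this chapter points out.
import re

# Constructed sample: a subset of the default-policy output shown above.
SAMPLE_OUTPUT = """\
Property                                  : Value(s)
------------------------------------------:--------------------------
allow-pre-encoded-passwords               : false
default-password-storage-scheme           : Salted SHA-1
grace-login-count                         : 0
lockout-duration                          : 0 s
lockout-failure-count                     : 0
max-password-age                          : 0 s
password-history-count                    : 0
password-validator                        : -
require-secure-authentication             : false
require-secure-password-changes           : false
"""

PROP_LINE = re.compile(r"^\s*([a-z][a-z0-9-]*)\s*:\s*(.*?)\s*$")
DURATION = re.compile(r"(\d+)\s*([smhdw])")
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_policy_table(text: str) -> dict:
    """Map property names to their displayed values; '-' (unset) becomes None."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line)
        if m:  # the "Property" header and the separator line do not match
            props[m.group(1)] = None if m.group(2) == "-" else m.group(2)
    return props


def duration_seconds(value: str) -> int:
    """Convert a displayed duration such as '12 w 6 d' or '0 s' to seconds."""
    return sum(int(n) * UNIT_SECONDS[u] for n, u in DURATION.findall(value))


def audit_policy(props: dict) -> list:
    """Return one finding per protection that is off or weakened."""
    findings = []
    if int(props.get("lockout-failure-count") or 0) == 0:
        findings.append("no account lockout: lockout-failure-count is 0")
    if duration_seconds(props.get("max-password-age") or "0 s") == 0:
        findings.append("no password expiration: max-password-age is 0 s")
    if props.get("password-validator") is None:
        findings.append("no password validator: any value is accepted")
    if int(props.get("password-history-count") or 0) == 0:
        findings.append("password reuse allowed: password-history-count is 0")
    if props.get("require-secure-authentication") != "true":
        findings.append("binds accepted over cleartext connections")
    if props.get("allow-pre-encoded-passwords") == "true":
        findings.append("clients may store pre-hashed values of their choosing")
    return findings


if __name__ == "__main__":
    for finding in audit_policy(parse_policy_table(SAMPLE_OUTPUT)):
        print("-", finding)
```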
 <para>Yet a few basic protections are configured by default. When you import
 LDIF with <literal>userPassword</literal> values, OpenDJ hashes the values
 before storing them. When a user provides a password value, during a bind for
 example, the server hashes the value provided to compare it with the stored
 value. Even the directory manager cannot see the plain text value of a user's
 password.</para>
 <screen>$ ldapsearch
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --baseDN dc=example,dc=com
 uid=bjensen
 userpassword
dn: uid=bjensen,ou=People,dc=example,dc=com
userpassword: {SSHA}QWAtw8ch/9850HNFRRqLNMIQc1YhxCnOoGmk1g==</screen>
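 <para>The following added example, which is not part of the OpenDJ documentation, shows what the {SSHA} value above contains and how a bind compares a candidate password against it without the server ever holding the cleartext. It assumes the Salted SHA-1 layout base64(SHA-1(password + salt) + salt) with an 8-byte salt; the password and salt used for the round trip are constructed.</para>

```python
# Added example, not from the OpenDJ documentation: encode and verify values in
# the "Salted SHA-1" ({SSHA}) storage scheme that the default password policy
# uses. Assumed layout: base64( SHA-1(password + salt) + salt ) with an 8-byte
# salt, which is what OpenDJ produces for {SSHA}.
import base64
import hashlib
import hmac
import os

DIGEST_LEN = 20  # SHA-1 digest size in bytes
SALT_LEN = 8     # salt size used for {SSHA} values
PREFIX = "{SSHA}"

# The userpassword value shown for uid=bjensen on this page.
PAGE_VALUE = "{SSHA}QWAtw8ch/9850HNFRRqLNMIQc1YhxCnOoGmk1g=="


def encode_ssha(password: str, salt: bytes = None) -> str:
    """Return a {SSHA} value for password, as the server stores it."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(stored: str):
    """Split a {SSHA} value into (digest, salt); raise ValueError if malformed."""
    if not stored.startswith(PREFIX):
        raise ValueError("not a {SSHA} value")
    raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    if not len(raw) > DIGEST_LEN:
        raise ValueError("too short to hold a digest and a salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def verify_ssha(stored: str, candidate: str) -> bool:
    """What a bind does: re-hash the candidate with the stored salt and compare
    digests. compare_digest keeps the comparison constant-time."""
    digest, salt = split_ssha(stored)
    computed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, computed)


if __name__ == "__main__":
    digest, salt = split_ssha(PAGE_VALUE)
    # The stored value yields a 20-byte digest and an 8-byte salt, never the
    # cleartext: this is all cn=Directory Manager can read.
    print("digest bytes:", len(digest), "salt bytes:", len(salt))
    # Constructed password and salt, used only to show the round trip.
    stored = encode_ssha("constructed-password", salt=b"\x01" * SALT_LEN)
    print(stored)
    print(verify_ssha(stored, "constructed-password"))  # True
    print(verify_ssha(stored, "wrong-guess"))           # False
```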
 <para>In addition, users can change their passwords provided you have
 granted them access to do so. OpenDJ uses the <literal>userPassword</literal>
 attribute to store passwords by default, rather than the
 <literal>authPassword</literal> attribute, which is designed to store
 passwords hashed by the client application.</para>
 </section>
 <indexterm>
 </indexterm>
 <para>You manage subentry password policies by adding the subentries
 alongside the user data. Thus OpenDJ can replicate subentry password
 policies across servers.</para>
 <indexterm>
 </indexterm>
 <para>Subentry password policies support the Internet-Draft <link
 xlink:href="http://tools.ietf.org/html/draft-behera-ldap-password-policy-09"
 >Password Policy for LDAP Directories</link> (version 09). A subentry
 password policy effectively overrides settings in the default password
 policy defined in the OpenDJ configuration. Settings not supported or not
 included in the subentry password policy are thus inherited from the default
 password policy.</para>
 <para>As a result, the following Internet-Draft password policy attributes
 override the default password policy when you set them in the
 subentry.</para>
 <itemizedlist>
 <listitem><para><literal>pwdAllowUserChange</literal>, corresponding to the
 OpenDJ password policy property
 <literal>allow-user-password-changes</literal></para></listitem>
 <listitem><para><literal>pwdMustChange</literal>, corresponding to the
 OpenDJ password policy property
 <literal>force-change-on-reset</literal></para></listitem>
 <listitem><para><literal>pwdGraceAuthNLimit</literal>, corresponding to the
 OpenDJ password policy property
 <literal>grace-login-count</literal></para></listitem>
 <listitem><para><literal>pwdLockoutDuration</literal>, corresponding to the
 OpenDJ password policy property
 <literal>lockout-duration</literal></para></listitem>
 <listitem><para><literal>pwdMaxFailure</literal>, corresponding to the
 OpenDJ password policy property
 <literal>lockout-failure-count</literal></para></listitem>
 <listitem><para><literal>pwdFailureCountInterval</literal>, corresponding
 to the OpenDJ password policy property
 <literal>lockout-failure-expiration-interval</literal></para></listitem>
 <listitem><para><literal>pwdMaxAge</literal>, corresponding to the OpenDJ
 password policy property
 <literal>max-password-age</literal></para></listitem>
 <listitem><para><literal>pwdMinAge</literal>, corresponding to the OpenDJ
 password policy property
 <literal>min-password-age</literal></para></listitem>
 <listitem><para><literal>pwdAttribute</literal>, corresponding to the
 OpenDJ password policy property
 <literal>password-attribute</literal></para></listitem>
 <listitem><para><literal>pwdSafeModify</literal>, corresponding to the
 OpenDJ password policy property
 <literal>password-change-requires-current-password</literal></para></listitem>
 <listitem><para><literal>pwdExpireWarning</literal>, corresponding to the
 OpenDJ password policy property
 <literal>password-expiration-warning-interval</literal></para></listitem>
 <listitem><para><literal>pwdInHistory</literal>, corresponding to the
 OpenDJ password policy property
 <literal>password-history-count</literal></para></listitem>
 </itemizedlist>
 <para>The following Internet-Draft password policy attributes are not
 taken into account by OpenDJ.</para>
 <itemizedlist>
 <listitem>
 <para><literal>pwdCheckQuality</literal>, as OpenDJ has password
 validators. You can set password validators to use in the default
 password policy.</para>
 </listitem>
 <listitem>
 <para><literal>pwdMinLength</literal>, as this is handled by the Length
 Based Password Validator. You can configure this as part of the
 default password policy.</para>
 </listitem>
 <listitem>
 <para><literal>pwdLockout</literal>, as OpenDJ can deduce whether
 lockout is configured based on the values of other lockout-related
 password policy attributes.</para>
 </listitem>
 </itemizedlist>
 <para>Values of the following properties are inherited from the default
 password policy for Internet-Draft based password policies.</para>
 <itemizedlist>
 <listitem><para><literal>account-status-notification-handler</literal></para></listitem>
 <listitem><para><literal>allow-expired-password-changes</literal></para></listitem>
 <listitem><para><literal>allow-multiple-password-values</literal></para></listitem>
 <listitem><para><literal>allow-pre-encoded-passwords</literal></para></listitem>
 <listitem><para><literal>default-password-storage-scheme</literal></para></listitem>
 <listitem><para><literal>deprecated-password-storage-scheme</literal></para></listitem>
 <listitem><para><literal>expire-passwords-without-warning</literal></para></listitem>
 <listitem><para><literal>force-change-on-add</literal></para></listitem>
 <listitem><para><literal>idle-lockout-interval</literal></para></listitem>
 <listitem><para><literal>last-login-time-attribute</literal></para></listitem>
 <listitem><para><literal>last-login-time-format</literal></para></listitem>
 <listitem><para><literal>max-password-reset-age</literal></para></listitem>
 <listitem><para><literal>password-generator</literal></para></listitem>
 <listitem><para><literal>password-history-duration</literal></para></listitem>
 <listitem><para><literal>password-validator</literal></para></listitem>
 <listitem><para><literal>previous-last-login-time-format</literal></para></listitem>
 <listitem><para><literal>require-change-by-time</literal></para></listitem>
 <listitem><para><literal>require-secure-authentication</literal></para></listitem>
 <listitem><para><literal>require-secure-password-changes</literal></para></listitem>
 <listitem><para><literal>skip-validation-for-administrators</literal></para></listitem>
 <listitem><para><literal>state-update-failure-policy</literal></para></listitem>
 </itemizedlist>
 </section>
 <para>The password policy that applies to a user is identified by the
 operational attribute, <literal>pwdPolicySubentry</literal>.</para>
 <screen>$ ldapsearch --port 1389 --baseDN dc=example,dc=com uid=bjensen pwdPolicySubentry
dn: uid=bjensen,ou=People,dc=example,dc=com
pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config</screen>
 </section>
 </section>
 <para>You configure server based password policies using the
 <command>dsconfig</command> command. Notice that server based password
 policies are part of the server configuration, and therefore not replicated.
 Alternatively, you can configure a subset of password policy features using
 subentry based password policies that are stored with the replicated
 server data. This section covers both server based and subentry based
 password policies.</para>
 <indexterm>
 </indexterm>
 <para>You can reconfigure the default password policy for example to
 enforce password expiration, check that passwords do not match dictionary
 words, and prevent password reuse. This default policy is a server based
 password policy.</para>
 <para>Enable the appropriate password validator.</para>
 <screen>$ dsconfig
 set-password-validator-prop
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --validator-name Dictionary
 --set enabled:true
 --set check-substrings:true
 --set min-substring-length:4
 --trustAll
 --no-prompt</screen>
 <para>Apply the changes to the default password policy.</para>
 <screen>$ dsconfig
 set-password-policy-prop
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --policy-name "Default Password Policy"
 --set max-password-age:90d
 --set min-password-age:4w
 --set password-history-count:7
 --set password-validator:Dictionary
 --trustAll
 --no-prompt</screen>
 <screen>$ dsconfig
 get-password-policy-prop
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --policy-name "Default Password Policy"
Property                                  : Value(s)
------------------------------------------:--------------------------
account-status-notification-handler       : -
allow-expired-password-changes            : false
allow-user-password-changes               : true
default-password-storage-scheme           : Salted SHA-1
deprecated-password-storage-scheme        : -
expire-passwords-without-warning          : false
force-change-on-add                       : false
force-change-on-reset                     : false
grace-login-count                         : 0
idle-lockout-interval                     : 0 s
last-login-time-attribute                 : -
last-login-time-format                    : -
lockout-duration                          : 0 s
lockout-failure-count                     : 0
lockout-failure-expiration-interval       : 0 s
max-password-age                          : 12 w 6 d
max-password-reset-age                    : 0 s
min-password-age                          : 4 w
password-attribute                        : userpassword
password-change-requires-current-password : false
password-expiration-warning-interval      : 5 d
password-generator                        : Random Password Generator
password-history-count                    : 7
password-history-duration                 : 0 s
password-validator                        : Dictionary
previous-last-login-time-format           : -
require-change-by-time                    : -
require-secure-authentication             : false
require-secure-password-changes           : false</screen>
 </procedure>
 <title>To Create a Server Based Password Policy</title>
 <para>You can add a password policy for example for new users who have not
 yet used their credentials to bind.</para>
 <screen>$ dsconfig
 create-password-policy
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --policy-name "New Account Password Policy"
 --set default-password-storage-scheme:"Salted SHA-1"
 --set force-change-on-add:true
 --set password-attribute:userPassword
 --type password-policy
 --trustAll
 --no-prompt</screen>
 <screen>$ dsconfig
 get-password-policy-prop
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --policy-name "New Account Password Policy"
Property                                  : Value(s)
------------------------------------------:-------------
account-status-notification-handler       : -
allow-expired-password-changes            : false
allow-user-password-changes               : true
default-password-storage-scheme           : Salted SHA-1
deprecated-password-storage-scheme        : -
expire-passwords-without-warning          : false
force-change-on-add                       : true
force-change-on-reset                     : false
grace-login-count                         : 0
idle-lockout-interval                     : 0 s
last-login-time-attribute                 : -
last-login-time-format                    : -
lockout-duration                          : 0 s
lockout-failure-count                     : 0
lockout-failure-expiration-interval       : 0 s
max-password-age                          : 0 s
max-password-reset-age                    : 0 s
min-password-age                          : 0 s
password-attribute                        : userpassword
password-change-requires-current-password : false
password-expiration-warning-interval      : 5 d
password-generator                        : -
password-history-count                    : 0
password-history-duration                 : 0 s
password-validator                        : -
previous-last-login-time-format           : -
require-change-by-time                    : -
require-secure-authentication             : false
require-secure-password-changes           : false</screen>
 <para>If you use a password policy like this, you might want to change the
 user's policy again when the new user successfully updates the
 password.</para>
 </procedure>
 <title>To Create a Subentry Based Password Policy</title>
 <para>You can add a subentry to configure a password policy that
 applies to Directory Administrators.</para>
 <para>Create the entry that specifies the password policy.</para>
 <screen>dn: cn=Subentry Password Policy,dc=example,dc=com
objectClass: top
objectClass: subentry
objectClass: pwdPolicy
cn: Subentry Password Policy
pwdAttribute: userPassword
pwdLockout: TRUE
pwdMaxFailure: 3
pwdFailureCountInterval: 300
pwdLockoutDuration: 300
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
subtreeSpecification: {base "ou=people", specificationFilter
 "(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }</screen>
 <screen>$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --defaultAdd
Processing ADD request for cn=Subentry Password Policy,dc=example,dc=com
ADD operation successful for DN cn=Subentry Password Policy,dc=example,dc=com</screen>
 <para>Check that the policy applies as specified.</para>
 <para>In the example, the policy should apply to a Directory Administrator,
 while a normal user has the default password policy. Here, Kirsten Vaughan
 is a member of the Directory Administrators group, and Babs Jensen is not
 a member.</para>
 <screen>$ ldapsearch
 --port 1389
 --baseDN dc=example,dc=com
 uid=kvaughan
 pwdPolicySubentry
dn: uid=kvaughan,ou=People,dc=example,dc=com
pwdPolicySubentry: cn=Subentry Password Policy,dc=example,dc=com
$ ldapsearch
 --port 1389
 --baseDN dc=example,dc=com
 uid=bjensen
 pwdPolicySubentry
dn: uid=bjensen,ou=People,dc=example,dc=com
pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config</screen>
 </procedure>
 </section>
 <para>You assign subentry based password policies for a subtree of the DIT by
 adding the policy to an LDAP subentry whose immediate superior is the root of
 the subtree. In other words, you can add the subentry based password policy
 under <literal>ou=People,dc=example,dc=com</literal> to have it apply to all
 entries under <literal>ou=People,dc=example,dc=com</literal>. You can further
 use the capabilities of LDAP <link
 xlink:href="http://tools.ietf.org/html/rfc3672">subentries</link>, such as a
 <literal>subtreeSpecification</literal> with a filter as in the procedure
 above, to refine the scope of application.</para>
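The scoping rule just described, as an added Python model (not OpenDJ code): the subtree root is the specification's base relative to the subentry's immediate superior, and the specificationFilter refines which entries under it are governed. The entries and group membership are constructed sample data; only the simple (attr=value) filter form is supported, which is an assumption of this model.

```python
import re
from typing import Dict, List, Set

# Constructed sample data, not entries from the page's data set.
DIR_ADMINS = "cn=Directory Administrators,ou=Groups,dc=example,dc=com"
ENTRIES: Dict[str, Dict[str, Set[str]]] = {
    "uid=kvaughan,ou=People,dc=example,dc=com": {"isMemberOf": {DIR_ADMINS}},
    "uid=bjensen,ou=People,dc=example,dc=com": {"isMemberOf": set()},
    # An administrator outside ou=People: the base keeps the policy from reaching her.
    "uid=admin2,ou=Special Users,dc=example,dc=com": {"isMemberOf": {DIR_ADMINS}},
}

SUBENTRY_DN = "cn=Subentry Password Policy,dc=example,dc=com"
SUBTREE_SPEC = ('{base "ou=people", specificationFilter '
                '"(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }')
DEFAULT_POLICY = "cn=Default Password Policy,cn=Password Policies,cn=config"


def normalize_dn(dn: str) -> List[str]:
    """RDNs, lowercased and trimmed. Escaped commas inside values are not handled."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def parse_subtree_specification(spec: str) -> Dict[str, str]:
    """Pull base and specificationFilter out of the RFC 3672 '{ ... }' syntax."""
    parsed = {}
    for key in ("base", "specificationFilter"):
        match = re.search(r'\b%s\s+"([^"]*)"' % key, spec)
        parsed[key] = match.group(1) if match else ""
    return parsed


def filter_matches(entry: Dict[str, Set[str]], ldap_filter: str) -> bool:
    """Equality filter only, e.g. (isMemberOf=cn=...); values compared case-insensitively."""
    match = re.fullmatch(r"\((\w+)=(.+)\)", ldap_filter.strip())
    if not match:
        raise ValueError("unsupported filter: %r" % ldap_filter)
    attr, value = match.group(1), match.group(2)
    return any(v.lower() == value.lower() for v in entry.get(attr, set()))


def in_scope(entry_dn: str, entry: Dict[str, Set[str]], subentry_dn: str, spec: str) -> bool:
    """Is entry_dn governed by the subentry's subtree specification?"""
    parsed = parse_subtree_specification(spec)
    admin_point = normalize_dn(subentry_dn)[1:]        # drop the subentry's own RDN
    base = normalize_dn(parsed["base"]) if parsed["base"] else []
    root = base + admin_point                           # e.g. ou=people,dc=example,dc=com
    rdns = normalize_dn(entry_dn)
    if len(rdns) < len(root) or rdns[-len(root):] != root:
        return False                                    # not under the subtree root
    if not parsed["specificationFilter"]:
        return True
    return filter_matches(entry, parsed["specificationFilter"])


def policy_for(entry_dn: str) -> str:
    """The policy DN that pwdPolicySubentry would report for the entry."""
    if in_scope(entry_dn, ENTRIES[entry_dn], SUBENTRY_DN, SUBTREE_SPEC):
        return SUBENTRY_DN
    return DEFAULT_POLICY
```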
 <para>You assign server based password policies by using the
 <literal>ds-pwp-password-policy-dn</literal> attribute.</para>
 <para>Prevent users from selecting their own password policy.</para>
 <screen>dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (target ="ldap:///uid=*,ou=People,dc=example,dc=com")(targetattr =
 "ds-pwp-password-policy-dn")(version 3.0;acl "Cannot choose own pass
 word policy";deny (write)(userdn = "ldap:///self");)
$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
Processing MODIFY request for ou=People,dc=example,dc=com
MODIFY operation successful for DN ou=People,dc=example,dc=com</screen>
 <para>Update the user's <literal>ds-pwp-password-policy-dn</literal>
 attribute.</para>
 <screen>dn: uid=newuser,ou=People,dc=example,dc=com
uid: newuser
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: top
cn: New User
mail: newuser@example.com
userPassword: changeme
ds-pwp-password-policy-dn: cn=New Account Password Policy,cn=Password Policies,
 cn=config
$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --defaultAdd
Processing ADD request for uid=newuser,ou=People,dc=example,dc=com
ADD operation successful for DN uid=newuser,ou=People,dc=example,dc=com</screen>
 <screen>$ ldapsearch
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --baseDN dc=example,dc=com
 uid=newuser
 pwdPolicySubentry
dn: uid=newuser,ou=People,dc=example,dc=com
pwdPolicySubentry: cn=New Account Password Policy,cn=Password Policies,cn=config</screen>
 </procedure>
 <para>Create a subentry defining the collective attribute that sets the
 <literal>ds-pwp-password-policy-dn</literal> attribute for group
 members' entries.</para>
 <screen>dn: cn=Password Policy for Dir Admins,dc=example,dc=com
objectClass: collectiveAttributeSubentry
objectClass: extensibleObject
objectClass: subentry
objectClass: top
cn: Password Policy for Dir Admins
ds-pwp-password-policy-dn;collective: cn=Root Password Policy,cn=Pass
 word Policies,cn=config
subtreeSpecification: { base "ou=People", specificationFilter "(isMemberOf=
 cn=Directory Administrators,ou=Groups,dc=example,dc=com)"}
$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --defaultAdd
Processing ADD request for cn=Password Policy for Dir Admins,dc=example,dc=com
ADD operation successful for DN cn=Password Policy for Dir
 Admins,dc=example,dc=com</screen>
 <screen>$ ldapsearch
 --port 1389
 --baseDN dc=example,dc=com
 uid=kvaughan
 pwdPolicySubentry
dn: uid=kvaughan,ou=People,dc=example,dc=com
pwdPolicySubentry: cn=Root Password Policy,cn=Password Policies,cn=config</screen>
 </procedure>
 </section>
 <para>Password generators are used by OpenDJ during the LDAP password modify
 extended operation to construct a new password for the user. In other words,
 a directory administrator resetting a user's password can have OpenDJ
 directory server generate the new password.</para>
 <screen>$ ldappasswordmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --authzID "u:bjensen"
The LDAP password modify operation was successful
Generated Password: eak77qdi</screen>
 <para>The default password policy shown in <xref linkend="default-pwp" /> uses
 the Random Password Generator.</para>
 <screen>$ dsconfig
 get-password-policy-prop
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --policy-name "Default Password Policy"
 --property password-generator
Property : Value(s)
-------------------:--------------------------
password-generator : Random Password Generator
$ dsconfig
 get-password-generator-prop
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --generator-name "Random Password Generator"
Property : Value(s)
-----------------------:-----------------------------------------------------
enabled : true
password-character-set : alpha:abcdefghijklmnopqrstuvwxyz, numeric:0123456789
password-format : "alpha:3,numeric:2,alpha:3"</screen>
 <para>Notice that the default configuration for the Random Password Generator
 defines two <literal>password-character-set</literal> values, and then uses
 those definitions in the <literal>password-format</literal> so that generated
 passwords have eight characters: three from the <literal>alpha</literal> set,
 followed by two from the <literal>numeric</literal> set, followed by three
 more from the <literal>alpha</literal> set. The
 <literal>password-character-set</literal> name must be ASCII.</para>
 <para>To set the password generator that OpenDJ employs when constructing a
 new password for a user, set the <literal>password-generator</literal>
 property for the password policy that applies to the user.</para>
 <para>The following example does not change the password policy, but instead
 changes the Random Password Generator configuration, and then demonstrates a
 password being generated upon reset.</para>
 <screen>$ dsconfig
 set-password-generator-prop
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --generator-name "Random Password Generator"
 --remove password-character-set:alpha:abcdefghijklmnopqrstuvwxyz
 --add password-character-set:alpha:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
 --add password-character-set:punct:,./\`!@#\$%^&*:\;[]\"\'\(\)+=-_~\\
 --set password-format:alpha:3,punct:1,numeric:2,punct:2,numeric:3,alpha:3,punct:2
 --no-prompt
$ ldappasswordmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --authzID "u:bjensen"
The LDAP password modify operation was successful
Generated Password: pld^06:)529HTq$'</screen>
 <para>If you also set up a password validator in the password policy as
 shown in <xref linkend="default-pwp" /> and further described in
 <xref linkend="configure-pwd-validation" />, make sure the generated
 passwords are acceptable to the validator.</para>
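How the character sets and format above combine into a password, as an added Python model (not OpenDJ's generator): it parses password-character-set and password-format values, draws characters with a cryptographic source, checks the two sample passwords shown above against their formats, and estimates the entropy of the default eight-character format. The set and format strings are copied from the output above; the helper names are this example's own.

```python
import math
import secrets
from typing import Dict, List, Tuple

# Values as shown by get-password-generator-prop above.
DEFAULT_SETS = ["alpha:abcdefghijklmnopqrstuvwxyz", "numeric:0123456789"]
DEFAULT_FORMAT = "alpha:3,numeric:2,alpha:3"

# The modified configuration from the set-password-generator-prop example,
# with the shell escaping removed.
MODIFIED_SETS = [
    "alpha:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    "numeric:0123456789",
    "punct:,./`!@#$%^&*:;[]\"'()+=-_~\\",
]
MODIFIED_FORMAT = "alpha:3,punct:1,numeric:2,punct:2,numeric:3,alpha:3,punct:2"


def parse_character_sets(values: List[str]) -> Dict[str, str]:
    """'name:characters' -> {name: characters}; names must be ASCII and unique."""
    sets: Dict[str, str] = {}
    for value in values:
        name, _, chars = value.partition(":")
        if not name.isascii() or not chars or name in sets:
            raise ValueError("bad password-character-set value: %r" % value)
        sets[name] = chars
    return sets


def parse_format(fmt: str) -> List[Tuple[str, int]]:
    """'alpha:3,numeric:2' -> [('alpha', 3), ('numeric', 2)]."""
    parts = []
    for item in fmt.split(","):
        name, _, count = item.partition(":")
        if not count.isdigit() or int(count) < 1:
            raise ValueError("bad password-format element: %r" % item)
        parts.append((name, int(count)))
    return parts


def generate_password(set_values: List[str], fmt: str) -> str:
    """Draw each position from the set its format element names."""
    sets = parse_character_sets(set_values)
    out = []
    for name, count in parse_format(fmt):
        if name not in sets:
            raise ValueError("password-format refers to unknown set %r" % name)
        out.extend(secrets.choice(sets[name]) for _ in range(count))
    return "".join(out)


def matches_format(password: str, set_values: List[str], fmt: str) -> bool:
    """True when every position of the password comes from the set the format names."""
    sets = parse_character_sets(set_values)
    pos = 0
    for name, count in parse_format(fmt):
        for _ in range(count):
            if pos >= len(password) or password[pos] not in sets.get(name, ""):
                return False
            pos += 1
    return pos == len(password)


def entropy_bits(set_values: List[str], fmt: str) -> float:
    """Bits of entropy a format yields: sum over positions of log2(distinct set size)."""
    sets = parse_character_sets(set_values)
    return sum(count * math.log2(len(set(sets[name]))) for name, count in parse_format(fmt))
```

The default format yields under 35 bits, which is why the modified configuration above lengthens the format and widens the sets before relying on generated passwords.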
 </section>
 <para>Password storage schemes encode new passwords provided by users before
 they are stored. This makes it difficult or impossible for someone to
 recover the clear-text passwords from the encoded values. Password storage
 schemes also determine whether a clear-text password provided by a client
 matches the encoded value stored in the server.</para>
 <para>OpenDJ offers a variety of both reversible and one-way password storage
 schemes. Some schemes make it easy to recover the clear-text password,
 whereas others aim to make it computationally hard to do so. Base64 and
 Clear provide no protection at all, and the reversible ciphers protect only
 against someone who cannot obtain the server's encryption key.</para>
 <screen>$ dsconfig
 list-password-storage-schemes
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
Password Storage Scheme : Type : enabled
------------------------:---------------:--------
3DES : triple-des : true
AES : aes : true
Base64 : base64 : true
Blowfish : blowfish : true
Clear : clear : true
CRYPT : crypt : true
MD5 : md5 : true
PBKDF2 : pbkdf2 : true
RC4 : rc4 : true
Salted MD5 : salted-md5 : true
Salted SHA-1 : salted-sha1 : true
Salted SHA-256 : salted-sha256 : true
Salted SHA-384 : salted-sha384 : true
Salted SHA-512 : salted-sha512 : true
SHA-1 : sha1 : true</screen>
 <para>As shown in <xref linkend="default-pwp" />, the default password storage
 scheme for users is Salted SHA-1. When you add users or import user entries
 with <literal>userPassword</literal> values in clear text, OpenDJ hashes them
 with the default password storage scheme. Root DN users have a different
 password policy by default, shown in <xref linkend="assign-pwp-to-group" />.
 The Root Password Policy uses Salted SHA-512 by default.</para>
 <para>You change the default password policy storage scheme for users by
 changing the applicable password policy, as shown in the following
 example.</para>
 <screen>$ dsconfig
 set-password-policy-prop
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --policy-name "Default Password Policy"
 --set default-password-storage-scheme:pbkdf2
 --no-prompt</screen>
 <para>Notice that the change in default password storage scheme does not
 cause OpenDJ to update any stored password values. By default, OpenDJ only
 stores a password with the new storage scheme the next time that the password
 is changed.</para>
 <para>OpenDJ prefixes passwords with the scheme used to encode them, which
 means it is straightforward to see which password storage scheme is in use.
 After the default password storage scheme is changed to PBKDF2, old user
 passwords remain encoded with Salted SHA-1.</para>
 <screen>$ ldapsearch
 --port 1389
 --bindDN uid=bjensen,ou=people,dc=example,dc=com
 --bindPassword hifalutin
 --baseDN dc=example,dc=com
 "(uid=bjensen)" userPassword
dn: uid=bjensen,ou=People,dc=example,dc=com
userPassword: {SSHA}Rc3tkAj1qP5zGiRkwDIWDFxrxpGgO8Fwh3aibg==</screen>
 <para>When the password is changed, the new default password storage scheme
 takes effect, as shown in the following example.</para>
 <screen>$ ldappasswordmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --authzID "u:bjensen"
 --newPassword changeit
The LDAP password modify operation was successful
$ ldapsearch
 --port 1389
 --bindDN uid=bjensen,ou=people,dc=example,dc=com
 --bindPassword changeit
 --baseDN dc=example,dc=com
 "(uid=bjensen)" userPassword
dn: uid=bjensen,ou=People,dc=example,dc=com
userPassword: {PBKDF2}10000:O3V6G7y7n7AefOkRGNKQ5ukrMuO5uf+iEQ9ZLg==</screen>
 <para>When you change the password storage scheme for users, realize that
 the user passwords must change in order for OpenDJ to encode them with
 the chosen storage scheme. If you are changing the storage scheme because
 the old scheme was too weak, then you no doubt want users to change their
 passwords anyway.</para>
 <para>If, however, the change of storage scheme is not related to a
 vulnerability, you can use the
 <literal>deprecated-password-storage-scheme</literal>
 property of the password policy to have OpenDJ store the password in the new
 format after successful authentication. This makes it possible to do password
 migration for active users without forcing users to change their
 passwords.</para>
 <screen>$ ldapsearch
 --port 1389
 --bindDN uid=kvaughan,ou=people,dc=example,dc=com
 --bindPassword bribery
 --baseDN dc=example,dc=com
 "(uid=kvaughan)" userPassword
dn: uid=kvaughan,ou=People,dc=example,dc=com
userPassword: {SSHA}hDgK44F2GhIIZj913b+29Ak7phb9oU3Lz4ogkg==
$ dsconfig
 set-password-policy-prop
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --policy-name "Default Password Policy"
 --set deprecated-password-storage-scheme:"Salted SHA-1"
 --no-prompt
$ ldapsearch
 --port 1389
 --bindDN uid=kvaughan,ou=people,dc=example,dc=com
 --bindPassword bribery
 --baseDN dc=example,dc=com
 "(uid=kvaughan)" userPassword
dn: uid=kvaughan,ou=People,dc=example,dc=com
userPassword: {PBKDF2}10000:L4dCYqSsNnf47YZ3a6aC8K2E3DChhHHhpcoUzg==</screen>
 <para>Notice that with <literal>deprecated-password-storage-scheme</literal>
 set appropriately, Kirsten Vaughan's password was hashed again after she
 authenticated successfully.</para>
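The two encodings shown above and the re-encoding on successful bind, as an added Python model (not OpenDJ code). It assumes the layout digest followed by an 8-byte salt, with PBKDF2 using HMAC-SHA-1, which is consistent with the 28 bytes the values above decode to; the function names and the entry dictionary are this example's own.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Set, Tuple

SALT_LEN = 8     # assumed salt length: the values above decode to 20 + 8 bytes
DIGEST_LEN = 20  # SHA-1 output, used by SSHA and (assumed) by PBKDF2 with HMAC-SHA-1


def encode_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-1: {SSHA}base64(sha1(password || salt) || salt)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def encode_pbkdf2(password: str, iterations: int = 10000, salt: Optional[bytes] = None) -> str:
    """{PBKDF2}iterations:base64(pbkdf2_hmac_sha1(password, salt, iterations) || salt)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, DIGEST_LEN)
    return "{PBKDF2}%d:%s" % (iterations, base64.b64encode(digest + salt).decode("ascii"))


def scheme_of(stored: str) -> str:
    """The scheme prefix OpenDJ places in front of every encoded value, e.g. 'SSHA'."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("stored value carries no scheme prefix")
    return stored[1:stored.index("}")].upper()


def parse_stored(stored: str) -> Tuple[str, int, bytes, bytes]:
    """Split a stored value into (scheme, iterations, digest, salt); iterations is 0 for SSHA."""
    scheme = scheme_of(stored)
    body = stored[stored.index("}") + 1:]
    iterations = 0
    if scheme == "PBKDF2":
        iters_text, body = body.split(":", 1)
        iterations = int(iters_text)
    elif scheme != "SSHA":
        raise ValueError("unsupported scheme: " + scheme)
    raw = base64.b64decode(body)
    return scheme, iterations, raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def password_matches(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    scheme, iterations, digest, salt = parse_stored(stored)
    if scheme == "SSHA":
        candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    else:
        candidate = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                                        iterations, DIGEST_LEN)
    return hmac.compare_digest(candidate, digest)


ENCODERS = {"SSHA": encode_ssha, "PBKDF2": encode_pbkdf2}


def bind_and_migrate(entry: dict, password: str,
                     default_scheme: str, deprecated_schemes: Set[str]) -> bool:
    """Model of a simple bind under a policy with deprecated-password-storage-scheme set.

    The clear-text password is only available to the server during the bind, so that
    is the moment a value in a deprecated scheme can be re-encoded with the default
    scheme. A failed bind changes nothing."""
    stored = entry["userPassword"]
    if not password_matches(password, stored):
        return False
    if scheme_of(stored) in deprecated_schemes and scheme_of(stored) != default_scheme:
        entry["userPassword"] = ENCODERS[default_scheme](password)
    return True
```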
 </section>
 <para>Password validators are responsible for determining whether a proposed
 password is acceptable for use and can run checks like ensuring the password
 meets minimum length requirements, that it has an appropriate range of
 characters, or that it is not in the history. OpenDJ directory server
 provides a variety of password validators.</para>
 <screen>$ dsconfig
 list-password-validators
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
Password Validator : Type : enabled
------------------------------------:---------------------:--------
Attribute Value : attribute-value : true
Character Set : character-set : true
Dictionary : dictionary : false
Length-Based Password Validator : length-based : true
Repeated Characters : repeated-characters : true
Similarity-Based Password Validator : similarity-based : true
Unique Characters : unique-characters : true</screen>
 <para>The password policy for a user specifies the set of password validators
 that should be used whenever that user provides a new password. By default
 no password validators are configured. You can see an example setting the
 Default Password Policy to use the Dictionary validator in
 <xref linkend="default-pwp" />. The following example shows how to set up
 a custom password validator and assign it to the default password
 policy.</para>
 <itemizedlist>
 <para>The custom password validator ensures passwords meet at least three of
 the following four criteria. Passwords are composed of:</para>
 <listitem>
 <para>English lowercase characters (a through z)</para>
 </listitem>
 <listitem>
 <para>English uppercase characters (A through Z)</para>
 </listitem>
 <listitem>
 <para>Base 10 digits (0 through 9)</para>
 </listitem>
 <listitem>
 <para>Non-alphabetic characters (for example, !, $, #, %)</para>
 </listitem>
 </itemizedlist>
 <para>Notice how the <literal>character-set</literal> values are constructed.
 The initial <literal>0:</literal> means the set is optional, whereas
 <literal>1:</literal> would mean the set is required.</para>
 <screen>$ dsconfig
 create-password-validator
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --validator-name "Custom Character Set Password Validator"
 --set allow-unclassified-characters:true
 --set enabled:true
 --set character-set:0:abcdefghijklmnopqrstuvwxyz
 --set character-set:0:ABCDEFGHIJKLMNOPQRSTUVWXYZ
 --set character-set:0:0123456789
 --set character-set:0:!\"#\$%&\'\(\)*+,-./:\;\\<=\>?@[\\]^_\`{\|}~
 --set min-character-sets:3
 --type character-set
 --no-prompt
$ dsconfig
 set-password-policy-prop
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --policy-name "Default Password Policy"
 --set password-validator:"Custom Character Set Password Validator"
 --no-prompt
$ ldappasswordmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --authzID "u:bjensen"
 --newPassword '!ABcd$%^'</screen>
 <para>In the preceding example, the character set of ASCII punctuation,
 <literal>!\"#\$%&\'\(\)*+,-./:\;\\<=\>?@[\\]^_\`{\|}~</literal>,
 is hard to read because of all the escape characters. In practice it can
 be easier to enter sequences like that by using <command>dsconfig</command>
 in interactive mode, and letting it do the escaping for you. You can also
 use the <option>--commandFilePath {path}</option> option to save the result
 of your interactive session to a file for use in scripts later.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>An attempt to set an invalid password fails as shown in the following
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark example.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ ldappasswordmodify
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 1389
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --authzID "u:bjensen"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --newPassword hifalutin
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark The LDAP password modify operation failed with result code 19
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkError Message: The provided new password failed the validation checks defined
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkin the server: The provided password did not contain characters from at least
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark3 of the following character sets or ranges: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark'!"#$%&'()*+,-./:;<=\>?@[\]^_`{|}~', '0123456789', 'abcdefghijklmnopqrstuvwxyz'</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Validation does not affect existing passwords, but only takes effect
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark when the password is updated.</para>
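 <para>The following Python script is an added example, not code from OpenDJ or
 from this guide. It models the rules that the validator properties above
 express, so that a policy can be checked against candidate passwords offline
 before it is pushed to the directory: <literal>parse_character_set</literal>
 reads <literal>0:</literal> and <literal>1:</literal> values,
 <literal>validate_password</literal> applies required sets,
 <literal>min-character-sets</literal> and
 <literal>allow-unclassified-characters</literal>, and
 <literal>dsconfig_set_arguments</literal> produces single-quoted
 <option>--set</option> arguments that a POSIX shell passes through unchanged.
 The function names, the sample passwords, and the assumption that
 <literal>min-character-sets</literal> counts only optional sets are the
 example's own; confirm that last point against a live server before relying
 on it.</para>

```python
"""Offline model of a character-set password validator.

Added example, not the server's own code: it reproduces the rules that the
dsconfig properties express so that candidate passwords and policy settings
can be checked before they reach the directory.
"""
import shlex
import string

# Constructed policy matching the validator created with dsconfig above.
# The four values equal the --set character-set values (string.punctuation
# is exactly the ASCII punctuation set used in the example).
CHARACTER_SET_VALUES = [
    "0:" + string.ascii_lowercase,
    "0:" + string.ascii_uppercase,
    "0:" + string.digits,
    "0:" + string.punctuation,
]


def parse_character_set(value):
    """Parse one character-set value: '0:chars' (optional) or '1:chars' (required).

    Returns (required, characters); rejects anything else."""
    flag, sep, chars = value.partition(":")
    if sep != ":" or flag not in ("0", "1") or not chars:
        raise ValueError(f"malformed character-set value: {value!r}")
    return flag == "1", chars


def validate_password(password, character_set_values, min_character_sets,
                      allow_unclassified_characters):
    """Return (accepted, reason) for password under the given settings.

    Assumption (verify against a live server): min-character-sets counts only
    optional sets; every required set must be represented regardless.
    """
    sets = [parse_character_set(v) for v in character_set_values]
    seen = [False] * len(sets)
    for ch in password:
        for i, (_required, chars) in enumerate(sets):
            if ch in chars:
                seen[i] = True
                break
        else:  # the character belongs to none of the sets
            if not allow_unclassified_characters:
                return False, f"character {ch!r} is not in any character set"
    for (required, chars), hit in zip(sets, seen):
        if required and not hit:
            return False, f"no character from required set {chars!r}"
    optional_used = sum(1 for (required, _), hit in zip(sets, seen)
                        if hit and not required)
    if min_character_sets > optional_used:
        return False, (f"only {optional_used} optional character set(s) used, "
                       f"at least {min_character_sets} needed")
    return True, "accepted"


def dsconfig_set_arguments(character_set_values):
    """Return shell-safe --set arguments for a POSIX shell.

    shlex.quote wraps a value containing shell metacharacters in single
    quotes, so ampersand, semicolon, pipe and dollar are passed literally;
    an embedded single quote becomes '"'"' (close, quote, reopen).
    """
    return ["--set " + shlex.quote("character-set:" + v)
            for v in character_set_values]


if __name__ == "__main__":
    # Sample passwords constructed for the example; the first two are the
    # accepted and rejected values from the ldappasswordmodify runs above.
    for candidate in ("!ABcd$%^", "hifalutin", "Passw0rd"):
        print(candidate, validate_password(candidate, CHARACTER_SET_VALUES,
                                           3, True))
    print("\n".join(dsconfig_set_arguments(CHARACTER_SET_VALUES)))
```

 <para>Running the script prints the verdict for each sample password and the
 quoted <option>--set</option> arguments, which can be pasted into a
 <command>dsconfig</command> command line. Because the shell, not the
 directory server, is the one stripping quotes and backslashes, check the
 stored value afterwards with <command>dsconfig get-password-validator-prop</command>
 so that a quoting mistake does not silently shrink the punctuation set.</para>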
 </section>