chap-pwd-policy.xml revision 97cb8289f277962530b3890287205dca5401bb4a
<?xml version="1.0" encoding="UTF-8"?>
<!--
  ! CCPL HEADER START
  !
  ! This work is licensed under the Creative Commons
  ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
  ! To view a copy of this license, visit
  ! http://creativecommons.org/licenses/by-nc-nd/3.0/
  ! or send a letter to Creative Commons, 444 Castro Street,
  ! Suite 900, Mountain View, California, 94041, USA.
  !
  ! You can also obtain a copy of the license at
  ! trunk/opendj3/legal-notices/CC-BY-NC-ND.txt.
  ! See the License for the specific language governing permissions
  ! and limitations under the License.
  !
  ! If applicable, add the following below this CCPL HEADER, with the fields
  ! enclosed by brackets "[]" replaced with your own identifying information:
  !      Portions Copyright [yyyy] [name of copyright owner]
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2014 ForgeRock AS
  !
-->
<chapter xml:id='chap-pwd-policy'
         xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
         xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
         xsi:schemaLocation='http://docbook.org/ns/docbook
                             http://docbook.org/xml/5.0/xsd/docbook.xsd'
         xmlns:xlink='http://www.w3.org/1999/xlink'>
 <title>Configuring Password Policy</title>
 <indexterm><primary>Password policy</primary></indexterm>

 <para>If your applications authenticate against the directory and you want
 one password policy across your organization, the directory is a good place
 to enforce that policy uniformly. Even if you do not rely on the directory
 for all of your password policy, you still need to consider directory
 password policy, if only to choose an appropriate password storage
 scheme.</para>

 <para>This chapter covers password policy, including examples of how
 to configure password policies for common use cases.</para>

 <section xml:id="pwp-overview">
  <title>About OpenDJ Password Policies</title>

  <para>OpenDJ password policies govern not only passwords, but also account
  lockout, and how OpenDJ provides notification about account status.</para>

  <para>OpenDJ supports password policies as part of the server configuration,
  and also subentry password policies as part of the (replicated) user
  data.</para>

  <section xml:id="pwp-per-server">
   <title>Server Based Password Policies</title>

   <para>You manage server based password policies in the OpenDJ configuration
   by using the <command>dsconfig</command> command. As they are part of the
   server configuration, such password policies are not replicated. You must
   instead apply password policy configuration updates to each replica in your
   deployment.</para>

   <para>By default, OpenDJ includes two password policy configurations, one
   default for all users, and another for directory root DN users, such as
   <literal>cn=Directory Manager</literal>. You can see all the default password
   policy settings using the <command>dsconfig</command> command as
   follows.</para>

   <screen>$ dsconfig
 get-password-policy-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --policy-name "Default Password Policy"
 --advanced
Property : Value(s)
------------------------------------------:--------------------------
account-status-notification-handler : -
allow-expired-password-changes : false
allow-multiple-password-values : false
allow-pre-encoded-passwords : false
allow-user-password-changes : true
default-password-storage-scheme : Salted SHA-1
deprecated-password-storage-scheme : -
expire-passwords-without-warning : false
force-change-on-add : false
force-change-on-reset : false
grace-login-count : 0
idle-lockout-interval : 0 s
last-login-time-attribute : -
last-login-time-format : -
lockout-duration : 0 s
lockout-failure-count : 0
lockout-failure-expiration-interval : 0 s
max-password-age : 0 s
max-password-reset-age : 0 s
min-password-age : 0 s
password-attribute : userpassword
password-change-requires-current-password : false
password-expiration-warning-interval : 5 d
password-generator : Random Password Generator
password-history-count : 0
password-history-duration : 0 s
password-validator : -
previous-last-login-time-format : -
require-change-by-time : -
require-secure-authentication : false
require-secure-password-changes : false
skip-validation-for-administrators : false
state-update-failure-policy : reactive</screen>

   <para>See the <citetitle>OpenDJ Configuration Reference</citetitle> page
   on <link xlink:show="new"
   xlink:href="${configRefBase}password-policy.html"
   ><citetitle>Password Policy</citetitle></link> for detailed descriptions of
   each property.</para>

   <para>Notice that many capabilities are not set by default: no lockout, no
   password expiration, no multiple passwords, and no password validator to
   check that passwords contain an appropriate mix of characters. This means
   that if you decide to use the directory to enforce password policy, you
   must configure at least the default password policy to meet your
   needs.</para>

   <para>Yet a few basic protections are configured by default. When you import
   LDIF with <literal>userPassword</literal> values, OpenDJ hashes the values
   before storing them. When a user provides a password value, during a bind
   for example, the server hashes the provided value and compares the result
   with the stored value. Even the directory manager cannot see the plain text
   value of a user's password. Bear in mind that Salted SHA-1 is fast to
   compute, so it does little to slow down offline guessing if the stored
   hashes are ever stolen; if your version of OpenDJ provides a stretched
   scheme such as PBKDF2, consider it when choosing the
   <literal>default-password-storage-scheme</literal>.</para>

   <screen>$ ldapsearch
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --baseDN dc=example,dc=com
 uid=bjensen
 userpassword
dn: uid=bjensen,ou=People,dc=example,dc=com
userpassword: {SSHA}QWAtw8ch/9850HNFRRqLNMIQc1YhxCnOoGmk1g==</screen>
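   <para>The following Python example is added to this chapter and is not
   OpenDJ code. It shows what the bind comparison described above does with a
   <literal>{SSHA}</literal> value: the stored value is the base64 encoding of
   SHA-1(password + salt) followed by the salt, so a bind recovers the salt,
   hashes the candidate with it, and compares digests, without ever recovering
   the clear text. The 8-byte salt length, the sample password, and the
   <literal>{PBKDF2}</literal> layout used to contrast a stretched scheme are
   assumptions made for this example, not OpenDJ's own encoding; the only value
   taken from the page is the <literal>userpassword</literal> shown in the
   search above, which is parsed but whose clear text is not known.</para>

```python
"""Added example (not OpenDJ code): producing and checking an {SSHA} value.

Assumed layout for Salted SHA-1: base64( SHA-1(password || salt) || salt ),
with the salt appended after the 20-byte digest. The 8-byte salt length and
the sample password are assumptions for this example. The {PBKDF2} layout at
the end is this example's own, used only to show the per-guess cost
difference between a plain salted hash and a stretched one.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SHA1_LEN = 20  # bytes of a SHA-1 digest
SALT_LEN = 8   # assumed salt length for the example


def ssha_split(stored: str) -> Tuple[bytes, bytes]:
    """Split a {SSHA} value into (digest, salt); the salt is whatever follows the digest."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not a Salted SHA-1 value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("value too short to hold a digest and a salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_encode(password: str, salt: Optional[bytes] = None) -> str:
    """Return the {SSHA} value to store, with a fresh random salt unless one is given."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(candidate: str, stored: str) -> bool:
    """What a bind does: recover the salt, hash the candidate with it, compare digests.

    Nothing in the stored value lets anyone, Directory Manager included, recover
    the clear-text password. The comparison is constant-time so it does not leak
    how many digest bytes matched.
    """
    digest, salt = ssha_split(stored)
    recomputed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, recomputed)


def pbkdf2_encode(password: str, salt: bytes, iterations: int) -> str:
    """Example-only layout: {PBKDF2}<iterations>:<base64(digest || salt)>."""
    digest = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    return "{PBKDF2}%d:%s" % (iterations, base64.b64encode(digest + salt).decode("ascii"))


def pbkdf2_verify(candidate: str, stored: str) -> bool:
    """Verify against the example-only {PBKDF2} layout above."""
    if not stored.startswith("{PBKDF2}"):
        raise ValueError("not a PBKDF2 value in this example's layout")
    iterations_text, encoded = stored[len("{PBKDF2}"):].split(":", 1)
    raw = base64.b64decode(encoded)
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    recomputed = hashlib.pbkdf2_hmac("sha1", candidate.encode("utf-8"), salt, int(iterations_text))
    return hmac.compare_digest(digest, recomputed)


def work_per_guess(stored: str) -> int:
    """Rough cost of one offline guess, in SHA-1 based operations.

    One SHA-1 for {SSHA}; one HMAC-SHA1 per iteration for {PBKDF2}, which is
    what makes the stretched scheme expensive to crack at scale.
    """
    if stored.startswith("{SSHA}"):
        return 1
    if stored.startswith("{PBKDF2}"):
        return int(stored[len("{PBKDF2}"):].split(":", 1)[0])
    raise ValueError("unknown scheme")


if __name__ == "__main__":
    # Constructed sample with a fixed salt so the run is reproducible.
    salt = bytes(range(1, 9))
    stored = ssha_encode("hunter2-example", salt)
    print(stored, ssha_verify("hunter2-example", stored), ssha_verify("Hunter2-example", stored))
    stretched = pbkdf2_encode("hunter2-example", salt, 10000)
    print(stretched, pbkdf2_verify("hunter2-example", stretched), work_per_guess(stretched))
```

   <para>Run as a script, the example prints a <literal>{SSHA}</literal> value,
   shows that only the exact password verifies against it, and shows that each
   guess against the stretched value costs ten thousand times more work.</para>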

   <para>In addition, users can change their passwords, provided you have
   granted them access to do so. OpenDJ uses the <literal>userPassword</literal>
   attribute to store passwords by default, rather than the
   <literal>authPassword</literal> attribute, which is designed to store
   passwords hashed by the client application.</para>
  </section>

  <section xml:id="pwp-replicated">
   <title>Subentry Based Password Policies</title>
   <indexterm>
    <primary>Replication</primary>
    <secondary>Password policy</secondary>
   </indexterm>

   <para>You manage subentry password policies by adding the subentries
   alongside the user data. Thus OpenDJ can replicate subentry password
   policies across servers.</para>

   <indexterm>
    <primary>Password policy</primary>
    <secondary>Behera Internet-Draft</secondary>
   </indexterm>
   <para>Subentry password policies support the Internet-Draft <link
   xlink:href="http://tools.ietf.org/html/draft-behera-ldap-password-policy-09"
   >Password Policy for LDAP Directories</link> (version 09). A subentry
   password policy overrides the corresponding settings of the default password
   policy defined in the OpenDJ configuration. Settings that the subentry
   password policy does not support, or does not include, are inherited from
   the default password policy.</para>

   <para>As a result, the following Internet-Draft password policy attributes
   override the default password policy when you set them in the
   subentry.</para>
   <itemizedlist>
    <listitem><para><literal>pwdAllowUserChange</literal>, corresponding to the
    OpenDJ password policy property
    <literal>allow-user-password-changes</literal></para></listitem>
    <listitem><para><literal>pwdMustChange</literal>, corresponding to the
    OpenDJ password policy property
    <literal>force-change-on-reset</literal></para></listitem>
    <listitem><para><literal>pwdGraceAuthNLimit</literal>, corresponding to the
    OpenDJ password policy property
    <literal>grace-login-count</literal></para></listitem>
    <listitem><para><literal>pwdLockoutDuration</literal>, corresponding to the
    OpenDJ password policy property
    <literal>lockout-duration</literal></para></listitem>
    <listitem><para><literal>pwdMaxFailure</literal>, corresponding to the
    OpenDJ password policy property
    <literal>lockout-failure-count</literal></para></listitem>
    <listitem><para><literal>pwdFailureCountInterval</literal>, corresponding
    to the OpenDJ password policy property
    <literal>lockout-failure-expiration-interval</literal></para></listitem>
    <listitem><para><literal>pwdMaxAge</literal>, corresponding to the OpenDJ
    password policy property
    <literal>max-password-age</literal></para></listitem>
    <listitem><para><literal>pwdMinAge</literal>, corresponding to the OpenDJ
    password policy property
    <literal>min-password-age</literal></para></listitem>
    <listitem><para><literal>pwdAttribute</literal>, corresponding to the
    OpenDJ password policy property
    <literal>password-attribute</literal></para></listitem>
    <listitem><para><literal>pwdSafeModify</literal>, corresponding to the
    OpenDJ password policy property
    <literal>password-change-requires-current-password</literal></para></listitem>
    <listitem><para><literal>pwdExpireWarning</literal>, corresponding to the
    OpenDJ password policy property
    <literal>password-expiration-warning-interval</literal></para></listitem>
    <listitem><para><literal>pwdInHistory</literal>, corresponding to the
    OpenDJ password policy property
    <literal>password-history-count</literal></para></listitem>
   </itemizedlist>

   <para>The following Internet-Draft password policy attributes are not
   taken into account by OpenDJ.</para>
   <itemizedlist>
    <listitem>
     <para><literal>pwdCheckQuality</literal>, as OpenDJ has password
     validators. You can set password validators to use in the default
     password policy.</para>
    </listitem>
    <listitem>
     <para><literal>pwdMinLength</literal>, as this is handled by the Length
     Based Password Validator. You can configure this as part of the
     default password policy.</para>
    </listitem>
    <listitem>
     <para><literal>pwdLockout</literal>, as OpenDJ can deduce whether
     lockout is configured based on the values of other lockout-related
     password policy attributes.</para>
    </listitem>
   </itemizedlist>

   <para>Values of the following properties are inherited from the default
   password policy for Internet-Draft based password policies.</para>
   <itemizedlist>
    <listitem><para><literal>account-status-notification-handler</literal></para></listitem>
    <listitem><para><literal>allow-expired-password-changes</literal></para></listitem>
    <listitem><para><literal>allow-multiple-password-values</literal></para></listitem>
    <listitem><para><literal>allow-pre-encoded-passwords</literal></para></listitem>
    <listitem><para><literal>default-password-storage-scheme</literal></para></listitem>
    <listitem><para><literal>deprecated-password-storage-scheme</literal></para></listitem>
    <listitem><para><literal>expire-passwords-without-warning</literal></para></listitem>
    <listitem><para><literal>force-change-on-add</literal></para></listitem>
    <listitem><para><literal>idle-lockout-interval</literal></para></listitem>
    <listitem><para><literal>last-login-time-attribute</literal></para></listitem>
    <listitem><para><literal>last-login-time-format</literal></para></listitem>
    <listitem><para><literal>max-password-reset-age</literal></para></listitem>
    <listitem><para><literal>password-generator</literal></para></listitem>
    <listitem><para><literal>password-history-duration</literal></para></listitem>
    <listitem><para><literal>password-validator</literal></para></listitem>
    <listitem><para><literal>previous-last-login-time-format</literal></para></listitem>
    <listitem><para><literal>require-change-by-time</literal></para></listitem>
    <listitem><para><literal>require-secure-authentication</literal></para></listitem>
    <listitem><para><literal>require-secure-password-changes</literal></para></listitem>
    <listitem><para><literal>skip-validation-for-administrators</literal></para></listitem>
    <listitem><para><literal>state-update-failure-policy</literal></para></listitem>
   </itemizedlist>

   <para>
   Rather than inheriting the password validators of the default password
   policy, a subentry password policy can specify its own. To do so, add the
   auxiliary object class <literal>pwdValidatorPolicy</literal> to the subentry,
   and set the multi-valued attribute <literal>ds-cfg-password-validator</literal>
   to the DNs of the password validator configuration entries.
   </para>

   <para>
   The following example shows a subentry password policy
   that references two password validator configuration entries.
   The Character Set password validator determines
   whether a proposed password is acceptable
   by checking whether it contains a sufficient number of characters
   from one or more user-defined character sets and ranges.
   The Length-Based password validator determines
   whether a proposed password is acceptable
   based on whether the number of characters it contains
   falls within an acceptable range of values.
   Both are enabled in the default OpenDJ directory server configuration.
   The policy applies only to entries under <literal>ou=people</literal>
   that match the <literal>specificationFilter</literal>, here members of
   the Directory Administrators group.
   </para>

   <programlisting language="ldif"
   >dn: cn=Subentry Password Policy with Validators,dc=example,dc=com
objectClass: top
objectClass: subentry
objectClass: pwdPolicy
objectClass: pwdValidatorPolicy
cn: Subentry Password Policy with Validators
pwdAttribute: userPassword
pwdLockout: TRUE
pwdMaxFailure: 3
pwdFailureCountInterval: 300
pwdLockoutDuration: 300
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
ds-cfg-password-validator: cn=Character Set,cn=Password Validators,cn=config
ds-cfg-password-validator: cn=Length-Based Password Validator,
 cn=Password Validators,cn=config
subtreeSpecification: {base "ou=people", specificationFilter
 "(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }
</programlisting>
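   <para>The following Python example is added to this chapter and is not
   OpenDJ code. It models the lockout behaviour that the subentry above
   configures, following the Internet-Draft semantics of
   <literal>pwdMaxFailure</literal>, <literal>pwdFailureCountInterval</literal>
   and <literal>pwdLockoutDuration</literal>: failed binds are timestamped,
   failures older than the counting interval stop counting, reaching the
   maximum locks the account, and the lock either expires after the lockout
   duration or, when the duration is 0, persists until an administrator resets
   it. Timestamps are plain integers (seconds) so that it runs offline, and the
   bind attempts it runs are constructed for the example.</para>

```python
"""Added example (not OpenDJ code): the lockout behaviour the subentry above configures.

Follows the Behera Internet-Draft semantics that the page maps to OpenDJ
properties: pwdMaxFailure (lockout-failure-count), pwdFailureCountInterval
(lockout-failure-expiration-interval) and pwdLockoutDuration (lockout-duration).
The server keeps pwdFailureTime and pwdAccountLockedTime on the entry; here they
are plain integers (seconds) so the example runs offline. The bind attempts run
under __main__ are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class LockoutPolicy:
    max_failure: int             # pwdMaxFailure; 0 disables lockout
    failure_count_interval: int  # pwdFailureCountInterval, seconds; 0 = failures never age out
    lockout_duration: int        # pwdLockoutDuration, seconds; 0 = locked until an administrator resets


@dataclass
class AccountState:
    """Operational state kept per entry: pwdFailureTime values and pwdAccountLockedTime."""
    failure_times: List[int] = field(default_factory=list)
    locked_time: Optional[int] = None

    def live_failures(self, policy: LockoutPolicy, now: int) -> List[int]:
        """Failures still inside the counting window."""
        if policy.failure_count_interval == 0:
            return list(self.failure_times)
        return [t for t in self.failure_times if now - t < policy.failure_count_interval]

    def is_locked(self, policy: LockoutPolicy, now: int) -> bool:
        if self.locked_time is None:
            return False
        if policy.lockout_duration == 0:
            return True                  # only admin_reset() clears this
        if now - self.locked_time >= policy.lockout_duration:
            self.locked_time = None      # lockout expired: the entry is usable again
            self.failure_times = []      # and the failure count starts over
            return False
        return True

    def bind(self, policy: LockoutPolicy, now: int, password_ok: bool) -> bool:
        """Apply one simple bind and return whether it succeeds.

        A locked account rejects even the correct password, which is what makes
        lockout a denial-of-service lever as well as a brute-force brake.
        """
        if self.is_locked(policy, now):
            return False
        if password_ok:
            self.failure_times = []      # success clears pwdFailureTime
            return True
        self.failure_times = self.live_failures(policy, now) + [now]
        if policy.max_failure and len(self.failure_times) >= policy.max_failure:
            self.locked_time = now       # pwdAccountLockedTime is set
        return False

    def admin_reset(self) -> None:
        """What an administrative reset does to the lockout state."""
        self.failure_times = []
        self.locked_time = None


def simulate(policy: LockoutPolicy, attempts: List[Tuple[int, bool]]) -> List[Tuple[int, bool, bool]]:
    """Run (time, password_ok) attempts; return (time, bind_succeeded, locked_afterwards) rows."""
    state = AccountState()
    rows = []
    for now, ok in attempts:
        succeeded = state.bind(policy, now, ok)
        rows.append((now, succeeded, state.is_locked(policy, now)))
    return rows


# The values from the subentry above: 3 failures within 300 s lock the account for 300 s.
SUBENTRY_POLICY = LockoutPolicy(max_failure=3, failure_count_interval=300, lockout_duration=300)

if __name__ == "__main__":
    # Constructed attempts: three wrong passwords, then the right one while locked,
    # then the right one again once the 300 s lockout has elapsed.
    for row in simulate(SUBENTRY_POLICY, [(0, False), (10, False), (20, False), (30, True), (320, True)]):
        print(row)
```

   <para>Note what the 0 values mean: with
   <literal>lockout-failure-expiration-interval</literal> at 0, failures never
   stop counting, and with <literal>lockout-duration</literal> at 0, an account
   stays locked until an administrator intervenes. Pick the interval and
   duration with a view to who can trigger the lock, since anyone who can
   reach the LDAP port can lock an account by sending wrong passwords.</para>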

   <para>
   If a referenced password validator cannot be found,
   then OpenDJ directory server logs an error message
   when the password policy is invoked.
   This can occur for example when a subentry password policy is replicated
   to a directory server where the password validator is not (yet) configured.
   In that case, when a user attempts to change their password,
   the server fails to find the referenced password validator.
   Because validator configuration is not replicated, check that the referenced
   validator entries exist on every replica before you add the subentry.
   </para>

   <para>
   See also <xref linkend="create-repl-pwp" />.
   </para>
  </section>

  <section xml:id="pwp-application">
   <title>Which Password Policy Applies</title>

   <para>The password policy that applies to a user is identified by the
   operational attribute, <literal>pwdPolicySubentry</literal>. As with other
   operational attributes, you must request it explicitly in the search.</para>

   <screen>$ ldapsearch --port 1389 --baseDN dc=example,dc=com uid=bjensen pwdPolicySubentry
dn: uid=bjensen,ou=People,dc=example,dc=com
pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config</screen>
  </section>
 </section>

 <section xml:id="configure-pwp">
  <title>Configuring Password Policies</title>

  <para>You configure server based password policies using the
  <command>dsconfig</command> command. Notice that server based password
  policies are part of the server configuration, and therefore not replicated.
  Alternatively, you can configure a subset of password policy features using
  subentry based password policies that are stored with the replicated
  server data. This section covers both server based and subentry based
  password policies.</para>

  <procedure xml:id="default-pwp">
   <title>To Adjust the Default Password Policy</title>
   <indexterm>
    <primary>Password policy</primary>
    <secondary>Default</secondary>
   </indexterm>

   <para>You can reconfigure the default password policy for example to
   enforce password expiration, check that passwords do not match dictionary
   words, and prevent password reuse. This default policy is a server based
   password policy. The <option>--trustAll</option> option in the following
   examples accepts any certificate the server presents on the administration
   port; in production, trust the server certificate explicitly instead.</para>
   <step>
    <para>Enable the appropriate password validator. Here the Dictionary
    validator is configured to reject a password that contains any dictionary
    word of at least four characters, not just a password that is itself a
    dictionary word.</para>
    <screen>$ dsconfig
 set-password-validator-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --validator-name Dictionary
 --set enabled:true
 --set check-substrings:true
 --set min-substring-length:4
 --trustAll
 --no-prompt</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Apply the changes to the default password policy.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ dsconfig
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark set-password-policy-prop
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 4444
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --hostname opendj.example.com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --policy-name "Default Password Policy"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set max-password-age:90d
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set min-password-age:4w
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set password-history-count:7
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set password-validator:Dictionary
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --trustAll
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --no-prompt</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Check your work.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ dsconfig
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark get-password-policy-prop
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 4444
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --hostname opendj.example.com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --policy-name "Default Password Policy"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkProperty                                  : Value(s)
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark------------------------------------------:--------------------------
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkaccount-status-notification-handler       : -
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkallow-expired-password-changes            : false
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkallow-user-password-changes               : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkdefault-password-storage-scheme           : Salted SHA-1
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkdeprecated-password-storage-scheme        : -
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkexpire-passwords-without-warning          : false
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkforce-change-on-add                       : false
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkforce-change-on-reset                     : false
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkgrace-login-count                         : 0
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkidle-lockout-interval                     : 0 s
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarklast-login-time-attribute                 : -
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarklast-login-time-format                    : -
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarklockout-duration                          : 0 s
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarklockout-failure-count                     : 0
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarklockout-failure-expiration-interval       : 0 s
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkmax-password-age                          : 12 w 6 d
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkmax-password-reset-age                    : 0 s
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkmin-password-age                          : 4 w
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpassword-attribute                        : userpassword
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpassword-change-requires-current-password : false
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpassword-expiration-warning-interval      : 5 d
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpassword-generator                        : Random Password Generator
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpassword-history-count                    : 7
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpassword-history-duration                 : 0 s
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpassword-validator                        : Dictionary
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkprevious-last-login-time-format           : -
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkrequire-change-by-time                    : -
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkrequire-secure-authentication             : false
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkrequire-secure-password-changes           : false</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </procedure>
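<para>To review the property table that <literal>dsconfig get-password-policy-prop</literal> prints, here is an added Python audit script (example code, not part of OpenDJ or of this guide). It parses the table shown above into a dictionary, converts dsconfig durations such as <literal>12 w 6 d</literal> to seconds, and flags the settings a reviewer would question; the property names and values come from the output above, while the set of schemes treated as weak and the choice of checks are this example's assumptions.</para>

```python
"""Audit the property table printed by dsconfig get-password-policy-prop.

Added example (not OpenDJ code): the checks below flag settings that a
reviewer would question in a production password policy.  The thresholds
and the list of weak schemes are this example's assumptions.
"""
import re
from typing import Dict, List

# Constructed sample, abridged from the "Check your work" output shown above
# for "Default Password Policy" after the dsconfig changes were applied.
SAMPLE_OUTPUT = """\
Property                                  : Value(s)
------------------------------------------:--------------------------
default-password-storage-scheme           : Salted SHA-1
grace-login-count                         : 0
lockout-duration                          : 0 s
lockout-failure-count                     : 0
max-password-age                          : 12 w 6 d
min-password-age                          : 4 w
password-history-count                    : 7
password-history-duration                 : 0 s
password-validator                        : Dictionary
require-secure-authentication             : false
require-secure-password-changes           : false
"""

# dsconfig prints durations as unit groups ("12 w 6 d", "0 s"); the command
# line accepts the compact form ("90d", "4w"). Both are handled here.
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_duration(value: str) -> int:
    """Convert a dsconfig duration such as '12 w 6 d', '0 s' or '90d' to seconds."""
    groups = re.findall(r"(\d+)\s*([smhdw])\b", value)
    if not groups:
        raise ValueError(f"not a duration: {value!r}")
    return sum(int(amount) * _UNIT_SECONDS[unit] for amount, unit in groups)


def parse_properties(output: str) -> Dict[str, str]:
    """Turn the two-column 'Property : Value(s)' table into a dict ('-' means unset)."""
    props: Dict[str, str] = {}
    for line in output.splitlines():
        name, sep, value = line.partition(":")
        name = name.strip()
        # Skip blank lines, the header row and the dashed separator row.
        if not sep or not name or name == "Property" or name.startswith("-"):
            continue
        props[name] = value.strip()
    return props


# Schemes this example treats as too fast for password storage (a judgment
# call for the audit, not an OpenDJ list). Salted SHA-1 is what the page uses.
FAST_HASH_SCHEMES = {"Clear", "Base64", "MD5", "Salted MD5", "SHA-1", "Salted SHA-1", "Crypt"}


def audit_policy(props: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    findings: List[str] = []
    scheme = props.get("default-password-storage-scheme", "-")
    if scheme in FAST_HASH_SCHEMES:
        findings.append(f"default-password-storage-scheme {scheme}: fast hash, "
                        "prefer a slow or longer salted scheme such as PBKDF2 or Salted SHA-512")
    if int(props.get("lockout-failure-count", "0")) == 0:
        findings.append("lockout-failure-count 0: unlimited failed binds, no account lockout")
    if parse_duration(props.get("max-password-age", "0 s")) == 0:
        findings.append("max-password-age 0: passwords never expire")
    if (int(props.get("password-history-count", "0")) == 0
            and parse_duration(props.get("password-history-duration", "0 s")) == 0):
        findings.append("no password history: users can reuse the same password")
    if props.get("password-validator", "-") == "-":
        findings.append("password-validator unset: no password quality rules are enforced")
    if props.get("require-secure-authentication", "false").lower() != "true":
        findings.append("require-secure-authentication false: simple binds over cleartext LDAP are accepted")
    return findings


def audit_output(output: str) -> List[str]:
    """Convenience wrapper: parse the dsconfig table, then audit it."""
    return audit_policy(parse_properties(output))


if __name__ == "__main__":
    for finding in audit_output(SAMPLE_OUTPUT):
        print("FINDING:", finding)
```

Run against the page's own output, the script reports three findings (Salted SHA-1 storage, no lockout, no secure-authentication requirement) and is silent on expiration, history and the validator, which the procedure set.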
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <procedure xml:id="create-per-server-pwp">
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>To Create a Server Based Password Policy</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>You can add a password policy, for example, for new users who have not
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark yet used their credentials to bind.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Create the new password policy.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ dsconfig
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark create-password-policy
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 4444
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --hostname opendj.example.com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --policy-name "New Account Password Policy"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set default-password-storage-scheme:"Salted SHA-1"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set force-change-on-add:true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set password-attribute:userPassword
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --type password-policy
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --trustAll
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --no-prompt</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Check your work.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ dsconfig
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark get-password-policy-prop
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 4444
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --hostname opendj.example.com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --policy-name "New Account Password Policy"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkProperty                                  : Value(s)
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark------------------------------------------:-------------
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkaccount-status-notification-handler       : -
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkallow-expired-password-changes            : false
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkallow-user-password-changes               : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkdefault-password-storage-scheme           : Salted SHA-1
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkdeprecated-password-storage-scheme        : -
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkexpire-passwords-without-warning          : false
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkforce-change-on-add                       : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkforce-change-on-reset                     : false
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkgrace-login-count                         : 0
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkidle-lockout-interval                     : 0 s
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarklast-login-time-attribute                 : -
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarklast-login-time-format                    : -
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarklockout-duration                          : 0 s
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarklockout-failure-count                     : 0
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarklockout-failure-expiration-interval       : 0 s
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkmax-password-age                          : 0 s
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkmax-password-reset-age                    : 0 s
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkmin-password-age                          : 0 s
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpassword-attribute                        : userpassword
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpassword-change-requires-current-password : false
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpassword-expiration-warning-interval      : 5 d
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpassword-generator                        : -
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpassword-history-count                    : 0
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpassword-history-duration                 : 0 s
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpassword-validator                        : -
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkprevious-last-login-time-format           : -
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkrequire-change-by-time                    : -
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkrequire-secure-authentication             : false
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkrequire-secure-password-changes           : false</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>If you use a password policy like this, you might want to change the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark user's policy again when the new user successfully updates the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark password.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </procedure>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <procedure xml:id="create-repl-pwp">
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>To Create a Subentry Based Password Policy</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>You can add a subentry to configure a password policy that
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark applies to Directory Administrators.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Create the entry that specifies the password policy.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ cat /path/to/subentry-pwp.ldif
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkdn: cn=Subentry Password Policy,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: top
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: subentry
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: pwdPolicy
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkcn: Subentry Password Policy
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpwdAttribute: userPassword
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpwdLockout: TRUE
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpwdMaxFailure: 3
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpwdFailureCountInterval: 300
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpwdLockoutDuration: 300
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpwdAllowUserChange: TRUE
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpwdSafeModify: TRUE
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksubtreeSpecification: {base "ou=people", specificationFilter
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark "(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Add the policy to the directory.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ ldapmodify
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 1389
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --defaultAdd
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --filename /path/to/subentry-pwp.ldif
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkProcessing ADD request for cn=Subentry Password Policy,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkADD operation successful for DN cn=Subentry Password Policy,dc=example,dc=com</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Check that the policy applies as specified.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>In the example, the policy should apply to a Directory Administrator,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark while a normal user has the default password policy. Here, Kirsten Vaughan
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark is a member of the Directory Administrators group, and Babs Jensen is not
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark a member.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ ldapsearch
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 1389
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --baseDN dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark uid=kvaughan
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark pwdPolicySubentry
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkdn: uid=kvaughan,ou=People,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpwdPolicySubentry: cn=Subentry Password Policy,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark$ ldapsearch
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 1389
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --baseDN dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark uid=bjensen
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark pwdPolicySubentry
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkdn: uid=bjensen,ou=People,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </procedure>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </section>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <section xml:id="assign-pwp">
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>Assigning Password Policies</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>You assign subentry based password policies for a subtree of the DIT by
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark adding the policy to an LDAP subentry whose immediate superior is the root of
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the subtree. In other words, you can add the subentry based password policy
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark under <literal>ou=People,dc=example,dc=com</literal> to have it apply to all
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark entries under <literal>ou=People,dc=example,dc=com</literal>. You can further
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark use the subtree specification of LDAP <link
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark xlink:href="http://tools.ietf.org/html/rfc3672">subentries</link> to refine
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the scope of application.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>You assign server based password policies by using the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>ds-pwp-password-policy-dn</literal> attribute.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <procedure xml:id="assign-pwp-to-individual">
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>To Assign a Password Policy to a User</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Prevent users from selecting their own password policy.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ cat protectpwp.ldif
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkdn: ou=People,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkchangetype: modify
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkadd: aci
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkaci: (target ="ldap:///uid=*,ou=People,dc=example,dc=com")(targetattr =
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark "ds-pwp-password-policy-dn")(version 3.0;acl "Cannot choose own pass
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark word policy";deny (write)(userdn = "ldap:///self");)
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark$ ldapmodify
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 1389
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --filename protectpwp.ldif
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkProcessing MODIFY request for ou=People,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkMODIFY operation successful for DN ou=People,dc=example,dc=com</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Update the user's <literal>ds-pwp-password-policy-dn</literal>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark attribute.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ cat newuser.ldif
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkdn: uid=newuser,ou=People,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkuid: newuser
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: person
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: organizationalPerson
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: inetOrgPerson
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: top
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkcn: New User
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksn: User
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkou: People
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkmail: newuser@example.com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkuserPassword: changeme
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkds-pwp-password-policy-dn: cn=New Account Password Policy,cn=Password Policies,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark cn=config
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark$ ldapmodify
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 1389
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --defaultAdd
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --filename newuser.ldif
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkProcessing ADD request for uid=newuser,ou=People,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkADD operation successful for DN uid=newuser,ou=People,dc=example,dc=com</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Check your work.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ ldapsearch
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 1389
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --baseDN dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark uid=newuser
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark pwdPolicySubentry
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkdn: uid=newuser,ou=People,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpwdPolicySubentry: cn=New Account Password Policy,cn=Password Policies,cn=config</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </procedure>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <procedure xml:id="assign-pwp-to-group">
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>To Assign a Password Policy to a Group</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Create a subentry defining the collective attribute that sets the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>ds-pwp-password-policy-dn</literal> attribute for group
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark members' entries.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ cat pwp-coll.ldif
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkdn: cn=Password Policy for Dir Admins,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: collectiveAttributeSubentry
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: extensibleObject
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: subentry
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: top
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkcn: Password Policy for Dir Admins
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkds-pwp-password-policy-dn;collective: cn=Root Password Policy,cn=Pass
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark word Policies,cn=config
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksubtreeSpecification: { base "ou=People", specificationFilter "(isMemberOf=
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark cn=Directory Administrators,ou=Groups,dc=example,dc=com)"}
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark$ ldapmodify
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 1389
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --defaultAdd
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --filename pwp-coll.ldif
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkProcessing ADD request for cn=Password Policy for Dir Admins,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkADD operation successful for DN cn=Password Policy for Dir
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark Admins,dc=example,dc=com</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Check your work.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ ldapsearch
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 1389
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --baseDN dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark uid=kvaughan
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark pwdPolicySubentry
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkdn: uid=kvaughan,ou=People,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpwdPolicySubentry: cn=Root Password Policy,cn=Password Policies,cn=config</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </procedure>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark <procedure xml:id="assign-pwp-for-branch">
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark <title>To Assign a Password Policy for an Entire Branch</title>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark <para>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark You can use a collective attribute to assign a password policy
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark to the entries under a base DN.
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark </para>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark <step>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark <para>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark Create a password policy and collective attribute subentry
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark to assign the policy to all entries under a base DN.
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark </para>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark <para>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark The following example creates a password policy,
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark and then assigns that policy to entries
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark under <literal>ou=People,dc=example,dc=com</literal>.
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark </para>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark <screen>$ cat collective-pwp.ldif
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkdn: cn=People Password Policy,dc=example,dc=com
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkobjectClass: top
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkobjectClass: subentry
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkobjectClass: pwdPolicy
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkcn: People Password Policy
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkpwdAttribute: userPassword
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkpwdLockout: TRUE
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkpwdMaxFailure: 3
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkpwdFailureCountInterval: 300
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkpwdLockoutDuration: 300
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkpwdAllowUserChange: TRUE
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkpwdSafeModify: TRUE
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarksubtreeSpecification: {}
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkdn: cn=Assign People Password Policy,dc=example,dc=com
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkobjectClass: top
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkobjectClass: subentry
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkobjectClass: extensibleObject
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkobjectClass: collectiveAttributeSubentry
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkcn: Assign People Password Policy
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkds-pwp-password-policy-dn;collective: cn=People Password Policy,dc=example,dc=com
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarksubtreeSpecification: { base "ou=people" }
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark$ ldapmodify
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark --port 1389
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark --bindDN "cn=Directory Manager"
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark --bindPassword password
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark --defaultAdd
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark --filename collective-pwp.ldif
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkProcessing ADD request for cn=People Password Policy,dc=example,dc=com
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkADD operation successful for DN cn=People Password Policy,dc=example,dc=com
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkProcessing ADD request for cn=Assign People Password Policy,dc=example,dc=com
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkADD operation successful for DN
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark cn=Assign People Password Policy,dc=example,dc=com</screen>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark <para>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark Notice the subtree specification used to assign the policy,
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark <literal>{ base "ou=people" }</literal>.
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark You can relax the subtree specification value to <literal>{}</literal>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark to apply the password policy to all entries under
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark the parent of the subentry, <literal>dc=example,dc=com</literal>,
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark or further restrict the subtree specification
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark by adding a <literal>specificationFilter</literal>.
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark See <link xlink:show="new" xlink:href="admin-guide#collective-attributes"
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark xlink:role="http://docbook.org/xlink/role/olink"><citetitle
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark >Collective Attributes</citetitle></link> for more information.
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark </para>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark </step>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark <step>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark <para>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark Check your work.
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark </para>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark <screen>$ ldapsearch
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark --port 1389
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark --baseDN dc=example,dc=com
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark "(uid=alutz)"
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark pwdPolicySubentry
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkdn: uid=alutz,ou=People,dc=example,dc=com
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmarkpwdPolicySubentry: cn=People Password Policy,dc=example,dc=com</screen>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark <para>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark If everything is correctly configured,
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark then the password policy should be assigned to users
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark whose entries are under <literal>ou=People,dc=example,dc=com</literal>.
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark </para>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark </step>
089bd21b4d1cee267b5ca4663cb8a2fe6c029e1cmark </procedure>
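<para>The scope test that the subentries in <xref linkend="create-repl-pwp" />, <xref linkend="assign-pwp-to-group" /> and the procedure above rely on is the RFC 3672 subtree specification, and the following added Python model (example code, not OpenDJ's implementation) evaluates it for the <literal>base</literal> and <literal>specificationFilter</literal> forms those examples use, including the relaxed <literal>{}</literal> value. The entries for Kirsten Vaughan, Babs Jensen and an account outside <literal>ou=People</literal> are constructed sample data, and <literal>isMemberOf</literal> is supplied as plain attribute data rather than computed from group membership.</para>

```python
"""Model the RFC 3672 subtree specification scope used by OpenDJ policy subentries.

Added example (not OpenDJ code).  It supports only the components the
procedures above use: 'base' and 'specificationFilter' holding a single
equality filter.  RFC 3672 'minimum', 'maximum' and 'specificExclusions' are
not modelled, DN handling is simplified (no escaped commas), and isMemberOf,
a virtual attribute on the server, is supplied here as ordinary entry data.
The same scope test applies to a pwdPolicy subentry and to the
collectiveAttributeSubentry that assigns ds-pwp-password-policy-dn.
"""
import re
from typing import Dict, List, Sequence, Tuple

DEFAULT_POLICY = "cn=Default Password Policy,cn=Password Policies,cn=config"

_SPEC_ITEM = re.compile(r'(base|specificationFilter)\s+"([^"]*)"')
_EQUALITY_FILTER = re.compile(r"^\(([A-Za-z][\w-]*)=([^()]*)\)$")


def dn_components(dn: str) -> List[str]:
    """Split a DN into normalised RDNs (case-insensitive, surrounding blanks dropped)."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def parent_dn(dn: str) -> str:
    """The immediate superior of dn; for a subentry this is the administrative point."""
    return ",".join(dn.split(",")[1:]).strip()


def is_within(entry_dn: str, root_dn: str) -> bool:
    """True when entry_dn is root_dn itself or one of its subordinates."""
    entry, root = dn_components(entry_dn), dn_components(root_dn)
    return len(entry) >= len(root) and entry[len(entry) - len(root):] == root


def parse_subtree_spec(spec: str) -> Dict[str, str]:
    """Parse '{ base "ou=people", specificationFilter "(...)" }' or the empty spec '{}'."""
    body = spec.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError(f"subtreeSpecification must be enclosed in braces: {spec!r}")
    return dict(_SPEC_ITEM.findall(body))


def matches_filter(entry: Dict[str, List[str]], ldap_filter: str) -> bool:
    """Evaluate one equality filter such as (isMemberOf=cn=...) against an entry."""
    match = _EQUALITY_FILTER.match(ldap_filter.strip())
    if not match:
        raise ValueError(f"only a single equality filter is supported: {ldap_filter!r}")
    attr, wanted = match.group(1).lower(), match.group(2).strip().lower()
    for name, values in entry.items():
        if name.lower() == attr:
            return any(value.strip().lower() == wanted for value in values)
    return False


def subentry_applies(subentry_dn: str, spec: str,
                     entry_dn: str, entry: Dict[str, List[str]]) -> bool:
    """Does the subentry's subtree specification select this entry?

    'base' is relative to the administrative point (the subentry's parent);
    an empty specification {} selects every entry under that parent.
    """
    parts = parse_subtree_spec(spec)
    admin_point = parent_dn(subentry_dn)
    root = f'{parts["base"]},{admin_point}' if parts.get("base") else admin_point
    if not is_within(entry_dn, root):
        return False
    ldap_filter = parts.get("specificationFilter")
    return matches_filter(entry, ldap_filter) if ldap_filter else True


def effective_policy(entry_dn: str, entry: Dict[str, List[str]],
                     subentries: Sequence[Tuple[str, str]],
                     default: str = DEFAULT_POLICY) -> str:
    """DN of the first pwdPolicy subentry whose scope covers the entry, else the default."""
    for subentry_dn, spec in subentries:
        if subentry_applies(subentry_dn, spec, entry_dn, entry):
            return subentry_dn
    return default


# Constructed sample data mirroring the procedures above.
SUBENTRY_POLICY = ("cn=Subentry Password Policy,dc=example,dc=com",
                   '{base "ou=people", specificationFilter '
                   '"(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }')
PEOPLE_ASSIGNMENT = ("cn=Assign People Password Policy,dc=example,dc=com", '{ base "ou=people" }')
WHOLE_AREA = ("cn=People Password Policy,dc=example,dc=com", "{}")

KVAUGHAN = ("uid=kvaughan,ou=People,dc=example,dc=com",
            {"isMemberOf": ["cn=Directory Administrators,ou=Groups,dc=example,dc=com"]})
BJENSEN = ("uid=bjensen,ou=People,dc=example,dc=com",
           {"isMemberOf": ["cn=Accounting Managers,ou=Groups,dc=example,dc=com"]})
# Constructed entry outside ou=People: reached by {} but not by { base "ou=people" }.
OUTSIDER = ("uid=app1,ou=Special Users,dc=example,dc=com", {})

if __name__ == "__main__":
    for dn, attrs in (KVAUGHAN, BJENSEN, OUTSIDER):
        print(dn, "->", effective_policy(dn, attrs, [SUBENTRY_POLICY]))
```

For the two searches shown in the "Check that the policy applies" step, the model returns the Subentry Password Policy for kvaughan and the default policy for bjensen.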
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </section>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <section xml:id="configure-pwd-generation">
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>Configuring Password Generation</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <primary>Passwords</primary>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <secondary>Generating</secondary>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Password generators are used by OpenDJ during the LDAP password modify
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark extended operation to construct a new password for the user. In other words,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark a directory administrator resetting a user's password can have OpenDJ
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark directory server generate the new password.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ ldappasswordmodify
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 1389
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --authzID "u:bjensen"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkThe LDAP password modify operation was successful
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkGenerated Password: eak77qdi</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The default password policy shown in <xref linkend="default-pwp" /> uses
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the Random Password Generator.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ dsconfig
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark get-password-policy-prop
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --hostname opendj.example.com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 4444
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --policy-name "Default Password Policy"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --property password-generator
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkProperty           : Value(s)
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark-------------------:--------------------------
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpassword-generator : Random Password Generator
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark$ dsconfig
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark get-password-generator-prop
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --hostname opendj.example.com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 4444
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --generator-name "Random Password Generator"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkProperty               : Value(s)
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark-----------------------:-----------------------------------------------------
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkenabled                : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpassword-character-set : alpha:abcdefghijklmnopqrstuvwxyz, numeric:0123456789
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpassword-format        : "alpha:3,numeric:2,alpha:3"</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Notice that the default configuration for the Random Password Generator
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark defines two <literal>password-character-set</literal> values, and then uses
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark those definitions in the <literal>password-format</literal> so that generated
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark passwords have eight characters: three from the <literal>alpha</literal> set,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark followed by two from the <literal>numeric</literal> set, followed by three
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark from the <literal>alpha</literal> set. The
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>password-character-set</literal> name must be ASCII.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Because the format fixes which set each position is drawn from, the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark guessing space of the default format is only
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark 26<superscript>6</superscript> × 10<superscript>2</superscript>, roughly
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark 35 bits. That is acceptable for a temporary password that the user must
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark change at first login, but not for a long-lived credential. If generated
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark passwords are meant to stay in use, give the generator larger character sets
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark and a longer format, as in the example below.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>To set the password generator that OpenDJ employs when constructing a
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark new password for a user, set the <literal>password-generator</literal>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark property for the password policy that applies to the user.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The following example does not change the password policy, but instead
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark changes the Random Password Generator configuration, and then demonstrates a
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark password being generated upon reset.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ dsconfig
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark set-password-generator-prop
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --hostname opendj.example.com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 4444
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --generator-name "Random Password Generator"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --remove password-character-set:alpha:abcdefghijklmnopqrstuvwxyz
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --add
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark password-character-set:alpha:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --add password-character-set:punct:,./\`!@#\$%^&amp;*:\;[]\"\'\(\)+=-_~\\
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark password-format:alpha:3,punct:1,numeric:2,punct:2,numeric:3,alpha:3,punct:2
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --no-prompt
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark$ ldappasswordmodify
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 1389
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --authzID "u:bjensen"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkThe LDAP password modify operation was successful
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkGenerated Password: pld^06:)529HTq$'</screen>
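<para>The following Python script is an added example, not code from OpenDJ or
from this guide. It reimplements the <literal>password-character-set</literal>
and <literal>password-format</literal> semantics described above, so that you
can see what a configuration produces and how large its guessing space is before
you deploy it. The two configurations are transcribed from the commands above
(the stronger one with the full upper-case alphabet); the entropy figure, the
<literal>matches_format</literal> check and the use of Python's
<literal>secrets</literal> module are this example's own choices, not a
description of how OpenDJ generates passwords internally.</para>

```python
import math
import secrets

# Default Random Password Generator configuration from the page, and the
# stronger configuration from the set-password-generator-prop example
# (transcribed here, with the alpha set spelt out in full).
DEFAULT_CHARACTER_SETS = ["alpha:abcdefghijklmnopqrstuvwxyz", "numeric:0123456789"]
DEFAULT_FORMAT = "alpha:3,numeric:2,alpha:3"

STRONGER_CHARACTER_SETS = [
    "alpha:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    "numeric:0123456789",
    "punct:,./`!@#$%^&*:;[]\"'()+=-_~\\",
]
STRONGER_FORMAT = "alpha:3,punct:1,numeric:2,punct:2,numeric:3,alpha:3,punct:2"


def parse_character_sets(values):
    """password-character-set values ('name:chars') -> {name: chars}.

    The name must be ASCII (as the page states). Duplicate characters in a
    set are collapsed so they do not inflate the entropy estimate.
    """
    sets = {}
    for value in values:
        name, sep, chars = value.partition(":")
        if not sep or not name or not name.isascii() or not chars:
            raise ValueError(f"bad password-character-set value: {value!r}")
        sets[name] = "".join(dict.fromkeys(chars))
    return sets


def parse_format(fmt):
    """password-format ('alpha:3,numeric:2,...') -> [(set name, count), ...]."""
    pieces = []
    for piece in fmt.strip('"').split(","):
        name, sep, count = piece.partition(":")
        if not sep or not count.isdigit():
            raise ValueError(f"bad password-format piece: {piece!r}")
        pieces.append((name, int(count)))
    return pieces


def generate(character_sets, fmt):
    """Draw one password of the given shape from a CSPRNG (secrets module)."""
    sets = parse_character_sets(character_sets)
    return "".join(
        secrets.choice(sets[name])
        for name, count in parse_format(fmt)
        for _ in range(count)
    )


def entropy_bits(character_sets, fmt):
    """Size of the guessing space in bits: each position adds log2(|its set|)."""
    sets = parse_character_sets(character_sets)
    return sum(count * math.log2(len(sets[name])) for name, count in parse_format(fmt))


def matches_format(password, character_sets, fmt):
    """True if the password is exactly something the format can produce."""
    sets = parse_character_sets(character_sets)
    pos = 0
    for name, count in parse_format(fmt):
        segment = password[pos:pos + count]
        if len(segment) != count or any(c not in sets[name] for c in segment):
            return False
        pos += count
    return pos == len(password)


if __name__ == "__main__":
    for label, sets, fmt in (("default", DEFAULT_CHARACTER_SETS, DEFAULT_FORMAT),
                             ("stronger", STRONGER_CHARACTER_SETS, STRONGER_FORMAT)):
        print(f"{label}: {generate(sets, fmt)}  (~{entropy_bits(sets, fmt):.1f} bits)")
```

<para>Running the script prints one password per configuration together with
its entropy: about 35 bits for the default format against about 74 bits for the
16-character format configured above. The gap comes from both the longer format
and the larger sets, and it is the number to look at when deciding whether
generated passwords can be left in place or must be changed at first
login.</para>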
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>If you also set up a password validator in the password policy as
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark shown in <xref linkend="default-pwp" /> and further described in
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <xref linkend="configure-pwd-validation" />, make sure the generated
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark passwords are acceptable to the validator.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </section>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <section xml:id="configure-pwd-storage">
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>Configuring Password Storage</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <primary>Passwords</primary>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <secondary>Storage schemes</secondary>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Password storage schemes encode passwords before OpenDJ stores them, so
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark that the clear text is not kept in the directory data. Depending on the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark scheme, this makes it difficult or impossible for someone who obtains the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark encoded values to determine the clear-text passwords. Password storage
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark schemes also determine whether a clear-text password provided by a client
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark matches the encoded value stored in the server.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>OpenDJ offers a variety of both reversible and one-way password storage
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark schemes. Reversible schemes (3DES, AES, Blowfish, RC4) let the server recover
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the clear-text password, and Base64 and Clear offer no protection at all, so
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark use them only when some component genuinely needs the clear text back.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark One-way schemes aim to make recovery computationally hard. Unsalted hashes
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark (MD5, SHA-1) fall to precomputed tables, salted hashes defeat those tables,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark and an iterated scheme such as PBKDF2 additionally slows down brute-force
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark guessing of each individual password.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ dsconfig
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark list-password-storage-schemes
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --hostname opendj.example.com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 4444
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkPassword Storage Scheme : Type          : enabled
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark------------------------:---------------:--------
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark3DES                    : triple-des    : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkAES                     : aes           : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkBase64                  : base64        : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkBlowfish                : blowfish      : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkClear                   : clear         : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkCRYPT                   : crypt         : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkMD5                     : md5           : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkPBKDF2                  : pbkdf2        : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkRC4                     : rc4           : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkSalted MD5              : salted-md5    : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkSalted SHA-1            : salted-sha1   : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkSalted SHA-256          : salted-sha256 : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkSalted SHA-384          : salted-sha384 : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkSalted SHA-512          : salted-sha512 : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkSHA-1                   : sha1          : true</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>As shown in <xref linkend="default-pwp" />, the default password storage
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark scheme for users is Salted SHA-1. When you add users or import user entries
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark with <literal>userPassword</literal> values in clear text, OpenDJ hashes them
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark with the default password storage scheme. Root DN users have a different
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark password policy by default, shown in <xref linkend="assign-pwp-to-group" />.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark The Root Password Policy uses Salted SHA-512 by default.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>You change the default password policy storage scheme for users by
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark changing the applicable password policy, as shown in the following
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark example.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ dsconfig
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark set-password-policy-prop
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --hostname opendj.example.com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 4444
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --policy-name "Default Password Policy"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set default-password-storage-scheme:pbkdf2
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --no-prompt</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Notice that the change in default password storage scheme does not
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark cause OpenDJ to update any stored password values. By default, OpenDJ only
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark stores a password with the new storage scheme the next time that the password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark is changed.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>OpenDJ prefixes each stored password value with the name of the scheme
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark used to encode it, such as <literal>{SSHA}</literal> or
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>{PBKDF2}</literal>, which means it is straightforward to see which
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark password storage scheme is in use. After the default password storage scheme
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark is changed to PBKDF2, old user passwords remain encoded with Salted
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark SHA-1.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ ldapsearch
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 1389
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN uid=bjensen,ou=people,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword hifalutin
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --baseDN dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark "(uid=bjensen)" userPassword
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkdn: uid=bjensen,ou=People,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkuserPassword: {SSHA}Rc3tkAj1qP5zGiRkwDIWDFxrxpGgO8Fwh3aibg==</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>When the password is changed, the new default password storage scheme
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark takes effect, as shown in the following example.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ ldappasswordmodify
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 1389
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --authzID "u:bjensen"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --newPassword changeit
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkThe LDAP password modify operation was successful
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark$ ldapsearch
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 1389
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN uid=bjensen,ou=people,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword changeit
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --baseDN dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark "(uid=bjensen)" userPassword
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkdn: uid=bjensen,ou=People,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkuserPassword: {PBKDF2}10000:O3V6G7y7n7AefOkRGNKQ5ukrMuO5uf+iEQ9ZLg==</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>When you change the password storage scheme for users, realize that
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the user passwords must change in order for OpenDJ to encode them with
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the chosen storage scheme. If you are changing the storage scheme because
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the old scheme was too weak, then you no doubt want users to change their
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark passwords anyway.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>If however the storage scheme change is not prompted by a weakness in
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the old scheme, you can use the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>deprecated-password-storage-scheme</literal> property of the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark password policy to have OpenDJ store the password in the new format after
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark successful authentication, the moment at which the server has the clear-text
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark password in hand. This makes it possible to do password migration for active
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark users without forcing users to change their passwords. Accounts that never
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark authenticate keep the old encoding, so track progress by checking the scheme
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark prefix on <literal>userPassword</literal> values, and plan a forced password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark change for whatever remains.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ ldapsearch
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 1389
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN uid=kvaughan,ou=people,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword bribery
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --baseDN dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark "(uid=kvaughan)" userPassword
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkdn: uid=kvaughan,ou=People,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkuserPassword: {SSHA}hDgK44F2GhIIZj913b+29Ak7phb9oU3Lz4ogkg==
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark$ dsconfig
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark set-password-policy-prop
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --hostname opendj.example.com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 4444
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --policy-name "Default Password Policy"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set deprecated-password-storage-scheme:"Salted SHA-1"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --no-prompt
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark$ ldapsearch
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 1389
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN uid=kvaughan,ou=people,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword bribery
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --baseDN dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark "(uid=kvaughan)" userPassword
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkdn: uid=kvaughan,ou=People,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkuserPassword: {PBKDF2}10000:L4dCYqSsNnf47YZ3a6aC8K2E3DChhHHhpcoUzg==</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Notice that with <literal>deprecated-password-storage-scheme</literal>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark set appropriately, Kirsten Vaughan's password was hashed again after she
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark authenticated successfully.</para>
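<para>The following Python script is an added example, not OpenDJ code. It does
two things a scheme migration needs: it audits <literal>userPassword</literal>
values by their scheme prefix, so you can count how many entries still carry the
deprecated encoding, and it verifies a clear-text password against
<literal>{SSHA}</literal> and <literal>{PBKDF2}</literal> values offline. The
layout assumed for those values (digest followed by an 8-byte salt, PBKDF2 with
HMAC-SHA-1 and a 20-byte digest, iteration count before the colon) is my reading
of the format rather than something this guide states; the
<literal>{CLEAR}</literal> prefix, the sample LDIF and the
<literal>uid=testuser</literal> entry are likewise constructed for the
example.</para>

```python
import base64
import hashlib
import hmac
import os
from collections import Counter

# Assumptions about the stored layout (not stated on the page):
#   {SSHA}   base64( SHA-1(password || salt) || salt )
#   {PBKDF2} "<iterations>:" + base64( PBKDF2-HMAC-SHA1(password, salt) || salt )
# both with an 8-byte random salt and a 20-byte digest.
SALT_LEN = 8
DIGEST_LEN = 20


def split_scheme(value):
    """'{SSHA}abc' -> ('SSHA', 'abc'). A value without a {prefix} is clear text."""
    if value.startswith("{") and "}" in value:
        scheme, _, rest = value[1:].partition("}")
        return scheme.upper(), rest
    return "CLEAR", value


def encode_ssha(password, salt=None):
    """Produce a {SSHA} value the way the audit expects to find it."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def encode_pbkdf2(password, iterations=10000, salt=None):
    """Produce a {PBKDF2} value with the iteration count in front of the data."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, DIGEST_LEN)
    return "{PBKDF2}%d:%s" % (iterations, base64.b64encode(digest + salt).decode("ascii"))


def verify(password, stored):
    """Constant-time check of a clear-text password against a stored value."""
    scheme, rest = split_scheme(stored)
    if scheme == "SSHA":
        raw = base64.b64decode(rest)
        digest, salt = raw[:-SALT_LEN], raw[-SALT_LEN:]
        candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    elif scheme == "PBKDF2":
        iterations, _, data = rest.partition(":")
        raw = base64.b64decode(data)
        digest, salt = raw[:-SALT_LEN], raw[-SALT_LEN:]
        candidate = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                                        int(iterations), len(digest))
    elif scheme == "CLEAR":
        digest, candidate = rest.encode("utf-8"), password.encode("utf-8")
    else:
        raise ValueError(f"scheme {scheme} is not handled by this example")
    return hmac.compare_digest(digest, candidate)


def audit(ldif_lines, target):
    """Count userPassword values per scheme and list DNs not yet on `target`.

    Feed it the LDIF output of an ldapsearch for userPassword (run as an
    account allowed to read that attribute) to watch a
    deprecated-password-storage-scheme migration progress.
    """
    counts, pending, dn = Counter(), [], None
    for line in ldif_lines:
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("userPassword:"):
            value = line[len("userPassword:"):]
            if value.startswith(":"):          # LDIF base64-encoded attribute value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            scheme, _ = split_scheme(value.strip())
            counts[scheme] += 1
            if scheme != target:
                pending.append(dn)
    return counts, pending


# Constructed sample: the two values shown on this page plus a made-up entry.
SAMPLE_LDIF = """\
dn: uid=bjensen,ou=People,dc=example,dc=com
userPassword: {PBKDF2}10000:O3V6G7y7n7AefOkRGNKQ5ukrMuO5uf+iEQ9ZLg==

dn: uid=kvaughan,ou=People,dc=example,dc=com
userPassword: {SSHA}hDgK44F2GhIIZj913b+29Ak7phb9oU3Lz4ogkg==

dn: uid=testuser,ou=People,dc=example,dc=com
userPassword: {CLEAR}not-a-real-password
""".splitlines()

if __name__ == "__main__":
    counts, pending = audit(SAMPLE_LDIF, target="PBKDF2")
    print(dict(counts), "still to migrate:", pending)
```

<para>Run against real search output, the audit gives you the two numbers a
migration plan needs: how many entries already carry the target prefix and which
DNs do not. The <literal>verify</literal> function uses
<literal>hmac.compare_digest</literal> rather than <literal>==</literal> so that
the comparison does not leak how many leading bytes matched.</para>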
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </section>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <section xml:id="configure-pwd-validation">
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>Configuring Password Validation</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <primary>Passwords</primary>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <secondary>Validating</secondary>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Password validators are responsible for determining whether a proposed
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark password is acceptable for use and can run checks like ensuring the password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark meets minimum length requirements, that it has an appropriate range of
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark characters, or that it is not in the history. OpenDJ directory server
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark provides a variety of password validators.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ dsconfig
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark list-password-validators
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --hostname opendj.example.com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 4444
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkPassword Validator                  : Type                : enabled
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark------------------------------------:---------------------:--------
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkAttribute Value                     : attribute-value     : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkCharacter Set                       : character-set       : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkDictionary                          : dictionary          : false
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkLength-Based Password Validator     : length-based        : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkRepeated Characters                 : repeated-characters : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkSimilarity-Based Password Validator : similarity-based    : true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkUnique Characters                   : unique-characters   : true</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The password policy for a user specifies the set of password validators
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark that should be used whenever that user provides a new password. By default
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark no password validators are configured. You can see an example setting the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark Default Password Policy to use the Dictionary validator in
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <xref linkend="default-pwp" />. The following example shows how to set up
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark a custom password validator and assign it to the default password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark policy.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <itemizedlist>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The custom password validator ensures passwords meet at least three of
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the following four criteria. Passwords are composed of:</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>English lowercase characters (a through z)</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>English uppercase characters (A through Z)</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Base 10 digits (0 through 9)</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Non-alphabetic characters (for example, !, $, #, %)</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </itemizedlist>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Notice how the <literal>character-set</literal> values are constructed.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark The initial <literal>0:</literal> means the set is optional: it is one of the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark sets counted toward <literal>min-character-sets</literal>, whereas
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>1:</literal> would mean that at least one character from the set is
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark required in every password.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ dsconfig
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark create-password-validator
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --hostname opendj.example.com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 4444
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --validator-name "Custom Character Set Password Validator"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set allow-unclassified-characters:true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set enabled:true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set character-set:0:abcdefghijklmnopqrstuvwxyz
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set character-set:0:ABCDEFGHIJKLMNOPQRSTUVWXYZ
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set character-set:0:0123456789
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set character-set:0:!\"#\$%&amp;\'\(\)*+,-./:\;\\&lt;=\&gt;?@[\\]^_\`{\|}~
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set min-character-sets:3
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --type character-set
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --no-prompt
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark$ dsconfig
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark set-password-policy-prop
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --hostname opendj.example.com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 4444
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --policy-name "Default Password Policy"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set password-validator:"Custom Character Set Password Validator"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --no-prompt
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark$ ldappasswordmodify
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 1389
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --authzID "u:bjensen"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --newPassword '!ABcd$%^'</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>In the preceding example, the character set of ASCII punctuation,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>!\"#\$%&amp;\'\(\)*+,-./:\;\\&lt;=\&gt;?@[\\]^_\`{\|}~</literal>,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark is hard to read because of all the escape characters. In practice it can
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark be easier to enter sequences like that by using <command>dsconfig</command>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark in interactive mode, and letting it do the escaping for you. You can also
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark use the <option>--commandFilePath {path}</option> option to save the result
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark of your interactive session to a file for use in scripts later.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>An attempt to set a password that fails validation is rejected with
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark LDAP result code 19 (constraintViolation), and the error message states the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark requirement the password did not meet, as shown in the following
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark example.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ ldappasswordmodify
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 1389
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --authzID "u:bjensen"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --newPassword hifalutin
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkThe LDAP password modify operation failed with result code 19
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkError Message: The provided new password failed the validation checks defined
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkin the server: The provided password did not contain characters from at least
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark3 of the following character sets or ranges: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark'!"#$%&amp;'()*+,-./:;&lt;=\&gt;?@[\]^_`{|}~', '0123456789', 'abcdefghijklmnopqrstuvwxyz'</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Validation does not affect existing passwords. It only takes effect
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark when a password is set or changed, so adding a validator tells you nothing
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark about whether passwords already in the directory would pass it.</para>
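<para>As an added example (not OpenDJ's validator implementation), the
following Python script applies the rules the character-set validator above
expresses: each <literal>1:</literal> set must be represented, at least
<literal>min-character-sets</literal> of the <literal>0:</literal> sets must be
represented, and characters outside every set are rejected unless
<literal>allow-unclassified-characters</literal> is true. The handling of
required sets and of unclassified characters is my reading of those properties.
The script also shows why the warning in the password generation section
matters: a password in the default generator's shape, such as
<literal>eak77qdi</literal>, uses only two of the four sets and this validator
rejects it.</para>

```python
# The validator configured above, transcribed into a dict (constructed here).
CUSTOM_VALIDATOR = {
    "character-set": [
        "0:abcdefghijklmnopqrstuvwxyz",
        "0:ABCDEFGHIJKLMNOPQRSTUVWXYZ",
        "0:0123456789",
        "0:!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
    ],
    "min-character-sets": 3,
    "allow-unclassified-characters": True,
}


def parse_character_sets(values):
    """'0:chars' -> (required=False, chars); '1:chars' -> (required=True, chars)."""
    parsed = []
    for value in values:
        flag, sep, chars = value.partition(":")
        if flag not in ("0", "1") or not sep or not chars:
            raise ValueError(f"bad character-set value: {value!r}")
        parsed.append((flag == "1", frozenset(chars)))
    return parsed


def validate(password, config):
    """Return (accepted, reason) for a proposed password.

    Rules as read from the page: every '1:' set must contribute at least one
    character; at least min-character-sets of the '0:' sets must contribute;
    characters outside every set are rejected unless
    allow-unclassified-characters is true.
    """
    sets = parse_character_sets(config["character-set"])
    classified = frozenset().union(*(chars for _, chars in sets))
    unclassified = sorted({c for c in password if c not in classified})
    if unclassified and not config.get("allow-unclassified-characters", False):
        return False, f"unclassified characters not allowed: {''.join(unclassified)!r}"

    def used(chars):
        return any(c in chars for c in password)

    missing_required = [chars for required, chars in sets if required and not used(chars)]
    if missing_required:
        return False, f"{len(missing_required)} required character set(s) not represented"

    optional = [chars for required, chars in sets if not required]
    represented = sum(1 for chars in optional if used(chars))
    minimum = config.get("min-character-sets", 0)
    if represented < minimum:
        return False, (f"characters from only {represented} of {len(optional)} optional "
                       f"sets; at least {minimum} required")
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("!ABcd$%^", "hifalutin", "eak77qdi", "pld^06:)529HTq$'"):
        print(repr(candidate), validate(candidate, CUSTOM_VALIDATOR))
```

<para>Because the validator only runs when a password is set, a script like this
is also the practical way to estimate how many of your users' current passwords
would fail a new rule: run it over a sample of clear-text passwords from a test
population before you attach the validator to the production policy.</para>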
97cb8289f277962530b3890287205dca5401bb4amark
97cb8289f277962530b3890287205dca5401bb4amark <para>
97cb8289f277962530b3890287205dca5401bb4amark You can reference password validators from subentry password policies.
97cb8289f277962530b3890287205dca5401bb4amark See <xref linkend="pwp-replicated" /> for an example.
97cb8289f277962530b3890287205dca5401bb4amark </para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </section>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <section xml:id="sample-password-policies">
391d13679315472c5e7b2abcde000787152da4c6mark <title>Sample Password Policies</title>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark The sample password policies in this section demonstrate
391d13679315472c5e7b2abcde000787152da4c6mark OpenDJ server based password policies for several common cases.
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <indexterm>
391d13679315472c5e7b2abcde000787152da4c6mark <primary>Password policy</primary>
391d13679315472c5e7b2abcde000787152da4c6mark <secondary>Samples</secondary>
391d13679315472c5e7b2abcde000787152da4c6mark </indexterm>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <itemizedlist>
391d13679315472c5e7b2abcde000787152da4c6mark <listitem>
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark <xref linkend="example-enforce-regular-password-changes" />
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark </listitem>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <listitem>
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark <xref linkend="example-track-last-login" />
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark </listitem>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <listitem>
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark <xref linkend="example-deprecate-storage-scheme" />
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark </listitem>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <listitem>
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark <xref linkend="example-lock-idle-accounts" />
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark </listitem>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <listitem>
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark <xref linkend="example-allow-grace-login" />
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark </listitem>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <listitem>
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark <xref linkend="example-require-password-change-on-add-or-reset" />
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark </listitem>
391d13679315472c5e7b2abcde000787152da4c6mark </itemizedlist>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <example xml:id="example-enforce-regular-password-changes">
391d13679315472c5e7b2abcde000787152da4c6mark <?dbfo keep-together="auto"?>
391d13679315472c5e7b2abcde000787152da4c6mark <title>Enforce Regular Password Changes</title>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark The following commands configure an OpenDJ server based password policy
391d13679315472c5e7b2abcde000787152da4c6mark that sets age limits on passwords, requiring that they change periodically.
391d13679315472c5e7b2abcde000787152da4c6mark It also sets the number of passwords to keep in the password history
391d13679315472c5e7b2abcde000787152da4c6mark of the entry, thereby preventing users from reusing the same password
391d13679315472c5e7b2abcde000787152da4c6mark on consecutive changes. The minimum password age works together with the
391d13679315472c5e7b2abcde000787152da4c6mark history: without it, a user could change the password several times in
391d13679315472c5e7b2abcde000787152da4c6mark quick succession to push the old one out of the history and set it again.
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <screen>$ dsconfig create-password-policy \
391d13679315472c5e7b2abcde000787152da4c6mark --port 4444 \
391d13679315472c5e7b2abcde000787152da4c6mark --hostname opendj.example.com \
391d13679315472c5e7b2abcde000787152da4c6mark --bindDN "cn=Directory Manager" \
391d13679315472c5e7b2abcde000787152da4c6mark --bindPassword password \
391d13679315472c5e7b2abcde000787152da4c6mark --policy-name "Enforce Regular Password Changes" \
391d13679315472c5e7b2abcde000787152da4c6mark --type password-policy \
391d13679315472c5e7b2abcde000787152da4c6mark --set default-password-storage-scheme:"Salted SHA-1" \
391d13679315472c5e7b2abcde000787152da4c6mark --set password-attribute:userPassword \
391d13679315472c5e7b2abcde000787152da4c6mark --set max-password-age:13w \
391d13679315472c5e7b2abcde000787152da4c6mark --set min-password-age:4w \
391d13679315472c5e7b2abcde000787152da4c6mark --set password-history-count:7 \
391d13679315472c5e7b2abcde000787152da4c6mark --trustAll \
391d13679315472c5e7b2abcde000787152da4c6mark --no-prompt</screen>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark See also <xref linkend="assign-pwp" /> for instructions on using the policy.
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark </example>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <example xml:id="example-track-last-login">
391d13679315472c5e7b2abcde000787152da4c6mark <?dbfo keep-together="auto"?>
391d13679315472c5e7b2abcde000787152da4c6mark <title>Track Last Login Time</title>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark The following commands configure an OpenDJ server-based password policy
391d13679315472c5e7b2abcde000787152da4c6mark that keeps track of the last successful login.
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark First, set up an attribute to which OpenDJ directory server
391d13679315472c5e7b2abcde000787152da4c6mark can write a timestamp value on successful login.
391d13679315472c5e7b2abcde000787152da4c6mark For additional information, also see the example <link
391d13679315472c5e7b2abcde000787152da4c6mark xlink:href="admin-guide#configure-account-lockout"
391d13679315472c5e7b2abcde000787152da4c6mark xlink:show="new" xlink:role="http://docbook.org/xlink/role/olink"
391d13679315472c5e7b2abcde000787152da4c6mark ><citetitle>Search: List Active Accounts</citetitle></link>.
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <screen>$ ldapmodify \
391d13679315472c5e7b2abcde000787152da4c6mark --port 1389 \
391d13679315472c5e7b2abcde000787152da4c6mark --hostname opendj.example.com \
391d13679315472c5e7b2abcde000787152da4c6mark --bindDN "cn=Directory Manager" \
391d13679315472c5e7b2abcde000787152da4c6mark --bindPassword password
391d13679315472c5e7b2abcde000787152da4c6markdn: cn=schema
391d13679315472c5e7b2abcde000787152da4c6markchangetype: modify
391d13679315472c5e7b2abcde000787152da4c6markadd: attributeTypes
391d13679315472c5e7b2abcde000787152da4c6markattributeTypes: ( lastLoginTime-oid
391d13679315472c5e7b2abcde000787152da4c6mark NAME 'lastLoginTime'
391d13679315472c5e7b2abcde000787152da4c6mark DESC 'Last time the user logged in'
391d13679315472c5e7b2abcde000787152da4c6mark EQUALITY generalizedTimeMatch
391d13679315472c5e7b2abcde000787152da4c6mark ORDERING generalizedTimeOrderingMatch
391d13679315472c5e7b2abcde000787152da4c6mark SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
391d13679315472c5e7b2abcde000787152da4c6mark SINGLE-VALUE
391d13679315472c5e7b2abcde000787152da4c6mark NO-USER-MODIFICATION
391d13679315472c5e7b2abcde000787152da4c6mark USAGE directoryOperation
391d13679315472c5e7b2abcde000787152da4c6mark X-ORIGIN 'OpenDJ example documentation' )
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6markProcessing MODIFY request for cn=schema
391d13679315472c5e7b2abcde000787152da4c6markMODIFY operation successful for DN cn=schema</screen>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark Next, create the password policy that causes OpenDJ directory server
391d13679315472c5e7b2abcde000787152da4c6mark to write the timestamp to the attribute on successful login.
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <screen>$ dsconfig create-password-policy \
391d13679315472c5e7b2abcde000787152da4c6mark --port 4444 \
391d13679315472c5e7b2abcde000787152da4c6mark --hostname opendj.example.com \
391d13679315472c5e7b2abcde000787152da4c6mark --bindDN "cn=Directory Manager" \
391d13679315472c5e7b2abcde000787152da4c6mark --bindPassword password \
391d13679315472c5e7b2abcde000787152da4c6mark --policy-name "Track Last Login Time" \
391d13679315472c5e7b2abcde000787152da4c6mark --type password-policy \
391d13679315472c5e7b2abcde000787152da4c6mark --set default-password-storage-scheme:"Salted SHA-1" \
391d13679315472c5e7b2abcde000787152da4c6mark --set password-attribute:userPassword \
391d13679315472c5e7b2abcde000787152da4c6mark --set last-login-time-attribute:lastLoginTime \
391d13679315472c5e7b2abcde000787152da4c6mark --set last-login-time-format:"yyyyMMddHH'Z'" \
391d13679315472c5e7b2abcde000787152da4c6mark --trustAll \
391d13679315472c5e7b2abcde000787152da4c6mark --no-prompt</screen>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark See also <xref linkend="assign-pwp" /> for instructions on using the policy.
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark </example>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <example xml:id="example-deprecate-storage-scheme">
391d13679315472c5e7b2abcde000787152da4c6mark <?dbfo keep-together="auto"?>
391d13679315472c5e7b2abcde000787152da4c6mark <title>Deprecate a Password Storage Scheme</title>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark The following commands configure an OpenDJ server-based password policy
391d13679315472c5e7b2abcde000787152da4c6mark that you can use when deprecating a password storage scheme.
391d13679315472c5e7b2abcde000787152da4c6mark This policy reuses the age limits from
391d13679315472c5e7b2abcde000787152da4c6mark <xref linkend="example-enforce-regular-password-changes" />,
391d13679315472c5e7b2abcde000787152da4c6mark because OpenDJ directory server only employs the new password storage scheme
391d13679315472c5e7b2abcde000787152da4c6mark to hash or to encrypt passwords when a password changes.
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <screen>$ dsconfig create-password-policy \
391d13679315472c5e7b2abcde000787152da4c6mark --port 4444 \
391d13679315472c5e7b2abcde000787152da4c6mark --hostname opendj.example.com \
391d13679315472c5e7b2abcde000787152da4c6mark --bindDN "cn=Directory Manager" \
391d13679315472c5e7b2abcde000787152da4c6mark --bindPassword password \
391d13679315472c5e7b2abcde000787152da4c6mark --policy-name "Deprecate a Password Storage Scheme" \
391d13679315472c5e7b2abcde000787152da4c6mark --type password-policy \
391d13679315472c5e7b2abcde000787152da4c6mark --set deprecated-password-storage-scheme:Crypt \
391d13679315472c5e7b2abcde000787152da4c6mark --set default-password-storage-scheme:"Salted SHA-1" \
391d13679315472c5e7b2abcde000787152da4c6mark --set password-attribute:userPassword \
391d13679315472c5e7b2abcde000787152da4c6mark --set max-password-age:13w \
391d13679315472c5e7b2abcde000787152da4c6mark --set min-password-age:4w \
391d13679315472c5e7b2abcde000787152da4c6mark --set password-history-count:7 \
391d13679315472c5e7b2abcde000787152da4c6mark --trustAll \
391d13679315472c5e7b2abcde000787152da4c6mark --no-prompt</screen>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark See also <xref linkend="assign-pwp" /> for instructions on using the policy.
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark </example>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <example xml:id="example-lock-idle-accounts">
391d13679315472c5e7b2abcde000787152da4c6mark <?dbfo keep-together="auto"?>
391d13679315472c5e7b2abcde000787152da4c6mark <title>Lock Idle Accounts</title>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark The following commands configure an OpenDJ server-based password policy
391d13679315472c5e7b2abcde000787152da4c6mark that locks idle accounts.
391d13679315472c5e7b2abcde000787152da4c6mark This policy extends the example from
391d13679315472c5e7b2abcde000787152da4c6mark <xref linkend="example-track-last-login" />,
391d13679315472c5e7b2abcde000787152da4c6mark as OpenDJ directory server must track the last successful login time
391d13679315472c5e7b2abcde000787152da4c6mark in order to calculate how long the account has been idle.
391d13679315472c5e7b2abcde000787152da4c6mark You must first add the <literal>lastLoginTime</literal> attribute type
391d13679315472c5e7b2abcde000787152da4c6mark in order for OpenDJ directory server to accept this new password policy.
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <screen>$ dsconfig create-password-policy \
391d13679315472c5e7b2abcde000787152da4c6mark --port 4444 \
391d13679315472c5e7b2abcde000787152da4c6mark --hostname opendj.example.com \
391d13679315472c5e7b2abcde000787152da4c6mark --bindDN "cn=Directory Manager" \
391d13679315472c5e7b2abcde000787152da4c6mark --bindPassword password \
391d13679315472c5e7b2abcde000787152da4c6mark --policy-name "Lock Idle Accounts" \
391d13679315472c5e7b2abcde000787152da4c6mark --type password-policy \
391d13679315472c5e7b2abcde000787152da4c6mark --set default-password-storage-scheme:"Salted SHA-1" \
391d13679315472c5e7b2abcde000787152da4c6mark --set password-attribute:userPassword \
391d13679315472c5e7b2abcde000787152da4c6mark --set last-login-time-attribute:lastLoginTime \
391d13679315472c5e7b2abcde000787152da4c6mark --set last-login-time-format:"yyyyMMddHH'Z'" \
391d13679315472c5e7b2abcde000787152da4c6mark --set idle-lockout-interval:13w \
391d13679315472c5e7b2abcde000787152da4c6mark --trustAll \
391d13679315472c5e7b2abcde000787152da4c6mark --no-prompt</screen>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark See also <xref linkend="assign-pwp" />,
391d13679315472c5e7b2abcde000787152da4c6mark and <link xlink:href="admin-guide#configure-account-lockout"
391d13679315472c5e7b2abcde000787152da4c6mark xlink:show="new" xlink:role="http://docbook.org/xlink/role/olink"
391d13679315472c5e7b2abcde000787152da4c6mark ><citetitle>Configuring Account Lockout</citetitle></link>.
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark </example>
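<para>
The "Deprecate a Password Storage Scheme" and "Lock Idle Accounts" policies above leave the administrator with two things to verify: which accounts still hold a password stored with the deprecated scheme, and which accounts have been idle for longer than the idle-lockout-interval. The following Python script is an added example, not code from OpenDJ or from this guide. It audits an LDIF export, as ldapsearch would produce one, using the last-login-time-format and the 13-week interval set in the examples above. The export below is constructed for the example, the hash payloads in it are placeholders rather than real digests, and the cut-off date is an assumption.
</para>

```python
"""Audit an LDIF export against the password policies above.

Added example, not OpenDJ code. Assumptions (hypothetical): the entries come
from an ldapsearch export made by an account allowed to read userPassword and
lastLoginTime; the sample LDIF below is constructed, and its hash values are
placeholders, not real digests.
"""
import base64
import re
from datetime import datetime, timedelta

# Java SimpleDateFormat fields used by last-login-time-format -> strptime codes.
_JAVA_TO_STRPTIME = {"yyyy": "%Y", "MM": "%m", "dd": "%d",
                     "HH": "%H", "mm": "%M", "ss": "%S"}


def java_time_pattern_to_strptime(pattern):
    """Convert e.g. "yyyyMMddHH'Z'" (the format set in the policy) to "%Y%m%d%HZ".

    Quoted text such as 'Z' is copied literally."""
    def repl(match):
        if match.group(1) is not None:
            return match.group(1).replace("%", "%%")
        return _JAVA_TO_STRPTIME[match.group(0)]
    return re.sub(r"'([^']*)'|yyyy|MM|dd|HH|mm|ss", repl, pattern)


def parse_ldif(text):
    """Split LDIF into a list of {attribute name (lower-cased): [values]} dicts.

    Handles folded continuation lines (leading space) and base64 values ("attr:: ...")."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:          # trailing "" flushes the last record
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


_SCHEME_RE = re.compile(r"^\{([^}]+)\}")


def storage_scheme(stored_password):
    """Return the scheme tag of a stored userPassword value ("SSHA", "CRYPT", ...).
    None means the value carries no scheme tag, i.e. it is stored in clear."""
    match = _SCHEME_RE.match(stored_password)
    return match.group(1).upper() if match else None


def audit(ldif_text, now, idle_lockout=timedelta(weeks=13),
          last_login_format="yyyyMMddHH'Z'", deprecated_schemes=("CRYPT",)):
    """Report DNs that are idle longer than idle-lockout-interval, DNs whose
    password still uses a deprecated scheme, and DNs with no recorded login.
    Accounts without lastLoginTime are listed separately, not counted as idle,
    because the export alone does not say how long they have been idle."""
    fmt = java_time_pattern_to_strptime(last_login_format)
    deprecated = {s.upper() for s in deprecated_schemes}
    report = {"idle": [], "deprecated_scheme": [], "never_logged_in": []}
    for entry in parse_ldif(ldif_text):
        if "userpassword" not in entry:    # not an account that binds with a password
            continue
        dn = entry["dn"][0]
        if any(storage_scheme(pw) in deprecated for pw in entry["userpassword"]):
            report["deprecated_scheme"].append(dn)
        last_login = entry.get("lastlogintime")
        if not last_login:
            report["never_logged_in"].append(dn)
        elif now - datetime.strptime(last_login[0], fmt) > idle_lockout:
            report["idle"].append(dn)
    return report


# Constructed sample export; hash payloads are placeholders, not real digests.
_B64_CRYPT = base64.b64encode(b"{CRYPT}placeholderCryptHash").decode("ascii")
SAMPLE_LDIF = """\
dn: uid=bjensen,ou=People,dc=example,dc=com
uid: bjensen
userPassword: {SSHA}placeholderSaltedSha1Hash
lastLoginTime: 2014030114Z

dn: uid=kvaughan,ou=People,dc=example,dc=com
uid: kvaughan
userPassword:: %s
lastLoginTime: 2013100112Z

dn: uid=newhire,ou=People,dc=example,dc=com
uid: newhire
userPassword: {SSHA}placeholderSaltedSha1Hash

dn: ou=People,dc=example,dc=com
ou: People
""" % _B64_CRYPT


def run_sample():
    """Audit the constructed export as of 2014-03-09 12:00 UTC (assumed cut-off)."""
    return audit(SAMPLE_LDIF, datetime(2014, 3, 9, 12))


if __name__ == "__main__":
    for category, dns in run_sample().items():
        print(category, dns)
```

<para>
The format set in the policy, <literal>yyyyMMddHH'Z'</literal>, has hour resolution, which is adequate for a 13-week interval; a policy that used minutes or seconds would only need the corresponding SimpleDateFormat fields, which the converter above already maps.
</para>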
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <example xml:id="example-allow-grace-login">
391d13679315472c5e7b2abcde000787152da4c6mark <?dbfo keep-together="auto"?>
391d13679315472c5e7b2abcde000787152da4c6mark <title>Allow Grace Login to Change Expired Password</title>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark The following commands configure an OpenDJ server-based password policy
391d13679315472c5e7b2abcde000787152da4c6mark that allows users to log in after their password has expired
391d13679315472c5e7b2abcde000787152da4c6mark so that they can choose a new password.
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <screen>$ dsconfig create-password-policy \
391d13679315472c5e7b2abcde000787152da4c6mark --port 4444 \
391d13679315472c5e7b2abcde000787152da4c6mark --hostname opendj.example.com \
391d13679315472c5e7b2abcde000787152da4c6mark --bindDN "cn=Directory Manager" \
391d13679315472c5e7b2abcde000787152da4c6mark --bindPassword password \
391d13679315472c5e7b2abcde000787152da4c6mark --policy-name "Allow Grace Login" \
391d13679315472c5e7b2abcde000787152da4c6mark --type password-policy \
391d13679315472c5e7b2abcde000787152da4c6mark --set default-password-storage-scheme:"Salted SHA-1" \
391d13679315472c5e7b2abcde000787152da4c6mark --set password-attribute:userPassword \
391d13679315472c5e7b2abcde000787152da4c6mark --set grace-login-count:2 \
391d13679315472c5e7b2abcde000787152da4c6mark --trustAll \
391d13679315472c5e7b2abcde000787152da4c6mark --no-prompt</screen>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark See also <xref linkend="assign-pwp" /> for instructions on using the policy.
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark </example>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <example xml:id="example-require-password-change-on-add-or-reset">
391d13679315472c5e7b2abcde000787152da4c6mark <?dbfo keep-together="auto"?>
391d13679315472c5e7b2abcde000787152da4c6mark <title>Require Password Change on Add or Reset</title>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark The following commands configure an OpenDJ server-based password policy
391d13679315472c5e7b2abcde000787152da4c6mark that requires new users to change their password
391d13679315472c5e7b2abcde000787152da4c6mark after logging in for the first time,
391d13679315472c5e7b2abcde000787152da4c6mark and also requires users to change their password
391d13679315472c5e7b2abcde000787152da4c6mark after their password is reset.
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <screen>$ dsconfig create-password-policy \
391d13679315472c5e7b2abcde000787152da4c6mark --port 4444 \
391d13679315472c5e7b2abcde000787152da4c6mark --hostname opendj.example.com \
391d13679315472c5e7b2abcde000787152da4c6mark --bindDN "cn=Directory Manager" \
391d13679315472c5e7b2abcde000787152da4c6mark --bindPassword password \
391d13679315472c5e7b2abcde000787152da4c6mark --policy-name "Require Password Change on Add or Reset" \
391d13679315472c5e7b2abcde000787152da4c6mark --type password-policy \
391d13679315472c5e7b2abcde000787152da4c6mark --set default-password-storage-scheme:"Salted SHA-1" \
391d13679315472c5e7b2abcde000787152da4c6mark --set password-attribute:userPassword \
391d13679315472c5e7b2abcde000787152da4c6mark --set force-change-on-add:true \
391d13679315472c5e7b2abcde000787152da4c6mark --set force-change-on-reset:true \
391d13679315472c5e7b2abcde000787152da4c6mark --trustAll \
391d13679315472c5e7b2abcde000787152da4c6mark --no-prompt</screen>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark <para>
391d13679315472c5e7b2abcde000787152da4c6mark See also <xref linkend="assign-pwp" /> for instructions on using the policy.
391d13679315472c5e7b2abcde000787152da4c6mark </para>
391d13679315472c5e7b2abcde000787152da4c6mark </example>
391d13679315472c5e7b2abcde000787152da4c6mark
391d13679315472c5e7b2abcde000787152da4c6mark </section>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark</chapter>