11.2. Configuring Password Policies

You configure server based password policies using the dsconfig command. Note that server based password policies are part of the server configuration, and are therefore not replicated, so you configure them on each server separately. Alternatively, you can configure a subset of password policy features using subentry based password policies, which are stored with the replicated server data. This section covers both server based and subentry based password policies.

Procedure 11.1. To Adjust the Default Password Policy

You can reconfigure the default password policy, for example, to enforce password expiration, to check that passwords do not match dictionary words, and to prevent password reuse. This default policy is a server based password policy.

  1. Enable the appropriate password validator.

    $ dsconfig \
     set-password-validator-prop \
     --port 4444 \
     --hostname opendj.example.com \
     --bindDN "cn=Directory Manager" \
     --bindPassword password \
     --validator-name Dictionary \
     --set enabled:true \
     --set check-substrings:true \
     --set min-substring-length:4 \
     --trustAll \
     --no-prompt
  2. Apply the changes to the default password policy.

    $ dsconfig \
     set-password-policy-prop \
     --port 4444 \
     --hostname opendj.example.com \
     --bindDN "cn=Directory Manager" \
     --bindPassword password \
     --policy-name "Default Password Policy" \
     --set max-password-age:90d \
     --set min-password-age:4w \
     --set password-history-count:7 \
     --set password-validator:Dictionary \
     --trustAll \
     --no-prompt
  3. Check your work.

    $ dsconfig \
     get-password-policy-prop \
     --port 4444 \
     --hostname opendj.example.com \
     --bindDN "cn=Directory Manager" \
     --bindPassword password \
     --policy-name "Default Password Policy"
    Property                                  : Value(s)
    ------------------------------------------:--------------------------
    account-status-notification-handler       : -
    allow-expired-password-changes            : false
    allow-user-password-changes               : true
    default-password-storage-scheme           : Salted SHA-1
    deprecated-password-storage-scheme        : -
    expire-passwords-without-warning          : false
    force-change-on-add                       : false
    force-change-on-reset                     : false
    grace-login-count                         : 0
    idle-lockout-interval                     : 0 s
    last-login-time-attribute                 : -
    last-login-time-format                    : -
    lockout-duration                          : 0 s
    lockout-failure-count                     : 0
    lockout-failure-expiration-interval       : 0 s
    max-password-age                          : 12 w 6 d
    max-password-reset-age                    : 0 s
    min-password-age                          : 4 w
    password-attribute                        : userpassword
    password-change-requires-current-password : false
    password-expiration-warning-interval      : 5 d
    password-generator                        : Random Password Generator
    password-history-count                    : 7
    password-history-duration                 : 0 s
    password-validator                        : Dictionary
    previous-last-login-time-format           : -
    require-change-by-time                    : -
    require-secure-authentication             : false
    require-secure-password-changes           : false

Procedure 11.2. To Create a Server Based Password Policy

You can add a password policy, for example for new users who have not yet used their credentials to bind.

  1. Create the new password policy.

    $ dsconfig \
     create-password-policy \
     --port 4444 \
     --hostname opendj.example.com \
     --bindDN "cn=Directory Manager" \
     --bindPassword password \
     --policy-name "New Account Password Policy" \
     --set default-password-storage-scheme:"Salted SHA-1" \
     --set force-change-on-add:true \
     --set password-attribute:userPassword \
     --type password-policy \
     --trustAll \
     --no-prompt
  2. Check your work.

    $ dsconfig \
     get-password-policy-prop \
     --port 4444 \
     --hostname opendj.example.com \
     --bindDN "cn=Directory Manager" \
     --bindPassword password \
     --policy-name "New Account Password Policy"
    Property                                  : Value(s)
    ------------------------------------------:-------------
    account-status-notification-handler       : -
    allow-expired-password-changes            : false
    allow-user-password-changes               : true
    default-password-storage-scheme           : Salted SHA-1
    deprecated-password-storage-scheme        : -
    expire-passwords-without-warning          : false
    force-change-on-add                       : true
    force-change-on-reset                     : false
    grace-login-count                         : 0
    idle-lockout-interval                     : 0 s
    last-login-time-attribute                 : -
    last-login-time-format                    : -
    lockout-duration                          : 0 s
    lockout-failure-count                     : 0
    lockout-failure-expiration-interval       : 0 s
    max-password-age                          : 0 s
    max-password-reset-age                    : 0 s
    min-password-age                          : 0 s
    password-attribute                        : userpassword
    password-change-requires-current-password : false
    password-expiration-warning-interval      : 5 d
    password-generator                        : -
    password-history-count                    : 0
    password-history-duration                 : 0 s
    password-validator                        : -
    previous-last-login-time-format           : -
    require-change-by-time                    : -
    require-secure-authentication             : false
    require-secure-password-changes           : false

    If you use a password policy like this, you might want to change the user's policy again once the new user has successfully changed the password.
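The "Check your work" steps of Procedures 11.1 and 11.2 leave it to you to read the property table by eye. The following script is an added example, not part of the OpenDJ documentation: it compares the output of dsconfig get-password-policy-prop against a baseline of required values and reports every property that is missing or differs, so a policy drift (for example, a lockout or history setting quietly reset to the defaults) is caught by a return code rather than a glance. The baselines and the two sample outputs are constructed from the values shown in the procedures; the two "true" requirements in the default baseline are an assumed hardening standard, not something the page sets.

```shell
#!/bin/sh
# Added example, not from the OpenDJ documentation: check the output of
# "dsconfig get-password-policy-prop" (Procedures 11.1 and 11.2) against a
# baseline of required property values and report every deviation. The
# baselines and sample outputs below are constructed from the values the
# procedures show; tighten them to your own standard.

# Baseline for the default policy: one "property|required-value" per line.
# The last two lines are an assumed hardening requirement (the page leaves
# both properties at false).
DEFAULT_BASELINE='max-password-age|12 w 6 d
min-password-age|4 w
password-history-count|7
password-validator|Dictionary
password-change-requires-current-password|true
require-secure-password-changes|true'

# Baseline for the new-account policy from Procedure 11.2.
NEW_ACCOUNT_BASELINE='force-change-on-add|true
default-password-storage-scheme|Salted SHA-1
password-attribute|userpassword'

# Sample output of get-password-policy-prop for the default policy
# (constructed; in practice, pipe the real command output in).
DEFAULT_SAMPLE='Property                                  : Value(s)
------------------------------------------:--------------------------
allow-user-password-changes               : true
max-password-age                          : 12 w 6 d
min-password-age                          : 4 w
password-change-requires-current-password : false
password-history-count                    : 7
password-validator                        : Dictionary
require-secure-password-changes           : false'

# Sample output for the new-account policy (constructed).
NEW_ACCOUNT_SAMPLE='Property                                  : Value(s)
------------------------------------------:-------------
default-password-storage-scheme           : Salted SHA-1
force-change-on-add                       : true
password-attribute                        : userpassword'

# Print the value of property $1 from "Property : Value(s)" output on stdin;
# prints nothing when the property is absent. The separator is " : ", so
# values that themselves contain spaces (e.g. "12 w 6 d") survive intact.
get_prop() {
    awk -F' : ' -v name="$1" '{
        sub(/[ \t]+$/, "", $1)
        if ($1 == name) { sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2 }
    }'
}

# check_policy BASELINE < dsconfig-output
# Prints one DEVIATION line per property that is missing or differs from the
# baseline and returns the number of deviations (0 means compliant).
check_policy() {
    baseline=$1
    output=$(cat)
    deviations=0
    while IFS='|' read -r name required; do
        [ -z "$name" ] && continue
        actual=$(printf '%s\n' "$output" | get_prop "$name")
        if [ "$actual" != "$required" ]; then
            printf 'DEVIATION %s: required "%s", found "%s"\n' \
                "$name" "$required" "${actual:-<absent>}"
            deviations=$((deviations + 1))
        fi
    done <<EOF
$baseline
EOF
    return "$deviations"
}

# Usage against a live server (assumed invocation, same options as the
# procedures above):
#   dsconfig get-password-policy-prop --port 4444 --hostname opendj.example.com \
#     --bindDN "cn=Directory Manager" --bindPassword password \
#     --policy-name "Default Password Policy" --trustAll --no-prompt \
#     | check_policy "$DEFAULT_BASELINE"
```

Run against the constructed default-policy sample, check_policy reports two deviations (password-change-requires-current-password and require-secure-password-changes are false) and returns 2; the new-account sample matches its baseline and returns 0. Because the return code is the deviation count, the same function drops straight into a cron job or a CI step that fails when a server's policy no longer matches the standard.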

Procedure 11.3. To Create a Subentry Based Password Policy

You can add a subentry to configure a password policy that applies to Directory Administrators.

  1. Create the entry that specifies the password policy.

    $ cat /path/to/subentry-pwp.ldif
    dn: cn=Subentry Password Policy,dc=example,dc=com
    objectClass: top
    objectClass: subentry
    objectClass: pwdPolicy
    cn: Subentry Password Policy
    pwdAttribute: userPassword
    pwdLockout: TRUE
    pwdMaxFailure: 3
    pwdFailureCountInterval: 300
    pwdLockoutDuration: 300
    pwdAllowUserChange: TRUE
    pwdSafeModify: TRUE
    subtreeSpecification: {base "ou=people", specificationFilter
      "(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }
  2. Add the policy to the directory.

    $ ldapmodify \
     --port 1389 \
     --bindDN "cn=Directory Manager" \
     --bindPassword password \
     --defaultAdd \
     --filename /path/to/subentry-pwp.ldif
    Processing ADD request for cn=Subentry Password Policy,dc=example,dc=com
    ADD operation successful for DN cn=Subentry Password Policy,dc=example,dc=com
  3. Check that the policy applies as specified.

    In the example, the policy should apply to a Directory Administrator, while a normal user has the default password policy. Here, Kirsten Vaughan is a member of the Directory Administrators group, and Babs Jensen is not a member.

    $ ldapsearch \
     --port 1389 \
     --baseDN dc=example,dc=com \
     uid=kvaughan \
     pwdPolicySubentry
    dn: uid=kvaughan,ou=People,dc=example,dc=com
    pwdPolicySubentry: cn=Subentry Password Policy,dc=example,dc=com
    
    $ ldapsearch \
     --port 1389 \
     --baseDN dc=example,dc=com \
     uid=bjensen \
     pwdPolicySubentry
    dn: uid=bjensen,ou=People,dc=example,dc=com
    pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config
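Step 3 checks two accounts by hand. When the subtreeSpecification filter depends on group membership, the set of accounts under the stricter policy changes whenever the group changes, so the check is worth repeating over every account. The following script is an added example and not part of the OpenDJ documentation: it reads ldapsearch output that requests pwdPolicySubentry for many entries at once, maps each uid to the policy the server actually applies, and compares that mapping with the policy each account is expected to have. The sample search output is constructed from the two results above; the search filter "(uid=*)" in the usage comment and the expected-policy list are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the OpenDJ documentation: audit which password
# policy the server applies to each account, from the output of a search
# such as (assumed invocation, same options as the procedure above):
#   ldapsearch --port 1389 --baseDN dc=example,dc=com "(uid=*)" pwdPolicySubentry
# The sample output below is constructed from the two searches in step 3.

SAMPLE_SEARCH='dn: uid=kvaughan,ou=People,dc=example,dc=com
pwdPolicySubentry: cn=Subentry Password Policy,dc=example,dc=com

dn: uid=bjensen,ou=People,dc=example,dc=com
pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config
'

# Expected policy per account, "uid|policy DN" (constructed): members of
# Directory Administrators must be under the subentry policy, everyone
# else under the default policy.
EXPECTED='kvaughan|cn=Subentry Password Policy,dc=example,dc=com
bjensen|cn=Default Password Policy,cn=Password Policies,cn=config'

# Turn LDIF-style search output on stdin into "uid|policy DN" lines, one
# per entry. Entries that carry no pwdPolicySubentry are reported as
# "<none>"; entries whose DN does not start with uid= are keyed by full DN.
map_policies() {
    awk '
        function flush() { if (dn != "") print uid "|" pol }
        /^dn: / {
            flush()
            dn = substr($0, 5)
            uid = dn
            if (sub(/^uid=/, "", uid)) sub(/,.*/, "", uid); else uid = dn
            pol = "<none>"
        }
        /^pwdPolicySubentry: / { pol = substr($0, 20) }
        END { flush() }
    '
}

# audit_policies < mapping-lines
# Compares the mapping with EXPECTED, prints one MISMATCH line per account
# whose applied policy is not the expected one (or that is missing from the
# search output) and returns the number of mismatches.
audit_policies() {
    mapping=$(cat)
    mismatches=0
    while IFS='|' read -r uid expected; do
        [ -z "$uid" ] && continue
        actual=$(printf '%s\n' "$mapping" | awk -F'|' -v u="$uid" '$1 == u { print $2 }')
        if [ "$actual" != "$expected" ]; then
            printf 'MISMATCH %s: expected "%s", got "%s"\n' \
                "$uid" "$expected" "${actual:-<not found>}"
            mismatches=$((mismatches + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    return "$mismatches"
}

# Usage: ldapsearch ... "(uid=*)" pwdPolicySubentry | map_policies | audit_policies
```

On the constructed sample the audit returns 0. If Babs Jensen were added to Directory Administrators, her entry would start reporting the subentry policy and the audit would flag her until the expected list is updated; conversely, an administrator who leaves the group silently drops back to the default policy (no lockout in the configuration shown above), which is exactly the kind of change this check surfaces.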