You manage server-based password policies in the OpenDJ configuration by using the dsconfig command. Because they are part of the server configuration, password policies are not replicated. You must instead apply password policy configuration updates to each replica in your deployment.
By default, OpenDJ includes two password policy configurations, one default for all users, and another for directory root DN users, such as cn=Directory Manager. You can see all the default password policy settings using the dsconfig command as follows.
$ dsconfig get-password-policy-prop --port 4444 --hostname opendj.example.com \
  --bindDN "cn=Directory Manager" --bindPassword password \
  --policy-name "Default Password Policy" --advanced
Property                                  : Value(s)
------------------------------------------:--------------------------
account-status-notification-handler       : -
allow-expired-password-changes            : false
allow-multiple-password-values            : false
allow-pre-encoded-passwords               : false
allow-user-password-changes               : true
default-password-storage-scheme           : Salted SHA-1
deprecated-password-storage-scheme        : -
expire-passwords-without-warning          : false
force-change-on-add                       : false
force-change-on-reset                     : false
grace-login-count                         : 0
idle-lockout-interval                     : 0 s
last-login-time-attribute                 : -
last-login-time-format                    : -
lockout-duration                          : 0 s
lockout-failure-count                     : 0
lockout-failure-expiration-interval       : 0 s
max-password-age                          : 0 s
max-password-reset-age                    : 0 s
min-password-age                          : 0 s
password-attribute                        : userpassword
password-change-requires-current-password : false
password-expiration-warning-interval      : 5 d
password-generator                        : Random Password Generator
password-history-count                    : 0
password-history-duration                 : 0 s
password-validator                        : -
previous-last-login-time-format           : -
require-change-by-time                    : -
require-secure-authentication             : false
require-secure-password-changes           : false
skip-validation-for-administrators        : false
state-update-failure-policy               : reactive
See the OpenDJ Configuration Reference page on Password Policy for detailed descriptions of each property.
Here you notice that many capabilities are not enabled by default: no account lockout, no password expiration, no password history, no support for multiple password values, and no password validator to check that passwords contain an appropriate mix of characters. This means that if you decide to use the directory to enforce password policy, you must configure at least the default password policy to meet your needs.
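The following script is an added example, not part of the OpenDJ documentation or distribution, that turns on lockout, expiration, history and a validator in the default policy and, because password policies are server configuration rather than replicated data, repeats the change on every replica. It uses only dsconfig options shown on this page plus --set, --bindPasswordFile, --trustAll and --no-prompt. The host names in REPLICAS, the password file path, the threshold values and the reliance on the "Length-Based Password Validator" entry that ships in the default OpenDJ configuration are assumptions to adjust for your deployment. The script prints the commands it would run until you set DRY_RUN=0.

```shell
#!/bin/sh
# Added example: harden OpenDJ's "Default Password Policy" on every replica.
# Assumes dsconfig is on PATH, the administration connector listens on
# ADMIN_PORT on each host, and the bind password is in BIND_PW_FILE.
# Safe by default: commands are printed, not executed, until DRY_RUN=0.
REPLICAS="${REPLICAS:-opendj.example.com opendj2.example.com}"   # assumed hosts
ADMIN_PORT="${ADMIN_PORT:-4444}"
BIND_DN="${BIND_DN:-cn=Directory Manager}"
BIND_PW_FILE="${BIND_PW_FILE:-/etc/opendj/admin.pw}"             # assumed path
DRY_RUN="${DRY_RUN:-1}"

# Print a command with each argument quoted (DRY_RUN=1), or run it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        for arg in "$@"; do printf "'%s' " "$arg"; done
        printf '\n'
    else
        "$@"
    fi
}

# Set lockout, expiration, history and a validator on one server.
# The thresholds are illustrative; pick values that match your own policy.
harden_default_policy() {
    run dsconfig set-password-policy-prop \
        --hostname "$1" --port "$ADMIN_PORT" \
        --bindDN "$BIND_DN" --bindPasswordFile "$BIND_PW_FILE" \
        --policy-name "Default Password Policy" \
        --set lockout-failure-count:5 \
        --set lockout-failure-expiration-interval:10m \
        --set lockout-duration:15m \
        --set max-password-age:90d \
        --set password-expiration-warning-interval:14d \
        --set password-history-count:5 \
        --set force-change-on-reset:true \
        --set password-change-requires-current-password:true \
        --set password-validator:"Length-Based Password Validator" \
        --trustAll --no-prompt
}

# Policies are not replicated, so every replica is configured in turn.
harden_all_replicas() {
    for host in $REPLICAS; do
        harden_default_policy "$host" || return 1
    done
}

harden_all_replicas
```

Keeping the bind password in a file rather than on the command line keeps it out of process listings and shell history. Re-run the script with DRY_RUN=0 after reviewing the printed commands; a failure on one replica stops the loop so that you do not end up with policies that silently differ between servers.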
Yet a few basic protections are configured by default. When you import LDIF with userPassword values, OpenDJ hashes the values before storing them. When a user provides a password value, during a bind for example, the server hashes the value provided and compares the result with the stored value. Even the directory manager cannot see the plain text value of a user's password.
$ ldapsearch --port 1389 --bindDN "cn=Directory Manager" --bindPassword password \
  --baseDN dc=example,dc=com uid=bjensen userpassword
dn: uid=bjensen,ou=People,dc=example,dc=com
userpassword: {SSHA}QWAtw8ch/9850HNFRRqLNMIQc1YhxCnOoGmk1g==

In addition, users can change their passwords provided you have granted them access to do so. OpenDJ uses the userPassword attribute to store passwords by default, rather than the authPassword attribute, which is designed to store passwords hashed by the client application.
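What the directory stores, and how the bind comparison works, is easier to see with the hash built by hand. The script below is an added example, not OpenDJ code, that reproduces the Salted SHA-1 ({SSHA}) format shown above: the base64 encoding of the 20-byte SHA-1 digest of password || salt, followed by the salt itself (8 bytes in the value above, so 28 bytes in all). It assumes the openssl command and a coreutils-style base64 are available; the sample password and the fixed salt in the demo call are constructed for the example and are not bjensen's real credentials.

```shell
#!/bin/sh
# Added example: build and check {SSHA} values the way OpenDJ's Salted SHA-1
# scheme stores them: base64( SHA1(password || salt) || salt ).
# Assumes the openssl CLI and a coreutils-style base64 are on PATH.

# ssha_hash PASSWORD SALT_B64 -> "{SSHA}<base64>"
# The salt is passed base64-encoded so raw bytes never sit in a variable.
ssha_hash() {
    pw="$1"
    salt_b64="$2"
    # SHA-1 over the password bytes followed by the salt bytes, kept as base64
    digest_b64=$( { printf '%s' "$pw"; printf '%s' "$salt_b64" | base64 -d; } \
                  | openssl dgst -sha1 -binary | base64 )
    # Stored form: digest bytes, then salt bytes, base64-encoded as one blob
    blob=$( { printf '%s' "$digest_b64" | base64 -d; \
              printf '%s' "$salt_b64" | base64 -d; } | base64 | tr -d '\n' )
    printf '{SSHA}%s\n' "$blob"
}

# ssha_verify CANDIDATE STORED -> exit 0 if CANDIDATE matches STORED.
# This is the bind-time check: recover the salt from the stored value,
# hash the offered password with it, and compare the two encodings.
ssha_verify() {
    candidate="$1"
    stored=$(printf '%s' "$2" | sed 's/^{SSHA}//')
    # Everything after the 20-byte SHA-1 digest (byte 21 onward) is the salt.
    salt_b64=$(printf '%s' "$stored" | base64 -d | tail -c +21 | base64 | tr -d '\n')
    [ "$(ssha_hash "$candidate" "$salt_b64")" = "{SSHA}$stored" ]
}

# A fresh random 8-byte salt for a new password, base64-encoded.
new_salt_b64() {
    openssl rand -base64 8
}

# Demo with a constructed password and a fixed salt (bytes 01..08, not from the page):
ssha_hash 'hifalutin' 'AQIDBAUGBwg='
```

Because the salt is stored in the clear next to the digest, the server (or anyone who can read the entry) can recompute the hash for a candidate password, which is exactly what a bind does; what the stored value does not allow is recovering the plain text without guessing. SHA-1 with one iteration is fast to brute-force, so an account lockout and a validator in the policy, rather than the storage scheme alone, are what slow an attacker down.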

