<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>Directory Server (LDAP) - Password policy tips</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>

<img src="delta.gif" alt="Start of change" />
<a name="rzahypwdpoltips"></a>
<h4 id="rzahypwdpoltips">Password policy tips</h4>
<p><span class="bold">Password policy queries</span></p>
<p>The password policy operational attributes can be used to view the password
policy status of a directory entry or to query for entries matching specified criteria.
Operational attributes are returned on a search request only when the client
requests them explicitly by name. To use these attributes in search operations, you
must have permission to attributes in the CRITICAL access class, or permission to the
specific attributes used.</p>
<p>To view all password policy attributes for a given entry:</p>
<pre class="xmp">> ldapsearch -b "uid=user1,cn=users,o=ibm" -s base "(objectclass=*)"
pwdChangedTime pwdAccountLockedTime pwdExpirationWarned
pwdFailureTime pwdGraceUseTime pwdReset</pre>
<p>To query for entries for which the password is about to expire, use the
pwdChangedTime attribute. For example, to find passwords which expire on August
26, 2004, under a password expiration policy of 186 days, query for entries
for which the password was changed more than 186 days ago, that is, before
midnight on February 22, 2004:</p>
<pre class="xmp">> ldapsearch -b "cn=users,o=ibm" -s sub "(!(pwdChangedTime>=20040222000000Z))" 1.1</pre><p class="indatacontent">where
20040222000000Z is midnight (UTC) on February 22, 2004, in generalized time format.
LDAP search filters provide a "greater than or equal" comparison but no plain "greater than"
or "less than", so "changed before the cutoff" is written as the negation of
pwdChangedTime>=cutoff. Recompute the cutoff from the date on which the search is run.</p>
<p>To query for locked accounts, use the pwdAccountLockedTime attribute:</p>
<pre class="xmp">> ldapsearch -b "cn=users,o=ibm" -s sub "(pwdAccountLockedTime=*)" 1.1</pre><p class="indatacontent">where
"1.1" indicates that only the entry DNs are to be returned.</p>
<p>To query for accounts for which the password must be changed because the
password was reset, use the pwdReset attribute:</p>
<pre class="xmp">> ldapsearch -b "cn=users,o=ibm" -s sub "(pwdReset=TRUE)" 1.1</pre>
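<p>The three queries above are usually run together as a periodic report. The following Python script is an added example, not part of the IBM documentation: it computes the pwdChangedTime cutoff and filter for a given policy and date (so the filter is regenerated instead of hard-coded), then parses ldapsearch output and flags accounts that are locked, have pwdReset set, or are expired or expiring. The attribute names are the ones shown on this page; the LDIF text in SAMPLE_LDIF is constructed sample output, and the 14-day warning window is an assumption.</p>

```python
"""Triage password policy state from ldapsearch output.

Added example, not taken from the IBM documentation. It assumes the operational
attributes shown above (pwdChangedTime, pwdAccountLockedTime, pwdFailureTime,
pwdReset) with GeneralizedTime values in UTC such as 20040222000000Z. The LDIF
text in SAMPLE_LDIF is constructed sample output, not data from a real server.
"""
from datetime import datetime, timedelta, timezone

GENTIME = "%Y%m%d%H%M%SZ"          # LDAP GeneralizedTime, UTC, no fraction
AS_OF = datetime(2004, 8, 26, tzinfo=timezone.utc)   # the page's example date
MAX_AGE_DAYS = 186                 # the page's example expiration policy
WARN_DAYS = 14                     # assumed: report passwords expiring within two weeks


def cutoff_gentime(as_of, max_age_days):
    """GeneralizedTime of midnight UTC max_age_days before as_of."""
    day = as_of.astimezone(timezone.utc).replace(hour=0, minute=0, second=0, microsecond=0)
    return (day - timedelta(days=max_age_days)).strftime(GENTIME)


def expiring_filter(as_of, max_age_days):
    """Filter for entries whose password was changed before the cutoff.

    LDAP filters only have '>=' (and '<='), so 'older than the cutoff' is
    written as NOT(pwdChangedTime >= cutoff), exactly as in the page's example.
    """
    return "(!(pwdChangedTime>=%s))" % cutoff_gentime(as_of, max_age_days)


def parse_ldif(text):
    """Minimal LDIF reader: 'attr: value' lines, blank line between entries,
    continuation lines start with one space. Base64 values ('::') are not handled."""
    entries, current, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last is not None:      # folded line
            current[last][-1] += raw[1:]
            continue
        if not raw.strip():                               # end of entry
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        name, _, value = raw.partition(":")
        last = name.strip().lower()
        current.setdefault(last, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def triage(entries, as_of, max_age_days, warn_days):
    """Return {dn: [findings]} for every entry an administrator should look at."""
    report = {}
    for e in entries:
        findings = []
        if "pwdaccountlockedtime" in e:
            failures = len(e.get("pwdfailuretime", []))
            findings.append("locked since %s (%d recorded failures)"
                            % (e["pwdaccountlockedtime"][0], failures))
        if e.get("pwdreset", [""])[0].upper() == "TRUE":
            findings.append("password must be changed (pwdReset)")
        if "pwdchangedtime" in e:
            changed = datetime.strptime(e["pwdchangedtime"][0], GENTIME).replace(tzinfo=timezone.utc)
            left = changed + timedelta(days=max_age_days) - as_of   # time until expiry
            if timedelta(0) >= left:
                findings.append("password expired")
            elif timedelta(days=warn_days) >= left:
                findings.append("password expires in %d days" % left.days)
        if findings:
            report[e["dn"][0]] = findings
    return report


SAMPLE_LDIF = """\
dn: uid=user1,cn=users,o=ibm
pwdChangedTime: 20040301120000Z
pwdAccountLockedTime: 20040825093000Z
pwdFailureTime: 20040825092800Z
pwdFailureTime: 20040825092900Z
pwdFailureTime: 20040825093000Z

dn: uid=user2,cn=users,o=ibm
pwdChangedTime: 20040815000000Z
pwdReset: TRUE

dn: uid=user3,cn=users,o=ibm
pwdChangedTime: 20040215000000Z

dn: uid=wasadmin,cn=users,o=ibm
pwdChangedTime: 22000101000000Z
"""


def demo_report():
    """Run the triage over the constructed sample as of the page's example date."""
    return triage(parse_ldif(SAMPLE_LDIF), AS_OF, MAX_AGE_DAYS, WARN_DAYS)


if __name__ == "__main__":
    print(expiring_filter(AS_OF, MAX_AGE_DAYS))
    for dn, findings in demo_report().items():
        print(dn, "->", "; ".join(findings))
```

<p>Feed it real output by running the first ldapsearch on this page with a subtree scope and piping the result into parse_ldif; the wasadmin entry with a pwdChangedTime in the year 2200 produces no finding, which is what the override described in the next section is meant to achieve.</p>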
<p><span class="bold">Overriding password policy</span></p>
<p>A directory administrator can override normal password policy behavior
for specific entries by modifying the password policy operational attributes
directly, using the server administration control (the -k option of the LDAP command
line utilities). The examples that follow bind as the administrator, cn=root, and pass -k
so that the server accepts writes to these operational attributes.</p>
<p>You can prevent the password for a particular account from expiring by
setting the pwdChangedTime attribute to a date far in the future. Do this when you set
the userPassword attribute, or afterwards, because a password change records the
current time in pwdChangedTime. The following example sets the time to midnight,
January 1, 2200. Because this exempts the account from password expiration
entirely, reserve it for accounts that need it, such as the application identity
in the example.</p>
<pre class="xmp">> ldapmodify -D cn=root -w ? -k
dn: uid=wasadmin,cn=users,o=ibm
changetype: modify
replace: pwdChangedTime
pwdChangedTime: 22000101000000Z
</pre>
<p>You can unlock an account which has been locked due to excessive login
failures by removing the pwdAccountLockedTime and pwdFailureTime attributes.
Deleting pwdFailureTime also clears the recorded failures, so the account starts
again with a clean failure count:</p>
<pre class="xmp">> ldapmodify -D cn=root -w ? -k
dn: uid=user1,cn=users,o=ibm
changetype: modify
delete: pwdAccountLockedTime
-
delete: pwdFailureTime
</pre>
<p>You can unlock an expired account by changing the pwdChangedTime and clearing
the pwdExpirationWarned and pwdGraceUseTime attributes:</p>
<pre class="xmp">> ldapmodify -D cn=root -w ? -k
dn: uid=user1,cn=users,o=ibm
changetype: modify
replace: pwdChangedTime
pwdChangedTime: 20040826000000Z
-
delete: pwdExpirationWarned
-
delete: pwdGraceUseTime
</pre>
<p>You can clear or set the "password must be changed" status by deleting or setting the
pwdReset attribute:</p>
<pre class="xmp">> ldapmodify -D cn=root -w ? -k
dn: uid=user1,cn=users,o=ibm
changetype: modify
delete: pwdReset

> ldapmodify -D cn=root -w ? -k
dn: uid=user2,cn=users,o=ibm
changetype: modify
replace: pwdReset
pwdReset: TRUE
</pre>
<p>An account can be administratively locked by setting the ibm-pwdAccountLocked
operational attribute to TRUE. The account can be unlocked by setting the
attribute to FALSE. Unlocking an account in this way does not affect the
state of the account with respect to being locked due to excessive password
failures or an expired password; those states are cleared separately, as shown above.</p>
<p>The user setting this attribute must have permission to write the ibm-pwdAccountLocked
attribute, which is defined as being in the CRITICAL access class. Unlike the overrides
above, the examples below do not use the -k server administration control; they bind as
a delegated administrator (uid=useradmin) that has been granted write access to the attribute.</p>
<pre class="xmp">> ldapmodify -D uid=useradmin,cn=users,o=ibm -w ?
dn: uid=user1,cn=users,o=ibm
changetype: modify
replace: ibm-pwdAccountLocked
ibm-pwdAccountLocked: TRUE
</pre>
<p>To unlock the account:</p>
<pre class="xmp">> ldapmodify -D uid=useradmin,cn=users,o=ibm -w ?
dn: uid=user1,cn=users,o=ibm
changetype: modify
replace: ibm-pwdAccountLocked
ibm-pwdAccountLocked: FALSE
</pre>
<p><span class="bold">Other password policy tips</span></p>
<p>There are two areas where the implementation of password policy may not
behave as expected:</p>
<ol type="1">
<li>If the pwdReset attribute has been set for an entry, a client can bind
indefinitely using the entry DN and the reset password. With the Password
Policy Request Control present, this results in a successful bind with a warning
in the response control that the password must be changed. If the client does not send
the request control, this "non-password policy aware" client sees a successful bind with
no indication that the password must be changed. Subsequent operations under that DN still
fail with an "unwilling to perform" error; only the bind result itself is misleading.
This is a problem when the bind is done only for authentication, as is common for a
web application that uses the directory to authenticate users: such an application keeps
accepting the reset password as a valid login until it either sends the request control
and acts on the response, or the pwdReset attribute is removed.</li>
<li>The pwdSafeModify and pwdMustChange policies do not behave as you might
expect with an application that changes passwords under an identity other
than the DN of the entry whose password is being changed. In this
scenario, a safe password change done under an administrative identity, for
example, results in the pwdReset attribute being set, so the user is then required
to change the password again. The application changing the password can use an
administrator account to remove the pwdReset attribute as described earlier.</li></ol><img src="deltaend.gif" alt="End of change" />
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>