ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzahy_5.4.0.1/rzahypwdpoltips.htm

145 lines
7.5 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>Directory Server (LDAP) - Password policy tips</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
<img src="delta.gif" alt="Start of change" /><img src="delta.gif" alt="Start of change" />
<a name="rzahypwdpoltips"></a>
<h4 id="rzahypwdpoltips">Password policy tips</h4>
<p><span class="bold">Password policy queries</span></p>
<p>The password policy operational attributes can be used to view the status
of a directory entry or to query for entries matching specified criteria.
Operational attributes are returned on a search request only when specifically
requested by the client. To use these attributes in search operations, you
must have permission to critical attributes, or permission to the specific
attributes used.</p>
<p>To view all password policy attributes for a given entry:</p>
<pre class="xmp">> ldapsearch -b "uid=user1,cn=users,o=ibm" -s base "(objectclass=*)"
pwdChangedTime pwdAccountLockedTime pwdExpirationWarned
pwdFailureTime pwdGraceUseTime pwdReset</pre>
<p>To query for entries for which the password is about to expire, use the
pwdChangedTime attribute. For example, to find passwords which expire August
26, 2004, with a password expiration policy of 186 days, query for entries
for which the password was changed at least 186 days ago (February 22, 2004):</p>
<pre class="xmp">> ldapsearch -b "cn=users,o=ibm" -s sub
"(!(pwdChangedTime>20040222000000Z))" 1.1</pre><p class="indatacontent">where the filter is equivalent
to pwdChangedTime of midnight, February 22, 2004.</p>
<p>To query for locked accounts, use the pwdAccountLockedTime attribute:</p>
<pre class="xmp">> ldapsearch -b "cn=users,o=ibm" -s sub "(pwdAccountLockedTime=*)" 1.1</pre><p class="indatacontent">where
"1.1" indicates that only the entry DNs are to be returned.</p>
<p>To query for accounts for which the password must be changed because the
password was reset, use the pwdReset attribute:</p>
<pre class="xmp">> ldapsearch -b "cn=users,o=ibm" -s sub "(pwdReset=TRUE)" 1.1</pre>
<p><span class="bold">Overriding password policy</span></p>
<p>A directory administrator can override normal password policy behavior
for specific entries by modifying the password policy operational attributes
and using the server administration control (-k option of the LDAP command
line utilities).</p>
<p>You can prevent the password for a particular account from expiring by
setting the pwdChangedTime attribute to a date far in the future when setting
the userPassword attribute. The following example sets the time to midnight,
January 1, 2200.</p>
<pre class="xmp">> ldapmodify -D cn=root -w ? -k
dn: uid=wasadmin,cn=users,o=ibm
changetype: modify
replace: pwdChangedTime
pwdChangedTime: 22000101000000Z
</pre>
<p>You can unlock an account which has been locked due to excessive login
failures by removing the pwdAccountLockedTime and pwdFailureTime attributes:</p>
<pre class="xmp">> ldapmodify -D cn=root -w ? -k
dn: uid=user1,cn=users,o=ibm
changetype: modify
delete: pwdAccountLockedTime
-
delete: pwdFailureTime
</pre>
<p>You can unlock an expired account by changing the pwdChangedTime and clearing
the pwdExpirationWarned and pwdGraceUseTime attributes:</p>
<pre class="xmp">> ldapmodify -D cn=root -w ? -k
dn: uid=user1,cn=users,o=ibm
changetype: modify
replace: pwdChangedTime
pwdChangedTime: 20040826000000Z
-
delete: pwdExpirationWarned
-
delete: pwdGraceUseTime
</pre>
<p>You can clear or set the "password must be changed" status by setting the
pwdReset attribute:</p>
<pre class="xmp">> ldapmodify -D cn=root -w ? -k
dn: uid=user1,cn=users,o=ibm
changetype: modify
delete: pwdReset
> ldapmodify -D cn=root -w ? -k
dn: uid=user2,cn=users,o=ibm
changetype: modify
replace: pwdReset
pwdReset: TRUE
</pre>
<p>An account can be administratively locked by setting the ibm-pwdAccountLocked
operational attribute to TRUE. The account can be unlocked by setting the
attribute to FALSE. Unlocking an account in this way does not affect the
state of the account with respect to being locked due to excessive password
failures or an expired password.</p>
<p>The user setting this attribute must have permission to write is the ibm-pwdAccountLocked
attribute, which is defined as being in the CRITICAL access class.</p>
<pre class="xmp">> ldapmodify -D uid=useradmin,cn=users,o=ibm -w ?
dn: uid=user1,cn=users,o=ibm
changetype: modify
replace: ibm-pwdAccountLocked
ibm-pwdAccountLocked: TRUE
</pre>
<p>To unlock the account:</p>
<pre class="xmp">> ldapmodify -D uid=useradmin,cn=users,o=ibm -w ?
dn: uid=user1,cn=users,o=ibm
changetype: modify
replace: ibm-pwdAccountLocked
ibm-pwdAccountLocked: FALSE
</pre>
<p><span class="bold">Other password policy tips</span></p>
<p>There are two areas where the implementation of password policy may not
behave as expected:</p>
<ol type="1">
<li>If the pwdReset attribute has been set for an entry, a client can bind
indefinitely using the entry DN and the reset password. With the Password
Policy Request Control present, this results in a successful bind with a warning
in the response control. But if the client does not specify the request control,
this "non-password policy aware" client sees a successful bind with no indication
that the password must be changed. Subsequent operations under that DN will
still fail with an "unwilling to perform" error; only the initial bind result
might seem misleading. This could be an issue if the bind was done only for
authentication, as might be the case with a web application using the directory
for authentication.</li>
<li>The pwdSafeModify and pwdMustChange policies do not behave as you might
expect with an application that changes passwords under an identity other
than the DN of the entry for which the password is being changed. In this
scenario, a safe password change done under an administrative identity, for
example, will result in the pwdReset attribute being set. The application
changing the password can use an administrator account and remove the pwdReset
attribute as described earlier.</li></ol><img src="deltaend.gif" alt="End of change" /><img src="deltaend.gif" alt="End of change" />
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>