ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzahy_5.4.0.1/rzahypwdpolicy.htm

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights                   -->
<!-- Use, duplication or disclosure restricted by            -->
<!-- GSA ADP Schedule Contract with IBM Corp.                -->
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>Directory Server (LDAP) - Password policy</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link --> 
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>


<a name="rzahypwdpolicy"></a>
<h3 id="rzahypwdpolicy">Password policy</h3>
<p>With the use of LDAP servers for authentication, is important that a LDAP
server support policies regarding password expiration, failed login attempts,
and password rules. Directory Server provides configurable support for all
three of these kinds of policies.  This policy is applied to all directory
entries having a userPassword attribute.  You cannot define one policy for
one set of users, and different policies for other sets of users.  Directory
Server also provides a mechanism for clients to be informed of password policy
related conditions (password expires in three days), and a set of operational
attributes that an administrator can use to search for such things as users
with expired passwords or locked out accounts.</p>
<p>For more information about how to work with password policy properties,
see <a href="rzahymanagepwds.htm#rzahymanagepwds">Manage passwords</a>.</p>
<p><span class="bold">Configuration</span></p>
<p>You can configure behavior of the server with respect to passwords in the
following areas:</p>
<ul>
<li>A global "on/off" switch for enabling or disabling password policy</li>
<li>Rules for changing passwords, including:
<ul>
<li>Users can change their own passwords. Note that this policy applies in
addition to any access control.  That is, access control must give a user
authority to change the userPassword attribute, as well as password policy
allowing users to change their own passwords.  If this policy is disabled,
users cannot change their own passwords.  Only an administrator or other user
with authority to change the userPassword attribute can change the password
for an entry.</li>
<li>Passwords must be changed after reset.  If this policy is enabled, when
a password is changed by anybody other than that user, the password is marked
as reset and must be changed by the user before he can perform other directory
operations.  A bind request with a reset password is successful.  To be notified
that the password must be reset, the application must be password policy aware.</li>
<li>Users must send old password when changing password.  If this policy is
enabled, a password can be changed only by a modify request that includes
both a delete of the userPassword attribute (with the old value) and an add
of the new userPassword value.   This ensures that only a user who knows their
password can change it. The administrator, or other users authorized to change
the userPassword attribute can always set the password.</li></ul></li>
<li>Rules for password expiration, including:
<ul>
<li>Passwords never expire, or passwords expire a configurable time after
they were last changed.</li>
<li>Do not warn users when a password expires, or warn users a configurable
time before the password expires.  To be warned of approaching password expiration,
the application must be password policy aware.</li>
<li>Allow a configurable number of grace logins after the user's password
has expired.  A password policy aware application will be notified of the
number of remaining grace logins.  If no grace logins are allowed, a user
cannot authenticate or change their own password once it has expired.</li></ul></li>
<li>Rules for password validation, including:
<ul>
<li> A configurable password history size, which tells the server to keep
a history of the last N passwords and reject passwords that have been previously
used.</li>
<li>Password syntax checking, including a setting for how the server should
behave when passwords are hashed.  This setting affects whether the server
should ignore the policy under either of the following conditions:
<ul>
<li>The server is storing hashed passwords.</li>
<li>A client presents a hashed password to the server (this can happen when
transferring entries between servers using an LDIF file if the source server
stores hashed passwords).</li></ul>In either of these cases the server might not be able to apply all syntax
rules.  The following syntax rules are supported: Minimum length, minimum
number of alphabetic characters, minimum number of numeric or special characters,
number of repeated characters, and number of characters in which the password
must differ from the previous password.</li></ul></li>
<li>Rules for failed logins, including:
<ul>
<li>A minimum time allowed between password changes, which prevents users
from quickly cycling through a set of passwords to get back to their original
password.</li>
<li>A maximum number of failed login attempts before the account is locked.</li>
<li>A configurable password lockout duration.  After this time, a previous
locked account can be used.  This can help to lockout a hacker attempting
to crack a password, while aiding a user that has forgotten their password.</li>
<li>A configurable time for which the server keeps track of failed login attempts.
 If the maximum number of failed login attempts occurs within this time, the
account is locked.  Once this time has expired, the server discards information
about previous failed login attempts for the account.</li></ul></li></ul>
<p>The password policy settings for the directory server are stored in the
object "cn=pwdpolicy", which looks like this:  </p>
<pre class="xmp">cn=pwdpolicy 
objectclass=container 
objectclass=pwdPolicy 
objectclass=ibm-pwdPolicyExt 
objectclass=top 
cn=pwdPolicy 
pwdExpireWarning=0 
pwdGraceLoginLimit=0 
passwordMaxRepeatedChars=0 
pwdSafeModify=false 
pwdattribute=userpassword 
pwdinhistory=0 
pwdchecksyntax=0 
passwordminotherchars=0 
passwordminalphachars=0 
pwdminlength=0 
passwordmindiffchars=0 
pwdminage=0 
pwdmaxage=0 
pwdallowuserchange=true 
pwdlockoutduration=0 
ibm-pwdpolicy=true 
pwdlockout=true 
pwdmaxfailure=2 
pwdfailurecountinterval=0 
pwdmustchange=false </pre>
<p><span class="bold">Password policy aware applications</span></p>
<p>The Directory Server for iSeries password policy support includes a set
of LDAP controls which can be used by a password policy aware application
to receive notification of additional password policy related conditions.</p>
<p>An application can be informed of the following warning conditions:</p>
<ul>
<li>Time remaining before password expiration</li>
<li>Number of grace logins remaining after the password has expired</li></ul>
<p>An application can also be informed of the following error conditions:</p>
<ul>
<li>Password has expired</li>
<li>Account is locked</li>
<li>Password has been reset and must be changed</li>
<li>User is not allowed to change their password</li>
<li>Old password must be supplied when changing password</li>
<li>New password violates syntax rules</li>
<li>New password is too short</li>
<li>Password has been changed too recently</li>
<li>New password is in history</li></ul>
<p>Two controls are used.  A password policy request control is used to inform
the server that the application wishes to be informed of password policy related
conditions.  This control must be specified by the application on all operations
for which it is interested, typically the initial bind request and any password
change requests.  If the password policy request control is present, a password
policy response control is returned by the server when any of the above error
conditions are present.</p>
<p>The Directory Server client APIs include a set of APIs which can be used
by C applications to work with these controls.  These APIs are:</p>
<ul>
<li> ldap_parse_pwdpolicy_response</li>
<li> ldap_pwdpolicy_err2string</li></ul>
<p>For applications not using these APIs, the controls are defined below.
 You must use the capabilities provided by the LDAP client APIs being used
to process the controls.  For example, the Java Naming and Directory Interface
(JNDI) has built-in support for some well-known controls, and also provides
a framework for supporting controls that JNDI does not recognize.</p>
<p><span class="bold">Password Policy Request Control</span></p>
<p></p>
<pre class="xmp">Control name: 1.3.6.1.4.1.42.2.27.8.5.1 
Control criticality: FALSE 
Control value: None</pre>
<p><span class="bold">Password Policy Response Control</span></p>
<pre class="xmp">Control name: 1.3.6.1.4.1.42.2.27.8.5.1 (same as the request control) 
Control criticality: FALSE 
Control value: A BER encoded value defined in ASN.1 as follows:  
  PasswordPolicyResponseValue ::= SEQUENCE { 
  warning	[0] CHOICE OPTIONAL { 
		timeBeforeExpiration	[0] INTEGER (0 .. MaxInt), 
		graceLoginsRemaining	[1] INTEGER (0 .. maxInt) } 
  error		[1] ENUMERATED OPTIONAL { 
		passwordExpired			(0), 
		accountLocked				(1), 
		changeAfterReset			(2), 
		passwordModNotAllowed	(3), 
		mustSupplyOldPassword	(4), 
		invalidPasswordSyntax	(5), 
		passwordTooShort			(6), 
		passwordTooYoung			(7), 
		passwordInHistory			(8) } } </pre>
<p>Like other LDAP protocol elements, the BER encoding uses implicit tagging.</p>
<p><span class="bold">Password policy operational attributes</span></p>
<p>The Directory Server maintains a set of operational attributes for each
entry that has a userPassword attribute.  These attributes can be searched
by authorized users, either used in search filters, or returned by the search
request.  These attributes are:</p>
<ul>
<li>pwdChangedTime - A GeneralizedTime attribute containing the time the password
was last changed.</li>
<li>pwdAccountLockedTime - A GeneralizedTime attribute containing the time
at which the account was locked.  If the account is not locked, this attribute
is not present.</li>
<li>pwdExpirationWarned - A GeneralizedTime attribute containing the time
at which the password expiration warning was first sent to the client.</li>
<li>pwdFailureTime - A multi-valued GeneralizedTime attribute containing the
times of previous consecutive login failures.  If the last login was successful,
this attribute is not present.</li>
<li>pwdGraceUseTime - A multi-valued GeneralizedTime attribute containing
the times of the previous grace logins.</li>
<li> pwdReset - A Boolean attribute containing the value TRUE if the password
has been reset and must be changed by the user.</li>
<li>ibm-pwdAccountLocked - A Boolean attribute indicating that the account
has been administratively locked.</li></ul>
<p><span class="bold">Replication of Password Policy</span></p>
<p>Password policy information is replicated by supplier servers to consumers.
 Changes to the entry cn=pwdpolicy are replicated as global changes, like
changes to the schema.  Password policy state information for individual entries
is also replicated, so that, for example, if an entry is locked on a supplier
server, that action will be replicated to any consumers.  Password policy
state changes on a read-only replica do not replicate to any other servers,
however.</p>
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>