Chapter 5. Configuring password policies
A password policy minimizes the risks associated with using passwords by enforcing a certain level of security. For example, you can define a password policy to ensure that:
- Users must change their passwords according to a schedule
- Users must provide non-trivial passwords
- The password syntax must meet certain complexity requirements
5.1. How password policies work
Directory Server supports fine-grained password policies, which work in an inverted pyramid, from general to specific. A global password policy is superseded by a subtree-level password policy, which is superseded by a user-level password policy.
You can define:
- Global password policy, applied to the entire directory
- Local password policy:
  - Subtree-level policy, applied to a particular subtree
  - User-level policy, applied to a particular user
Password policies are not additive: only one password policy applies to an entry. For example, when you configure a particular attribute in the global or subtree-level password policy, but not in the user-level password policy, this attribute does not apply to the user. In this case, when the user attempts to log in, only the user-level policy is active.
When using a password administrator account or the Directory Manager (root DN) to set a password, you bypass the password policies. Do not use these accounts for regular user password management. Use them only to perform password administration tasks that require bypassing the password policies, such as adding a prehashed password, or purposefully overriding current password constraints for setting temporary passwords after a reset.
The complete password policy that applies to a user account consists of the following elements:
- The type or level of password policy checks. This information indicates whether the server should check for and enforce a global password policy or local password policies.
- Password add and modify information. The password information includes password syntax and password history details.
- Bind information. The bind information includes the number of grace logins permitted, password aging attributes, and tracking bind failures.
After establishing a password policy, you can protect user passwords from potential threats by configuring an account lockout policy. Account lockout protects against attempts to break into the directory by repeatedly guessing a user’s password.
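To make the precedence rule from this section concrete, the following added Python model (not Directory Server code) selects the one policy that governs an entry: user-level first, then the deepest matching subtree-level policy, then global, with no merging of attributes across levels. The DN matching (a case-insensitive suffix match on RDNs) and the deepest-subtree tie-break are simplifications assumed by this example.

```python
"""Model of how Directory Server picks one password policy for an entry
(added example, not product code). Policies are dicts of attribute -> value;
the DN matching is a simplified case-insensitive RDN suffix match, which
is an assumption of this example."""


def normalize_dn(dn: str) -> str:
    """Lower-case the DN and strip whitespace around each RDN."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_under(entry_dn: str, subtree_dn: str) -> bool:
    """True when entry_dn is subtree_dn itself or lies below it."""
    e = normalize_dn(entry_dn).split(",")
    s = normalize_dn(subtree_dn).split(",")
    return len(e) >= len(s) and e[-len(s):] == s


def effective_policy(entry_dn, global_policy, subtree_policies, user_policies):
    """Return (level, policy) for the single policy that governs entry_dn.

    Precedence: user-level, then the deepest matching subtree-level policy,
    then global. The winner is returned unchanged; attributes set only in
    a less specific policy do not carry over (policies are not additive).
    """
    for dn, policy in user_policies.items():
        if normalize_dn(dn) == normalize_dn(entry_dn):
            return "user", dict(policy)
    matches = [(dn, p) for dn, p in subtree_policies.items()
               if is_under(entry_dn, dn)]
    if matches:
        dn, policy = max(matches, key=lambda m: normalize_dn(m[0]).count(","))
        return "subtree", dict(policy)
    return "global", dict(global_policy)


# Constructed sample policies, keyed by the DN they are attached to; the
# attribute names are the password policy attributes behind the dsconf
# options used in this chapter (for example, --pwdlockout sets passwordLockout).
GLOBAL_POLICY = {"passwordCheckSyntax": "on", "passwordLockout": "on"}
SUBTREE_POLICIES = {
    "ou=People,dc=example,dc=com": {"passwordExp": "on", "passwordMaxAge": "1209600"},
}
USER_POLICIES = {
    "uid=user_name,ou=People,dc=example,dc=com": {"passwordTrackUpdateTime": "on"},
}
```

Note that the user-level result contains neither passwordLockout nor passwordExp: once a user-level policy exists, the global and subtree settings simply stop applying to that user.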
5.2. Configuring the global password policy using the command line
By default, global password policy settings are disabled. You can configure the global password policy using the dsconf command line utility.
Procedure
Display the current settings:
# dsconf -D "cn=Directory Manager" ldap://server.example.com pwpolicy get
Global Password Policy: cn=config
------------------------------------
passwordstoragescheme: PBKDF2_SHA256
passwordChange: on
passwordMustChange: off
passwordHistory: off
passwordInHistory: 6
...
Adjust the password policy settings. For a full list of available settings, enter:
# dsconf -D "cn=Directory Manager" ldap://server.example.com pwpolicy set --help
For example, to enable password syntax checking and set the minimum length of passwords to 12 characters, enter:
# dsconf -D "cn=Directory Manager" ldap://server.example.com pwpolicy set --pwdchecksyntax on --pwdmintokenlen 12
Enable the account lockout feature for the password policy:
# dsconf -D "cn=Directory Manager" ldap://server.example.com pwpolicy set --pwdlockout on
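The settings that pwpolicy get prints are the natural place to verify the result of this procedure. The following added Python script (not Directory Server code) parses that output format and reports global settings that are still at their disabled defaults; the sample output is constructed after the format shown above, and the baseline (PBKDF2 storage, syntax checking, lockout, expiration, history and update-time tracking on, minimum length 12) is an assumption of this example, not a product requirement.

```python
"""Audit the output of 'dsconf ... pwpolicy get' for weak global settings.
Added example, not Directory Server code; the sample output is constructed
after the format shown in this chapter and the thresholds are assumptions."""
import re

# Constructed sample: a global policy before hardening (trackupdatetime absent).
SAMPLE_OUTPUT = """\
Global Password Policy: cn=config
------------------------------------
passwordstoragescheme: PBKDF2_SHA256
passwordHistory: off
passwordInHistory: 6
passwordCheckSyntax: off
passwordMinLength: 8
passwordLockout: off
passwordExp: off
"""

# Attributes that are off by default and that a hardened policy turns on.
REQUIRED_ON = ("passwordchecksyntax", "passwordlockout", "passwordexp",
               "passwordhistory", "passwordtrackupdatetime")
MIN_LENGTH = 12  # assumption: the minimum used in this chapter's example

def parse_pwpolicy(text: str) -> dict:
    """Collect 'attribute: value' lines, lower-casing attribute names.
    The title line and the dashed rule do not match and are skipped."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][\w-]*):\s*(.*?)\s*$", line)
        if m:
            policy[m.group(1).lower()] = m.group(2)
    return policy

def audit_policy(policy: dict) -> list:
    """Return findings as strings; an empty list means every check passed."""
    findings = []
    scheme = policy.get("passwordstoragescheme", "")
    if not scheme.upper().startswith("PBKDF2"):
        findings.append(f"weak storage scheme: {scheme or 'unset'}")
    for attr in REQUIRED_ON:
        # A missing attribute is reported as off, the product default.
        if policy.get(attr, "off").lower() != "on":
            findings.append(f"{attr} is off")
    min_len = policy.get("passwordminlength", "0")
    if not min_len.isdigit() or int(min_len) < MIN_LENGTH:
        findings.append(f"passwordminlength {min_len} < {MIN_LENGTH}")
    return findings
```

Feed it the real output with something like audit_policy(parse_pwpolicy(open("pwpolicy.txt").read())); the same parser also handles the localpwp get output shown in section 5.7, because only the attribute: value lines are read.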
5.3. Configuring the global password policy using the web console
By default, global password policy settings are disabled. You can configure the global password policy using the web console.
Prerequisites
- You are logged in to the instance in the web console.
Procedure
- Open the menu. Set the global password policy settings. You can set parameters in the following categories:
  - General settings, such as the password storage scheme
  - Password expiration settings, such as the time when a password expires
  - Account lockout settings, such as after how many failed login attempts an account should be locked
  - Password syntax settings, such as the minimum password length
  To display a tool tip and the corresponding attribute name in the cn=config entry for a parameter, hover the mouse cursor over the setting.
- Click .
5.4. Local password policy entries
When you use the dsconf localpwp addsubtree or dsconf localpwp adduser commands, Directory Server automatically creates an entry to store the local password policy attributes.
For a subtree, the following entries are added:
| Entry name | Description | Contents |
|---|---|---|
| nsPwPolicyContainer | A container entry at the subtree level | Various password policy-related entries for the subtree and all its children |
| nsPwPolicyEntry | The actual password policy specification entry | All the password policy attributes that are specific to the subtree |
| nsPwTemplateEntry | The CoS template entry | The pwdpolicysubentry attribute, which points to the nsPwPolicyEntry entry |
| newpwdpolicy_cos | The CoS definition entry at the subtree level | CoS definition entry |
Example 5.1. The nsPwPolicyContainer entry for a subtree ou=people,dc=example,dc=com
dn: cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: nsPwPolicyContainer
Example 5.2. The nsPwPolicyEntry entry for a subtree ou=people,dc=example,dc=com
dn: cn="cn=nsPwPolicyEntry,ou=people,dc=example,dc=com", cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
objectclass: top
objectclass: extensibleObject
objectclass: ldapsubentry
objectclass: passwordpolicy
Example 5.3. The nsPwTemplateEntry entry for a subtree ou=people,dc=example,dc=com
dn: cn="cn=nsPwTemplateEntry,ou=people,dc=example,dc=com", cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
objectclass: top
objectclass: extensibleObject
objectclass: costemplate
objectclass: ldapsubentry
cosPriority: 1
pwdpolicysubentry: cn="cn=nsPwPolicyEntry,ou=people,dc=example,dc=com", cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
Example 5.4. The CoS specification entry for a subtree ou=people,dc=example,dc=com
dn: cn=newpwdpolicy_cos,ou=people,dc=example,dc=com
objectclass: top
objectclass: LDAPsubentry
objectclass: cosSuperDefinition
objectclass: cosPointerDefinition
cosTemplateDn: cn=cn=nsPwTemplateEntry\,ou=people\,dc=example\,dc=com, cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
cosAttribute: pwdpolicysubentry default operational
For a user, the following entries are added:
| Entry name | Description | Contents |
|---|---|---|
| nsPwPolicyContainer | A container entry at the parent level | Various password policy-related entries for the user and all its children |
| nsPwPolicyEntry | The actual password policy specification entry | All the password policy attributes that are specific to the user |
Example 5.5. The nsPwPolicyContainer entry for a user uid=user_name,ou=people,dc=example,dc=com
dn: cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: nsPwPolicyContainer
Example 5.6. The nsPwPolicyEntry entry for a user uid=user_name,ou=people,dc=example,dc=com
dn: cn="cn=nsPwPolicyEntry,uid=user_name,ou=people,dc=example,dc=com", cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
objectclass: top
objectclass: extensibleObject
objectclass: ldapsubentry
objectclass: passwordpolicy
5.5. Configuring a local password policy using the command line
In contrast to a global password policy, which defines settings for the entire directory, a local password policy is a policy for a specific user or subtree. Currently, you can only set up a local password policy using the command line.
Prerequisites
- User or subtree entries that you want to create the policy for already exist in the directory.
Procedure
Verify whether a local password policy already exists for the subtree or user entry. For example:
# dsconf -D "cn=Directory Manager" ldap://server.example.com localpwp get "ou=People,dc=example,dc=com"
Enter password for cn=Directory Manager on ldap://server.example.com:
Error: No password policy was found for this entry
If no local policy exists, create one:
To create a subtree password policy:
# dsconf -D "cn=Directory Manager" ldap://server.example.com localpwp addsubtree "ou=People,dc=example,dc=com"
To create a user password policy:
# dsconf -D "cn=Directory Manager" ldap://server.example.com localpwp adduser "uid=user_name,ou=People,dc=example,dc=com"
Set local policy attributes. For a full list of available settings, enter:
# dsconf -D "cn=Directory Manager" ldap://server.example.com localpwp set --help
For example, to enable password expiration and set the maximum password age to 14 days (1209600 seconds):
On a subtree password policy:
# dsconf -D "cn=Directory Manager" ldap://server.example.com localpwp set --pwdexpire on --pwdmaxage 1209600 "ou=People,dc=example,dc=com"
On a user password policy:
# dsconf -D "cn=Directory Manager" ldap://server.example.com localpwp set --pwdexpire on --pwdmaxage 1209600 "uid=user_name,ou=People,dc=example,dc=com"
5.6. Disabling a local password policy using the command line
When you create a new local policy, the nsslapd-pwpolicy-local parameter in the cn=config entry is automatically set to on. If the local password policy should not be enabled, you can disable it manually using the command line.
Procedure
Disable all local policies or remove a particular local policy:
To disable all local password policies:
# dsconf -D "cn=Directory Manager" ldap://server.example.com pwpolicy set --pwdlocal off
To remove a single existing subtree password policy:
# dsconf -D "cn=Directory Manager" ldap://server.example.com localpwp remove "ou=People,dc=example,dc=com"
To remove a single existing user password policy:
# dsconf -D "cn=Directory Manager" ldap://server.example.com localpwp remove "uid=user_name,ou=People,dc=example,dc=com"
5.7. Tracking password change time
A password change is a normal modify operation on an entry, and Directory Server records the update time in the lastModified operational attribute. However, to make it easier to update passwords during Active Directory synchronization or to integrate with other LDAP clients, you can record the time of the last password change separately.
Configure the passwordTrackUpdateTime parameter within a global or local password policy to record the time of the last password change in the pwdUpdateTime operational attribute of the user entry.
Prerequisites
- You have root permissions.
Procedure
Set the passwordTrackUpdateTime parameter to on:
For the global policy, run:
# dsconf -D "cn=Directory Manager" ldap://server.example.com pwpolicy set --pwdtrack on
For the subtree or user-level policy, run:
# dsconf -D "cn=Directory Manager" ldap://server.example.com localpwp set "ou=people,dc=example,dc=com" --pwdtrack on
Verification
Display the current settings of the policy:
For the global policy, run:
# dsconf -D "cn=Directory Manager" ldap://server.example.com pwpolicy get
Global Password Policy: cn=config
------------------------------------
nsslapd-pwpolicy-local: on
passwordstoragescheme: PBKDF2-SHA512
...
passwordtrackupdatetime: on
...
For the subtree or user-level policy, run:
# dsconf -D "cn=Directory Manager" ldap://server.example.com localpwp get "ou=people,dc=example,dc=com"
Local Subtree Policy
Policy for "ou=people,dc=example,dc=com": cn=cn\3DnsPwPolicyEntry_subtree\2Cou\3Dpeople\2Cdc\3Dexample\2Cdc\3Dcom,cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
------------------------------------
...
passwordtrackupdatetime: on
Additional resources