About password policies
DS password policies govern passwords, account lockout, and account status notification.
DS servers support per-server password policies stored in the configuration, and subentry password policies stored in the (replicated) directory data:
Per-server password policies
You manage per-server password policies with the dsconfig command.
When changing a per-server policy, you must update each replica in your deployment.
By default, there are two per-server password policies:
- The Default Password Policy for users.
- The Root Password Policy for the directory superuser, uid=admin.
Make sure you keep per-server password policy settings aligned across replicated DS servers. When per-server password policy settings differ between replicas, the results can be surprising to end users. As an example, suppose the user’s password policy depends on a password storage scheme that is enabled on the replica where the user changes their password and disabled on the replica where they later authenticate.
The following example displays the default per-server password policy for users:
```
$ dsconfig \
 get-password-policy-prop \
 --hostname localhost \
 --port 4444 \
 --bindDN uid=admin \
 --bindPassword password \
 --policy-name "Default Password Policy" \
 --advanced \
 --usePkcs12TrustStore /path/to/opendj/config/keystore \
 --trustStorePassword:file /path/to/opendj/config/keystore.pin \
 --no-prompt

Property                                  : Value(s)
------------------------------------------:------------------------------------
account-status-notification-handler       : -
allow-expired-password-changes            : false
allow-multiple-password-values            : false
allow-pre-encoded-passwords               : false
allow-user-password-changes               : true
default-password-storage-scheme           : PBKDF2-HMAC-SHA256
deprecated-password-storage-scheme        : -
expire-passwords-without-warning          : false
force-change-on-add                       : false
force-change-on-reset                     : false
grace-login-count                         : 0
idle-lockout-interval                     : 0 s
java-class                                : org.opends.server.core.PasswordPoli
                                          : cyFactory
last-login-time-attribute                 : -
last-login-time-format                    : -
lockout-duration                          : 0 s
lockout-failure-count                     : 0
lockout-failure-expiration-interval       : 0 s
max-password-age                          : 0 s
max-password-reset-age                    : 0 s
min-password-age                          : 0 s
password-attribute                        : userPassword
password-change-requires-current-password : false
password-expiration-warning-interval      : 5 d
password-generator                        : Random Password Generator
password-history-count                    : 0
password-history-duration                 : 0 s
password-validator                        : At least 8 characters, Common
                                          : passwords
previous-last-login-time-format           : -
require-change-by-time                    : -
require-secure-authentication             : true
require-secure-password-changes           : true
skip-validation-for-administrators        : false
state-update-failure-policy               : reactive
```
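Because per-server policies are not replicated, drift between replicas is easy to miss. The following script is an added example (not part of the DS documentation or the DS product): it parses the `Property : Value(s)` table that `dsconfig get-password-policy-prop` prints, including values that wrap onto a continuation line starting with `:`, and lists every property whose value differs between two replicas. The two captures embedded below are constructed samples, and the wrap width used to rejoin split values is an assumption about the tool's output layout.

```python
"""Added example (not from the DS documentation or the DS product): compare
per-server password policy properties across replicas.

It parses the text that `dsconfig get-password-policy-prop` prints, including
values that wrap onto a continuation line starting with ':', and lists every
property whose value differs between two replicas. Both captures below are
constructed samples.
"""
import re

# Assumption: dsconfig wraps the value column at this width. A fragment that
# fills the column was cut mid-word (e.g. "PasswordPoli" + "cyFactory"); a
# shorter fragment was wrapped at a space that the tool dropped.
WRAP_WIDTH = 35

PROP_RE = re.compile(r"^(?P<name>[A-Za-z][\w-]*)\s*:\s?(?P<value>.*)$")
CONT_RE = re.compile(r"^\s*:\s?(?P<value>.*)$")

# Constructed capture from replica A.
REPLICA_A = """\
Property                                  : Value(s)
------------------------------------------:------------------------------------
default-password-storage-scheme           : PBKDF2-HMAC-SHA256
java-class                                : org.opends.server.core.PasswordPoli
                                          : cyFactory
lockout-failure-count                     : 0
password-validator                        : At least 8 characters, Common
                                          : passwords
require-secure-authentication             : true
"""

# Constructed capture from replica B: lockout enabled and one validator missing.
REPLICA_B = """\
Property                                  : Value(s)
------------------------------------------:------------------------------------
default-password-storage-scheme           : PBKDF2-HMAC-SHA256
java-class                                : org.opends.server.core.PasswordPoli
                                          : cyFactory
lockout-failure-count                     : 5
password-validator                        : At least 8 characters
require-secure-authentication             : true
"""


def parse_policy(text: str) -> dict:
    """Return {property-name: value} from dsconfig's tabular output."""
    props = {}
    current = None
    last_len = 0
    for raw in text.splitlines():
        line = raw.rstrip()
        # Skip blank lines, the header row and the dashed separator.
        if not line or line.startswith("Property") or line.startswith("-"):
            continue
        cont = CONT_RE.match(line)
        if cont and current is not None:
            glue = "" if last_len >= WRAP_WIDTH else " "
            props[current] += glue + cont.group("value")
            last_len = len(cont.group("value"))
            continue
        prop = PROP_RE.match(line)
        if prop:
            current = prop.group("name")
            props[current] = prop.group("value")
            last_len = len(props[current])
    return props


def diff_policies(a: dict, b: dict) -> dict:
    """Properties whose values differ (a property missing on one side shows as None)."""
    names = sorted(set(a) | set(b))
    return {n: (a.get(n), b.get(n)) for n in names if a.get(n) != b.get(n)}


if __name__ == "__main__":
    drift = diff_policies(parse_policy(REPLICA_A), parse_policy(REPLICA_B))
    for name, (va, vb) in drift.items():
        print(f"{name}: replica A = {va!r}, replica B = {vb!r}")
```

In practice you would feed the script the saved output of the same `dsconfig` command run against each replica; any property it reports is one to reconcile before users hit the inconsistent behaviour described above.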
For detailed descriptions of each property, refer to Password Policy.
These settings are configured by default:
- When granted access, users can change their passwords.
- DS servers use the standard userPassword attribute to store passwords. DS servers also support the alternative standard authPassword attribute.
- When you import LDIF with userPassword values, DS servers apply a one-way hash to the passwords before storing them. When a user provides a password value during a bind, for example, the server hashes the incoming password and compares it with the stored value. This mechanism helps prevent even the directory superuser from recovering the plain text password:

  ```
  $ ldapsearch \
   --hostname localhost \
   --port 1636 \
   --useSsl \
   --usePkcs12TrustStore /path/to/opendj/config/keystore \
   --trustStorePassword:file /path/to/opendj/config/keystore.pin \
   --bindDN uid=admin \
   --bindPassword password \
   --baseDN dc=example,dc=com \
   "(uid=bjensen)" \
   userpassword

  dn: uid=bjensen,ou=People,dc=example,dc=com
  userpassword: {PBKDF2-HMAC-SHA256}10:<hash>
  ```

- The server can set a random password when a password administrator resets a user’s password.
Many capabilities are not set by default:
- No lockout.
- No password expiration.
- No password validator to check that passwords contain the appropriate mix of characters.
If the directory service enforces password policy, configure at least the default password policy accordingly.
DS subentry password policies
You manage password policies as LDAP subentries in the application data. Replication applies updates to subentry password policies to all other replicas. Password policy administrators do not need access to the server configuration.
The DS subentry password policy entries have the object classes:
- ds-pwp-password-policy for most password policy features.
- A set of password validator object classes for specific validators, which derive from the abstract ds-pwp-validator class, for password validation configuration.
- ds-pwp-random-generator for password generation on reset.
The following tables describe password policy attributes per object class:
Core policy attributes
Object class: ds-pwp-password-policy
Attribute | Description |
---|---|
| The attribute type used to hold user passwords. |
| Names of enabled password storage schemes used to encode plaintext passwords. Default: PBKDF2-HMAC-SHA256. |
| Name of the password policy. |
| Whether users can change their passwords, assuming access control allows it. Default: true. |
| Names of enabled account status notification handlers to use with this policy. Use the |
| Whether the user can change an expired password with the password modify extended operation. Default: false. |
| Whether user entries can have multiple distinct passwords. Any password is sufficient to authenticate. Default: false. |
| Whether users can change their passwords by providing a pre-encoded value. Default: false. |
| Names of deprecated password storage schemes for this policy. On successful authentication, the server re-encodes the password with the default scheme. |
| Whether to allow a user’s password to expire even if that user has never received an expiration warning notification. Default: false. |
| Whether users are forced to change their passwords upon first authentication after their accounts are added. Use the Default: false. |
| Whether users are forced to change their passwords after password reset by an administrator. For this purpose, anyone with permission to change a given user’s password other than that user is an administrator. Use the Default: false. |
| Number of grace logins that a user is allowed after the account has expired so the user can update their password. Default: 0 (disabled). |
| Maximum number of seconds that an account may remain idle (the associated user does not authenticate to the server) before that user is locked out. Requires maintaining a last login time attribute. Default: 0 seconds (inactive). |
| Name or OID of the attribute type that is used to hold the last login time for users. Default: The |
| Format string that is used to generate the last login time value for users. The format string must match the syntax of the Default: |
| Duration that an account is locked after too many authentication failures. Default: 0 seconds (account remains locked until the administrator resets the password). |
| Maximum number of authentication failures that a user is allowed before the account is locked out. Default: 0 (disabled). |
| Duration before an authentication failure is no longer counted against a user for the purposes of account lockout. Default: 0 seconds (never expire). |
| Duration that a user can continue using the same password before it must be changed (the password expiration interval). Default: 0 seconds (passwords never expire). |
| Maximum number of seconds that users have to change passwords after they have been reset by an administrator before they become locked. Users are only required to change their password after it is reset if Default: 0 seconds. |
| Minimum duration after a password change before the user is allowed to change the password again. Default: 0 seconds. |
| Whether user password changes must include the user’s current password before the change is allowed. This can be done with either the password modify extended operation, or a modify operation using delete and add. Default: false. |
| Duration before a user’s password actually expires that the server begins to include warning notifications in bind responses for that user. Default: 5 days. |
| Maximum number of former passwords to maintain in the password history. A value of zero indicates either that no password history is maintained, if the password history duration is zero seconds, or that there is no maximum number of passwords to maintain in the history, if the password history duration is greater than zero seconds. Default: 0. |
| Maximum number of seconds that passwords remain in the password history. Default: 0 seconds (inactive). |
| Format string(s) that might have been used with the last login time at any point in the past for users associated with the password policy. Default: |
| Time by which all users with the associated password policy must change their passwords. Specified in generalized time form. |
| Whether users with the associated password policy are required to authenticate in a secure manner. Default: false. |
| Whether users with the associated password policy are required to change their password in a secure manner that does not expose the credentials. Default: false. |
| Whether passwords set by administrators are allowed to bypass the password validation process. Default: false. |
| How the server deals with the inability to update password policy state information during an authentication attempt. One of the following: |
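The three lockout properties in the table above interact, and their zero defaults each mean something different (disabled, never expire, locked until reset). The following model is an added example, not DS code: it replays a timeline of bind attempts against a policy and reports which binds succeed, so the effect of a given combination can be checked before the policy is applied. Times are seconds, and the attempt sequences are constructed.

```python
"""Added example, not DS code: a model of the account lockout properties
described above (lockout-failure-count, lockout-failure-expiration-interval,
lockout-duration). Times are seconds; attempt sequences are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class LockoutPolicy:
    failure_count: int = 0       # 0: lockout disabled
    failure_expiration: int = 0  # seconds a failure stays counted; 0: never expires
    lockout_duration: int = 0    # seconds; 0: locked until an administrator resets the password


@dataclass
class AccountState:
    policy: LockoutPolicy
    failures: List[int] = field(default_factory=list)  # timestamps of counted failures
    locked_at: Optional[int] = None

    def _expire(self, now: int) -> None:
        """Drop expired failures; lift the lockout once its duration has passed."""
        if self.policy.failure_expiration > 0:
            self.failures = [t for t in self.failures
                             if now - t < self.policy.failure_expiration]
        if (self.locked_at is not None and self.policy.lockout_duration > 0
                and now - self.locked_at >= self.policy.lockout_duration):
            self.locked_at = None
            self.failures = []

    def is_locked(self, now: int) -> bool:
        self._expire(now)
        return self.locked_at is not None

    def bind(self, now: int, password_ok: bool) -> bool:
        """Process one bind attempt; return True if the bind succeeds."""
        if self.is_locked(now):
            return False             # a locked account fails even with the right password
        if password_ok:
            self.failures = []       # a successful bind clears the failure history
            return True
        self.failures.append(now)
        if 0 < self.policy.failure_count <= len(self.failures):
            self.locked_at = now
        return False

    def admin_reset(self) -> None:
        """Administrator password reset: the only way out when lockout_duration is 0."""
        self.locked_at = None
        self.failures = []


def simulate(policy: LockoutPolicy, attempts: List[Tuple[int, bool]]) -> List[bool]:
    """Run (time, password_ok) attempts against a fresh account; return each outcome."""
    account = AccountState(policy)
    return [account.bind(t, ok) for t, ok in attempts]


if __name__ == "__main__":
    policy = LockoutPolicy(failure_count=3, failure_expiration=0, lockout_duration=300)
    timeline = [(0, False), (10, False), (20, False), (100, True), (330, True)]
    print(simulate(policy, timeline))  # third failure locks; correct password at t=100 fails
```

A useful way to read the results: with all three properties at zero (the default), the simulation never locks an account, which matches the "No lockout" default listed earlier; with a non-zero failure expiration interval, slow-paced failures never accumulate, so the interval should be chosen with the expected attempt rate in mind.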
Value validator attributes
Object class: ds-pwp-attribute-value-validator
Attribute | Description |
---|---|
| Whether this password validator should test the reversed value of the provided password as well as the order in which it was given. Default: false. |
| Name(s) of the attribute(s) whose values should be checked to determine whether they match the provided password. If no values are provided, then the server checks if the proposed password matches the value of any user attribute in the user’s entry. The server does not check values of operational attributes. |
| Whether this password validator is to match portions of the password string against attribute values and portions of attribute values against the password string. When false, the server checks whether the entire password matches any user attribute values. When true, the server checks whether the password contains portions of attribute values and whether the attribute values contain portions of the password. Consider the case of Babs Jensen ( In summary: Default: false. |
| The minimal length of the substring within the password when substring checking is enabled. Default: 0. |
Character set attributes
Object class: ds-pwp-character-set-validator
Attribute | Description |
---|---|
| Whether this password validator allows passwords to contain characters outside of any of the user-defined character sets and ranges. Default: false. |
| Minimum number of character sets and ranges that a password must contain. Use in conjunction with optional character sets and ranges (those requiring zero characters). The value must include any mandatory character sets and ranges (those requiring greater than zero characters). This is useful in situations where a password must contain characters from mandatory character sets and ranges, and characters from at least N optional character sets and ranges. For example, it is quite common to require that a password contains at least one non-alphanumeric character as well as characters from two alphanumeric character sets (lower-case, upper-case, digits). In this case, this property should be set to 3. |
| A character set containing characters that a password may contain, and a value indicating the minimum number of characters required from that set. Each value must be an integer (indicating the minimum required characters from the set, which may be zero, indicating that the character set is optional) followed by a colon and the characters to include in that set. For example, Multiple character sets can be defined in separate values, although no character can appear in more than one character set. |
| A character range containing characters that a password may contain, and a value indicating the minimum number of characters required from that range. Each value must be an integer (indicating the minimum required characters from the range, which may be zero, indicating that the character range is optional) followed by a colon and one or more range specifications. A range specification is 3 characters: the first character allowed, a minus, and the last character allowed. For example, |
Dictionary attributes
Object class: ds-pwp-dictionary-validator
Attribute | Description |
---|---|
| A gzipped password dictionary, one word per line. This is a single-valued attribute. |
| Whether this password validator should treat password characters in a case-sensitive manner. Default: false. |
| Whether this password validator is to match portions of the password string against dictionary words. Default: false (match only the entire password against dictionary words). |
| The minimal length of the substring within the password in case substring checking is enabled. Default: 0. |
| Whether this password validator should test the reversed value of the provided password as well as the order in which it was given. Default: false. |
Password length attributes
Object class: ds-pwp-length-based-validator
Attribute | Description |
---|---|
| Maximum plaintext password length. Default: 0 (undefined). |
| Minimum plaintext password length. Default: 6. |
Repeated characters attributes
Object class: ds-pwp-repeated-characters-validator
Attribute | Description |
---|---|
| The maximum number of times that any character can appear consecutively in a password value. Default: 0 (no maximum limit is enforced). |
| Whether this password validator should treat password characters in a case-sensitive manner. Default: false. |
Similarity attributes
Object class: ds-pwp-similarity-based-validator
Attribute | Description |
---|---|
| The minimum difference between the new and old password. The implementation uses the Levenshtein Distance algorithm to determine the minimum number of changes (where a change may be inserting, deleting, or replacing a character) to transform one string into the other. It can prevent users from making only minor changes to their current password when setting a new password. Note that for this password validator to be effective, it must have access to the user’s current password. Therefore, if this password validator is to be enabled, also set Default: 0 (no difference between passwords is acceptable). |
Unique characters attributes
Object class: ds-pwp-unique-characters-validator
Attribute | Description |
---|---|
| Whether this password validator should treat password characters in a case-sensitive manner. Default: false. |
| The minimum number of unique characters that a password will be allowed to contain. Default: 0 (no minimum value is enforced). |
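The validator tables above describe each check in prose. The following is an added example, not DS code: stand-alone implementations of the same rules (character sets and ranges with a minimum number of sets, dictionary and attribute-value matching with substring and reversed options, length, repeated characters, Levenshtein-based similarity, unique characters), so a candidate password can be run through them offline before a policy goes live. The word list, entry attribute values and passwords used are constructed; DS itself reads the dictionary from a gzipped file.

```python
"""Added example, not DS code: offline versions of the validator checks
described above. Word lists, attribute values and passwords are constructed.
"""


def levenshtein(a: str, b: str) -> int:
    """Minimum insertions, deletions or substitutions turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity_ok(new: str, old: str, min_difference: int) -> bool:
    """Similarity validator: 0 accepts any change, otherwise require the distance."""
    return min_difference == 0 or levenshtein(new, old) >= min_difference


def length_ok(pw: str, min_length: int = 6, max_length: int = 0) -> bool:
    """Length validator: max_length 0 means no upper bound."""
    return len(pw) >= min_length and (max_length == 0 or len(pw) <= max_length)


def repeats_ok(pw: str, max_consecutive: int = 0, case_sensitive: bool = False) -> bool:
    """Repeated characters validator: max_consecutive 0 disables the check."""
    if max_consecutive == 0:
        return True
    s = pw if case_sensitive else pw.lower()
    run = 1
    for prev_ch, ch in zip(s, s[1:]):
        run = run + 1 if ch == prev_ch else 1
        if run > max_consecutive:
            return False
    return True


def unique_ok(pw: str, min_unique: int = 0, case_sensitive: bool = False) -> bool:
    """Unique characters validator."""
    return len(set(pw if case_sensitive else pw.lower())) >= min_unique


def _parse_set(spec: str, as_range: bool):
    """'N:chars' or 'N:a-zA-Z' -> (minimum count, set of characters)."""
    minimum, chars = spec.split(":", 1)
    if as_range:
        members = set()
        for k in range(0, len(chars), 3):  # each range spec is 3 chars: first, '-', last
            lo, _dash, hi = chars[k:k + 3]
            members.update(chr(c) for c in range(ord(lo), ord(hi) + 1))
    else:
        members = set(chars)
    return int(minimum), members


def character_sets_ok(pw, sets=(), ranges=(), min_sets=0, allow_unclassified=False):
    """Character set validator: mandatory sets (N > 0) must be met and at
    least min_sets sets or ranges (mandatory ones included) must be used."""
    parsed = [_parse_set(s, False) for s in sets] + [_parse_set(r, True) for r in ranges]
    if not allow_unclassified:
        for ch in pw:
            if not any(ch in members for _, members in parsed):
                return False
    used = 0
    for minimum, members in parsed:
        n = sum(ch in members for ch in pw)
        if n < minimum:
            return False
        used += n > 0
    return used >= min_sets


def _common_substring(a: str, b: str, min_len: int) -> bool:
    """True when a and b share at least min_len consecutive characters."""
    return any(a[i:i + min_len] in b for i in range(len(a) - min_len + 1))


def contains_word(pw, words, substring=False, min_substring=0,
                  check_reversed=False, case_sensitive=False) -> bool:
    """Dictionary and attribute-value check: True when pw matches a word.
    With substring=True and min_substring > 0 the match succeeds when pw and
    the word share that many consecutive characters; min_substring 0 falls
    back to whole-value containment in either direction."""
    norm = (lambda s: s) if case_sensitive else str.lower
    candidates = [norm(pw)] + ([norm(pw)[::-1]] if check_reversed else [])
    for w in map(norm, words):
        for c in candidates:
            if c == w:
                return True
            if substring and min_substring > 0 and _common_substring(w, c, min_substring):
                return True
            if substring and min_substring == 0 and (w in c or c in w):
                return True
    return False
```

The character-set call mirrors the table's own example: one mandatory set of non-alphanumerics plus optional lower, upper and digit ranges with a minimum of 3 sets. Note that with `check_reversed=True` and substring matching, the reversed candidate is also compared, so a rejection can come from the reversed form.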
Generator attributes
Object class: ds-pwp-random-generator
Attribute | Description |
---|---|
| Named character sets. The format of the character set is the name of the set followed by a colon and the characters that are in that set. For example, the value |
| The format to use for the generated password. The value is a comma-delimited list of elements in which each of those elements is comprised of the name of a character set defined in the password-character-set property, a colon, and the number of characters to include from that set. For example, a value of |
Interoperable password policies
DS servers support the Internet-Draft, Password Policy for LDAP Directories (version 09). The password policies are expressed as LDAP subentries with objectClass: pwdPolicy.
An Internet-Draft password policy effectively overrides settings in the default per-server password policy for users, inheriting settings that it does not support or does not include from the per-server password policy.
The following table describes Internet-Draft policy attributes:
Internet-Draft attributes
Object class: pwdPolicy
Attribute | Description |
---|---|
| The attribute type used to hold user passwords. |
| Whether users can change their passwords. Default: true. |
| Maximum number of seconds before a user’s password actually expires that the server begins to include warning notifications in bind responses for that user. Default: 432000 seconds. |
| Length of time before an authentication failure is no longer counted against a user for the purposes of account lockout. Default: 0 seconds (never expire). |
| Number of grace logins that a user is allowed after the account has expired so the user can update their password. Default: 0 (disabled). |
| Maximum number of former passwords to maintain in the password history. Default: 0 (disabled). |
| Number of seconds that an account is locked after too many authentication failures. Default: 0 seconds (account remains locked indefinitely). |
| Maximum number of seconds that a user can continue using the same password before it must be changed (the password expiration interval). Default: 0 seconds (disabled). |
| Maximum number of authentication failures that a user is allowed before the account is locked out. Default: 0. |
| Minimum number of seconds after a password change before the user is allowed to change the password again. Default: 0 seconds (disabled). |
| Whether users are forced to change their passwords after password reset by an administrator. Default: false. |
| Whether user password changes must use the password modify extended operation, and must include the user’s current password before the change is allowed. Default: false. |
Overrides
The following table lists Internet-Draft policy attributes that override the per-server policy properties:
Internet-Draft policy attribute | Overrides this server policy property |
---|---|
Ignored attributes
DS servers ignore the following Internet-Draft password policy attributes:
- pwdCheckQuality, because DS servers have password validators.
- pwdMinLength, because you can use a length-based password validator instead.
- pwdLockout, because DS servers use other lockout-related password policy attributes.
Inheritance
Internet-Draft based password policies inherit these settings from the default per-server policy for users:
- account-status-notification-handlers
- allow-expired-password-changes
- allow-multiple-password-values
- allow-pre-encoded-passwords
- default-password-storage-schemes
- deprecated-password-storage-schemes
- expire-passwords-without-warning
- force-change-on-add
- idle-lockout-interval
- last-login-time-attribute
- last-login-time-format
- max-password-reset-age
- password-generator
- password-history-duration
- password-validators
- previous-last-login-time-formats
- require-change-by-time
- require-secure-authentication
- require-secure-password-changes
- skip-validation-for-administrators
- state-update-failure-policy