Configuring Password Policy

If you want to synchronize password policy across your organization, and your applications go to the directory for authentication, then the directory can be a good place to enforce your password policy uniformly. Even if you do not depend on the directory for all of your password policy, you still want to consider directory password policy, if only to choose the appropriate password storage scheme. This chapter covers password policy, including examples of how to configure password policies for common use cases.
About OpenDJ Password Policies

OpenDJ password policies govern not only passwords, but also account lockout, and how OpenDJ provides notification about account status.

You manage OpenDJ password policies by using the dsconfig command. The dsconfig command stores password policies in the server configuration, rather than in the directory user data. As a result, password policies are not replicated. You must instead apply password policy configuration updates to each replica in your deployment.

By default, OpenDJ includes two password policy configurations, one default for all users, and another for directory root DN users, such as cn=Directory Manager. You can see all the default password policy settings using the dsconfig command as follows.

    $ dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password \
      get-password-policy-prop --policy-name "Default Password Policy" --advanced
    Property                                  : Value(s)
    ------------------------------------------:--------------------------
    account-status-notification-handler       : -
    allow-expired-password-changes            : false
    allow-multiple-password-values            : false
    allow-pre-encoded-passwords               : false
    allow-user-password-changes               : true
    default-password-storage-scheme           : Salted SHA-1
    deprecated-password-storage-scheme        : -
    expire-passwords-without-warning          : false
    force-change-on-add                       : false
    force-change-on-reset                     : false
    grace-login-count                         : 0
    idle-lockout-interval                     : 0 s
    last-login-time-attribute                 : -
    last-login-time-format                    : -
    lockout-duration                          : 0 s
    lockout-failure-count                     : 0
    lockout-failure-expiration-interval       : 0 s
    max-password-age                          : 0 s
    max-password-reset-age                    : 0 s
    min-password-age                          : 0 s
    password-attribute                        : userpassword
    password-change-requires-current-password : false
    password-expiration-warning-interval      : 5 d
    password-generator                        : Random Password Generator
    password-history-count                    : 0
    password-history-duration                 : 0 s
    password-validator                        : -
    previous-last-login-time-format           : -
    require-change-by-time                    : -
    require-secure-authentication             : false
    require-secure-password-changes           : false
    skip-validation-for-administrators        : false
    state-update-failure-policy               : reactive

Here you notice that many capabilities are not set by default: no lockout, no password expiration, no multiple passwords, no password validator to check that passwords contain the appropriate mix of characters. This means that if you decide to use the directory to enforce password policy, you must configure at least the default password policy to meet your needs.

Yet a few basic protections are configured by default. When you import LDIF with userPassword values, OpenDJ hashes the values before storing them. When a user provides a password value during a bind, for example, the server hashes the value provided to compare it with the stored value. Even the directory manager cannot see the plain text value of a user's password.

    $ ldapsearch -p 1389 -D "cn=Directory Manager" -w password -b dc=example,dc=com uid=bjensen userpassword
    dn: uid=bjensen,ou=People,dc=example,dc=com
    userpassword: {SSHA}QWAtw8ch/9850HNFRRqLNMIQc1YhxCnOoGmk1g==

In addition, users can change their passwords provided you have granted them access to do so.

OpenDJ uses the userPassword attribute to store passwords by default, rather than the authPassword attribute, which is designed to store passwords hashed by the client application.

The password policy that applies to a user is identified by the operational attribute, pwdPolicySubentry.

    $ ldapsearch -p 1389 -b dc=example,dc=com uid=bjensen pwdPolicySubentry
    dn: uid=bjensen,ou=People,dc=example,dc=com
    pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config
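As an added example, not code from the OpenDJ guide, the following Python shows what a Salted SHA-1 value like the one above contains and how a bind password is checked against it: the base64 blob is the 20-byte SHA-1 digest followed by the salt, and the check recomputes SHA-1(password + salt) and compares in constant time. The stored sample is copied from the ldapsearch output above; the passwords and fixed salts used for testing are constructed, and the 8-byte salt length is inferred from that sample.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Stored value copied from the ldapsearch output on this page (bjensen's entry).
PAGE_SAMPLE = "{SSHA}QWAtw8ch/9850HNFRRqLNMIQc1YhxCnOoGmk1g=="

SHA1_LEN = 20  # a SHA-1 digest is always 20 bytes; whatever follows is the salt


def split_ssha(stored: str) -> Tuple[bytes, bytes]:
    """Split a {SSHA} value into (digest, salt); raise ValueError on malformed input."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not a {SSHA} value")
    blob = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    if len(blob) <= SHA1_LEN:
        raise ValueError("blob too short to hold a digest and a salt")
    return blob[:SHA1_LEN], blob[SHA1_LEN:]


def encode_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Hash a clear-text password the way a Salted SHA-1 scheme stores it."""
    if salt is None:
        salt = os.urandom(8)  # 8-byte salt, matching the sample above (assumption)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Re-hash the bind password with the stored salt and compare in constant time."""
    digest, salt = split_ssha(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    digest, salt = split_ssha(PAGE_SAMPLE)
    print("sample: %d-byte digest, %d-byte salt" % (len(digest), len(salt)))
    stored = encode_ssha("changeme")  # constructed password
    print(stored, verify_ssha("changeme", stored), verify_ssha("wrong", stored))
```

Because the salt is stored beside the digest, two users with the same password get different stored values, which is why the scheme is preferable to plain SHA-1 even though the digest itself is fast to compute.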
Configuring Password Policies

You configure password policies using the dsconfig command. Notice that password policies are part of the server configuration, and therefore not replicated.

To Adjust the Default Password Policy

You can reconfigure the default password policy, for example, to enforce password expiration, check that passwords do not match dictionary words, and prevent password reuse.

1. Enable the appropriate password validator.

    $ dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password \
      set-password-validator-prop --validator-name Dictionary --set enabled:true -X -n

2. Apply the changes to the default password policy.

    $ dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password \
      set-password-policy-prop --policy-name "Default Password Policy" \
      --set max-password-age:90d --set min-password-age:4w \
      --set password-history-count:7 --set password-validator:Dictionary -X -n

3. Check your work.

    $ dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password \
      get-password-policy-prop --policy-name "Default Password Policy"
    Property                                  : Value(s)
    ------------------------------------------:--------------------------
    account-status-notification-handler       : -
    allow-expired-password-changes            : false
    allow-user-password-changes               : true
    default-password-storage-scheme           : Salted SHA-1
    deprecated-password-storage-scheme        : -
    expire-passwords-without-warning          : false
    force-change-on-add                       : false
    force-change-on-reset                     : false
    grace-login-count                         : 0
    idle-lockout-interval                     : 0 s
    last-login-time-attribute                 : -
    last-login-time-format                    : -
    lockout-duration                          : 0 s
    lockout-failure-count                     : 0
    lockout-failure-expiration-interval       : 0 s
    max-password-age                          : 12 w 6 d
    max-password-reset-age                    : 0 s
    min-password-age                          : 4 w
    password-attribute                        : userpassword
    password-change-requires-current-password : false
    password-expiration-warning-interval      : 5 d
    password-generator                        : Random Password Generator
    password-history-count                    : 7
    password-history-duration                 : 0 s
    password-validator                        : Dictionary
    previous-last-login-time-format           : -
    require-change-by-time                    : -
    require-secure-authentication             : false
    require-secure-password-changes           : false

To Create a Password Policy

You can add a password policy, for example, for new users who have not yet used their credentials to bind.

1. Create the new password policy.

    $ dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password \
      create-password-policy --policy-name "New Account Password Policy" \
      --set default-password-storage-scheme:"Salted SHA-1" \
      --set force-change-on-add:true --set password-attribute:userPassword -X -n

2. Check your work.

    $ dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password \
      get-password-policy-prop --policy-name "New Account Password Policy"
    Property                                  : Value(s)
    ------------------------------------------:-------------
    account-status-notification-handler       : -
    allow-expired-password-changes            : false
    allow-user-password-changes               : true
    default-password-storage-scheme           : Salted SHA-1
    deprecated-password-storage-scheme        : -
    expire-passwords-without-warning          : false
    force-change-on-add                       : true
    force-change-on-reset                     : false
    grace-login-count                         : 0
    idle-lockout-interval                     : 0 s
    last-login-time-attribute                 : -
    last-login-time-format                    : -
    lockout-duration                          : 0 s
    lockout-failure-count                     : 0
    lockout-failure-expiration-interval       : 0 s
    max-password-age                          : 0 s
    max-password-reset-age                    : 0 s
    min-password-age                          : 0 s
    password-attribute                        : userpassword
    password-change-requires-current-password : false
    password-expiration-warning-interval      : 5 d
    password-generator                        : -
    password-history-count                    : 0
    password-history-duration                 : 0 s
    password-validator                        : -
    previous-last-login-time-format           : -
    require-change-by-time                    : -
    require-secure-authentication             : false
    require-secure-password-changes           : false

If you use a password policy like this, you might want to change the user's policy again when the new user successfully updates the password.
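The get-password-policy-prop tables above are what an administrator reads to decide whether the directory is enforcing anything at all. As an added example, not code from the OpenDJ guide, the following Python parses that dsconfig output format and flags the settings this chapter calls out as switched off by default (no lockout, no expiration, no validator, no history). The embedded sample is a constructed subset of the default policy output shown earlier, and the duration units handled are the ones that appear in the page's output.

```python
import re
from typing import Dict, List, Optional

# Constructed subset of the "Default Password Policy" output shown on this page.
DEFAULT_POLICY_OUTPUT = """\
Property                                   : Value(s)
------------------------------------------:--------------------------
default-password-storage-scheme            : Salted SHA-1
lockout-failure-count                      : 0
max-password-age                           : 0 s
min-password-age                           : 0 s
password-history-count                     : 0
password-validator                         : -
require-secure-authentication              : false
"""

# Duration units as dsconfig prints them ("0 s", "5 d", "12 w 6 d").
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400}


def parse_policy(output: str) -> Dict[str, Optional[str]]:
    """Turn dsconfig's 'name : value' table into a dict; '-' means unset (None)."""
    props: Dict[str, Optional[str]] = {}
    for line in output.splitlines():
        if ":" not in line or line.startswith(("Property", "---")):
            continue  # skip the header and the separator row
        name, value = (part.strip() for part in line.split(":", 1))
        props[name] = None if value == "-" else value
    return props


def duration_seconds(value: Optional[str]) -> int:
    """Convert a dsconfig duration string to seconds; unset counts as zero."""
    if value is None:
        return 0
    return sum(int(n) * _UNITS[u] for n, u in re.findall(r"(\d+)\s*([smhdw])", value))


def audit_policy(props: Dict[str, Optional[str]]) -> List[str]:
    """Return the settings a reviewer would flag as leaving a protection disabled."""
    findings = []
    if int(props.get("lockout-failure-count") or 0) == 0:
        findings.append("lockout-failure-count: no lockout after failed binds")
    if duration_seconds(props.get("max-password-age")) == 0:
        findings.append("max-password-age: passwords never expire")
    if props.get("password-validator") is None:
        findings.append("password-validator: no check on password quality")
    if int(props.get("password-history-count") or 0) == 0:
        findings.append("password-history-count: password reuse is allowed")
    if props.get("require-secure-authentication") != "true":
        findings.append("require-secure-authentication: clear-text binds allowed")
    return findings
```

Run the audit against each replica, since the chapter notes that password policy lives in the server configuration and is not replicated.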
Assigning Password Policies

You assign password policies by using the ds-pwp-password-policy-dn attribute.

To Assign a Password Policy to a User

1. Prevent users from selecting their own password policy.

    $ cat protectpwp.ldif
    dn: ou=People,dc=example,dc=com
    changetype: modify
    add: aci
    aci: (target ="ldap:///uid=*,ou=People,dc=example,dc=com")(targetattr = "ds-pwp-password-policy-dn")(version 3.0;acl "Cannot choose own password policy";deny (write)(userdn = "ldap:///self");)

    $ ldapmodify -p 1389 -D "cn=Directory Manager" -w password -f protectpwp.ldif
    Processing MODIFY request for ou=People,dc=example,dc=com
    MODIFY operation successful for DN ou=People,dc=example,dc=com

2. Update the user's ds-pwp-password-policy-dn attribute.

    $ cat newuser.ldif
    dn: uid=newuser,ou=People,dc=example,dc=com
    uid: newuser
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: top
    cn: New User
    sn: User
    ou: People
    mail: newuser@example.com
    userPassword: changeme
    ds-pwp-password-policy-dn: cn=New Account Password Policy,cn=Password Policies,cn=config

    $ ldapmodify -p 1389 -D "cn=Directory Manager" -w password -a -f newuser.ldif
    Processing ADD request for uid=newuser,ou=People,dc=example,dc=com
    ADD operation successful for DN uid=newuser,ou=People,dc=example,dc=com

3. Check your work.

    $ ldapsearch -p 1389 -D "cn=Directory Manager" -w password -b dc=example,dc=com uid=newuser pwdPolicySubentry
    dn: uid=newuser,ou=People,dc=example,dc=com
    pwdPolicySubentry: cn=New Account Password Policy,cn=Password Policies,cn=config

To Assign a Password Policy to a Group

1. Create a virtual attribute to set the ds-pwp-password-policy-dn attribute for group members' entries.

    $ dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password \
      create-virtual-attribute --name "Dir Admin Password Policy" --type user-defined \
      --set attribute-type:ds-pwp-password-policy-dn \
      --set value:"cn=Root Password Policy,cn=Password Policies,cn=config" \
      --set group-dn:"cn=Directory Administrators,ou=Groups,dc=example,dc=com" \
      --set enabled:true -X -n

2. Check your work.

    $ ldapsearch -p 1389 -b dc=example,dc=com uid=kvaughan pwdPolicySubentry
    dn: uid=kvaughan,ou=People,dc=example,dc=com
    pwdPolicySubentry: cn=Root Password Policy,cn=Password Policies,cn=config

To Mail Users About Account Status

1. Identify the SMTP server to which OpenDJ sends messages.

    $ dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password \
      set-global-configuration-prop --set smtp-server:smtp.example.com -X -n

2. Set up OpenDJ to be able to mail users about account status.

    $ dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password \
      set-account-status-notification-handler-prop --handler-name "SMTP Handler" \
      --set enabled:true --set email-address-attribute-type:mail -X -n

   You can also configure the message-subject and message-template-file properties. Try interactive mode if you plan to do so. You find the default message templates under the config/messages directory. You can edit the templates to suit your purposes.

3. Adjust applicable password policies to use the account status notification handler you configured.

    $ dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password \
      set-password-policy-prop --policy-name "Default Password Policy" \
      --set account-status-notification-handler:"SMTP Handler" -X -n