Configuring Password Policy

If you want to synchronize password policy across your organization and your applications go to the directory for authentication, then the directory can be a good place to enforce your password policy uniformly. Even if you do not depend on the directory for all of your password policy, you still want to consider directory password policy, if only to choose the appropriate password storage scheme.

This chapter covers password policy, including examples of how to configure password policies for common use cases.

About OpenDJ Password Policies

OpenDJ password policies govern not only passwords, but also account lockout, and how OpenDJ provides notification about account status.

OpenDJ supports password policies as part of the server configuration, and also subentry password policies as part of the (replicated) user data.

Server Based Password Policies

You manage server based password policies in the OpenDJ configuration by using the dsconfig command. As they are part of the server configuration, such password policies are not replicated. You must instead apply password policy configuration updates to each replica in your deployment.

By default, OpenDJ includes two password policy configurations: one default for all users, and another for directory root DN users, such as cn=Directory Manager. You can see all the default password policy settings, including the advanced properties, using the dsconfig command as follows.

$ dsconfig
get-password-policy-prop
--port 4444
--hostname opendj.example.com
--bindDN "cn=Directory Manager"
--bindPassword password
--policy-name "Default Password Policy"
--advanced
Property : Value(s)
------------------------------------------:--------------------------
account-status-notification-handler : -
allow-expired-password-changes : false
allow-multiple-password-values : false
allow-pre-encoded-passwords : false
allow-user-password-changes : true
default-password-storage-scheme : Salted SHA-1
deprecated-password-storage-scheme : -
expire-passwords-without-warning : false
force-change-on-add : false
force-change-on-reset : false
grace-login-count : 0
idle-lockout-interval : 0 s
last-login-time-attribute : -
last-login-time-format : -
lockout-duration : 0 s
lockout-failure-count : 0
lockout-failure-expiration-interval : 0 s
max-password-age : 0 s
max-password-reset-age : 0 s
min-password-age : 0 s
password-attribute : userpassword
password-change-requires-current-password : false
password-expiration-warning-interval : 5 d
password-generator : Random Password Generator
password-history-count : 0
password-history-duration : 0 s
password-validator : -
previous-last-login-time-format : -
require-change-by-time : -
require-secure-authentication : false
require-secure-password-changes : false
skip-validation-for-administrators : false
state-update-failure-policy : reactive

See the OpenDJ Configuration Reference page on Password Policy for detailed descriptions of each property.

Here you notice that many capabilities are not set by default: no lockout, no password expiration, no multiple passwords, and no password validator to check that passwords contain an appropriate mix of characters. This means that if you decide to use the directory to enforce password policy, you must configure at least the default password policy to meet your needs.

Yet a few basic protections are configured by default. When you import LDIF with userPassword values, OpenDJ hashes the values before storing them. When a user provides a password value during a bind, for example, the server hashes the value provided in order to compare it with the stored value. Because the default storage scheme is a one-way salted hash, even the directory manager cannot see the plain text value of a user's password. The default allow-pre-encoded-passwords: false also means that clients cannot write an already hashed value, which would otherwise bypass any password validators you configure. Keep in mind that Salted SHA-1 is a fast hash: anyone who obtains a copy of the database, a backup, or an LDIF export can test password guesses offline at high speed, so protect those artifacts as carefully as the server itself.

$ ldapsearch
--port 1389
--bindDN "cn=Directory Manager"
--bindPassword password
--baseDN dc=example,dc=com
uid=bjensen
userpassword
dn: uid=bjensen,ou=People,dc=example,dc=com
userpassword: {SSHA}QWAtw8ch/9850HNFRRqLNMIQc1YhxCnOoGmk1g==

In addition, users can change their passwords provided you have granted them access to do so. OpenDJ uses the userPassword attribute to store passwords by default, rather than the authPassword attribute, which is designed to store passwords hashed by the client application.

Subentry Based Password Policies

You manage subentry password policies by adding the subentries alongside the user data. Thus OpenDJ can replicate subentry password policies across servers.

Subentry password policies support the Internet-Draft Password Policy for LDAP Directories (version 09), often referred to as the Behera Internet-Draft. A subentry password policy effectively overrides settings in the default password policy defined in the OpenDJ configuration. Settings not supported or not included in the subentry password policy are inherited from the default password policy.

As a result, the following Internet-Draft password policy attributes override the default password policy when you set them in the subentry.

- pwdAllowUserChange, corresponding to the OpenDJ password policy property allow-user-password-changes
- pwdMustChange, corresponding to the OpenDJ password policy property force-change-on-reset
- pwdGraceAuthNLimit, corresponding to the OpenDJ password policy property grace-login-count
- pwdLockoutDuration, corresponding to the OpenDJ password policy property lockout-duration
- pwdMaxFailure, corresponding to the OpenDJ password policy property lockout-failure-count
- pwdFailureCountInterval, corresponding to the OpenDJ password policy property lockout-failure-expiration-interval
- pwdMaxAge, corresponding to the OpenDJ password policy property max-password-age
- pwdMinAge, corresponding to the OpenDJ password policy property min-password-age
- pwdAttribute, corresponding to the OpenDJ password policy property password-attribute
- pwdSafeModify, corresponding to the OpenDJ password policy property password-change-requires-current-password
- pwdExpireWarning, corresponding to the OpenDJ password policy property password-expiration-warning-interval
- pwdInHistory, corresponding to the OpenDJ password policy property password-history-count

The following Internet-Draft password policy attributes are not taken into account by OpenDJ.

- pwdCheckQuality, as OpenDJ has password validators. You can set password validators to use in the default password policy.
- pwdMinLength, as this is handled by the Length Based Password Validator. You can configure this as part of the default password policy.
- pwdLockout, as OpenDJ can deduce whether lockout is configured based on the values of other lockout-related password policy attributes.

Values of the following properties are inherited from the default password policy for Internet-Draft based password policies.

- account-status-notification-handler
- allow-expired-password-changes
- allow-multiple-password-values
- allow-pre-encoded-passwords
- default-password-storage-scheme
- deprecated-password-storage-scheme
- expire-passwords-without-warning
- force-change-on-add
- idle-lockout-interval
- last-login-time-attribute
- last-login-time-format
- max-password-reset-age
- password-generator
- password-history-duration
- password-validator
- previous-last-login-time-format
- require-change-by-time
- require-secure-authentication
- require-secure-password-changes
- skip-validation-for-administrators
- state-update-failure-policy

Note in particular that password validators and the password storage scheme are always inherited: a subentry policy cannot set them, so password quality rules and hashing must be configured in the server based default policy on every replica.

Which Password Policy Applies

The password policy that applies to a user is identified by the operational attribute, pwdPolicySubentry. An explicit ds-pwp-password-policy-dn value on the entry (set directly or through a collective attribute) takes precedence over a subentry password policy whose scope includes the entry, which in turn takes precedence over the default password policy.

$ ldapsearch --port 1389 --baseDN dc=example,dc=com uid=bjensen pwdPolicySubentry
dn: uid=bjensen,ou=People,dc=example,dc=com
pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config

Configuring Password Policies

You configure server based password policies using the dsconfig command. Notice that server based password policies are part of the server configuration, and therefore not replicated. Alternatively, you can configure a subset of password policy features using subentry based password policies that are stored with the replicated server data. This section covers both server based and subentry based password policies.

To Adjust the Default Password Policy

You can reconfigure the default password policy, for example to enforce password expiration, check that passwords do not match dictionary words, and prevent password reuse. This default policy is a server based password policy.

Enable the appropriate password validator.

$ dsconfig
set-password-validator-prop
--port 4444
--hostname opendj.example.com
--bindDN "cn=Directory Manager"
--bindPassword password
--validator-name Dictionary
--set enabled:true
--set check-substrings:true
--set min-substring-length:4
--trustAll
--no-prompt

Apply the changes to the default password policy.

$ dsconfig
set-password-policy-prop
--port 4444
--hostname opendj.example.com
--bindDN "cn=Directory Manager"
--bindPassword password
--policy-name "Default Password Policy"
--set max-password-age:90d
--set min-password-age:4w
--set password-history-count:7
--set password-validator:Dictionary
--trustAll
--no-prompt

Check your work.

$ dsconfig
get-password-policy-prop
--port 4444
--hostname opendj.example.com
--bindDN "cn=Directory Manager"
--bindPassword password
--policy-name "Default Password Policy"
Property : Value(s)
------------------------------------------:--------------------------
account-status-notification-handler : -
allow-expired-password-changes : false
allow-user-password-changes : true
default-password-storage-scheme : Salted SHA-1
deprecated-password-storage-scheme : -
expire-passwords-without-warning : false
force-change-on-add : false
force-change-on-reset : false
grace-login-count : 0
idle-lockout-interval : 0 s
last-login-time-attribute : -
last-login-time-format : -
lockout-duration : 0 s
lockout-failure-count : 0
lockout-failure-expiration-interval : 0 s
max-password-age : 12 w 6 d
max-password-reset-age : 0 s
min-password-age : 4 w
password-attribute : userpassword
password-change-requires-current-password : false
password-expiration-warning-interval : 5 d
password-generator : Random Password Generator
password-history-count : 7
password-history-duration : 0 s
password-validator : Dictionary
previous-last-login-time-format : -
require-change-by-time : -
require-secure-authentication : false
require-secure-password-changes : false

To Create a Server Based Password Policy

You can add a password policy, for example for new users who have not yet used their credentials to bind.

Create the new password policy.

$ dsconfig
create-password-policy
--port 4444
--hostname opendj.example.com
--bindDN "cn=Directory Manager"
--bindPassword password
--policy-name "New Account Password Policy"
--set default-password-storage-scheme:"Salted SHA-1"
--set force-change-on-add:true
--set password-attribute:userPassword
--type password-policy
--trustAll
--no-prompt

Check your work.

$ dsconfig
get-password-policy-prop
--port 4444
--hostname opendj.example.com
--bindDN "cn=Directory Manager"
--bindPassword password
--policy-name "New Account Password Policy"
Property : Value(s)
------------------------------------------:-------------
account-status-notification-handler : -
allow-expired-password-changes : false
allow-user-password-changes : true
default-password-storage-scheme : Salted SHA-1
deprecated-password-storage-scheme : -
expire-passwords-without-warning : false
force-change-on-add : true
force-change-on-reset : false
grace-login-count : 0
idle-lockout-interval : 0 s
last-login-time-attribute : -
last-login-time-format : -
lockout-duration : 0 s
lockout-failure-count : 0
lockout-failure-expiration-interval : 0 s
max-password-age : 0 s
max-password-reset-age : 0 s
min-password-age : 0 s
password-attribute : userpassword
password-change-requires-current-password : false
password-expiration-warning-interval : 5 d
password-generator : -
password-history-count : 0
password-history-duration : 0 s
password-validator : -
previous-last-login-time-format : -
require-change-by-time : -
require-secure-authentication : false
require-secure-password-changes : false

If you use a password policy like this, you might want to change the user's policy again when the new user successfully updates the password.

To Create a Subentry Based Password Policy

You can add a subentry to configure a password policy that applies to Directory Administrators. The example below locks an account after three failed binds (pwdMaxFailure) counted within a five-minute window (pwdFailureCountInterval, in seconds), for five minutes (pwdLockoutDuration). OpenDJ ignores the pwdLockout attribute itself; lockout is enabled because pwdMaxFailure is set.

Create the entry that specifies the password policy.

$ cat /path/to/subentry-pwp.ldif
dn: cn=Subentry Password Policy,dc=example,dc=com
objectClass: top
objectClass: subentry
objectClass: pwdPolicy
cn: Subentry Password Policy
pwdAttribute: userPassword
pwdLockout: TRUE
pwdMaxFailure: 3
pwdFailureCountInterval: 300
pwdLockoutDuration: 300
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
subtreeSpecification: {base "ou=people", specificationFilter
 "(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }

Add the policy to the directory.

$ ldapmodify
--port 1389
--bindDN "cn=Directory Manager"
--bindPassword password
--defaultAdd
--filename /path/to/subentry-pwp.ldif
Processing ADD request for cn=Subentry Password Policy,dc=example,dc=com
ADD operation successful for DN cn=Subentry Password Policy,dc=example,dc=com

Check that the policy applies as specified.

In the example, the policy should apply to a Directory Administrator, while a normal user has the default password policy. Here, Kirsten Vaughan is a member of the Directory Administrators group, and Babs Jensen is not a member.

$ ldapsearch
--port 1389
--baseDN dc=example,dc=com
uid=kvaughan
pwdPolicySubentry
dn: uid=kvaughan,ou=People,dc=example,dc=com
pwdPolicySubentry: cn=Subentry Password Policy,dc=example,dc=com
$ ldapsearch
--port 1389
--baseDN dc=example,dc=com
uid=bjensen
pwdPolicySubentry
dn: uid=bjensen,ou=People,dc=example,dc=com
pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config

Assigning Password Policies

You assign subentry based password policies for a subtree of the DIT by adding the policy to an LDAP subentry whose immediate superior is the root of the subtree. In other words, you can add the subentry based password policy under ou=People,dc=example,dc=com to have it apply to all entries under ou=People,dc=example,dc=com. You can further use the capabilities of LDAP subentries, such as the specificationFilter shown in the previous procedure, to refine the scope of application.

You assign server based password policies by using the ds-pwp-password-policy-dn attribute.

To Assign a Password Policy to a User

Prevent users from selecting their own password policy. Without an ACI like this, any user granted write access to that attribute on their own entry could point ds-pwp-password-policy-dn at a weaker policy.

$ cat protectpwp.ldif
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (target ="ldap:///uid=*,ou=People,dc=example,dc=com")(targetattr =
 "ds-pwp-password-policy-dn")(version 3.0;acl "Cannot choose own pass
 word policy";deny (write)(userdn = "ldap:///self");)
$ ldapmodify
--port 1389
--bindDN "cn=Directory Manager"
--bindPassword password
--filename protectpwp.ldif
Processing MODIFY request for ou=People,dc=example,dc=com
MODIFY operation successful for DN ou=People,dc=example,dc=com

Update the user's ds-pwp-password-policy-dn attribute.

$ cat newuser.ldif
dn: uid=newuser,ou=People,dc=example,dc=com
uid: newuser
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: top
cn: New User
sn: User
ou: People
mail: newuser@example.com
userPassword: changeme
ds-pwp-password-policy-dn: cn=New Account Password Policy,cn=Password Policies,
 cn=config
$ ldapmodify
--port 1389
--bindDN "cn=Directory Manager"
--bindPassword password
--defaultAdd
--filename newuser.ldif
Processing ADD request for uid=newuser,ou=People,dc=example,dc=com
ADD operation successful for DN uid=newuser,ou=People,dc=example,dc=com

Check your work.

$ ldapsearch
--port 1389
--bindDN "cn=Directory Manager"
--bindPassword password
--baseDN dc=example,dc=com
uid=newuser
pwdPolicySubentry
dn: uid=newuser,ou=People,dc=example,dc=com
pwdPolicySubentry: cn=New Account Password Policy,cn=Password Policies,cn=config

To Assign a Password Policy to a Group

Create a subentry defining the collective attribute that sets the ds-pwp-password-policy-dn attribute for group members' entries. Because an explicit ds-pwp-password-policy-dn value takes precedence over a subentry password policy, this assignment wins over the subentry policy created earlier for the same group.

$ cat pwp-coll.ldif
dn: cn=Password Policy for Dir Admins,dc=example,dc=com
objectClass: collectiveAttributeSubentry
objectClass: extensibleObject
objectClass: subentry
objectClass: top
cn: Password Policy for Dir Admins
ds-pwp-password-policy-dn;collective: cn=Root Password Policy,cn=Pass
 word Policies,cn=config
subtreeSpecification: { base "ou=People", specificationFilter "(isMemberOf=
 cn=Directory Administrators,ou=Groups,dc=example,dc=com)"}
$ ldapmodify
--port 1389
--bindDN "cn=Directory Manager"
--bindPassword password
--defaultAdd
--filename pwp-coll.ldif
Processing ADD request for cn=Password Policy for Dir Admins,dc=example,dc=com
ADD operation successful for DN cn=Password Policy for Dir Admins,dc=example,dc=com

Check your work.

$ ldapsearch
--port 1389
--baseDN dc=example,dc=com
uid=kvaughan
pwdPolicySubentry
dn: uid=kvaughan,ou=People,dc=example,dc=com
pwdPolicySubentry: cn=Root Password Policy,cn=Password Policies,cn=config
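The {SSHA} value returned for bjensen in the first section is a Salted SHA-1 hash: base64 of the 20-byte SHA-1 digest of the password followed by an 8-byte salt, with the salt appended after the digest. The following Python is an added example, not OpenDJ code. It parses the page's value only to show its structure (its plaintext is not known here), hashes a constructed password the way the server does on import or on a password change, checks a candidate the way a simple bind does, and runs a small constructed wordlist against the stored value to show why a fast salted hash still requires protecting backups and LDIF exports. The password, salt and wordlist are constructed for the demonstration; nothing in it contacts a server.

```python
"""Salted SHA-1 ({SSHA}) values as OpenDJ's default storage scheme stores them.

Added example, not OpenDJ code. Layout assumed here (the one used by the
Salted SHA-1 scheme): base64( SHA1(password || salt) || salt ),
with a 20-byte digest and an 8-byte salt.
"""
import base64
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

DIGEST_LEN = 20  # SHA-1 digest size
SALT_LEN = 8     # salt size used by OpenDJ's Salted SHA-1 scheme

# Value returned by the ldapsearch for uid=bjensen earlier on this page.
# Its plaintext is not known here; it is only parsed for structure.
PAGE_SSHA = "{SSHA}QWAtw8ch/9850HNFRRqLNMIQc1YhxCnOoGmk1g=="


def split_ssha(stored: str) -> Tuple[bytes, bytes]:
    """Return (digest, salt) from a {SSHA}-prefixed attribute value."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= DIGEST_LEN:
        raise ValueError("value too short to hold a digest and a salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def encode_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Hash a plaintext the way the server does on import or on a password change."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """What a simple bind does: rehash the candidate with the stored salt and compare."""
    digest, salt = split_ssha(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def offline_guess(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """An attacker holding the stored value (database copy, backup, LDIF export)
    can test guesses at raw SHA-1 speed; the salt only defeats precomputed tables."""
    for word in wordlist:
        if verify_ssha(word, stored):
            return word
    return None


if __name__ == "__main__":
    digest, salt = split_ssha(PAGE_SSHA)
    print(f"page value: {len(digest)}-byte digest, {len(salt)}-byte salt")

    # Constructed credentials for the demonstration; the salt is fixed only so
    # that the output is reproducible.
    stored = encode_ssha("Wint3r-Sky!", b"\x01\x02\x03\x04\x05\x06\x07\x08")
    print("bind with correct password:", verify_ssha("Wint3r-Sky!", stored))
    print("bind with wrong password:  ", verify_ssha("wint3r-sky!", stored))

    # A constructed wordlist; real attacks test millions of candidates per second.
    print("offline guess:", offline_guess(stored, ["password", "Wint3r-Sky!", "letmein"]))
```

The salt makes each stored value unique, so a precomputed table is useless, but it does nothing to slow down per-guess hashing; that is why the choice of default-password-storage-scheme and the handling of exports matter as much as the policy settings themselves.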
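The subentry policy created in "To Create a Subentry Based Password Policy" sets pwdMaxFailure, pwdFailureCountInterval and pwdLockoutDuration. The following Python is an added example, not OpenDJ code. It models the Internet-Draft semantics of those three attributes (failures older than the interval are discarded, reaching pwdMaxFailure sets pwdAccountLockedTime, and a lockout duration of 0 means locked until an administrator resets the password) so that you can predict what a subentry will do before replicating it. The draft attribute each Python field stands for is noted in the comments; times are plain integers in seconds, the attempt sequences are constructed, and no server is contacted. Inherited server based settings such as idle-lockout-interval and grace-login-count are not modelled.

```python
"""Model of the Internet-Draft lockout attributes set in the subentry policy above.

Added example, not OpenDJ code. It reproduces the draft's rules for
pwdMaxFailure, pwdFailureCountInterval and pwdLockoutDuration so that you can
predict what a subentry will do before adding it. Times are seconds.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class LockoutPolicy:
    pwd_max_failure: int = 0             # pwdMaxFailure; 0: never lock the account
    pwd_failure_count_interval: int = 0  # pwdFailureCountInterval; 0: failures count until a successful bind
    pwd_lockout_duration: int = 0        # pwdLockoutDuration; 0: locked until an administrator resets


@dataclass
class AccountState:
    failure_times: List[int] = field(default_factory=list)  # pwdFailureTime values
    locked_time: Optional[int] = None                         # pwdAccountLockedTime


def purge_stale_failures(policy: LockoutPolicy, state: AccountState, now: int) -> None:
    """Drop failures older than pwdFailureCountInterval (all failures count when it is 0)."""
    if policy.pwd_failure_count_interval > 0:
        state.failure_times = [
            t for t in state.failure_times
            if now - t < policy.pwd_failure_count_interval
        ]


def is_locked(policy: LockoutPolicy, state: AccountState, now: int) -> bool:
    """Locked while pwdAccountLockedTime is set and pwdLockoutDuration has not elapsed."""
    if state.locked_time is None:
        return False
    if policy.pwd_lockout_duration == 0:
        return True  # permanent until administrative_reset()
    return now - state.locked_time < policy.pwd_lockout_duration


def bind(policy: LockoutPolicy, state: AccountState, now: int, password_ok: bool) -> bool:
    """Apply one bind attempt at time `now`; return True if the bind succeeds."""
    if is_locked(policy, state, now):
        return False  # rejected without even checking the password
    purge_stale_failures(policy, state, now)
    if password_ok:
        state.failure_times.clear()
        state.locked_time = None
        return True
    state.failure_times.append(now)
    if policy.pwd_max_failure and len(state.failure_times) >= policy.pwd_max_failure:
        state.locked_time = now
    return False


def administrative_reset(state: AccountState) -> None:
    """A password reset by an administrator clears the lock and the failure history."""
    state.failure_times.clear()
    state.locked_time = None


def run_scenario(policy: LockoutPolicy, attempts):
    """Replay (time, password_ok) attempts against a fresh account; return the bind outcomes."""
    state = AccountState()
    return [bind(policy, state, t, ok) for t, ok in attempts]


if __name__ == "__main__":
    # Values from the subentry: 3 failures within 300 s lock the account for 300 s.
    policy = LockoutPolicy(pwd_max_failure=3, pwd_failure_count_interval=300,
                           pwd_lockout_duration=300)
    print(run_scenario(policy, [(0, False), (10, False), (20, False),
                                (30, True),     # correct password, but still locked
                                (320, True)]))  # lock expired: succeeds
    # Failures spread wider than pwdFailureCountInterval never reach pwdMaxFailure.
    print(run_scenario(policy, [(0, False), (10, False), (400, False), (401, True)]))
```

Run the second scenario with pwd_failure_count_interval=0 to see the difference an interval makes: without it, the three failures accumulate regardless of spacing and the account locks on the third one. Setting pwd_lockout_duration=0 is the configuration that turns a brute-force attempt into a denial of service against the targeted account, which is why the subentry above pairs a small pwdMaxFailure with a finite pwdLockoutDuration.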