Can you please explain how to use and implement eTrust Directory Password Policy settings?

Document ID : KB000055349
Last Modified Date : 14/02/2018

Introduction

Password policy settings can be a little confusing. Hopefully, which setting to use, and when, will become clearer after reading this techdoc.

The password policy settings control areas such as:

  • authentication (bind/compare of userPassword)

  • password strength (modify of userPassword)

  • other (account control etc)

Please Note: This techdoc has been verified using CA Directory r8.1 build 1072. Please ensure that you are using this build or higher when testing the information contained in this techdoc.
To download the latest Service Release of CA Directory please visit our product download page located at:
http://supportconnectw.ca.com/public/etrust/etrust_dir/downloads/etrustdir_updates.asp

Authentication

For the purposes of this document an account refers to a user entry. An account can be in one of the following states depending on how DXserver is configured:

  • Active

  • Expired

  • Suspended

  • Locked

Authentication with a valid password (Active -> Expired)

The following password policy settings control when an account moves from active to expired. If no default is listed under Value, the feature is off until the setting is configured. An account expires when its password has not been modified for the configured period.

password-age
  Value: days > 0
  Effect: a password must be changed within 'password-age' days of the last password update, otherwise the account will expire.
  Operational attribute: dxPwdLastChange

password-age-warning-period
  Value: days > 0
  Effect: can only be used in conjunction with:
    • Behera password policy request control
    • password-mimic-netscape-response-controls = true
  During normal operation the above mechanisms cause bind or password compare responses from DXserver to always append an LDAP control containing the number of seconds before the account expires. When password-age-warning-period is set, the password expiry notification control is only appended starting this many days before the password expires.

password-allow-ignore-expired
  Value: true/false
  Effect: an account will not expire if this setting is enabled and the 'dxPwdIgnoreExpired' attribute with a value of true is present in the user's entry.
  Note: This is useful for administrative accounts and accounts used by mission critical applications.
  Operational attribute: dxPwdIgnoreExpired

password-grace-logins
  Value: num > 0
  Effect: when an account has expired, user binds and password compares will succeed 'password-grace-logins' times before being refused due to expiry.
  Behera password policy request control - when this control is present, an LDAP control containing the number of grace logins remaining is appended to successful bind/password compare responses.
  Operational attributes: dxPwdGraceLogins, dxPwdGraceUseTime

Time-line of an account

  • 14 day password age (password-age)

  • 7 day password age warning (password-age-warning-period)

  • 3 grace logins (password-grace-logins)

      |<-------- 14 days --------->|
  --|-------------|--------------|- - - - - - - -|--
    |             |<-- 7 days -->|<-- 3 binds -->|
    /             /              /               /
  password    password expiry  password        grace logins
  updated     warning period   expired         exceeded
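To make the time-line concrete, here is a small Python simulation of the expiry rules above using the time-line's values (password-age 14, password-age-warning-period 7, password-grace-logins 3). It is an added example, not DXserver code; the entry fields last_change, grace_used and ignore_expired are constructed stand-ins for dxPwdLastChange, the grace-login tracking attributes and dxPwdIgnoreExpired.

```python
from datetime import datetime, timedelta

# Constructed policy using the values from the time-line above (example only,
# not a DXserver configuration file).
POLICY = {
    "password-age": 14,
    "password-age-warning-period": 7,
    "password-grace-logins": 3,
    "password-allow-ignore-expired": False,
}


def evaluate_bind(entry, policy, now):
    """Classify one bind/password compare made with a valid password.

    entry is a constructed dict standing in for the user's operational
    attributes: last_change (dxPwdLastChange), grace_used (grace logins
    already consumed; DXserver tracks these via dxPwdGraceLogins and
    dxPwdGraceUseTime) and ignore_expired (dxPwdIgnoreExpired).
    Returns (outcome, seconds_to_expiry, grace_logins_left); the seconds
    value is None outside the warning period, mirroring when the expiry
    control is appended to the response.
    """
    if policy["password-allow-ignore-expired"] and entry.get("ignore_expired"):
        return "active", None, None
    expiry = entry["last_change"] + timedelta(days=policy["password-age"])
    if now < expiry:
        warn_from = expiry - timedelta(days=policy["password-age-warning-period"])
        secs = int((expiry - now).total_seconds()) if now >= warn_from else None
        return "active", secs, None
    grace = policy["password-grace-logins"]
    used = entry.get("grace_used", 0)
    if used < grace:
        entry["grace_used"] = used + 1        # one grace login consumed
        return "expired-grace", None, grace - used - 1
    return "refused", None, 0                 # needs an administrative reset


def simulate(last_change, bind_days, policy=POLICY, ignore_expired=False):
    """Bind on each day offset after an ISO-date password update."""
    start = datetime.fromisoformat(last_change)
    entry = {"last_change": start, "grace_used": 0, "ignore_expired": ignore_expired}
    return [evaluate_bind(entry, policy, start + timedelta(days=d)) for d in bind_days]


if __name__ == "__main__":
    for day, result in zip([2, 9, 14, 14, 14, 14],
                           simulate("2018-02-01", [2, 9, 14, 14, 14, 14])):
        print(f"day {day:2d}: {result}")
```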

Expired -> Active

Once the account has expired and its grace logins are exceeded, the password will need to be reset by an administrator, i.e. modified by a different (non-anonymous) user.

password-force-change
  Value: true/false
  Effect: can only be used in conjunction with:
    • Behera password policy request control
    • password-mimic-netscape-response-controls = true
  When an account has been reset, 'password-force-change' allows the user to connect with the password assigned by the admin while permitting only a password change. All other operations are refused until the password has been updated. This functionality requires the use of LDAP controls so that the client connecting to the directory can be notified (via the bind/password compare confirm) that the password has expired and the user must change it.

    Warning: This feature should not be used when applications exist that perform a single bind to the directory for authentication. For these applications the user would never be required to change their password.

  Operational attribute: dxPwdMustChange

Authentication with an invalid password or too long since account used (Active -> Suspended)

The following password policy settings control when an account moves from active to suspended. An account becomes suspended when the user binds with invalid credentials too many times, or fails to log in within the period specified.

password-last-use
  Value: days > 0
  Effect: an account requires a successful bind/password compare every 'password-last-use' days. If this does not occur the account will become suspended.
  Operational attribute: dxPwdLoginTime

password-retries
  Value: num > 0 (default 3)
  Effect: if the number of user binds and password compares with an invalid password exceeds 'password-retries', the account will become suspended.
  Operational attribute: dxPwdFailedAttempts

password-allow-ignore-suspended
  Value: true/false
  Effect: an account will not be suspended if this setting is enabled and the 'dxPwdIgnoreSuspended' attribute with a value of true is present in the user's entry.
  Note: This is useful for administrative accounts and accounts used by mission critical applications.
  Operational attribute: dxPwdIgnoreSuspended

password-max-suspension
  Value: secs > 0
  Effect: an account will remain suspended for 'password-max-suspension' seconds after the last failed bind/password compare.
  Note: Only applies to accounts suspended due to 'password-retries' being exceeded.
  Operational attribute: dxPwdFailedTime

password-suspended-trap
  Value: true/false
  Effect: when an account becomes suspended, send an SNMP trap to a monitoring application.


Suspended -> Active

Once suspended, the account will need to be reset by an administrator, i.e. modified by a different (non-anonymous) user.

Administrative lock (Active -> Locked)

password-allow-locking
  Value: true/false
  Effect: an account can be locked administratively by setting 'password-allow-locking' and storing the 'dxPwdLocked' attribute with a value of true against the user's account.
  Operational attribute: dxPwdLocked

Password Strength

The following password policy settings affect what value a password can have and when it can be updated. The password update will be refused if the password strength conditions are not met.

password-min-age
  Value: days > 0
  Effect: a password cannot be changed again until 'password-min-age' days have passed.
  Note: This stops users trying to keep their existing password by flushing their password history.
  Operational attribute: dxPwdLastChange

password-history
  Value: num > 0
  Effect: DXserver will keep 'password-history' old passwords so that they cannot be reused.
  Operational attribute: dxPwdHistory

password-min-length (was password-length)
  Value: num > 0 (default 6)
  Effect: a new password must be at least 'password-min-length' characters long.

password-max-length
  Value: num > 0
  Effect: a new password can be no longer than 'password-max-length' characters.

password-numeric
  Value: num > 0
  Effect: a new password must contain at least 'password-numeric' numeric (0-9) characters.

password-lowercase
  Value: num > 0
  Effect: a new password must contain at least 'password-lowercase' lowercase (a-z) characters.

password-uppercase
  Value: num > 0
  Effect: a new password must contain at least 'password-uppercase' uppercase (A-Z) characters.

password-alpha
  Value: num > 0
  Effect: a new password must contain at least 'password-alpha' alphabetic (a-z, A-Z) characters.

password-alpha-num
  Value: num > 0
  Effect: a new password must contain at least 'password-alpha-num' alphanumeric (a-z, A-Z, 0-9) characters.

password-non-alpha
  Value: num > 0
  Effect: a new password must contain at least 'password-non-alpha' non-alphabetic characters (space `~!@#$%^&*()-_=+\|]}[{'";:/?.>,< and 0-9).

password-non-alpha-num
  Value: num > 0
  Effect: a new password must contain at least 'password-non-alpha-num' non-alphanumeric characters (space `~!@#$%^&*()-_=+\|]}[{'";:/?.>,<).

password-max-repetition
  Value: num > 0
  Effect: a new password cannot have a single character repeated more than 'password-max-repetition' times. For example, if this were set to 2, a password of 'helllo' would fail; a password of 'hello' would be OK.

password-username-substring
  Value: true/false
  Effect: if enabled, a new password cannot be a substring of the user's name (the last RDN in the DN) and vice versa. For example, a user with a name <cn "Craig Link"> could not have a password of 'Craig' or 'Link'. Likewise a user <cn "John"> could not have a password of 'Johnny'.

password-max-substring-repetition
  Value: num > 0
  Effect: a password cannot have a substring of length 'password-min-length-repeated-substring' (see below) or longer repeated more than 'password-max-substring-repetition' times. For example, if the substring length is 3 and max repetitions is 1, a password of 'moomoo' would fail; a password of 'mooomooo' would also fail.

password-min-length-repeated-substring
  Value: num > 1 (default 2)
  Effect: used in conjunction with 'password-max-substring-repetition'.

password-substring-attrs
  Value: comma-separated attribute list
  Effect: a new password cannot be a substring of, or have as a substring, the values of the listed attributes stored against the DN being modified.

password-enforce-quality-on-reset
  Value: true/false
  Effect: when enabled, the password quality rules in this section also apply when updating someone else's password (a reset).
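The strength rules above applied to a candidate password, as an added Python example (not DXserver code). It covers the settings the techdoc illustrates (password-max-repetition 2, substring length 3 with max repetition 1, password-username-substring) plus the length and character-class counts; reading "repeated" as a consecutive run, counting overlapping substring windows, and comparing the name case-insensitively are assumptions of this example.

```python
import re
from collections import Counter

# Constructed policy: the techdoc's example values plus typical strength
# counts. Example only, not a DXserver configuration file.
POLICY = {
    "password-min-length": 6,
    "password-max-length": 32,
    "password-numeric": 1,
    "password-lowercase": 1,
    "password-uppercase": 1,
    "password-max-repetition": 2,
    "password-username-substring": True,
    "password-max-substring-repetition": 1,
    "password-min-length-repeated-substring": 3,
}


def check_password(pw, policy, rdn_value=None):
    """Return the list of settings a new password violates.

    An empty list means the modify of userPassword would pass these rules.
    rdn_value is the value of the entry's last RDN (e.g. the cn), used by
    password-username-substring.
    """
    failed = []
    n = len(pw)
    if n < policy["password-min-length"]:
        failed.append("password-min-length")
    if n > policy["password-max-length"]:
        failed.append("password-max-length")
    for setting, pattern in (("password-numeric", r"[0-9]"),
                             ("password-lowercase", r"[a-z]"),
                             ("password-uppercase", r"[A-Z]")):
        if len(re.findall(pattern, pw)) < policy[setting]:
            failed.append(setting)
    # Assumed reading of max-repetition: a run of one character longer than
    # the limit ('helllo' fails at 2, 'hello' passes).
    if re.search(r"(.)\1{%d,}" % policy["password-max-repetition"], pw):
        failed.append("password-max-repetition")
    if policy["password-username-substring"] and rdn_value:
        a, b = pw.lower(), rdn_value.lower()   # case-insensitive (assumption)
        if a in b or b in a:
            failed.append("password-username-substring")
    # Count every window of the minimum substring length (overlapping);
    # any longer repeated substring also repeats at this length.
    size = policy["password-min-length-repeated-substring"]
    windows = Counter(pw[i:i + size] for i in range(n - size + 1))
    if windows and max(windows.values()) > policy["password-max-substring-repetition"]:
        failed.append("password-max-substring-repetition")
    return failed
```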

 

Other

Some password policy settings that help with account control.

password-proxy-user
  Value: User DN
  Effect: when password compares and modifies are performed as this user, DXserver treats them as if they were performed by the user whose account is affected.
  Note: This is useful for applications that make a single connection to the directory but wish to make use of the directory's password policy capabilities (e.g. Siebel).

password-mimic-netscape-response-controls
  Value: true/false
  Effect: as touched on in the account expiry section, DXserver can attach Netscape-compatible password policy response controls to bind/compare responses.

password-netscape-op-attrs
  Value: true/false
  Effect: when replicating to Netscape (or equivalent) with password policy enabled, some password policy attributes can be kept synchronised. Enabling this feature causes DXserver to replicate its password policy attributes under the names specified by 'ldap-names' in the dxserver.dxc schema file. For example, dxPwdFailedAttempts can be replicated to Netscape by setting ldap-names = 'passwordRetryCount' for that attribute.
When replicating to netscape (or equivalient) and password policy is enabled it is possible to keep some password policy attributes synchronised. Enabling this feature will cause DXserver to DXserver password policy attributes when specified by 'ldap-names' in the dxserver.dxc schema file. For example, dxPwdFailedAttempts can be replicated to netscape by setting ldap-names = 'passwordRetryCount' for that attribute.