How can I get the dxPwdLoginTime but not enforce the password-policy rules?

Document ID : KB000053315
Last Modified Date : 14/02/2018
Show Technical Document Details

Description

Sometimes you may want to query the dxPwdLoginTime (Last login time for a particular user) operational attribute. At the same time you may not want to enforce any default password-policy rules e.g. (number of retries, password minimum length, etc). The following procedure explains how you can achieve this.

Solution

Scenario:

  • You do not have password-policy enabled on your DSA.
  • You want to query the last login time (dxPwdLoginTime) of a particular user.
  • But not enforce any password-policy rules.

Scenario Solution:

You can add the following settings in your DSA's settings file.

set password-policy = true;
set password-last-use = 1000000;
set password-min-length = 0;
set password-retries = 0;

Following is the explanation of the above settings:

  1. set password-policy = true;
    • Enables password policy on the DSA
  2. set password-last-use = 1000000; 
    • An account requires a successful bind/password compare in 'password-last-use' number of days. If this does not occur the account will become suspended.
    • To avoid the account to become suspended we set this value to a very high number. (Approximately 2739 years before account is suspended).
    • This is needed for the DSA to store the value for the "dxPwdLoginTime" operational attribute.
  3. set password-min-length = 0;
    • A new password must be at least 'password-min-length' characters long.
    • The default value is "6" therefore we need to set it to "0" so that this check is disabled.
  4. set password-retries = 0;
    • If the number of user binds and password compares with an invalid password equals the 'password-retries', then the account will become suspended.
    • The default value is "3" therefore we need to set it to "0" so that this check is disabled.