Password policies

General

A password policy is a set of rules defining how passwords are used in a given environment. The password policy helps secure your environment: it dictates how long and how complex passwords must be, whether new users have to change their passwords, how often users should change their passwords, whether passwords can be reused, after how long an idle period users are disconnected automatically, and so on.

iPlanet/SunONE GUI

The password policy can be managed easily from the graphical user interface: in the Configuration tab, open the Database folder and select Passwords. The fields have the following meaning:

  • “Password change after reset”: when enabled, users must change their password after first login and every time the password is reset by an administrator. Disabled by default.

  • “User-defined passwords”: users may choose their own passwords. Enabled by default.

  • “Password expiration”: forces a password change after X days. It is common to have users change their passwords every 30 to 90 days. By default, passwords do not expire.

  • “Expiration warning”: how many days in advance users are notified that they have to change their password. The default is one day. Client applications must support LDAP messaging for the warning to reach the user.

  • “Password syntax checking”: enforces checks on new passwords: long enough, not too simple, not based on a dictionary word. Turned off by default.

  • “Password length”: can be forced to anything between 2 and 512 characters. A good length is 8: long enough to be safe, yet simple enough that users do not have to write it down. Not set by default.

  • “Password minimum age”: the minimum time users have to wait after changing their password before they can change it again. This prevents users from cycling through the password history. A value of zero means that users can change their passwords immediately.

  • “Password history”: when enabled, the last X passwords a user has set are remembered and cannot be reused. Not enabled by default.

  • “Password storage scheme”: the type of encryption applied to stored passwords. SHA (Secure Hash Algorithm) is the default; it can also be set to none, or to crypt, the classic UNIX-style encryption.

  • “Password failure counter reset”: time, in minutes, before a locked account is re-enabled.

  • “Lockout duration”: time, in minutes, that the account remains disabled after X failed logins.

The password policy is stored in the entry “cn=Password Policy”.
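To make the interaction of these fields concrete, here is a small policy evaluator that models them in code. It is an added illustration and not iPlanet/SunONE code: the class and function names, the default thresholds, the constructed word list and the sample passwords are assumptions made for the example. Time is passed in explicitly as plain integers (days for ageing, minutes for lockout) so that the behaviour is deterministic.

```python
"""Toy evaluator for the password-policy fields listed above.

Added example, not directory-server code. Names, thresholds and the word
list are assumptions chosen for illustration."""
import base64
import hashlib
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    min_length: int = 8           # "Password length"
    syntax_checking: bool = True  # "Password syntax checking"
    history_size: int = 5         # "Password history" (0 disables it)
    min_age_days: int = 1         # "Password minimum age"
    max_age_days: int = 90        # "Password expiration" (0 = never expires)
    warning_days: int = 7         # "Expiration warning"
    max_failures: int = 3         # failed logins before the account is locked
    lockout_minutes: int = 30     # "Lockout duration"


# Constructed stand-in for a dictionary word list.
DICTIONARY = {"password", "secret", "welcome", "letmein"}


def sha_hash(password: str) -> str:
    """Password storage scheme: only a {SHA} digest of the password is stored."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


@dataclass
class Account:
    pw_hash: str
    last_change_day: int                          # days since the epoch
    history: list = field(default_factory=list)   # previous hashes, newest first
    failures: int = 0
    locked_until_minute: int = 0                  # 0 = not locked


def check_syntax(policy: PasswordPolicy, candidate: str):
    """Return a rejection reason, or None when the password is acceptable."""
    if len(candidate) < policy.min_length:
        return "too short"
    if policy.syntax_checking:
        if candidate.lower() in DICTIONARY:
            return "dictionary word"
        if candidate.isdigit() or candidate.isalpha():
            return "too simple"
    return None


def change_password(policy, acct, candidate, today: int) -> str:
    """Apply minimum age, syntax and history rules, then store the new hash."""
    if today - acct.last_change_day < policy.min_age_days:
        return "minimum age not reached"
    reason = check_syntax(policy, candidate)
    if reason:
        return reason
    new_hash = sha_hash(candidate)
    # The current password counts as the newest entry of the history.
    remembered = ([acct.pw_hash] + acct.history)[: policy.history_size]
    if policy.history_size and new_hash in remembered:
        return "reused password"
    acct.history = remembered
    acct.pw_hash = new_hash
    acct.last_change_day = today
    return "ok"


def expiry_status(policy, acct, today: int) -> str:
    """'valid', 'warn' (inside the warning window) or 'expired'."""
    if not policy.max_age_days:
        return "valid"
    age = today - acct.last_change_day
    if age >= policy.max_age_days:
        return "expired"
    if age >= policy.max_age_days - policy.warning_days:
        return "warn"
    return "valid"


def login(policy, acct, candidate, now_minute: int) -> str:
    """Verify a password and apply the failed-login lockout."""
    if acct.locked_until_minute > now_minute:
        return "locked"
    if sha_hash(candidate) == acct.pw_hash:
        acct.failures = 0
        return "ok"
    acct.failures += 1
    if acct.failures >= policy.max_failures:
        acct.failures = 0
        acct.locked_until_minute = now_minute + policy.lockout_minutes
        return "locked"
    return "bad password"


if __name__ == "__main__":
    policy = PasswordPolicy()
    acct = Account(pw_hash=sha_hash("Initial-Pw-42"), last_change_day=100)
    print(change_password(policy, acct, "New-Pw-2024", 101))
    print(expiry_status(policy, acct, 101 + 85))
    print([login(policy, acct, "wrong", m) for m in (0, 1, 2)])
```

The minimum-age check runs before the history check on purpose: without it, a user could change the password five times in a row and land back on the old one, which is exactly the loophole the “Password minimum age” field closes.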

OpenLDAP

Password expiration is arranged through PAM (Pluggable Authentication Modules), which Solaris also uses, by means of the pam_ldap module that adapts PAM to LDAP.

The same shadow-password settings as on a Solaris system are translated into attributes on the user entries:

  • “userPassword”: the password itself

  • “shadowLastChange”: days since Jan 1, 1970 on which the password was last changed

  • “shadowMin”: days before the password may be changed again

  • “shadowMax”: days after which the password must be changed

  • “shadowWarning”: days before the password expires that the user is warned

  • “shadowInactive”: days after the password expires that the account is disabled

  • “shadowExpire”: days since Jan 1, 1970 on which the account is disabled

  • “shadowFlag”: reserved field

Installing and using the “diradmin” package sets the following attributes by default:

userPassword:: <base 64 encoded value>
shadowMax: 30
shadowWarning: 7
shadowInactive: 2
shadowLastChange: <X_days>
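The following added example reads an entry like the one above and works out what the shadow attributes mean for that user on a given day. It is not part of pam_ldap, diradmin or OpenLDAP; the LDIF entry is constructed (the userPassword value is a dummy base64 string), the function names are mine, and the boundary handling (strictly older than shadowMax counts as expired, the warning window is inclusive) follows the traditional shadow conventions, which a given PAM stack may shift by a day.

```python
"""Interpret the shadow attributes of an LDAP user entry.

Added example; not pam_ldap, diradmin or OpenLDAP code. The sample LDIF
entry is constructed and the userPassword value is a dummy."""
from datetime import date

# Constructed entry modelled on the diradmin defaults shown above.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
uid: jdoe
userPassword:: e1NTSEF9ZHVtbXk=
shadowLastChange: 12000
shadowMin: 1
shadowMax: 30
shadowWarning: 7
shadowInactive: 2
shadowExpire: 13000
"""

EPOCH = date(1970, 1, 1)


def days_since_epoch(d: date) -> int:
    """Convert a calendar date into the day count the shadow attributes use."""
    return (d - EPOCH).days


def parse_ldif(text: str) -> dict:
    """Minimal one-entry LDIF parser for 'attr: value' and 'attr:: base64'."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):        # '::' marks a base64-encoded value
            value = value[1:]
        entry[name.strip()] = value.strip()
    return entry


def _days(entry: dict, attr: str, default=None):
    """Numeric shadow attribute as int, or the default when it is absent."""
    return int(entry[attr]) if attr in entry else default


def shadow_status(entry: dict, today: int) -> str:
    """Classify the account for the given day number:
    'account expired' - shadowExpire reached, the account is disabled
    'inactive'        - password expired more than shadowInactive days ago
    'expired'         - password older than shadowMax, must be changed
    'warn'            - within shadowWarning days of expiry
    'ok'              - nothing to do"""
    expire = _days(entry, "shadowExpire")
    if expire is not None and today >= expire:
        return "account expired"
    max_age = _days(entry, "shadowMax")
    if max_age is None:
        return "ok"                      # no expiration configured
    age = today - _days(entry, "shadowLastChange", 0)
    inactive = _days(entry, "shadowInactive")
    if inactive is not None and age > max_age + inactive:
        return "inactive"
    if age > max_age:
        return "expired"
    if age >= max_age - _days(entry, "shadowWarning", 0):
        return "warn"
    return "ok"


def may_change_password(entry: dict, today: int) -> bool:
    """shadowMin: the password may only be changed once it is old enough."""
    age = today - _days(entry, "shadowLastChange", 0)
    return age >= _days(entry, "shadowMin", 0)


if __name__ == "__main__":
    e = parse_ldif(SAMPLE_LDIF)
    for day in (12010, 12025, 12031, 12033, 13000):
        print(day, shadow_status(e, day), may_change_password(e, day))
```

Because every threshold is expressed in days since the epoch, a status check only needs today's day number, which is what days_since_epoch(date.today()) produces; feeding fixed day numbers instead, as the main block does, is a convenient way to verify a policy before rolling it out.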