Collecting Data for Directory Server (TDS/SDS): PASSWORD POLICY issues

Troubleshooting


Problem

MustGather documents aid in problem determination and save time resolving Problem Management Records (PMRs). This one covers IBM Security/Tivoli Directory Server problems related to password policies and the LDAP server.

Resolving The Problem


Must Gather Password Policy information based on IBM Security/Tivoli Directory Server version:

For all versions of Directory Server, the basic items needed to begin diagnosing any password policy issue are as follows:

  1. A clear description of how you wish to define the Directory Server based password policy in your environment.
  2. A description of the behavior or problem currently observed.
  3. Details of the configuration and Directory Server password policy in use.
  4. Necessary logs and traces.

Please use the links below to find the Directory Server version specific instructions.

Must Gather information based on Directory Server version:

Versions 6.4, 6.3.1, 6.3, 6.2 or 6.1
Version 6.0
Version 5.2



Directory Server 6.4, 6.3.1, 6.3, 6.2 or 6.1 Must Gather Information
  • Collecting Version Information
  • Log and Configuration Files
  • Note that the group and user based password policy is effective only for V6.4, V6.3.1, V6.3, V6.2 or V6.1
  • Collect the output from the following commands:
    • Global password policy:
      idsldapsearch -D <adminDN> -w <adminPW> -s base -b "cn=pwdpolicy,cn=ibmpolicies" objectclass=*
    • Collect group / user based password policies:
      idsldapsearch -D <adminDN> -w <adminPW> -s sub -b " " objectclass=ibm-pwd*
    • Evaluate the effective password policy on a given user:
      idsldapexop -D <adminDN> -w <adminPW> -op effectpwdpolicy -d "<UserEntryDN>"
    • Collect password policy operational attributes on a given user:
      idsldapsearch -D <adminDN> -w <adminPW> -s base -b "<UserEntryDN>" objectclass=* +ibmpwdpolicy
    • Collect additional password policy operational attributes on a given user:
      idsldapsearch -D <adminDN> -w <adminPW> -s base -b "<UserEntryDN>" objectclass=* ++ibmpwdpolicy
  • If ibm-pwdGroupAndIndividualEnabled is set to true in the search results above, then also collect the following:
    • a) If group based password policies are in use, collect the group based password policy DN value from the group entry:
      idsldapsearch -D <adminDN> -w <adminPW> -s base -b "<GroupEntryDN>" objectclass=* ibm-pwdGroupPolicyDN
    • b) If user based password policies are in use, collect the user based password policy DN value from the user entry:
      idsldapsearch -D <adminDN> -w <adminPW> -s base -b "<UserEntryDN>" objectclass=* ibm-pwdIndividualPolicyDN

    where
    <adminDN> is the LDAP administrator DN, such as cn=root
    <adminPW> is the LDAP administrator password
    <UserEntryDN> is the DN of the user entry
    <GroupEntryDN> is the DN of the group entry
  • Dynamic ASCII and Binary Tracing

  • Note: Collect ibmslapd traces while recreating the problem.

Directory Server 6.0 Must Gather Information
  • Collecting Version Information
  • Log and Configuration Files
  • Collect the output from the following commands:
    • Collect the global password policy:
      idsldapsearch -D <adminDN> -w <adminPW> -s base -b "cn=pwdpolicy" objectclass=*
    • Collect password policy operational attributes on a given user:
      idsldapsearch -D <adminDN> -w <adminPW> -s base -b "<UserEntryDN>" objectclass=* pwdChangedTime pwdAccountLockedTime pwdExpirationWarned pwdFailureTime pwdGraceUseTime pwdReset ibm-pwdAccountLocked

    where
    <adminDN> is the LDAP administrator DN, such as cn=root
    <adminPW> is the LDAP administrator password
    <UserEntryDN> is the DN of the user entry
  • Dynamic ASCII and Binary Tracing

  • Note: Collect ibmslapd traces while recreating the problem.

Directory Server 5.2 Must Gather Information
  • Collecting Version information
  • Log and Configuration Files
  • Collect the output from the following commands:
    • Collect the global password policy:
      ldapsearch -D <adminDN> -w <adminPW> -s base -b "cn=pwdpolicy" objectclass=*
    • Collect password policy operational attributes on a given user:
      ldapsearch -D <adminDN> -w <adminPW> -s base -b "<UserEntryDN>" objectclass=* pwdChangedTime pwdAccountLockedTime pwdExpirationWarned pwdFailureTime pwdGraceUseTime pwdReset ibm-pwdAccountLocked

    where
    <adminDN> is the LDAP administrator DN, such as cn=root
    <adminPW> is the LDAP administrator password
    <UserEntryDN> is the DN of the user entry
  • Dynamic ASCII and Binary Tracing

  • Note: Collect ibmslapd traces while recreating the problem.
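The per-user operational attributes collected in each version's steps above (pwdChangedTime, pwdAccountLockedTime, pwdFailureTime, pwdGraceUseTime, pwdReset, ibm-pwdAccountLocked) only explain a bind failure when read against the global policy values. The following added example, which is not IBM's code, parses the two LDIF outputs and reports the user's state; the policy attribute names (pwdMaxAge, pwdMaxFailure, pwdLockoutDuration, pwdGraceLoginLimit) are assumed from the standard LDAP password-policy schema, and the LDIF is constructed sample data.

```python
from datetime import datetime, timedelta
# Constructed sample output in the shape of the two searches listed above
# (policy attribute names assumed from the standard LDAP password-policy schema).
POLICY_LDIF = """dn: cn=pwdpolicy,cn=ibmpolicies
pwdMaxAge: 7776000
pwdMaxFailure: 5
pwdLockoutDuration: 0
pwdGraceLoginLimit: 2
"""
USER_LDIF = """dn: uid=jdoe,ou=people,o=example
pwdChangedTime: 20180101120000Z
pwdFailureTime: 20180610080000Z
pwdFailureTime: 20180610080500Z
pwdGraceUseTime: 20180612090000Z
pwdReset: false
ibm-pwdAccountLocked: false
"""
def parse_ldif(text):
    """Single-entry LDIF -> {lowercased attr: [values]}; handles folded lines."""
    attrs, lines = {}, []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # continuation of the previous line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def gtime(value):
    """LDAP GeneralizedTime (yyyymmddHHMMSSZ) -> naive UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ")

def triage(policy_ldif, user_ldif, now):
    """Explain the user's state at `now`: expiry, lockout, failures left, grace left."""
    pol, usr = parse_ldif(policy_ldif), parse_ldif(user_ldif)
    num = lambda k: int(pol.get(k, ["0"])[0])  # policy integers; 0 means disabled
    max_age, lock_dur = num("pwdmaxage"), num("pwdlockoutduration")
    changed = [gtime(v) for v in usr.get("pwdchangedtime", [])]
    locked_at = [gtime(v) for v in usr.get("pwdaccountlockedtime", [])]
    flag = lambda k: usr.get(k, ["false"])[0].lower() == "true"
    return {
        "expired": bool(changed) and max_age > 0 and now - changed[0] > timedelta(seconds=max_age),
        "locked": flag("ibm-pwdaccountlocked") or (bool(locked_at) and (
            lock_dur == 0 or now - locked_at[0] < timedelta(seconds=lock_dur))),
        "failures_remaining": max(num("pwdmaxfailure") - len(usr.get("pwdfailuretime", [])), 0),
        "grace_remaining": max(num("pwdgraceloginlimit") - len(usr.get("pwdgraceusetime", [])), 0),
        "must_reset": flag("pwdreset"),
    }
```

A pwdLockoutDuration of 0 means the lock stays until an administrator clears it, which is why the example treats a pwdAccountLockedTime with no duration as still locked.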

Document Information

Modified date:
16 June 2018

UID

swg21286008