IBM Support

Set up a Group PwdPolicy for a group of users

Question & Answer


Question

How to set up a group password policy for a group of users?

Answer

Here is an example of how to set up a group password policy for a group of users:

1. With the global pwdPolicy enabled, check its current settings:


# idsldapsearch -p 1389 -Dcn=root -w secret -b cn=pwdpolicy,cn=ibmpolicies objectclass=*
>> cn=pwdpolicy,cn=ibmpolicies
objectclass=container
objectclass=pwdPolicy
objectclass=ibm-pwdPolicyExt
objectclass=ibm-pwdGroupAndIndividualPolicies
objectclass=top
cn=pwdPolicy
pwdAttribute=userPassword
pwdCheckSyntax=0
pwdGraceLoginLimit=0
pwdLockoutDuration=0
pwdFailureCountInterval=0
passwordMaxRepeatedChars=0
pwdMinAge=0
pwdExpireWarning=0
pwdMinLength=0
passwordMinAlphaChars=0
passwordMinOtherChars=0
passwordMinDiffChars=0
pwdAllowUserChange=true
pwdMustChange=true
ibm-pwdGroupAndIndividualEnabled=true <<< Must be TRUE; otherwise group and individual policies won't take effect
ibm-pwdpolicy=true
ibm-pwdPolicyStartTime=20160507194601Z
pwdinhistory=2
pwdlockout=true
pwdmaxage=7776000
pwdmaxfailure=3
pwdsafemodify=true


2. I already have the following users in the database:

cn=Bob Garcia,ou=Austin,o=IBM,c=US
cn=Kyle Nguyen,ou=Austin,o=IBM,c=US
uid=user10,ou=Houston,o=ibm,c=us
uid=user12,ou=Houston,o=ibm,c=us
uid=user19,ou=Dallas,o=ibm,c=us
uid=user20,ou=Dallas,o=ibm,c=us



3. Create a new group with those members:
A. # cat new-group.ldif

dn: cn=Testgroup,ou=Houston,o=IBM,c=US
objectclass: top
objectclass: GroupOfNames
cn: Testgroup
member: cn=Bob Garcia,ou=Austin,o=IBM,c=US
member: cn=Kyle Nguyen,ou=Austin,o=IBM,c=US
member: uid=user10,ou=Houston,o=ibm,c=us
member: uid=user12,ou=Houston,o=ibm,c=us
member: uid=user19,ou=Dallas,o=ibm,c=us
member: uid=user20,ou=Houston,o=ibm,c=us


B. Then run:
# idsldapadd -p 1389 -D cn=root -w secret -f new-group.ldif


4. Now I want a special pwdPolicy for this group:
A. # cat group-pwd.ldif

dn: cn=Testgroup_pwd_policy,cn=ibmpolicies
objectclass: container
objectclass: pwdPolicy
objectclass: ibm-pwdPolicyExt
objectclass: top
cn: Testgroup_pwd_policy
pwdAttribute: userPassword
pwdMaxFailure: 2
ibm-pwdpolicy: true


B. Run:
# idsldapadd -p 1389 -D cn=root -w secret -f group-pwd.ldif
>> Operation 0 adding new entry cn=Testgroup_pwd_policy,cn=ibmpolicies


5. Now associate Testgroup_pwd_policy with the group cn=Testgroup,ou=Houston,o=IBM,c=US:
A. # cat assign.ldif

dn: cn=Testgroup,ou=Houston,o=IBM,c=US
changetype: modify
add: ibm-pwdGroupPolicyDN
ibm-pwdGroupPolicyDN: cn=Testgroup_pwd_policy,cn=ibmpolicies


B. Run:
# idsldapmodify -p 1389 -D cn=root -w secret -k -f assign.ldif
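The three LDIF files from steps 3 to 5 can be generated rather than typed by hand, which avoids the usual mistakes (a policy entry created outside cn=ibmpolicies, a member DN that needs base64 encoding, a line longer than the LDIF limit). The script below is an added example and not IBM tooling; it uses the DNs from this page as constructed input and applies the RFC 2849 rules for base64 encoding and 76-column line folding. The file names and the check on pwdMaxFailure are my own choices.

```python
"""Build the group, group-policy and assignment LDIF files from steps 3 to 5.

Added example (not IBM's own tooling). DNs are the ones used on this page;
encoding and folding rules follow RFC 2849.
"""
import base64

# Constructed from the page: the group, the policy entry and the members.
GROUP_DN = "cn=Testgroup,ou=Houston,o=IBM,c=US"
POLICY_DN = "cn=Testgroup_pwd_policy,cn=ibmpolicies"
MEMBERS = [
    "cn=Bob Garcia,ou=Austin,o=IBM,c=US",
    "cn=Kyle Nguyen,ou=Austin,o=IBM,c=US",
    "uid=user10,ou=Houston,o=ibm,c=us",
    "uid=user12,ou=Houston,o=ibm,c=us",
    "uid=user19,ou=Dallas,o=ibm,c=us",
    "uid=user20,ou=Houston,o=ibm,c=us",
]


def _needs_base64(value: str) -> bool:
    """RFC 2849: base64-encode a value that starts with space, ':' or '<',
    or that contains NUL, CR, LF or any non-ASCII character."""
    if not value:
        return False
    if value[0] in " :<":
        return True
    return any(c in "\x00\r\n" or ord(c) > 127 for c in value)


def ldif_line(attr: str, value: str) -> str:
    """Render one 'attr: value' line, base64-encoding when required and
    folding at 76 columns (continuation lines start with one space)."""
    if _needs_base64(value):
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        line = f"{attr}:: {encoded}"
    else:
        line = f"{attr}: {value}"
    chunks = [line[:76]]
    rest = line[76:]
    while rest:
        chunks.append(" " + rest[:75])
        rest = rest[75:]
    return "\n".join(chunks)


def _rdn_value(dn: str) -> str:
    """Value of the leftmost RDN, e.g. 'Testgroup' for 'cn=Testgroup,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def group_ldif(group_dn: str, members: list[str]) -> str:
    """Step 3: a GroupOfNames entry; the class requires at least one member."""
    if not members:
        raise ValueError("GroupOfNames requires at least one member")
    lines = [
        ldif_line("dn", group_dn),
        "objectclass: top",
        "objectclass: GroupOfNames",
        ldif_line("cn", _rdn_value(group_dn)),
    ]
    lines += [ldif_line("member", m) for m in members]
    return "\n".join(lines) + "\n"


def policy_ldif(policy_dn: str, attrs: dict) -> str:
    """Step 4: a pwdPolicy entry; it must live under cn=ibmpolicies."""
    if not policy_dn.lower().endswith(",cn=ibmpolicies"):
        raise ValueError("group password policies are created under cn=ibmpolicies")
    if "pwdMaxFailure" in attrs and int(attrs["pwdMaxFailure"]) < 0:
        raise ValueError("pwdMaxFailure must be 0 or a positive count")
    lines = [
        ldif_line("dn", policy_dn),
        "objectclass: container",
        "objectclass: pwdPolicy",
        "objectclass: ibm-pwdPolicyExt",
        "objectclass: top",
        ldif_line("cn", _rdn_value(policy_dn)),
    ]
    lines += [ldif_line(k, str(v)) for k, v in attrs.items()]
    lines.append("ibm-pwdpolicy: true")
    return "\n".join(lines) + "\n"


def assign_ldif(group_dn: str, policy_dn: str) -> str:
    """Step 5: modify the group to point at the policy via ibm-pwdGroupPolicyDN."""
    lines = [
        ldif_line("dn", group_dn),
        "changetype: modify",
        "add: ibm-pwdGroupPolicyDN",
        ldif_line("ibm-pwdGroupPolicyDN", policy_dn),
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    policy_attrs = {"pwdAttribute": "userPassword", "pwdMaxFailure": 2}
    for name, text in (
        ("new-group.ldif", group_ldif(GROUP_DN, MEMBERS)),
        ("group-pwd.ldif", policy_ldif(POLICY_DN, policy_attrs)),
        ("assign.ldif", assign_ldif(GROUP_DN, POLICY_DN)),
    ):
        print(f"--- {name}\n{text}")
```

Feed each generated file to idsldapadd or idsldapmodify exactly as in steps 3B, 4B and 5B; the policy file is rejected by the script if its DN is not under cn=ibmpolicies, which is the most common reason a group policy silently never applies.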


Test it:
----------
1. Let a member of this group bind with a wrong password the 1st time:
# idsldapsearch -p 1389 -D "uid=user20,ou=Houston,o=ibm,c=us" -w pw4user18 -b o=ibm,c=us objectclass=*
>> ldap_simple_bind: Invalid credentials

2. Let a member of this group bind with a wrong password the 2nd time:
# idsldapsearch -p 1389 -D "uid=user20,ou=Houston,o=ibm,c=us" -w pw4user22 -b o=ibm,c=us objectclass=*
>> ldap_simple_bind: DSA is unwilling to perform --- Error, Account is locked


3. Check the pwdPolicy operational attributes for user20:
# idsldapsearch -p 1389 -Dcn=root -w secret -b "uid=user20,ou=Houston,o=ibm,c=us" objectclass=* +ibmpwdpolicy
>> uid=user20,ou=Houston,o=ibm,c=us
pwdChangedTime=20160507230031.000000Z
pwdAccountLockedTime=20160507231946.000000Z
pwdFailureTime=20160507231923.000000Z
pwdFailureTime=20160507231946.000000Z
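The test above shows the group policy's pwdMaxFailure=2 winning over the global pwdMaxFailure=3, while the global pwdLockoutDuration=0 still decides how long the lock lasts. The following script is an added example (not part of the page or of IBM's product) that parses idsldapsearch-style output like the listings above and reports a user's lockout state against the effective policy. It assumes two things that the page only shows by example: a group policy overrides the global policy attribute by attribute, with unset attributes falling back to the global values, and pwdLockoutDuration=0 means the lock stays until an administrator clears it. The group-policy listing is constructed to match what a search of the step 4 entry would return.

```python
"""Evaluate a user's lockout state against the effective group password policy.

Added example, not IBM code. Input is constructed to match the idsldapsearch
output shown on this page (">> dn" header, then attr=value lines).
"""
from datetime import datetime, timedelta, timezone

# Constructed from the global policy listing in step 1 (annotation removed,
# only the attributes this script needs).
GLOBAL_OUT = """>> cn=pwdpolicy,cn=ibmpolicies
objectclass=pwdPolicy
pwdAttribute=userPassword
pwdLockoutDuration=0
pwdFailureCountInterval=0
ibm-pwdGroupAndIndividualEnabled=true
ibm-pwdpolicy=true
pwdinhistory=2
pwdlockout=true
pwdmaxage=7776000
pwdmaxfailure=3
"""

# Constructed: what a search of the step 4 group policy entry would return.
GROUP_OUT = """>> cn=Testgroup_pwd_policy,cn=ibmpolicies
pwdAttribute=userPassword
pwdMaxFailure=2
ibm-pwdpolicy=true
"""

# Constructed from the user20 listing in test step 3.
USER_OUT = """>> uid=user20,ou=Houston,o=ibm,c=us
pwdChangedTime=20160507230031.000000Z
pwdAccountLockedTime=20160507231946.000000Z
pwdFailureTime=20160507231923.000000Z
pwdFailureTime=20160507231946.000000Z
"""

# Entry attributes that are not policy settings and must not be merged.
NON_POLICY = {"dn", "cn", "objectclass", "ibm-pwdpolicy", "ibm-pwdpolicystarttime"}


def parse_search_output(text: str) -> dict:
    """Parse '>> dn' and 'attr=value' lines into {attr_lowercase: [values]}."""
    entry = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(">>"):
            entry.setdefault("dn", []).append(line[2:].strip())
            continue
        attr, sep, value = line.partition("=")
        if sep:
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def ldap_time(value: str) -> datetime:
    """Parse the generalized-time form used in the listings (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.%fZ").replace(tzinfo=timezone.utc)


def group_policies_enabled(global_policy: dict) -> bool:
    """Step 1's caveat: without this flag no group or individual policy applies."""
    flag = global_policy.get("ibm-pwdgroupandindividualenabled", ["false"])[0]
    return flag.lower() == "true"


def effective_policy(global_policy: dict, group_policy: dict) -> dict:
    """Assumption: group values override global ones attribute by attribute;
    anything the group policy leaves unset falls back to the global value."""
    merged = {k: v for k, v in global_policy.items() if k not in NON_POLICY}
    for k, v in group_policy.items():
        if k not in NON_POLICY:
            merged[k] = v
    return merged


def lockout_status(user: dict, policy: dict) -> dict:
    """Compare the user's operational attributes with the effective policy."""
    max_failure = int(policy.get("pwdmaxfailure", ["0"])[0])
    lockout_enabled = policy.get("pwdlockout", ["false"])[0].lower() == "true"
    duration = int(policy.get("pwdlockoutduration", ["0"])[0])
    failures = len(user.get("pwdfailuretime", []))
    locked_at = user.get("pwdaccountlockedtime")
    locked_until = None
    # Assumption: duration 0 means locked until an administrator resets it.
    if locked_at and duration > 0:
        locked_until = ldap_time(locked_at[0]) + timedelta(seconds=duration)
    return {
        "failures": failures,
        "max_failure": max_failure,
        "lockout_enabled": lockout_enabled,
        "locked": locked_at is not None,
        "remaining": max(max_failure - failures, 0) if max_failure else None,
        "locked_until": locked_until,
    }


if __name__ == "__main__":
    global_policy = parse_search_output(GLOBAL_OUT)
    if not group_policies_enabled(global_policy):
        print("ibm-pwdGroupAndIndividualEnabled is not true: group policy will not apply")
    effective = effective_policy(global_policy, parse_search_output(GROUP_OUT))
    print(lockout_status(parse_search_output(USER_OUT), effective))
```

On the listings from this page the result is two recorded failures against an effective pwdMaxFailure of 2, the account locked, and no automatic unlock time because the global pwdLockoutDuration is 0. Pipe the real idsldapsearch output into parse_search_output to run the same check against a live directory.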


Document Information

Modified date:
16 June 2018

UID

swg21983138