  • Latest Post - ‏2013-03-11T10:09:47Z by SystemAdmin
juanes1183

Pinned topic Political problem of TDS - userPassword

‏2012-05-14T14:41:04Z |
I have a problem with the password policy validation of TDS users.

The following policies work correctly:
pwdLockout
pwdPolicyStartTime
pwdLockoutDuration
pwdMaxFailure

But these policies are not validating correctly:
pwdMinAge
pwdMaxAge
pwdInHistory
pwdMinLength

The policy allocation process is as follows:

To enable individual and group policies:
idsldapmodify -D cn=root -w password -k -f C:\enablePolicies.txt -h ldap://10.155.155.23:389

The enablePolicies.txt file contains:
dn: cn=pwdpolicy,cn=ibmpolicies
ibm-pwdpolicy:true
ibm-pwdGroupAndIndividualEnabled:true

To create the policy:

idsldapadd -D cn=root -w password -k
dn:cn=myPolicy,cn=ibmPolicies
objectclass: container
objectclass: pwdPolicy
objectclass: ibm-pwdPolicyExt
objectclass: top
cn: myPolicy
pwdAttribute: userPassword
pwdLockoutDuration: 30
pwdMaxFailure: 3
pwdFailureCountInterval: 10
pwdMaxAge: 300
pwdMinLength: 8
pwdLockout: true
pwdAllowUserChange: true
pwdMustChange: true
pwdSafeModify: false
pwdInHistory: 3
pwdCheckSyntax:2
pwdMinAge:2
passwordMinAlphaChars: 4
ibm-pwdpolicy:true

To assign the policy to a group (cn=myGroup,ou=groups,dc=ibm,dc=com,dc=co -> already exists):

idsldapadd -D cn=root -w password -k
dn:cn=myGroup,ou=groups,dc=ibm,dc=com,dc=co
changetype:modify
add:ibm-pwdGroupPolicyDN
ibm-pwdGroupPolicyDN:cn=myPolicy,cn=ibmPolicies

To validate that the policy is assigned to a user (cn=user01,ou=users,dc=ibm,dc=com,dc=co -> already exists):

idsldapexop -D cn=root -w password -op effectpwdpolicy -d "cn=user01,ou=users,dc=ibm,dc=com,dc=co"
cn=myPolicy,cn=ibmPolicies
cn=pwdpolicy,cn=ibmpolicies

The effective password policy is:
ibm-pwdPolicyStartTime=20120509144017Z
pwdInHistory=3
pwdCheckSyntax=2
pwdGraceLoginLimit=0
pwdLockoutDuration=30
pwdMaxFailure=3
pwdFailureCountInterval=10
passwordMaxRepeatedChars=0
passwordMaxConsecutiveRepeatedChars=0
pwdMaxAge=300
pwdMinAge=2
pwdExpireWarning=0
pwdMinLength=8
passwordMinAlphaChars=4
passwordMinOtherChars=0
passwordMinDiffChars=0
ibm-pwdPolicy=true
pwdLockout=true
pwdAllowUserChange=true
pwdMustChange=true
pwdSafeModify=false
ibm-pwdGroupAndIndividualEnabled=true

It follows that the user has the policy assigned. But why do the above policies (pwdMinAge, pwdMaxAge, pwdInHistory, pwdMinLength) not validate properly for user01?

Thanks in advance
  • SystemAdmin

    Re: Political problem of TDS - userPassword

    ‏2013-03-11T10:09:47Z  
    Password policy minimum length is not enforced when the password is reset by cn=root. Try changing the password with a different user with sufficient privileges.
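
Following the reply above, the policy can be checked by attempting the change while bound as the user instead of cn=root. This is an added example, not part of the thread: it computes which of the posted rules (pwdMinLength=8, passwordMinAlphaChars=4) a candidate should break, then tries it with idsldapmodify. LDAP_HOST, LDAP_PORT, USER_DN and USER_PW are hypothetical variables, and the candidate passwords are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: probe the policy while bound as the user.
# Rule values are the ones the post shows in the effective policy.
MIN_LENGTH=8   # pwdMinLength
MIN_ALPHA=4    # passwordMinAlphaChars

# Print the rules a candidate password breaks (empty output = none).
expected_violations() {
    alpha=$(( $(printf '%s' "$1" | tr -cd 'A-Za-z' | wc -c) ))
    out=""
    if [ "${#1}" -lt "$MIN_LENGTH" ]; then out="pwdMinLength"; fi
    if [ "$alpha" -lt "$MIN_ALPHA" ]; then out="${out:+$out }passwordMinAlphaChars"; fi
    printf '%s' "$out"
}

# LDIF for a user replacing their own userPassword ($1 = DN, $2 = new value).
self_change_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n' "$1" "$2"
}

# Attempt the change bound as the user ($1 = DN, $2 = current pw, $3 = candidate).
# Returns the exit status of idsldapmodify.
try_change() {
    self_change_ldif "$1" "$3" |
        idsldapmodify -h "$LDAP_HOST" -p "${LDAP_PORT:-389}" -D "$1" -w "$2"
}

# Live run only when LDAP_HOST is set (hypothetical variables; use a test account).
if [ -n "${LDAP_HOST:-}" ]; then
    for cand in 'Ab1' '12345678' 'abcd123'; do   # constructed probes
        echo "candidate '$cand' should break: $(expected_violations "$cand")"
        if try_change "$USER_DN" "$USER_PW" "$cand"; then
            echo "ACCEPTED: policy was not enforced; password is now '$cand'"
            break
        fi
        echo "not applied (see the error printed by idsldapmodify above)"
    done
fi
```

A non-zero status can also come from a failed bind, so read the error text before concluding that the policy rejected the candidate.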