Password policy parameters
The following parameters can be set for the password policy using the ap_ldap_ppolicy.pl update utility.
Usage
ap_ldap_ppolicy.pl update
    --pwdMaxAge <PWD_MAX_AGE>
    --pwdExpireWarning <PWD_EXPIRE_WARNING>
    --pwdInHistory <PWD_IN_HISTORY>
    --pwdMaxFailure <PWD_MAX_FAILURE>
    --pwdLockout <PWD_LOCK_OUT>
    --pwdLockoutDuration <PWD_LOCK_OUT_DURATION>
    --pwdFailureCountInterval <PWD_FAILURE_COUNT_INTERVAL>
    --pwdMustChange <PWD_MUST_CHANGE>
    --pwdAllowUserChange <PWD_ALLOW_USER_CHANGE>
    --pwdSafeModify <PWD_SAFE_MODIFY>
    --pwdCheckQuality <PWD_CHECK_QUALITY>
    --pwdUppercase <PWD_UPPERCASE>
    --pwdLowercase <PWD_LOWERCASE>
    --pwdDigits <PWD_DIGITS>
    --pwdSpecialchars <PWD_SPECIAL_CHRS>
    --pwdMinLength <PWD_MIN_LENGTH>
    --pwdMinUppercase <PWD_UPPER>
    --pwdMinLowercase <PWD_LOWER>
    --pwdMinDigits <PWD_DIGITS>
    --pwdMinSpecialchars <PWD_SPECIALCHARS>
    --pwdMinDiffCharsfromOld <PWD_MINDIFFCHARSFROMOLD>
    --pwdMaxRepeatChar <PWD_MAXREPEATCHAR>
    --pwdMaxclassChars <PWD_MAXCLASSCHARS>
    --pwdMinclasses <PWD_MINCLASSES>
Parameters
- PWD_MAX_AGE:
  - This attribute contains the number of days after which a modified password expires. If this attribute is not present, or if its value is zero (0), then passwords never expire.
- PWD_EXPIRE_WARNING:
  - This attribute controls whether and when a warning message of password expiration is returned on a login attempt. If this attribute is not present, or if the value is zero (0), no warnings are returned.
- PWD_IN_HISTORY:
  - This attribute is used to specify the maximum number of used passwords that are stored in the pwdHistory attribute. If this attribute is not present, or if its value is zero (0), used passwords are not stored in pwdHistory and thus any previously used password may be reused.
- PWD_MAX_FAILURE:
  - This attribute controls how many consecutive password failures are allowed before the action defined by pwdLockout is taken. If the attribute is not present or its value is zero (0), then an unlimited number of consecutive password failure attempts are allowed. Any successful login operation resets the count.
- PWD_LOCK_OUT:
  - This attribute specifies the action that should be taken by the appliance when a user has made a specified number of failed login attempts. If pwdLockout is set (its value is "TRUE"), the user will not be allowed to attempt to authenticate to the appliance after a specified number of consecutive failed attempts. The maximum number of consecutive failed attempts allowed is specified by the pwdMaxFailure parameter. If pwdLockout is not present, or if its value is "FALSE", the password may be used to authenticate no matter how many consecutive failed attempts have been made.
- PWD_LOCK_OUT_DURATION:
  - This attribute contains the number of seconds during which the password cannot be used to authenticate the user due to too many consecutive failed attempts. If pwdLockoutDuration is not present, or if its value is zero (0), the password cannot be used to authenticate the user to the appliance again until it is reset by an administrator.
- PWD_FAILURE_COUNT_INTERVAL:
  - This attribute contains the number of seconds after which old consecutive failed attempts are removed from the failure counter, even though no successful authentication has occurred. If pwdFailureCountInterval is not present, or its value is zero (0), the failure counter is reset only by a successful authentication.
- PWD_MUST_CHANGE:
  - This attribute specifies whether users must change their passwords when they first log in to the appliance after a password is set or reset by the administrator. If pwdMustChange has a value of "TRUE", users must change their passwords when they log in to the appliance after a password is set or reset by the administrator. If pwdMustChange is not present, or its value is "FALSE", users are not required to change their password upon login after the administrator sets or resets the password.
- PWD_ALLOW_USER_CHANGE:
  - This attribute specifies whether users can change their own passwords. If pwdAllowUserChange is set to "TRUE", or if the attribute is not present, users are allowed to change their own passwords. If its value is "FALSE", users are not allowed to change their own passwords.
- PWD_SAFE_MODIFY:
  - This attribute denotes whether the user's existing password must be sent along with the new password when changing a password. If pwdSafeModify is set to "TRUE", the existing password must be sent along with the new password. If the attribute is not present, or its value is "FALSE", the existing password need not be sent along with the new password.
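The interaction between pwdMaxFailure, pwdLockout, pwdLockoutDuration and pwdFailureCountInterval is easiest to see by replaying a sequence of login attempts. The following is an added example, not code from the appliance or from ap_ldap_ppolicy.pl; it models the rules as described above with integer-second timestamps, and assumes that an expired lockout also clears the failure counter.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Added example, not the appliance's own code: replays login attempts under the
# pwdMaxFailure / pwdLockout / pwdLockoutDuration / pwdFailureCountInterval rules.
# Times are integer seconds; 0 keeps the "attribute not present" meaning.

@dataclass
class LockoutPolicy:
    pwdMaxFailure: int = 0            # 0: unlimited consecutive failures
    pwdLockout: bool = False          # TRUE: refuse logins after pwdMaxFailure
    pwdLockoutDuration: int = 0       # 0: locked until an administrator resets
    pwdFailureCountInterval: int = 0  # 0: only a successful login resets the count

@dataclass
class AccountState:
    failure_times: List[int] = field(default_factory=list)
    locked_at: Optional[int] = None

def attempt(policy, state, now, password_ok):
    """Apply one login attempt at time `now`; returns 'ok', 'fail' or 'locked'."""
    if state.locked_at is not None:
        expired = (policy.pwdLockoutDuration > 0
                   and now >= state.locked_at + policy.pwdLockoutDuration)
        if not expired:
            return "locked"      # duration 0: stays locked until admin reset
        state.locked_at = None   # assumption: expiry also clears the counter
        state.failure_times = []
    if policy.pwdFailureCountInterval > 0:
        # Failures older than the interval age out even without a success.
        state.failure_times = [t for t in state.failure_times
                               if now - t < policy.pwdFailureCountInterval]
    if password_ok:
        state.failure_times = []  # any successful login resets the count
        return "ok"
    state.failure_times.append(now)
    if (policy.pwdLockout and policy.pwdMaxFailure > 0
            and len(state.failure_times) >= policy.pwdMaxFailure):
        state.locked_at = now     # this failure is counted; later attempts are refused
    return "fail"

def replay(policy, events):
    """Run (time, password_ok) events against a fresh account; returns the outcomes."""
    state = AccountState()
    return [attempt(policy, state, t, ok) for t, ok in events]
```

With pwdLockout set to FALSE the counter still grows but no attempt is ever refused, which is exactly the "no matter how many consecutive failed attempts" case in the text.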
Note: The following attributes change the PAM and LDAP password complexity rules. Users can also set these parameters to zero (0) to disable complexity checking, in which case only pattern checks such as dictionary words and the reversed password are applied.
- PWD_MIN_LENGTH:
  - This attribute contains the minimum number of characters that are accepted in a password. The system default value is 15.
- PWD_UPPER:
  - This attribute specifies the minimum number of uppercase characters required when changing the password. The system default value is 1.
- PWD_LOWER:
  - This attribute specifies the minimum number of lowercase characters required when changing the password. The system default value is 1.
- PWD_DIGITS:
  - This attribute specifies the minimum number of digits required when changing the password. The system default value is 1.
- PWD_SPECIALCHARS:
  - This attribute specifies the minimum number of special characters required when changing the password. The system default value is 1.
- PWD_MINDIFFCHARSFROMOLD:
  - This attribute specifies the minimum number of characters in the new password that must differ from the current password. The system default value is 8.
- PWD_MAXREPEATCHAR:
  - This attribute specifies the maximum number of times a character may be repeated when changing the password. The system default value is 3.
- PWD_MAXCLASSCHARS:
  - This attribute specifies the maximum number of consecutive characters of the same class allowed when changing the password. The system default value is 4.
- PWD_MINCLASSES:
  - This attribute specifies the minimum number of character classes required in the new password. The system default value is 4.
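To make the complexity parameters concrete, the following added example (not the appliance's own checker) evaluates a candidate password against all of them using the system defaults listed above, and treats a value of zero as "check disabled" as the note says. It assumes that repeats and class runs are counted over consecutive characters, and that "different from the current password" means characters of the new password that do not occur in the old one.

```python
from dataclasses import dataclass

# Added example, not the appliance's own checker: defaults are the page's system
# defaults; a parameter set to 0 disables that single check, as the note says.
@dataclass
class ComplexityPolicy:
    pwdMinLength: int = 15
    pwdMinUppercase: int = 1
    pwdMinLowercase: int = 1
    pwdMinDigits: int = 1
    pwdMinSpecialchars: int = 1
    pwdMinDiffCharsfromOld: int = 8
    pwdMaxRepeatChar: int = 3
    pwdMaxclassChars: int = 4
    pwdMinclasses: int = 4

CLASSES = {"upper": str.isupper, "lower": str.islower,
           "digit": str.isdigit, "special": lambda c: not c.isalnum()}

def char_class(c):
    return next((n for n, test in CLASSES.items() if test(c)), "special")

def max_run(items):
    """Length of the longest run of identical consecutive items."""
    best = run = 0
    prev = object()
    for item in items:
        run = run + 1 if item == prev else 1
        best, prev = max(best, run), item
    return best

def below(minimum, value): return minimum > 0 and value < minimum   # 0: disabled
def above(maximum, value): return maximum > 0 and value > maximum   # 0: disabled

def check_password(new, old, policy=ComplexityPolicy()):
    """Return the names of violated parameters; an empty list means accepted."""
    p = policy
    counts = {n: sum(1 for c in new if test(c)) for n, test in CLASSES.items()}
    # Assumption: "different from old" counts characters of `new` absent from `old`.
    changed = sum(1 for c in new if c not in old)
    results = {
        "pwdMinLength": below(p.pwdMinLength, len(new)),
        "pwdMinUppercase": below(p.pwdMinUppercase, counts["upper"]),
        "pwdMinLowercase": below(p.pwdMinLowercase, counts["lower"]),
        "pwdMinDigits": below(p.pwdMinDigits, counts["digit"]),
        "pwdMinSpecialchars": below(p.pwdMinSpecialchars, counts["special"]),
        "pwdMinDiffCharsfromOld": below(p.pwdMinDiffCharsfromOld, changed),
        "pwdMaxRepeatChar": above(p.pwdMaxRepeatChar, max_run(new)),
        "pwdMaxclassChars": above(p.pwdMaxclassChars, max_run(char_class(c) for c in new)),
        "pwdMinclasses": below(p.pwdMinclasses, sum(1 for v in counts.values() if v)),
    }
    return [name for name, violated in results.items() if violated]
```

Note that with the default pwdMaxclassChars of 4, an all-lowercase passphrase fails the class-run check even when it is long enough, so the defaults favour mixed-class passwords over long single-class ones.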