Password policy operational attributes

For user entries that are subject to LDAP password policy, there are several operational attributes that contain password policy state information. The password operational attributes in Table 1 are in the critical access class and by default, only an LDAP administrator with the appropriate authority can query and read them. See Administrative group and roles for more information. If other users require access to these attributes, the default ACLs can be changed to allow read access to these attributes. See Using access control for more information.
Table 1. Password policy operational attributes in user entries
Attribute and description
pwdChangedTime

Specifies the Coordinated Universal Time in Zulu format when the userPassword value was last changed, or the ibm-pwdPolicyStartTime attribute value (the start time) of the effective password policy entry, whichever time is later. The pwdChangedTime attribute is only updated when the user's effective password policy has either the pwdMinAge attribute or the pwdMaxAge attribute set to a value other than 0.

Example:
pwdChangedTime: 20091021182253.188983Z

pwdAccountLockedTime

Specifies the Coordinated Universal Time in Zulu format when the user's account was locked. If the user's account is not locked, this attribute is not present in the user's entry. If the user's password is reset by an LDAP root or password administrator, this attribute is automatically removed from the entry.

Example:
pwdAccountLockedTime: 20091021183747.488417Z

pwdExpirationWarned

Specifies the Coordinated Universal Time in Zulu format of the first password expiration warning for this user.

Example:
pwdExpirationWarned: 20091021181746.852469Z

pwdFailureTime

A multi-valued attribute specifying the Coordinated Universal Time in Zulu format of the previous consecutive authentication failures for this user.

If the pwdLockout attribute is set to true in the effective password policy entry, then the number of consecutive authentication failures by this user is limited by the pwdMaxFailure attribute value in the effective password policy entry. On a successful authentication, all pwdFailureTime attribute values are removed from the user's entry.

If the pwdLockout attribute is set to false in the effective password policy entry, then consider setting pwdLockoutDuration in the effective password policy entry to avoid recording an unlimited number of pwdFailureTime values.

Example:
pwdFailureTime: 20091021181836.913647Z

pwdGraceUseTime

A multi-valued attribute specifying the Coordinated Universal Time in Zulu format of the previous grace logins for this user. The number of grace logins that are allowed by this user with an expired password is limited by the pwdGraceLoginLimit attribute value in the effective password policy entry. If grace logins are not allowed by the effective password policy, this attribute is not present in the user's entry. If the user's password is changed before the grace logins limit is exceeded, all pwdGraceUseTime attribute values are removed from the user's entry.

Example:
pwdGraceUseTime: 20091013183626.310768Z
pwdGraceUseTime: 20091021155707.839414Z

pwdHistory

A multi-valued attribute containing the history of previously used passwords for this user entry. The number of previous password values that are stored for this user is limited by the pwdHistory attribute value in the effective password policy entry. When the current userPassword attribute value is changed for this user, the previous password values in the history are compared to ensure that the user does not reuse an old password value.

The format for this attribute is:
pwdHistory: time#syntaxOID#length#data

Where,

time is the Coordinated Universal Time in Zulu format when this password value was added to the password history.

syntaxOID is the numeric OID that defines the syntax that is used to originally store the password value.

length is the number of octets in the old password data.

data is the octets representing the password in a tagged, base64-encoded printable format. This portion uses the same encryption or hashing format as the original userPassword attribute value. If the data after the encryption tag is not printable in the original userPassword attribute value, it is base64 encoded before it is stored in the pwdHistory attribute value.

Example:
pwdHistory: 20101124182146.400909Z#1.3.6.1.4.1.1466.115.121.1.40#33#{AES:KEY}hlzJB229co0VN728TpeU0w==
pwdHistory: 20101124182507.050181Z#1.3.6.1.4.1.1466.115.121.1.40#62#{SSHA}eyuSkyuA1ZmIMtZWQ7WcBplgTGqiZs1X+sBV+CFOz/tynSBu3Ay=
pwdHistory: 20101124181038.800202Z#1.3.6.1.4.1.1466.115.121.1.40#18#{none}c2VjcmV0MQ==

pwdReset

A Boolean (true or false) indicating whether the user's password is changed or set by another user. When set to true, the password value must be changed by the user after successful authentication before the user is allowed to perform any other operations. If the userPassword value in this entry is changed by the user, this attribute is removed from the user's entry.

Example:
pwdReset: true

ibm-pwdAccountLocked

When a user's account is administratively locked, the user is unable to successfully authenticate to the server. This attribute is not present in the user's entry if the account has never been administratively locked.

Example:
ibm-pwdAccountLocked: true  
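
As an added example (not part of this page and not the product's own code), the following Python parses pwdHistory values in the time#syntaxOID#length#data format described above and performs the kind of reuse comparison the pwdHistory description refers to. The function and class names are mine, the fourth {SSHA} history value is constructed for the demo, and the layout assumed for {SSHA} is the conventional base64(SHA-1(password || salt) || salt); an {AES:KEY} value cannot be verified without the server's key, so the check reports it as unverifiable rather than guessing.

```python
import base64
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

ZULU_RE = re.compile(r"^(\d{14})(?:\.(\d{1,6}))?Z$")
TAG_RE = re.compile(r"^\{([^}]+)\}(.*)$", re.DOTALL)


def parse_zulu(value: str) -> datetime:
    """Parse an LDAP generalized time in Zulu format, e.g. 20101124182146.400909Z."""
    m = ZULU_RE.match(value)
    if not m:
        raise ValueError(f"not a Zulu generalized time: {value!r}")
    base = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    micros = int((m.group(2) or "0").ljust(6, "0"))
    return base.replace(microsecond=micros, tzinfo=timezone.utc)


@dataclass(frozen=True)
class PwdHistoryEntry:
    added: datetime   # when the value entered the history
    syntax_oid: str   # syntax the value was originally stored in
    length: int       # the length field as recorded by the server
    tag: str          # encryption/hash tag: "SSHA", "AES:KEY", "none", ...
    payload: str      # base64 text that follows the tag
    data: str         # the whole data field, tag included

    @property
    def length_ok(self) -> bool:
        """True when the recorded length matches the stored data field."""
        return self.length == len(self.data)

    def decoded(self) -> bytes:
        """Raw octets behind the tag (for {none}, the cleartext password)."""
        return base64.b64decode(self.payload)


def parse_pwd_history(value: str) -> PwdHistoryEntry:
    """Split one pwdHistory value of the form time#syntaxOID#length#data."""
    parts = value.split("#", 3)
    if len(parts) != 4:
        raise ValueError(f"expected four '#'-separated fields: {value!r}")
    time_s, oid, length_s, data = parts
    m = TAG_RE.match(data)
    if not m:
        raise ValueError(f"data field has no {{tag}} prefix: {data!r}")
    return PwdHistoryEntry(parse_zulu(time_s), oid, int(length_s), m.group(1), m.group(2), data)


def matches_entry(entry: PwdHistoryEntry, candidate: str) -> Optional[bool]:
    """Compare a candidate cleartext with one history entry.

    {none} and {SSHA} can be verified offline (SSHA is assumed to be the usual
    base64(sha1(password || salt) || salt) layout). Schemes that need server-side
    key material, such as {AES:KEY}, cannot be checked here and return None.
    """
    pw = candidate.encode("utf-8")
    if entry.tag == "none":
        return entry.decoded() == pw
    if entry.tag == "SSHA":
        raw = entry.decoded()
        digest, salt = raw[:20], raw[20:]
        return hashlib.sha1(pw + salt).digest() == digest
    return None


def password_in_history(values: list[str], candidate: str) -> bool:
    """True if the candidate matches any history entry that can be verified."""
    return any(matches_entry(parse_pwd_history(v), candidate) for v in values)


def make_ssha(password: str, salt: bytes) -> str:
    """Build a {SSHA} value for the demo (constructed, not a value from the page)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


# Sample data: the three pwdHistory example values from the page, plus one
# {SSHA} entry constructed locally so the reuse check has a known salted hash.
_SSHA = make_ssha("Winter2010!", b"\x01\x02\x03\x04\x05\x06\x07\x08")
SAMPLE_HISTORY = [
    "20101124182146.400909Z#1.3.6.1.4.1.1466.115.121.1.40#33#{AES:KEY}hlzJB229co0VN728TpeU0w==",
    "20101124182507.050181Z#1.3.6.1.4.1.1466.115.121.1.40#62#{SSHA}eyuSkyuA1ZmIMtZWQ7WcBplgTGqiZs1X+sBV+CFOz/tynSBu3Ay=",
    "20101124181038.800202Z#1.3.6.1.4.1.1466.115.121.1.40#18#{none}c2VjcmV0MQ==",
    f"20101125090000.000000Z#1.3.6.1.4.1.1466.115.121.1.40#{len(_SSHA)}#{_SSHA}",
]

if __name__ == "__main__":
    for v in SAMPLE_HISTORY:
        e = parse_pwd_history(v)
        print(e.added.isoformat(), e.tag, "ok" if e.length_ok else "length mismatch")
    for pw in ("secret1", "Winter2010!", "fresh-value"):
        print(pw, "->", password_in_history(SAMPLE_HISTORY, pw))
```

The parser flags a length field that disagrees with the stored data (length_ok) instead of raising, so a truncated or hand-edited value is reported rather than silently skipped; the only hard failures are a missing field or a missing {tag} prefix.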

By default, an LDAP root or directory data administrator can query these password policy operational attributes for user entries in a particular state. Because these attributes are operational, each attribute name or the special '+' attribute must be specified on the search request so that they are returned on the search response. If the authenticated user has access to operational attributes, the '+' attribute returns all operational attributes other than the ibm-allMembers, ibm-allGroups, ibm-entryCheckSum, ibm-entryCheckSumOp, and hasSubordinates attributes.

This example uses the ldapsearch utility to retrieve operational attributes:
ldapsearch -D adminDn -w adminPw -s sub -b "c=us" "objectclass=*" +

The pwdChangedTime attribute can be used in a search filter to retrieve a list of candidate users whose passwords might be about to expire. This example assumes that the effective password policy's expiration period is 90 days and looks for entries whose passwords expire on August 10, 2010. It therefore uses the ldapsearch utility to find all entries whose password was last changed before May 2, 2010 (the filter matches entries whose pwdChangedTime is not greater than or equal to 20100502000000Z):
ldapsearch -D adminDn -w adminPw -s sub -b "c=us" "(!(pwdChangedTime>=20100502000000Z))" dn

The pwdAccountLockedTime attribute can be used in a search filter to retrieve a list of candidate users that might be locked. Users are not always locked when this attribute is present in their entries, because the effective password policy's lockout duration might already have been exceeded. This example uses the ldapsearch utility to search for all entries that have a pwdAccountLockedTime attribute value:

ldapsearch -D adminDn -w adminPw -s sub -b "c=us" "(pwdaccountlockedtime=*)" dn
The pwdReset attribute can be used in a search filter to retrieve a list of candidate users whose password must be changed because the password was reset or changed by another user. If the effective password policy does not enforce password reset, then this search does not retrieve all users that need to change or reset their passwords. This example uses the ldapsearch utility to search for all entries that have a pwdReset attribute value.
ldapsearch -D adminDn -w adminPw -s sub -b "c=us" "(pwdreset=true)" dn
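
The following Python is an added example, not from this page or the product, that builds the pwdChangedTime filter in the form shown above and then post-processes search results the way the caveats in this section require: entries without pwdChangedTime are skipped rather than guessed at, and an entry carrying pwdAccountLockedTime is reported as locked only while the assumed pwdLockoutDuration has not yet elapsed. The policy values (pwdMaxAge of 90 days, pwdLockoutDuration of one day), the report date, the sample entries and the treatment of a pwdLockoutDuration of 0 as a lock that persists until an administrator clears it are all assumptions made for the demo.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Policy values assumed for this demo (constructed, not from the page), in seconds.
PWD_MAX_AGE = 90 * 86400
PWD_LOCKOUT_DURATION = 86400
# Fixed "now" so the results are reproducible.
REPORT_DATE = datetime(2010, 7, 31, tzinfo=timezone.utc)


def parse_zulu(value: str) -> datetime:
    """Parse a Zulu generalized time, with or without fractional seconds."""
    main, _, frac = value.rstrip("Z").partition(".")
    dt = datetime.strptime(main, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return dt.replace(microsecond=int(frac.ljust(6, "0")[:6])) if frac else dt


def format_zulu(dt: datetime) -> str:
    """Render a datetime in the whole-second Zulu form used in search filters."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S") + "Z"


def expiring_filter(report_date: datetime, pwd_max_age: int) -> str:
    """Server-side filter in the page's form: a password last changed before
    report_date - pwdMaxAge has expired, or will expire, by report_date."""
    cutoff = report_date - timedelta(seconds=pwd_max_age)
    return f"(!(pwdChangedTime>={format_zulu(cutoff)}))"


def expires_at(entry: dict, pwd_max_age: int) -> Optional[datetime]:
    """Expiry instant for one entry, or None when it cannot be derived:
    a pwdMaxAge of 0 disables expiry, and pwdChangedTime is only maintained
    when pwdMinAge or pwdMaxAge is non-zero, so it may be absent."""
    values = entry.get("pwdChangedTime")
    if pwd_max_age == 0 or not values:
        return None
    return parse_zulu(values[0]) + timedelta(seconds=pwd_max_age)


def expiring_by(entries: list[dict], report_date: datetime, pwd_max_age: int) -> list[str]:
    """DNs whose password expires on or before report_date."""
    hits = []
    for entry in entries:
        when = expires_at(entry, pwd_max_age)
        if when is not None and when <= report_date:
            hits.append(entry["dn"])
    return sorted(hits)


def still_locked(entry: dict, pwd_lockout_duration: int, now: datetime) -> bool:
    """A present pwdAccountLockedTime is not enough: the lockout may already have
    expired. A pwdLockoutDuration of 0 is assumed here to mean the lock persists
    until an administrator clears it."""
    values = entry.get("pwdAccountLockedTime")
    if not values:
        return False
    if pwd_lockout_duration == 0:
        return True
    return now < parse_zulu(values[0]) + timedelta(seconds=pwd_lockout_duration)


def locked_now(entries: list[dict], pwd_lockout_duration: int, now: datetime) -> list[str]:
    """DNs actually locked at `now`, from a (pwdaccountlockedtime=*) result set."""
    return sorted(e["dn"] for e in entries if still_locked(e, pwd_lockout_duration, now))


# Constructed entries shaped like ldapsearch results (attribute -> list of values).
SAMPLE_ENTRIES = [
    {"dn": "cn=alice,c=us", "pwdChangedTime": ["20100401120000.000000Z"]},
    {"dn": "cn=bob,c=us", "pwdChangedTime": ["20100601120000.000000Z"]},
    {"dn": "cn=carol,c=us", "pwdChangedTime": ["20100301000000Z"],
     "pwdAccountLockedTime": ["20100730230000Z"]},   # locked an hour before REPORT_DATE
    {"dn": "cn=dave,c=us", "pwdAccountLockedTime": ["20100701000000Z"]},  # lock long expired
]

if __name__ == "__main__":
    print(expiring_filter(REPORT_DATE, PWD_MAX_AGE))
    print("expiring:", expiring_by(SAMPLE_ENTRIES, REPORT_DATE, PWD_MAX_AGE))
    print("locked:  ", locked_now(SAMPLE_ENTRIES, PWD_LOCKOUT_DURATION, REPORT_DATE))
```

With these values the generated filter is the one the page's own ldapsearch example uses, and the client-side pass separates a candidate set (everything with pwdAccountLockedTime) from the accounts that are still locked at the report time.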