Password policy examples

When the global password policy entry, cn=pwdpolicy,cn=ibmpolicies, is initially created in the CDBM backend, the policy is not enabled. This example uses the ldapmodify utility to activate the global password policy and to change its default values. For more information about the ldapmodify utility, see ldapmodify and ldapadd utilities in z/OS IBM Tivoli Directory Server Client Programming for z/OS.

ldapmodify -p port -D adminDn -w adminPw                                                        
dn: cn=pwdpolicy,cn=ibmpolicies
replace: x
ibm-pwdpolicy: true
pwdmaxage: 7776000
pwdexpirewarning: 5184000
pwdmaxfailure: 5
pwdlockout: true
pwdinhistory: 3
pwdminlength: 5
pwdchecksyntax: 1

After these modifications are made to the global password policy entry, the following policy is in effect for all existing entries that have userPassword attribute values:

• Passwords must be changed every 90 days (7776000 seconds) and password expiration warnings are sent on the PasswordPolicy response control starting 60 days (5184000 seconds) before the password expires.
• There are a maximum of five login failures before the user's account is locked and must be unlocked by an LDAP root administrator or an administrator with the appropriate authority. See Administrative group and roles for more information about administrative role authority.
• The previous three password values are kept in the user's password history and the user is unable to reuse these password values.
• The new password value must have a minimum length of five characters.

If there are a number of users that must have a password policy that differs from the global password policy, group password policies are used. These users must be placed in a static, dynamic, and nested group and those groups are updated to refer to a password policy entry. This example uses the ldapadd utility to add a password policy entry in the CDBM backend to be used as a group password policy. For more information about the ldapadd client utility, see ldapmodify and ldapadd utilities in z/OS IBM Tivoli Directory Server Client Programming for z/OS.

ldapadd -p port -D adminDn -w adminPw
dn: cn=group,cn=ibmpolicies
objectclass: pwdpolicy
objectclass: ibm-pwdpolicyext
objectclass: container
pwdminlength: 10
pwdinhistory: 5
pwdchecksyntax: 2
passwordminalphachars: 5
passwordminotherchars: 2
pwdmaxage: 5184000
pwdexpirewarning: 2592000
pwdattribute: userpassword
ibm-pwdpolicy: true

The characteristics are:

• Passwords must be changed every 60 days (5184000 seconds) and password expiration warnings are sent on the PasswordPolicy response control starting 30 days (2592000) before the password is to expire.
• The minimum length of password values is 10 characters, five must be alphabetic characters, and two must be non-alphabetic characters. Password syntax checking is enforced because the pwdCheckSyntax attribute is set to two.
• The previous five password values are kept in the user's password history and the user is unable to reuse these password values.

After the password policy entry is created, the group entry that must use this special password policy must be modified to set the ibm-pwdGroupPolicyDN operational attribute value. This example uses the ldapmodify utility to modify the existing cn=group,c=us entry to add an ibm-pwdGroupPolicyDN operational attribute value for the cn=group,cn=ibmpolicies password policy entry.

ldapmodify -p port -D adminDn -w adminPw
dn: cn=group,c=us
add: ibm-pwdgrouppolicydn
ibm-pwdgrouppolicydn: cn=group,cn=ibmpolicies

Although the cn=group,cn=ibmpolicies password policy entry created earlier is enabled by setting the ibm-pwdPolicy attribute value to true, the global password policy must be enabled to evaluate additional password policies (if it is not already). Set the ibm-pwdGroupAndIndividualEnabled attribute value to true in the global password policy entry. This example uses the ldapmodify utility to enable the evaluation of additional password policies in the LDAP server.

ldapmodify -p port -D adminDn -w adminPw                                                        
dn: cn=pwdpolicy,cn=ibmpolicies
replace: x
ibm-pwdgroupandindividualenabled: true

This example uses the ldapadd utility to add a password policy entry in the CDBM backend to be used as an individual password policy.

ldapadd -p port -D adminDn -w adminPw
dn: cn=individual,cn=ibmpolicies
objectclass: pwdpolicy
objectclass: ibm-pwdpolicyext
objectclass: container
pwdminlength: 8
pwdgraceloginlimit: 3
pwdinhistory: 4
pwdchecksyntax: 1
pwdattribute: userpassword
ibm-pwdpolicy: true

The characteristics are:

• The minimum length of a password value is eight characters with no restrictions on alphabetic or numeric characters.
• The previous four password values are kept in the user's password history and the user is unable to reuse these password values.
• There are three grace logins allowed before the user's password expires.

After the password policy entry is created, the individual users needed to use this special password policy must be modified to set the ibm-pwdIndividualPolicyDN operational attribute value. This example uses the ldapmodify utility to modify the existing cn=user5,c=us entry to add an ibm-pwdIndividualPasswordPolicyDN operational attribute value for the cn=individual,cn=ibmpolicies password policy entry.

ldapmodify -p port -D adminDn -w adminPw
dn: cn=user5,c=us
add: ibm-pwdIndividualPolicydn                              
ibm-pwdIndividualPolicydn: cn=individual,cn=ibmpolicies

Although the cn=individual,cn=ibmpolicies password policy entry created earlier is enabled by setting the ibm-pwdPolicy attribute value to true, the global password policy must be enabled to evaluate additional password policies (if it is not already). Set the ibm-pwdGroupAndIndividualEnabled attribute value to true in the global password policy entry. This example uses the ldapmodify utility to enable the evaluation of additional password policies in the LDAP server.

ldapmodify -p port -D adminDn -w adminPw                                                        
dn: cn=pwdpolicy,cn=ibmpolicies
replace: x
ibm-pwdgroupandindividualenabled: true

The Effective password policy extended operation in the ldapexop utility is used to query the effective password policy of a user or group. The Effective password policy extended operation displays the password policy attribute values and the password policy entries that have contributed to the effective password policy for the specified user or group. See The ldapexop utility for more information. This example uses the Effective password policy extended operation in the ldapexop utility to query the effective password policy for user cn=user5,c=us:

ldapexop -p port -D adminDn -w adminPw -op effectpwdpolicy -d "cn=user5,c=us"

The effective password policy is calculated based on the following entries:
cn=pwdpolicy,cn=ibmpolicies
cn=group,cn=ibmpolicies
cn=individual,cn=ibmpolicies

The effective password policy is:
ibm-pwdgroupandindividualenabled=TRUE
ibm-pwdpolicy=TRUE
ibm-pwdPolicyStartTime=20090808153021.4210567Z
passwordmaxconsecutiverepeatedchars=0
passwordmaxrepeatedchars=0
passwordminalphachars=0
passwordmindiffchars=0
passwordminotherchars=0
pwdallowuserchange=TRUE
pwdattribute=userpassword
pwdchecksyntax=2
pwdexpirewarning=2592000
pwdfailurecountinterval=0
pwdgraceloginlimit=3
pwdinhistory=4
pwdlockout=TRUE
pwdlockoutduration=0
pwdmaxage=5184000
pwdmaxfailure=5
pwdminage=0
pwdminlength=8
pwdmustchange=TRUE
pwdsafemodify=FALSE 

The Account status extended operation in the ldapexop utility is used to query if the user's account is opened, locked, or the password has expired.

ldapexop -p port -D adminDn -w adminPw -op acctstatus -d “cn=user1,c=us”
acctstatus_extended_op: Account is locked.