Password policy

Because LDAP servers are used for authentication, it is important that an LDAP server supports policies for password expiration, failed login attempts, and password rules. Directory Server provides configurable support for all three kinds of policy.

Password policy is a set of rules that controls how passwords are used and administered in the IBM Directory. These rules are made to ensure that users change their passwords periodically, and that the passwords meet the organization's syntactic password requirements. These rules can also restrict the reuse of old passwords and ensure that users are locked out after a defined number of failed bind attempts.

When an administrator sends a request to turn on password policy, the server generates the ibm-pwdPolicyStartTime attribute. This attribute is optional and cannot be deleted or modified by a client request; only administrators with administrative control can modify it. Its value changes whenever an administrator turns the password policy on or off. Because the value is reset each time the policy is turned off and on, a user entry's last-changed time, which is evaluated from the entry's modifyTimestamp and ibm-pwdPolicyStartTime, may also change. As a result, some old passwords that would otherwise have expired may not expire after the password policy is turned off and on.
Note: It is essential to note that a password policy entry has to be created before it can be associated with a user or a group entry as an individual or a group password policy. If the referenced password policy entry does not exist, a message "unwilling to perform" is returned. Once a password policy entry has been referenced by a user or group entry, it cannot be renamed or deleted unless the association between the entry and the user or group entry has been removed.

For additional information about passwords see Password Guidelines.

Directory Server provides three types of password policies: individual, group, and global password policies.

Global Password Policy

When a global password policy entry (cn=pwdpolicy,cn=ibmpolicies) is created by the server, the attribute ibm-pwdPolicy is set to FALSE, which is the default value. This means that all password policy entries are ignored by the server. The password rules are enforced by the server only when the ibm-pwdPolicy attribute is set to TRUE. When a global password policy is enforced and the ibm-pwdGroupAndIndividualEnabled attribute in cn=pwdpolicy,cn=ibmpolicies is set to TRUE, the group and individual password policies are also considered when evaluating the password policy.

Group Password Policy

The group password policy enables the members of a group to be controlled by a set of special password rules. For a group password policy, the ibm-pwdGroupPolicyDN attribute, which points to a password policy entry, can be added to any user group object such as accessGroup, accessRole, or groupOfNames.

Since a user entry may belong to more than one group, multiple group password policy entries will be evaluated before the user's group policy can be determined. In order to evaluate a composite group policy, group password policy entries are combined to form a union of attributes with the most restrictive attribute values taking precedence.

Individual Password Policy

Individual password policy enables every user entry to have its own password policy. For an individual password policy, the ibm-pwdIndividualPolicyDN attribute, which points to a password policy entry, can be added to a user entry to give that user its own password policy entry. By changing the attributes of the password policy entry, an administrator can effectively manage the password policy for a set of users without modifying any of the user entries.
Note: By assigning a value of cn=noPwdPolicy to attribute ibm-pwdIndividualPolicyDN for a password policy extended user entry, an administrator may exempt a user from any password policy controls.

Password Evaluation

To evaluate a user's effective password policy, all password policies associated with the user are taken into consideration, starting with the individual password policy, then the group password policy, and finally the global password policy. If an attribute is not defined in the individual password policy entry, it is looked up in the composite group password policy entry. If it is not found there either, the attribute in the global password policy entry is used. If the attribute is not defined in the global password policy entry, the default value is assumed.

Note: The effective password policy extended operation (effectpwdpolicy) is used to display the effective password policy of a given user. Information about the password policy entries which are used to calculate the effective password policy is also displayed using this extended operation. For more information about this extended operation, see the IBM Tivoli Directory Server version 6.1 Command Reference.

Evaluation of a user's Group Password Policy

Since a user entry may belong to more than one group, multiple group password policy entries may be evaluated to determine a user's composite group policy. Following are the rules for determining a user's composite group password policy:
  1. If ibm-pwdPolicy is set to False in a Password policy entry, no attributes defined in the entry will be used to determine the composite group password policy. If the attribute is not set, then the default value of False is assumed for the attribute.
  2. If ibm-pwdGroupPolicyDN has a value of cn=noPwdPolicy in all the groups that a user belongs to, no composite group password will be evaluated for the user. In this case, unless the user has an individual password policy defined, no policy (not even the global) will be applied.
  3. An attribute defined with a non-default value is more restrictive than if defined with a default value which, in turn, is more restrictive than if it is not defined at all.
  4. The password policy attributes passwordMinAlphaChars, pwdMinLength, and passwordMinOtherChars are interdependent. For instance, the value of passwordMinAlphaChars must be set to less than or equal to the value in pwdMinLength minus the value in passwordMinOtherChars. Due to this inter-dependency among attribute values, if one attribute is selected from a policy, then the other two attributes are also selected from the same policy.

    The order of selection is pwdMinLength, passwordMinOtherChars, and passwordMinAlphaChars. That is, the policy with the largest value for pwdMinLength is selected. If two group policies have the same value for pwdMinLength, the one with the largest value for passwordMinOtherChars is selected. Once one attribute is selected, the other two attributes are taken from the same policy automatically.

  5. The passwordMaxConsecutiveRepeatedChars attribute restricts the maximum number of successive repetitions of a given character in the password. passwordMaxRepeatedChars and passwordMaxConsecutiveRepeatedChars can each be enabled or disabled independently of the other. However, if both attributes are enabled, the following rules apply:

    The value of passwordMaxRepeatedChars attribute must be greater than or equal to the value of passwordMaxConsecutiveRepeatedChars attribute.

    In case multiple password policies are enabled, passwordMaxConsecutiveRepeatedChars is picked up from the same policy as was used to pick up passwordMaxRepeatedChars. If passwordMaxRepeatedChars is disabled in all policies, then the most restrictive value of passwordMaxConsecutiveRepeatedChars would be picked up.

    If the passwordMaxConsecutiveRepeatedChars attribute is set to 0, the number of consecutive repeated characters is not checked. If it is set to 1, a given character cannot be immediately followed by the same character again. For instance, with passwordMaxConsecutiveRepeatedChars set to 1, 'aba' is a valid password value but 'aab' is not.

    Similarly, if the passwordMaxConsecutiveRepeatedChars attribute is set to 2, then the maximum number of times a character can occur consecutively in a password is 2.

  6. Attributes in all the group password policy entries are combined to form a union of attributes with the most restrictive attribute values taking precedence. Given below is a table that describes how the most restrictive attribute values are determined:
    Table 1. Determining the most restrictive attribute values

    | Password policy attribute | More restrictive value | Valid values | Default value |
    |---|---|---|---|
    | pwdAttribute | N/A | userPassword | userPassword |
    | pwdMinAge | Greater | Greater than or equal (GE) to 0 | 0 - no age limit |
    | pwdMaxAge | Less | GE 0 | 0 - password does not expire |
    | pwdInHistory | Greater | 0 to 10 | 0 - no password history |
    | pwdCheckSyntax | Greater | 0, 1, 2 (1: if the server is not able to check the syntax, accept the password; 2: if the server is not able to check the syntax, reject the password) | 0 |
    | pwdMinLength | Greater | GE 0 | 0 - no minimum length |
    | pwdExpireWarning | Greater | GE 0 | 0 - no warnings will be sent |
    | pwdGraceLoginLimit | Less | GE 0 | 0 - no grace login |
    | pwdLockout | True | True/False | False |
    | pwdLockoutDuration | Greater | GE 0 | 0 - locked out until reset |
    | pwdMaxFailure | Less | GE 0 | 0 - no failure count, no lockout |
    | pwdFailureCountInterval | Greater | GE 0 | 0 - no count, reset by successful authentication |
    | pwdMustChange | True | True/False | True; False if cn=noPwdPolicy |
    | pwdAllowUserChange | True | True/False | True |
    | pwdSafeModify | True | True/False | False |
    | ibm-pwdPolicy | True | True/False | False |
    | passwordMinAlphaChars | Greater | GE 0 | 0 - no minimum number of alphabetic characters is enforced |
    | passwordMinOtherChars | Greater | GE 0 | 0 - no minimum number of other characters |
    | passwordMaxRepeatedChars | Less | GE 0 | 0 - no maximum number of repeated characters |
    | passwordMaxConsecutiveRepeatedChars | Less | GE 0 | 0 - no maximum number of consecutive repeated characters |
    | passwordMinDiffChars | Greater | GE 0 | 0 - no minimum number of different characters between passwords |
Based on the rules defined above, a user's composite group policy is determined. To gain a better understanding of how a composite group policy is determined, consider some examples given in the table below:
Table 2. Determining the composite group policy

| Group X password policy | Group Y password policy | Group Z password policy | Composite group password policy |
|---|---|---|---|
| pwdMaxAge = 86400; pwdSafeModify = True; pwdMaxFailure = 5; ibm-pwdPolicy = True; ibm-pwdPolicyStartTime = 20060406200000 | pwdMaxAge = 43200; pwdSafeModify = False; ibm-pwdPolicy = True; ibm-pwdPolicyStartTime = 20060306200000 | pwdCheckSyntax = 1; ibm-pwdPolicy = True; ibm-pwdPolicyStartTime = 20060506200000 | pwdMaxAge = 43200; pwdSafeModify = True; pwdCheckSyntax = 1; pwdMaxFailure = 5; ibm-pwdPolicy = True; ibm-pwdPolicyStartTime = 20060306200000 |
| pwdMaxAge = 86400; ibm-pwdPolicy = True | pwdMaxAge = 43200; pwdSafeModify = True | pwdMaxAge = 0; ibm-pwdPolicy = True | pwdMaxAge = 86400; pwdSafeModify = False; ibm-pwdPolicy = True (see note) |
| pwdMinLength = 10; passwordMinOtherChars = 4; passwordMinAlphaChars = 6; ibm-pwdPolicy = True | pwdMinLength = 12; ibm-pwdPolicy = True | | pwdMinLength = 12; ibm-pwdPolicy = True |
| pwdMinLength = 10; passwordMinOtherChars = 4; passwordMinAlphaChars = 6; ibm-pwdPolicy = True | | pwdMinLength = 10; passwordMinOtherChars = 5; passwordMinAlphaChars = 3; ibm-pwdPolicy = True | pwdMinLength = 10; passwordMinOtherChars = 5; passwordMinAlphaChars = 3; ibm-pwdPolicy = True |
| passwordMaxConsecutiveRepeatedChars = 0; passwordMaxRepeatedChars = 5; ibm-pwdPolicy = True | passwordMaxConsecutiveRepeatedChars = 2; ibm-pwdPolicy = True | passwordMaxRepeatedChars = 3; ibm-pwdPolicy = True | passwordMaxRepeatedChars = 3; passwordMaxConsecutiveRepeatedChars = 0; ibm-pwdPolicy = True |
| passwordMaxConsecutiveRepeatedChars = 4; passwordMaxRepeatedChars = 0; ibm-pwdPolicy = True | passwordMaxConsecutiveRepeatedChars = 1; passwordMaxRepeatedChars = 0; ibm-pwdPolicy = True | | passwordMaxConsecutiveRepeatedChars = 1; passwordMaxRepeatedChars = 0; ibm-pwdPolicy = True |
| passwordMaxConsecutiveRepeatedChars = 4; passwordMaxRepeatedChars = 2; ibm-pwdPolicy = True | passwordMaxConsecutiveRepeatedChars = 2; passwordMaxRepeatedChars = 3; ibm-pwdPolicy = True | | passwordMaxConsecutiveRepeatedChars = 4; passwordMaxRepeatedChars = 2; ibm-pwdPolicy = True |

Note: In the second row, Group Y's password policy is not used in calculating the composite group policy, since its ibm-pwdPolicy is not defined and therefore defaults to FALSE.

Evaluation of a user's Effective Password Policy

A user's effective password policy is evaluated only if the ibm-pwdPolicy attribute is set to TRUE in the global password policy entry. Other password policies, such as individual and group policy, can still be enabled when the global policy is disabled, but these policy rules will have no effect on the user.

The attribute ibm-pwdPolicyStartTime is set to the current system time when ibm-pwdPolicy is set to TRUE. This can be done even if the global password policy entry is set to FALSE. However, the ibm-pwdPolicyStartTime value will not be used for effective policy evaluation unless the global policy is enabled. Once the global policy is enabled, the value of this attribute will be selected from a user's individual, then group and then the global policy. Since ibm-pwdPolicyStartTime exists in every active password policy, the start time of an individual policy, if it exists, will always override any other policy start time as the start time of the user's effective password policy.

Given below is a set of examples that explain how a user's effective password policy is determined.

Table 3. Determining the effective password policy

| Individual password policy | Group password policy | Global password policy | Effective password policy |
|---|---|---|---|
| pwdMaxAge = 86400; ibm-pwdPolicy = True; pwdMinAge = 21600; pwdLockout = True; ibm-pwdPolicyStartTime = 20060406200000 | pwdMaxAge = 43200; ibm-pwdPolicy = True; pwdInHistory = 5; ibm-pwdPolicyStartTime = 20060306200000 | ibm-pwdPolicy = True; pwdMinAge = 43200; pwdInHistory = 3; pwdCheckSyntax = 0; pwdMinLength = 0; pwdExpireWarning = 0; pwdGraceLoginLimit = 0; pwdLockoutDuration = 0; pwdMaxFailure = 0; pwdFailureCountInterval = 0; passwordMinAlphaChars = 0; passwordMinOtherChars = 0; passwordMaxRepeatedChars = 0; passwordMinDiffChars = 0; pwdLockout = False; pwdAllowUserChange = True; pwdMustChange = True; pwdSafeModify = False; ibm-pwdPolicyStartTime = 20060506200000 | pwdMaxAge = 86400; ibm-pwdPolicy = True; pwdMinAge = 21600; pwdInHistory = 5; pwdCheckSyntax = 0; pwdMinLength = 0; pwdExpireWarning = 0; pwdGraceLoginLimit = 0; pwdLockoutDuration = 0; pwdMaxFailure = 0; pwdFailureCountInterval = 0; passwordMinAlphaChars = 0; passwordMinOtherChars = 0; passwordMaxRepeatedChars = 0; passwordMinDiffChars = 0; pwdLockout = True; pwdAllowUserChange = True; pwdMustChange = True; pwdSafeModify = False; ibm-pwdPolicyStartTime = 20060406200000 |
| pwdMaxAge = 86400; ibm-pwdPolicy = True; pwdMinAge = 21600; pwdMinLength = 8; pwdLockout = True; ibm-pwdPolicyStartTime = 20060406200000 | pwdMaxAge = 43200; ibm-pwdPolicy = True; pwdInHistory = 5; ibm-pwdPolicyStartTime = 20060306200000 | ibm-pwdPolicy = True; pwdMinAge = 0; pwdInHistory = 3 | pwdMaxAge = 86400; ibm-pwdPolicy = True; pwdMinAge = 21600; pwdInHistory = 5; pwdCheckSyntax = 0; pwdMinLength = 8; pwdExpireWarning = 0; pwdGraceLoginLimit = 0; pwdLockoutDuration = 0; pwdMaxFailure = 0; pwdFailureCountInterval = 0; passwordMinAlphaChars = 0; passwordMinOtherChars = 0; passwordMaxRepeatedChars = 0; passwordMinDiffChars = 0; pwdLockout = True; pwdAllowUserChange = True; pwdMustChange = True; pwdSafeModify = False; ibm-pwdPolicyStartTime = 20060406200000 |
| passwordMaxConsecutiveRepeatedChars = 1; passwordMaxRepeatedChars = 0; ibm-pwdPolicy = True | passwordMaxConsecutiveRepeatedChars = 1; passwordMaxRepeatedChars = 10; ibm-pwdPolicy = True | passwordMaxRepeatedChars = 4; ibm-pwdPolicy = True | passwordMaxConsecutiveRepeatedChars = 1; passwordMaxRepeatedChars = 0; ibm-pwdPolicy = True |
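The following Python is an added example that models the composite group policy rules (rules 1 to 6 above, with the "more restrictive value" column of Table 1) and the individual, then group, then global, then default precedence of the effective policy evaluation. It is not Directory Server code and does not talk to a server: policies are plain dictionaries keyed by attribute name, a `None` group entry stands for a group whose ibm-pwdGroupPolicyDN is cn=noPwdPolicy, and the treatment of ibm-pwdPolicyStartTime in the composite (earliest start time wins) is an assumption drawn from the first row of Table 2, since Table 1 does not list that attribute.

```python
"""Composite group policy and effective password policy evaluation (added example
modelling the rules in the text; not IBM Directory Server code)."""
from typing import Any, Dict, List, Optional

Policy = Dict[str, Any]

# "More restrictive value" column of Table 1: Greater, Less or True.
RESTRICTIVE = {
    "pwdMinAge": "Greater", "pwdMaxAge": "Less", "pwdInHistory": "Greater",
    "pwdCheckSyntax": "Greater", "pwdMinLength": "Greater", "pwdExpireWarning": "Greater",
    "pwdGraceLoginLimit": "Less", "pwdLockout": "True", "pwdLockoutDuration": "Greater",
    "pwdMaxFailure": "Less", "pwdFailureCountInterval": "Greater", "pwdMustChange": "True",
    "pwdAllowUserChange": "True", "pwdSafeModify": "True", "passwordMinAlphaChars": "Greater",
    "passwordMinOtherChars": "Greater", "passwordMaxRepeatedChars": "Less",
    "passwordMaxConsecutiveRepeatedChars": "Less", "passwordMinDiffChars": "Greater",
    # Not in Table 1; Table 2's first row carries the earliest start time into the
    # composite, so it is modelled as "Less" here (assumption).
    "ibm-pwdPolicyStartTime": "Less",
}
# "Default value" column of Table 1: every numeric attribute defaults to 0.
DEFAULTS: Policy = {"pwdAttribute": "userPassword", "pwdLockout": False, "pwdMustChange": True,
                    "pwdAllowUserChange": True, "pwdSafeModify": False, "ibm-pwdPolicy": False}
DEFAULTS.update({a: 0 for a in RESTRICTIVE if a not in DEFAULTS and a != "ibm-pwdPolicyStartTime"})

NO_PWD_POLICY = "cn=noPwdPolicy"
TRIO = ("pwdMinLength", "passwordMinOtherChars", "passwordMinAlphaChars")
REPEAT = "passwordMaxRepeatedChars"
CONSEC = "passwordMaxConsecutiveRepeatedChars"


def most_restrictive(attr: str, values: List[Any]) -> Any:
    """Rule 3 plus Table 1: a non-default value beats the default; among non-default
    values Greater/Less picks max/min; for boolean attributes True wins."""
    direction = RESTRICTIVE.get(attr)
    if direction == "True":
        return any(v is True for v in values)
    non_default = [v for v in values if v != DEFAULTS.get(attr)]
    if not non_default or direction not in ("Greater", "Less"):
        return values[0]
    return max(non_default) if direction == "Greater" else min(non_default)


def composite_group_policy(group_policies: List[Optional[Policy]]) -> Optional[Policy]:
    """Rules 1-6. Returns None when every group opts out via cn=noPwdPolicy (rule 2)."""
    if group_policies and all(p is None for p in group_policies):
        return None
    # Rule 1: a policy whose ibm-pwdPolicy is not True contributes nothing.
    active = [p for p in group_policies if p and p.get("ibm-pwdPolicy") is True]
    if not active:
        return {}
    composite: Policy = {"ibm-pwdPolicy": True}
    plain = {a for p in active for a in p} - set(TRIO) - {REPEAT, CONSEC, "ibm-pwdPolicy"}
    for attr in plain:                     # rule 6: union, most restrictive value wins
        composite[attr] = most_restrictive(attr, [p[attr] for p in active if attr in p])
    # Rule 4: the three interdependent syntax attributes all come from the policy with
    # the largest pwdMinLength, ties broken by the largest passwordMinOtherChars.
    trio_src = [p for p in active if any(a in p for a in TRIO)]
    if trio_src:
        best = max(trio_src, key=lambda p: tuple(p.get(a, 0) for a in TRIO))
        composite.update({a: best[a] for a in TRIO if a in best})
    # Rule 5: the smallest enabled (non-zero) passwordMaxRepeatedChars wins and the
    # consecutive limit comes from that same policy; if no policy enables it, the
    # most restrictive consecutive limit is used on its own.
    enabled = [p for p in active if p.get(REPEAT, 0) > 0]
    if enabled:
        src = min(enabled, key=lambda p: p[REPEAT])
        composite[REPEAT], composite[CONSEC] = src[REPEAT], src.get(CONSEC, 0)
    else:
        if any(REPEAT in p for p in active):
            composite[REPEAT] = 0
        consec = [p[CONSEC] for p in active if CONSEC in p]
        if consec:
            composite[CONSEC] = most_restrictive(CONSEC, consec)
    return composite


def effective_policy(global_policy: Policy, individual: Any,
                     group_policies: List[Optional[Policy]]) -> Optional[Policy]:
    """Per attribute: individual, then composite group, then global, then default.
    `individual` is a policy dict, None, or NO_PWD_POLICY (user exempt)."""
    if global_policy.get("ibm-pwdPolicy") is not True:
        return None                      # nothing is enforced without the global switch
    if individual == NO_PWD_POLICY:
        return None                      # cn=noPwdPolicy exempts the user entirely
    layers = [global_policy]
    if global_policy.get("ibm-pwdGroupAndIndividualEnabled") is True:
        composite = composite_group_policy(group_policies)
        if composite is None and not individual:
            return None                  # rule 2: not even the global policy applies
        if composite:
            layers.insert(0, composite)
        if individual:
            layers.insert(0, individual)
    effective: Policy = dict(DEFAULTS)
    for layer in reversed(layers):       # global first; the individual policy overrides last
        effective.update(layer)
    effective["ibm-pwdPolicy"] = True
    return effective
```

Feeding the three group policies of the first row of Table 2 into `composite_group_policy` reproduces that row's composite, and the first row of Table 3 is reproduced by `effective_policy` when the global entry has ibm-pwdGroupAndIndividualEnabled set to True; a global entry with ibm-pwdPolicy False yields no effective policy at all, which is the behaviour described under "Evaluation of a user's Effective Password Policy".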

Password policy attributes

The password policy feature provides several operational attributes containing the password policy state information for a given directory entry. These attributes can be used to query for entries in a particular state (for example, entries whose password has expired) and by an administrator to override certain policy conditions (for example, to unlock a locked account). See Appendix H. Password policy operational attributes.

Summary of default settings

The following table shows default password policy settings for user passwords.
Table 4. User password policy settings

| Web Administration Tool parameter | Attribute | Default setting |
|---|---|---|
| Password policy enabled | ibm-pwdPolicy | false |
| Password encryption | ibm-slapdPwEncryption | sha |
| Users must specify old password when changing the password | pwdSafeModify | false |
| User must change password after reset | pwdMustChange | true |
| Password expiration | pwdMaxAge | 0 |
| Number of grace logins after expiration | pwdGraceLoginLimit | 0 |
| Account is locked out after a specified number of consecutive failed bind attempts | pwdLockout | false |
| Number of consecutive failed bind attempts before locking out the account | pwdMaxFailure | 0 |
| Minimum time between password changes | pwdMinAge | 0 |
| Amount of time before an account lockout expires, or lockouts never expire | pwdLockoutDuration | 0 |
| Amount of time before an incorrect login expires, or incorrect logins are cleared only by a correct password | pwdFailureCountInterval | 0 |
| Minimum number of passwords before reuse | pwdInHistory | 0 |
| Check password syntax | pwdCheckSyntax | 0 |
| Minimum length | pwdMinLength | 0 |
| Minimum number of alphabetic characters | passwordMinAlphaChars | 0 |
| Minimum number of numeric and special characters | passwordMinOtherChars | 0 |
| Maximum number of repeated characters | passwordMaxRepeatedChars | 0 |
| Minimum number of characters that must be different from the old password | passwordMinDiffChars | 0 |
| Maximum number of consecutive repeated characters | passwordMaxConsecutiveRepeatedChars | 0 |

All users except the directory administrator, members of the administrative group and the master server DN are forced to comply with the configured user password policy. The passwords for the administrator, members of the administrative group and the master server DN never expire. The directory administrator, members of the administrative group and the master server DN have sufficient access control privileges to modify users' passwords and the user password policy. Global administration group members are subject to user password policy and have the authority to modify the user password policy settings.

Configuration

You can configure behavior of the server with respect to passwords in the following areas:

  • A global "on/off" switch for enabling or disabling password policy
  • Rules for changing passwords, including:
    • Users can change their own passwords. Note that this policy applies in addition to any access control. That is, access control must give a user authority to change the userPassword attribute, as well as password policy allowing users to change their own passwords. If this policy is disabled, users cannot change their own passwords. Only an administrator or other user with authority to change the userPassword attribute can change the password for an entry.
    • Passwords must be changed after reset. If this policy is enabled, when a password is changed by anybody other than that user, the password is marked as reset and must be changed by the user before they can perform other directory operations. A bind request with a reset password is successful. To be notified that the password has been reset and must be changed, the application must be password policy aware.
    • Users must send old password when changing password. If this policy is enabled, a password can be changed only by a modify request that includes both a delete of the userPassword attribute (with the old value) and an add of the new userPassword value. This ensures that only a user who knows their password can change it. The administrator, or other users authorized to change the userPassword attribute can always set the password.
  • Rules for password expiration, including:
    • Passwords never expire, or passwords expire a configurable time after they were last changed.
    • Do not warn users when a password expires, or warn users a configurable time before the password expires. To be warned of approaching password expiration, the application must be password policy aware.
    • Allow a configurable number of grace logins after the user's password has expired. A password policy aware application will be notified of the number of remaining grace logins. If no grace logins are allowed, a user cannot authenticate or change their own password once it has expired.
  • Rules for password validation, including:
    • A configurable password history size, which tells the server to keep a history of the last N passwords and reject passwords that have been previously used.
    • Password syntax checking, including a setting for how the server should behave when passwords are hashed. This setting affects whether the server should ignore the policy under either of the following conditions:
      • The server is storing hashed passwords.
      • A client presents a hashed password to the server (this can happen when transferring entries between servers using an LDIF file if the source server stores hashed passwords).

      In either of these cases the server might not be able to apply all syntax rules. The following syntax rules are supported: Minimum length, minimum number of alphabetic characters, minimum number of numeric or special characters, number of repeated characters, and number of characters in which the password must differ from the previous password.

  • Rules for failed logins, including:
    • A minimum time allowed between password changes, which prevents users from quickly cycling through a set of passwords to get back to their original password.
    • A maximum number of failed login attempts before the account is locked.
    • A configurable password lockout duration. After this time, a previously locked account can be used again. This helps to lock out an attacker attempting to crack a password, while still letting a user who has forgotten their password recover.
    • A configurable time for which the server keeps track of failed login attempts. If the maximum number of failed login attempts occurs within this time, the account is locked. Once this time has expired, the server discards information about previous failed login attempts for the account.
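The following Python is an added example of the password validation rules listed above (minimum length, minimum alphabetic characters, minimum numeric or special characters, repeated and consecutively repeated characters, and characters that must differ from the previous password), together with the pwdCheckSyntax behaviour when the value presented is already hashed. It is not Directory Server code. Two details are assumptions: a pre-hashed value is recognised by an RFC 2307 style `{scheme}` prefix, and "characters that differ from the old password" is counted as the characters of the new password that do not occur anywhere in the old one. The returned error names are the ones the password policy response control uses.

```python
"""Password syntax checking per the validation rules above (added example,
not Directory Server code)."""
from collections import Counter
from typing import Any, Dict, List, Optional, Tuple


def is_hashed(value: str) -> bool:
    """Assumption: a pre-hashed value carries an RFC 2307 style scheme prefix
    such as '{SHA}', as in an LDIF export from a server that stores hashes."""
    return value.startswith("{") and "}" in value


def longest_run(s: str) -> int:
    """Length of the longest run of one character repeated consecutively."""
    best = run = 0
    for i, ch in enumerate(s):
        run = run + 1 if i and s[i - 1] == ch else 1
        best = max(best, run)
    return best


def check_syntax(policy: Dict[str, Any], new_password: str,
                 old_password: Optional[str] = None) -> Tuple[Optional[str], List[str]]:
    """Returns (error, reasons); error is None, 'passwordTooShort' or
    'invalidPasswordSyntax', the names used by the response control."""
    mode = policy.get("pwdCheckSyntax", 0)
    if mode == 0:
        return None, []                            # syntax checking disabled
    if is_hashed(new_password):
        # The server cannot inspect a hash: 1 = accept anyway, 2 = reject.
        if mode == 1:
            return None, []
        return "invalidPasswordSyntax", ["cannot check the syntax of a hashed password"]
    min_len = policy.get("pwdMinLength", 0)
    if min_len and len(new_password) < min_len:
        return "passwordTooShort", [f"length {len(new_password)} < pwdMinLength {min_len}"]
    reasons: List[str] = []
    alpha = sum(1 for c in new_password if c.isalpha())
    other = len(new_password) - alpha              # numeric and special characters
    if alpha < policy.get("passwordMinAlphaChars", 0):
        reasons.append(f"{alpha} alphabetic characters < passwordMinAlphaChars")
    if other < policy.get("passwordMinOtherChars", 0):
        reasons.append(f"{other} numeric/special characters < passwordMinOtherChars")
    max_rep = policy.get("passwordMaxRepeatedChars", 0)
    if max_rep and max(Counter(new_password).values(), default=0) > max_rep:
        reasons.append("a character occurs more than passwordMaxRepeatedChars times")
    max_consec = policy.get("passwordMaxConsecutiveRepeatedChars", 0)
    if max_consec and longest_run(new_password) > max_consec:
        reasons.append("a character repeats more than passwordMaxConsecutiveRepeatedChars times in a row")
    min_diff = policy.get("passwordMinDiffChars", 0)
    if min_diff and old_password is not None:
        # Assumption: "different" = characters of the new password absent from the old one.
        diff = len(set(new_password) - set(old_password))
        if diff < min_diff:
            reasons.append(f"only {diff} characters differ from the old password")
    return ("invalidPasswordSyntax" if reasons else None), reasons
```

With passwordMaxConsecutiveRepeatedChars set to 1 and nothing else, `check_syntax` accepts 'aba' and rejects 'aab', matching the example given under rule 5; with pwdCheckSyntax set to 1 a hashed value is accepted without checks, and with 2 it is rejected.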

The password policy settings for the directory server are stored in the object "cn=pwdpolicy, cn=ibmpolicies", which looks like this:

cn=pwdpolicy, cn=ibmpolicies  
objectclass=container 
objectclass=pwdPolicy 
objectclass=ibm-pwdPolicyExt 
objectclass=ibm-pwdGroupAndIndividualPolicies
objectclass=top 
cn=pwdPolicy 
pwdExpireWarning=0 
pwdGraceLoginLimit=0 
passwordMaxRepeatedChars=0 
pwdSafeModify=false 
pwdattribute=userpassword 
pwdinhistory=0 
pwdchecksyntax=0 
passwordminotherchars=0 
passwordminalphachars=0 
pwdminlength=0 
passwordmindiffchars=0 
pwdminage=0 
pwdmaxage=0 
pwdallowuserchange=true 
pwdlockoutduration=0 
ibm-pwdpolicy=true 
pwdlockout=true 
pwdmaxfailure=2 
pwdfailurecountinterval=0 
pwdmustchange=false 
ibm-pwdGroupAndIndividualEnabled=false
ibm-pwdPolicyStartTime=20071021141828Z
passwordMaxConsecutiveRepeatedChars=0

Password policy aware applications

The Directory Server password policy support includes a set of LDAP controls which can be used by a password policy aware application to receive notification of additional password policy related conditions.

An application can be informed of the following warning conditions:

  • Time remaining before password expiration
  • Number of grace logins remaining after the password has expired

An application can also be informed of the following error conditions:

  • Password has expired
  • Account is locked
  • Password has been reset and must be changed
  • User is not allowed to change their password
  • Old password must be supplied when changing password
  • New password violates syntax rules
  • New password is too short
  • Password has been changed too recently
  • New password is in history

Two controls are used. A password policy request control is used to inform the server that the application wishes to be informed of password policy related conditions. This control must be specified by the application on all operations for which it is interested, typically the initial bind request and any password change requests. If the password policy request control is present, a password policy response control is returned by the server when any of the above error conditions are present.

The Directory Server client APIs include a set of APIs which can be used by C applications to work with these controls. These APIs are:

  • ldap_parse_pwdpolicy_response
  • ldap_pwdpolicy_err2string

For applications not using these APIs, the controls are defined below. You must use the capabilities provided by the LDAP client APIs being used to process the controls. For example, the Java™ Naming and Directory Interface (JNDI) has built-in support for some well-known controls, and also provides a framework for supporting controls that JNDI does not recognize.

Password Policy Request Control

Control name: 1.3.6.1.4.1.42.2.27.8.5.1 
Control criticality: FALSE 
Control value: None

Password Policy Response Control

Control name: 1.3.6.1.4.1.42.2.27.8.5.1 (same as the request control) 
Control criticality: FALSE 
Control value: A BER encoded value defined in ASN.1 as follows:

  PasswordPolicyResponseValue ::= SEQUENCE {
      warning  [0] CHOICE OPTIONAL {
          timeBeforeExpiration  [0] INTEGER (0 .. maxInt),
          graceLoginsRemaining  [1] INTEGER (0 .. maxInt) },
      error    [1] ENUMERATED OPTIONAL {
          passwordExpired        (0),
          accountLocked          (1),
          changeAfterReset       (2),
          passwordModNotAllowed  (3),
          mustSupplyOldPassword  (4),
          invalidPasswordSyntax  (5),
          passwordTooShort       (6),
          passwordTooYoung       (7),
          passwordInHistory      (8) } }

Like other LDAP protocol elements, the BER encoding uses implicit tagging.
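For applications that do not use ldap_parse_pwdpolicy_response, the following Python is an added example of encoding and decoding the response control value by hand from the ASN.1 above; it is not Directory Server code and not the C API. It relies only on the definition as printed: the SEQUENCE is tag 0x30; the `warning` component is a CHOICE, which cannot take an implicit tag, so its [0] is encoded as a constructed context tag (0xA0) wrapping the chosen alternative (implicit [0] or [1], primitive 0x80/0x81); the `error` component is an implicitly tagged ENUMERATED (primitive 0x81). The warning and error names come from the ASN.1 and nothing else is assumed.

```python
"""Encode and decode PasswordPolicyResponseValue (BER, implicit tagging).
Added example; not Directory Server code."""
from typing import Dict, Optional, Tuple

CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"
WARNINGS = ["timeBeforeExpiration", "graceLoginsRemaining"]          # CHOICE tags [0], [1]
ERRORS = ["passwordExpired", "accountLocked", "changeAfterReset",      # ENUMERATED 0..8
          "passwordModNotAllowed", "mustSupplyOldPassword", "invalidPasswordSyntax",
          "passwordTooShort", "passwordTooYoung", "passwordInHistory"]


def _length(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _integer(n: int) -> bytes:
    """Minimal two's-complement content for a non-negative INTEGER/ENUMERATED."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return (b"\x00" if body[0] & 0x80 else b"") + body   # keep the sign bit clear


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _length(len(content)) + content


def encode(warning: Optional[Tuple[str, int]] = None, error: Optional[str] = None) -> bytes:
    content = b""
    if warning is not None:
        kind, value = warning
        # [0] CHOICE: explicit constructed tag 0xA0 around the implicit alternative.
        content += _tlv(0xA0, _tlv(0x80 + WARNINGS.index(kind), _integer(value)))
    if error is not None:
        content += _tlv(0x81, _integer(ERRORS.index(error)))   # [1] ENUMERATED, implicit
    return _tlv(0x30, content)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def decode(value: bytes) -> Dict[str, object]:
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("not a PasswordPolicyResponseValue SEQUENCE")
    result: Dict[str, object] = {"warning": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag == 0xA0:                                   # warning [0] CHOICE
            inner_tag, inner, _ = _read_tlv(content, 0)
            if inner_tag not in (0x80, 0x81):
                raise ValueError(f"unknown warning alternative 0x{inner_tag:02x}")
            result["warning"] = (WARNINGS[inner_tag - 0x80],
                                 int.from_bytes(inner, "big", signed=True))
        elif tag == 0x81:                                 # error [1] ENUMERATED
            code = int.from_bytes(content, "big", signed=True)
            if not 0 <= code < len(ERRORS):
                raise ValueError(f"unknown error code {code}")
            result["error"] = ERRORS[code]
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in response value")
    return result
```

A response carrying timeBeforeExpiration of 3600 seconds encodes as the bytes `30 06 a0 04 80 02 0e 10`, and accountLocked alone as `30 03 81 01 01`; `decode` raises ValueError on anything that is not a well-formed value of this type, which is the check a client should make before trusting the warning or error it reports to the user.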

Password policy operational attributes

The Directory Server maintains a set of operational attributes for each entry that has a userPassword attribute. These attributes can be searched by authorized users, either used in search filters, or returned by the search request. These attributes are:

  • pwdChangedTime - A GeneralizedTime attribute containing the time the password was last changed.
  • pwdAccountLockedTime - A GeneralizedTime attribute containing the time at which the account was locked. If the account is not locked, this attribute is not present.
  • pwdExpirationWarned - A GeneralizedTime attribute containing the time at which the password expiration warning was first sent to the client.
  • pwdFailureTime - A multi-valued GeneralizedTime attribute containing the times of previous consecutive login failures. If the last login was successful, this attribute is not present.
  • pwdGraceUseTime - A multi-valued GeneralizedTime attribute containing the times of the previous grace logins.
  • pwdReset - A Boolean attribute containing the value TRUE if the password has been reset and must be changed by the user.
  • ibm-pwdAccountLocked - A Boolean attribute indicating that the account has been administratively locked.
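The following Python is an added example of reading these operational attributes, together with the failed-login and expiration settings from the Configuration section, to report an entry's password state without binding as the user: whether the password is expired and how many grace logins remain, whether an expiration warning is due, whether the account is locked (administratively, or by pwdAccountLockedTime still inside pwdLockoutDuration), and how many failed binds fall within pwdFailureCountInterval. It is not Directory Server code; the entry and policy values are plain dictionaries as a search result would be mapped into them, the sample entries are constructed, and the filter helper assumes the server allows an ordering match on pwdChangedTime.

```python
"""Password state of an entry from its operational attributes (added example,
not Directory Server code)."""
from datetime import datetime, timedelta, timezone
from typing import Any, Dict


def parse_gt(value: str) -> datetime:
    """GeneralizedTime as the server writes it, e.g. 20071021141828Z (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def format_gt(dt: datetime) -> str:
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def account_state(entry: Dict[str, Any], policy: Dict[str, Any], now: datetime) -> Dict[str, Any]:
    """entry: operational attributes (multi-valued ones as lists);
    policy: the user's effective password policy values."""
    state: Dict[str, Any] = {"locked": False, "expired": False, "warning": None,
                             "grace_remaining": None, "failures_counted": 0,
                             "failures_remaining": None,
                             "must_change": bool(entry.get("pwdReset", False))}
    # Administrative lock, or a lockout that is still within pwdLockoutDuration
    # (0 = locked until an administrator resets the password).
    if entry.get("ibm-pwdAccountLocked"):
        state["locked"] = True
    locked_at = entry.get("pwdAccountLockedTime")
    if locked_at and policy.get("pwdLockout"):
        duration = policy.get("pwdLockoutDuration", 0)
        if duration == 0 or now < parse_gt(locked_at) + timedelta(seconds=duration):
            state["locked"] = True
    # Failed binds: only those inside pwdFailureCountInterval count (0 = all of them,
    # until a successful authentication clears pwdFailureTime).
    interval = policy.get("pwdFailureCountInterval", 0)
    failures = [parse_gt(t) for t in entry.get("pwdFailureTime", [])]
    if interval:
        failures = [t for t in failures if t >= now - timedelta(seconds=interval)]
    state["failures_counted"] = len(failures)
    max_fail = policy.get("pwdMaxFailure", 0)
    if policy.get("pwdLockout") and max_fail:
        state["failures_remaining"] = max(0, max_fail - len(failures))
    # Expiration: pwdChangedTime + pwdMaxAge (0 = never expires), with the warning
    # window and grace logins reported the way the response control would.
    max_age = policy.get("pwdMaxAge", 0)
    changed = entry.get("pwdChangedTime")
    if max_age and changed:
        remaining = int((parse_gt(changed) + timedelta(seconds=max_age) - now).total_seconds())
        if remaining <= 0:
            state["expired"] = True
            limit = policy.get("pwdGraceLoginLimit", 0)          # 0 = no grace logins
            state["grace_remaining"] = max(0, limit - len(entry.get("pwdGraceUseTime", [])))
        elif policy.get("pwdExpireWarning", 0) and remaining <= policy["pwdExpireWarning"]:
            state["warning"] = remaining                          # seconds before expiration
    return state


def expired_password_filter(policy: Dict[str, Any], now: datetime) -> str:
    """Search filter for entries whose password is older than pwdMaxAge.
    Assumes the server supports an ordering match on pwdChangedTime."""
    cutoff = now - timedelta(seconds=policy["pwdMaxAge"])
    return f"(pwdChangedTime<={format_gt(cutoff)})"


if __name__ == "__main__":
    # Constructed sample: a policy of one-day expiry with a one-hour warning,
    # two grace logins, lockout after five failures within ten minutes for 30 minutes.
    policy = {"pwdMaxAge": 86400, "pwdExpireWarning": 3600, "pwdGraceLoginLimit": 2,
              "pwdLockout": True, "pwdMaxFailure": 5, "pwdLockoutDuration": 1800,
              "pwdFailureCountInterval": 600}
    now = parse_gt("20071022141828Z")
    entry = {"pwdChangedTime": "20071021150000Z", "pwdAccountLockedTime": "20071022135000Z",
             "pwdFailureTime": ["20071022141000Z", "20071022140000Z", "20071022120000Z"],
             "pwdReset": True}
    print(account_state(entry, policy, now))
    print(expired_password_filter(policy, now))
```

Because password policy state is replicated (see "Replication of Password Policy"), the same report can be produced from a consumer's copy of the entries; the one thing it cannot see is a state change made on a read-only replica, which does not replicate back.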

Replication of Password Policy

Password policy information is replicated by supplier servers to consumers. Changes to the entry cn=pwdpolicy are replicated as global changes, like changes to the schema. Password policy state information for individual entries is also replicated, so that, for example, if an entry is locked on a supplier server, that action will be replicated to any consumers. Password policy state changes on a read-only replica do not replicate to any other servers, however.