Password policy
With the use of LDAP servers for authentication, it is important that an LDAP server supports policies regarding password expiration, failed login attempts, and password rules. Directory Server provides configurable support for all three of these kinds of policies.
Password policy is a set of rules that controls how passwords are used and administered in the IBM Directory. These rules are made to ensure that users change their passwords periodically, and that the passwords meet the organization's syntactic password requirements. These rules can also restrict the reuse of old passwords and ensure that users are locked out after a defined number of failed bind attempts.
For additional information about passwords see Password Guidelines.
Directory Server provides three types of password policies: individual, group, and global password policies.
Global Password Policy
When the global password policy entry (cn=pwdpolicy,cn=ibmpolicies) is created by the server, the attribute ibm-pwdPolicy is set to FALSE, its default value. This means that all password policy entries are ignored by the server. The server enforces the password rules only when the ibm-pwdPolicy attribute is set to TRUE. When a global password policy is enforced and the ibm-pwdGroupAndIndividualEnabled attribute in cn=pwdpolicy,cn=ibmpolicies is set to TRUE, the group and individual password policies are also considered when evaluating the password policy.
Group Password Policy
The group password policy enables the members of a group to be controlled by a set of special password rules. For a group password policy, the ibm-pwdGroupPolicyDN attribute, pointing to a password policy entry, can be added to any user group object, such as accessGroup, accessRole, or groupOfNames.
Because a user entry may belong to more than one group, multiple group password policy entries are evaluated before the user's group policy can be determined. To evaluate a composite group policy, the group password policy entries are combined to form a union of attributes, with the most restrictive attribute values taking precedence.
Individual Password Policy
Password Evaluation
To evaluate a user's effective password policy, all password policies associated with the user are taken into consideration, starting with the individual password policy. Next, the group password policy is considered, and finally the global password policy. If an attribute is not defined in the individual password policy entry, it is looked up in the composite group password policy entry. If it is not found in the composite group policy entry, the attribute in the global password policy entry is used. If the attribute is not defined in the global password policy entry either, the default value is assumed.
Evaluation of a user's Group Password Policy
- If ibm-pwdPolicy is set to False in a password policy entry, no attributes defined in that entry are used to determine the composite group password policy. If the attribute is not set, the default value of False is assumed.
- If ibm-pwdGroupPolicyDN has the value cn=noPwdPolicy in all the groups that a user belongs to, no composite group password policy is evaluated for the user. In this case, unless the user has an individual password policy defined, no policy (not even the global one) is applied.
- An attribute defined with a non-default value is more restrictive than one defined with a default value, which in turn is more restrictive than an attribute that is not defined at all.
- The password policy attributes passwordMinAlphaChars, pwdMinLength, and passwordMinOtherChars are interdependent. For instance, the value of passwordMinAlphaChars must be less than or equal to the value of pwdMinLength minus the value of passwordMinOtherChars. Because of this interdependency, if one of these attributes is selected from a policy, the other two are also selected from the same policy. The order of selection is pwdMinLength, passwordMinOtherChars, and then passwordMinAlphaChars: the selection is based on picking the largest value for pwdMinLength. If two group policies have the same value for pwdMinLength, the one with the largest value for passwordMinOtherChars is selected. Once one attribute is selected, the other two are selected automatically from the same policy.
- The passwordMaxConsecutiveRepeatedChars attribute restricts the maximum number of successive repetitions of a given character in the password. passwordMaxRepeatedChars and passwordMaxConsecutiveRepeatedChars can each be enabled or disabled independently of the other. However, if both attributes are enabled, the following rules apply:
  - The value of passwordMaxRepeatedChars must be greater than or equal to the value of passwordMaxConsecutiveRepeatedChars.
  - If multiple password policies are enabled, passwordMaxConsecutiveRepeatedChars is taken from the same policy as passwordMaxRepeatedChars. If passwordMaxRepeatedChars is disabled in all policies, the most restrictive value of passwordMaxConsecutiveRepeatedChars is used.
  - If passwordMaxConsecutiveRepeatedChars is set to 0, the number of consecutive repeated characters is not checked. If it is set to 1, a given character cannot be immediately followed by the same character: 'aba' is a valid password value, but 'aab' is not. Similarly, if it is set to 2, a character can occur at most twice in a row.
- Attributes in all the group password policy entries are combined to form a union of attributes, with the most restrictive attribute values taking precedence. The following table describes how the most restrictive attribute values are determined.

Table 1. Determining the most restrictive attribute values

Pwd Policy Attribute | More restrictive value | Valid values | Default values |
---|---|---|---|
pwdAttribute | N/A | userPassword | userPassword |
pwdMinAge | Greater | Greater than or equal (GE) to 0 | 0 - no age limit |
pwdMaxAge | Less | GE 0 | 0 - password does not expire |
pwdInHistory | Greater | 0 to 10 | 0 - no password history |
pwdCheckSyntax | Greater | 0, 1, 2 (1 - if the server is not able to check the syntax, accept the password; 2 - if the server is not able to check the syntax, reject the password) | 0 |
pwdMinLength | Greater | GE 0 | 0 - no minimum length |
pwdExpireWarning | Greater | GE 0 | 0 - no warnings will be sent |
pwdGraceLoginLimit | Less | GE 0 | 0 - no grace login |
pwdLockout | True | True/False | False |
pwdLockoutDuration | Greater | GE 0 | 0 - locked out until reset |
pwdMaxFailure | Less | GE 0 | 0 - no failure count, no lockout |
pwdFailureCountInterval | Greater | GE 0 | 0 - no count, reset by successful authentication |
pwdMustChange | True | True/False | True/False if cn=noPwdPolicy |
pwdAllowUserChange | True | True/False | True |
pwdSafeModify | True | True/False | False |
ibm-pwdPolicy | True | True/False | False |
passwordMinAlphaChars | Greater | GE 0 | 0 - no minimum number of alphabetic characters is enforced |
passwordMinOtherChars | Greater | GE 0 | 0 - no minimum number of other characters |
passwordMaxRepeatedChars | Less | GE 0 | 0 - no maximum number of repeated characters |
passwordMaxConsecutiveRepeatedChars | Less | GE 0 | 0 - no maximum number of consecutive repeated characters |
passwordMinDiffChars | Greater | GE 0 | 0 - no minimum number of different characters between passwords |

Group X password policy | Group Y password policy | Group Z password policy | Composite group password policy |
---|---|---|---|
pwdMaxAge = 86400, pwdSafeModify = True, pwdMaxFailure = 5, ibm-pwdPolicy = True, ibm-pwdPolicyStartTime = 20060406200000 | pwdMaxAge = 43200, pwdSafeModify = False, ibm-pwdPolicy = True, ibm-pwdPolicyStartTime = 20060306200000 | pwdCheckSyntax = 1, ibm-pwdPolicy = True, ibm-pwdPolicyStartTime = 20060506200000 | pwdMaxAge = 43200, pwdSafeModify = True, pwdCheckSyntax = 1, pwdMaxFailure = 5, ibm-pwdPolicy = True, ibm-pwdPolicyStartTime = 20060306200000 |
pwdMaxAge = 86400, ibm-pwdPolicy = True | pwdMaxAge = 43200, pwdSafeModify = True | pwdMaxAge = 0, ibm-pwdPolicy = True | pwdMaxAge = 86400, pwdSafeModify = False, ibm-pwdPolicy = True. Note: Group Y's password policy is not used in calculating the composite group policy, because its ibm-pwdPolicy is not defined and therefore defaults to FALSE. |
pwdMinLength = 10, passwordMinOtherChars = 4, passwordMinAlphaChars = 6, ibm-pwdPolicy = True | pwdMinLength = 12, ibm-pwdPolicy = True | | pwdMinLength = 12, ibm-pwdPolicy = True |
pwdMinLength = 10, passwordMinOtherChars = 4, passwordMinAlphaChars = 6, ibm-pwdPolicy = True | pwdMinLength = 10, passwordMinOtherChars = 5, passwordMinAlphaChars = 3, ibm-pwdPolicy = True | | pwdMinLength = 10, passwordMinOtherChars = 5, passwordMinAlphaChars = 3, ibm-pwdPolicy = True |
passwordMaxConsecutiveRepeatedChars = 0, passwordMaxRepeatedChars = 5, ibm-pwdPolicy = True | passwordMaxConsecutiveRepeatedChars = 2, ibm-pwdPolicy = True | passwordMaxRepeatedChars = 3, ibm-pwdPolicy = True | passwordMaxRepeatedChars = 3, passwordMaxConsecutiveRepeatedChars = 0, ibm-pwdPolicy = True |
passwordMaxConsecutiveRepeatedChars = 4, passwordMaxRepeatedChars = 0, ibm-pwdPolicy = True | passwordMaxConsecutiveRepeatedChars = 1, passwordMaxRepeatedChars = 0, ibm-pwdPolicy = True | | passwordMaxConsecutiveRepeatedChars = 1, passwordMaxRepeatedChars = 0, ibm-pwdPolicy = True |
passwordMaxConsecutiveRepeatedChars = 4, passwordMaxRepeatedChars = 2, ibm-pwdPolicy = True | passwordMaxConsecutiveRepeatedChars = 2, passwordMaxRepeatedChars = 3, ibm-pwdPolicy = True | | passwordMaxConsecutiveRepeatedChars = 4, passwordMaxRepeatedChars = 2, ibm-pwdPolicy = True |
Evaluation of a user's Effective Password Policy
A user's effective password policy is evaluated only if the ibm-pwdPolicy attribute is set to TRUE in the global password policy entry. Other password policies, such as individual and group policy, can still be enabled when the global policy is disabled, but these policy rules will have no effect on the user.
The attribute ibm-pwdPolicyStartTime is set to the current system time when ibm-pwdPolicy is set to TRUE. This can be done even if the global password policy entry is set to FALSE. However, the ibm-pwdPolicyStartTime value will not be used for effective policy evaluation unless the global policy is enabled. Once the global policy is enabled, the value of this attribute will be selected from a user's individual, then group and then the global policy. Since ibm-pwdPolicyStartTime exists in every active password policy, the start time of an individual policy, if it exists, will always override any other policy start time as the start time of the user's effective password policy.
Given below is a set of examples that explain how a user's effective password policy is determined.
Individual password policy | Group password policy | Global password policy | Effective password policy |
---|---|---|---|
pwdMaxAge = 86400, ibm-pwdPolicy = True, pwdMinAge = 21600, pwdLockout = True, ibm-pwdPolicyStartTime = 20060406200000 | pwdMaxAge = 43200, ibm-pwdPolicy = True, pwdInHistory = 5, ibm-pwdPolicyStartTime = 20060306200000 | ibm-pwdPolicy = True, pwdMinAge = 43200, pwdInHistory = 3, pwdCheckSyntax = 0, pwdMinLength = 0, pwdExpireWarning = 0, pwdGraceLoginLimit = 0, pwdLockoutDuration = 0, pwdMaxFailure = 0, pwdFailureCountInterval = 0, passwordMinAlphaChars = 0, passwordMinOtherChars = 0, passwordMaxRepeatedChars = 0, passwordMinDiffChars = 0, pwdLockout = False, pwdAllowUserChange = True, pwdMustChange = True, pwdSafeModify = False, ibm-pwdPolicyStartTime = 20060506200000 | pwdMaxAge = 86400, ibm-pwdPolicy = True, pwdMinAge = 21600, pwdInHistory = 5, pwdCheckSyntax = 0, pwdMinLength = 0, pwdExpireWarning = 0, pwdGraceLoginLimit = 0, pwdLockoutDuration = 0, pwdMaxFailure = 0, pwdFailureCountInterval = 0, passwordMinAlphaChars = 0, passwordMinOtherChars = 0, passwordMaxRepeatedChars = 0, passwordMinDiffChars = 0, pwdLockout = True, pwdAllowUserChange = True, pwdMustChange = True, pwdSafeModify = False, ibm-pwdPolicyStartTime = 20060406200000 |
pwdMaxAge = 86400, ibm-pwdPolicy = True, pwdMinAge = 21600, pwdMinLength = 8, pwdLockout = True, ibm-pwdPolicyStartTime = 20060406200000 | pwdMaxAge = 43200, ibm-pwdPolicy = True, pwdInHistory = 5, ibm-pwdPolicyStartTime = 20060306200000 | ibm-pwdPolicy = True, pwdMinAge = 0, pwdInHistory = 3 | pwdMaxAge = 86400, ibm-pwdPolicy = True, pwdMinAge = 21600, pwdInHistory = 5, pwdCheckSyntax = 0, pwdMinLength = 8, pwdExpireWarning = 0, pwdGraceLoginLimit = 0, pwdLockoutDuration = 0, pwdMaxFailure = 0, pwdFailureCountInterval = 0, passwordMinAlphaChars = 0, passwordMinOtherChars = 0, passwordMaxRepeatedChars = 0, passwordMinDiffChars = 0, pwdLockout = True, pwdAllowUserChange = True, pwdMustChange = True, pwdSafeModify = False, ibm-pwdPolicyStartTime = 20060406200000 |
passwordMaxConsecutiveRepeatedChars = 1, passwordMaxRepeatedChars = 0, ibm-pwdPolicy = True | passwordMaxConsecutiveRepeatedChars = 1, passwordMaxRepeatedChars = 10, ibm-pwdPolicy = True | passwordMaxRepeatedChars = 4, ibm-pwdPolicy = True | passwordMaxConsecutiveRepeatedChars = 1, passwordMaxRepeatedChars = 0, ibm-pwdPolicy = True |
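The composite-group and effective-policy rules above, worked through in code. This is an added example and not Directory Server code: the directions and defaults of Table 1 and the interdependency rules are modelled on plain dictionaries (attribute name to value, an absent key meaning "not defined"), a group whose ibm-pwdGroupPolicyDN is cn=noPwdPolicy is passed as the string "cn=noPwdPolicy", the ibm-pwdGroupAndIndividualEnabled gate of the global entry is honoured, and ibm-pwdPolicyStartTime is left out. The rows of the two example tables are the intended inputs.

```python
"""Composite group and effective password policy evaluation.

Added example, not Directory Server code: it models the selection rules
described on this page. A policy is a dict of attribute -> value; an
absent key means the attribute is not defined in that entry. A group
whose ibm-pwdGroupPolicyDN is cn=noPwdPolicy is passed as that string.
ibm-pwdPolicyStartTime is not modelled.
"""
from typing import Any, Dict, List, Optional, Union

Policy = Dict[str, Any]
NO_PWD_POLICY = "cn=noPwdPolicy"

# Table 1: direction in which a value is "more restrictive", and the default.
RULES: Dict[str, tuple] = {
    "pwdMinAge": ("greater", 0), "pwdMaxAge": ("less", 0),
    "pwdInHistory": ("greater", 0), "pwdCheckSyntax": ("greater", 0),
    "pwdMinLength": ("greater", 0), "pwdExpireWarning": ("greater", 0),
    "pwdGraceLoginLimit": ("less", 0), "pwdLockout": ("true", False),
    "pwdLockoutDuration": ("greater", 0), "pwdMaxFailure": ("less", 0),
    "pwdFailureCountInterval": ("greater", 0), "pwdMustChange": ("true", True),
    "pwdAllowUserChange": ("true", True), "pwdSafeModify": ("true", False),
    "passwordMinAlphaChars": ("greater", 0), "passwordMinOtherChars": ("greater", 0),
    "passwordMaxRepeatedChars": ("less", 0),
    "passwordMaxConsecutiveRepeatedChars": ("less", 0),
    "passwordMinDiffChars": ("greater", 0),
}
# Attribute sets that are always taken together from one policy entry.
LENGTH_GROUP = ("pwdMinLength", "passwordMinOtherChars", "passwordMinAlphaChars")
REPEAT_GROUP = ("passwordMaxRepeatedChars", "passwordMaxConsecutiveRepeatedChars")


def _most_restrictive(direction: str, values: list, default: Any) -> Optional[Any]:
    """Most restrictive of the defined values. A non-default value beats a
    default one, which beats 'not defined' (reported as None)."""
    if not values:
        return None
    if direction == "true":
        return True if True in values else values[0]
    if direction == "greater":
        return max(values)
    non_default = [v for v in values if v != default]   # "less"
    return min(non_default) if non_default else default


def composite_group_policy(groups: List[Union[Policy, str]]) -> Policy:
    """Union of the active group policies, most restrictive value winning."""
    active = [g for g in groups if isinstance(g, dict) and g.get("ibm-pwdPolicy")]
    if not active:
        return {}
    result: Policy = {"ibm-pwdPolicy": True}
    for attr, (direction, default) in RULES.items():
        if attr in LENGTH_GROUP or attr in REPEAT_GROUP:
            continue                      # selected as a set below
        picked = _most_restrictive(direction, [g[attr] for g in active if attr in g], default)
        if picked is not None:
            result[attr] = picked
    # Largest pwdMinLength wins (ties: largest passwordMinOtherChars), and all
    # three length attributes come from that entry.
    with_len = [g for g in active if "pwdMinLength" in g]
    if with_len:
        best = max(with_len, key=lambda g: (g["pwdMinLength"], g.get("passwordMinOtherChars", 0)))
        result.update({a: best[a] for a in LENGTH_GROUP if a in best})
    # Smallest enabled passwordMaxRepeatedChars wins and brings the consecutive
    # limit from the same entry; if it is disabled everywhere, the most
    # restrictive consecutive limit is taken on its own.
    with_rep = [g for g in active if g.get("passwordMaxRepeatedChars", 0) > 0]
    if with_rep:
        best = min(with_rep, key=lambda g: g["passwordMaxRepeatedChars"])
        result["passwordMaxRepeatedChars"] = best["passwordMaxRepeatedChars"]
        result["passwordMaxConsecutiveRepeatedChars"] = best.get(
            "passwordMaxConsecutiveRepeatedChars", 0)
    else:
        for attr in REPEAT_GROUP:
            picked = _most_restrictive("less", [g[attr] for g in active if attr in g], 0)
            if picked is not None:
                result[attr] = picked
    return result


def effective_policy(individual: Optional[Policy], groups: List[Union[Policy, str]],
                     global_policy: Policy) -> Policy:
    """Attribute-by-attribute lookup: individual, then composite group, then
    global, then the Table 1 default. Returns {} when no policy applies."""
    if not global_policy.get("ibm-pwdPolicy"):
        return {}                         # global switch off: nothing is enforced
    chain: List[Policy] = []
    if global_policy.get("ibm-pwdGroupAndIndividualEnabled"):
        if individual and individual.get("ibm-pwdPolicy"):
            chain.append(individual)
        if groups and all(g == NO_PWD_POLICY for g in groups):
            if not chain:
                return {}                 # all groups opt out, no individual policy
        else:
            chain.append(composite_group_policy(groups))
    chain.append(global_policy)
    effective: Policy = {"ibm-pwdPolicy": True}
    for attr, (_, default) in RULES.items():
        effective[attr] = next((p[attr] for p in chain if attr in p), default)
    return effective
```

Feeding the rows of the composite table through composite_group_policy() reproduces the composite column: pwdMaxAge = 86400 when the only competing value is the default 0, and passwordMaxRepeatedChars = 3 with passwordMaxConsecutiveRepeatedChars = 0 for the row where group Z sets only passwordMaxRepeatedChars. effective_policy() returns an empty dict when the global switch is off, or when every group opts out through cn=noPwdPolicy and no individual policy exists; that second case is the one worth looking for in an audit, because such an account is subject to no password rules at all.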
Password policy attributes
The password policy feature provides several operational attributes containing the password policy state information for a given directory entry. These attributes can be used to query for entries in a particular state (for example, entries whose password has expired) and by an administrator to override certain policy conditions (for example, to unlock a locked account). See Appendix H, Password policy operational attributes.
Summary of default settings
Web Administration Tool parameter | Default setting |
---|---|
Password policy enabled: ibm-pwdPolicy | false |
Password encryption: ibm-slapdPwEncryption | sha |
Users must specify old password when changing the password: pwdSafeModify | false |
User must change password after reset: pwdMustChange | true |
Password expiration: pwdMaxAge | 0 |
Number of grace logins after expiration: pwdGraceLoginLimit | 0 |
Account is locked out after a specified number of consecutive failed bind attempts: pwdLockout | false |
Number of consecutive failed bind attempts before locking out the account: pwdMaxFailure | 0 |
Minimum time between password changes: pwdMinAge | 0 |
Amount of time before an account lockout expires or lockouts never expire: pwdLockoutDuration | 0 |
Amount of time before an incorrect login expires or incorrect login is cleared only with correct password: pwdFailureCountInterval | 0 |
Minimum number of passwords before reuse: pwdInHistory | 0 |
Check password syntax: pwdCheckSyntax | 0 |
Minimum length: pwdMinLength | 0 |
Minimum number of alphabetic characters: passwordMinAlphaChars | 0 |
Minimum number of numeric and special characters: passwordMinOtherChars | 0 |
Maximum number of repeated characters: passwordMaxRepeatedChars | 0 |
Minimum number of characters that must be different from the old password: passwordMinDiffChars | 0 |
Maximum number of consecutive repeated characters: passwordMaxConsecutiveRepeatedChars | 0 |
All users except the directory administrator, members of the administrative group and the master server DN are forced to comply with the configured user password policy. The passwords for the administrator, members of the administrative group and the master server DN never expire. The directory administrator, members of the administrative group and the master server DN have sufficient access control privileges to modify users' passwords and the user password policy. Global administration group members are subject to user password policy and have the authority to modify the user password policy settings.
Configuration
You can configure the behavior of the server with respect to passwords in the following areas:
- A global "on/off" switch for enabling or disabling password policy.
- Rules for changing passwords, including:
  - Users can change their own passwords. Note that this policy applies in addition to any access control: access control must give a user authority to change the userPassword attribute, and password policy must allow users to change their own passwords. If this policy is disabled, users cannot change their own passwords; only an administrator or another user with authority to change the userPassword attribute can change the password for an entry.
  - Passwords must be changed after reset. If this policy is enabled, when a password is changed by anybody other than that user, the password is marked as reset and must be changed by the user before they can perform other directory operations. A bind request with a reset password is successful; to be notified that the password has been reset and must be changed, the application must be password policy aware.
  - Users must send the old password when changing the password. If this policy is enabled, a password can be changed only by a modify request that includes both a delete of the userPassword attribute (with the old value) and an add of the new userPassword value. This ensures that only a user who knows the current password can change it. The administrator, or other users authorized to change the userPassword attribute, can always set the password.
- Rules for password expiration, including:
  - Passwords never expire, or passwords expire a configurable time after they were last changed.
  - Do not warn users when a password is about to expire, or warn users a configurable time before the password expires. To be warned of approaching password expiration, the application must be password policy aware.
  - Allow a configurable number of grace logins after the user's password has expired. A password policy aware application is notified of the number of remaining grace logins. If no grace logins are allowed, a user can neither authenticate nor change their own password once it has expired.
- Rules for password validation, including:
  - A configurable password history size, which tells the server to keep a history of the last N passwords and reject passwords that have been used previously.
  - Password syntax checking, including a setting for how the server should behave when passwords are hashed. This setting controls whether the server ignores the policy under either of the following conditions:
    - The server is storing hashed passwords.
    - A client presents a hashed password to the server (this can happen when transferring entries between servers using an LDIF file, if the source server stores hashed passwords).
    In either of these cases the server might not be able to apply all syntax rules. The following syntax rules are supported: minimum length, minimum number of alphabetic characters, minimum number of numeric or special characters, number of repeated characters, and number of characters in which the password must differ from the previous password.
- Rules for failed logins, including:
  - A minimum time allowed between password changes, which prevents users from quickly cycling through a set of passwords to get back to their original password.
  - A maximum number of failed login attempts before the account is locked.
  - A configurable password lockout duration. After this time, a previously locked account can be used again. This can help to lock out a hacker attempting to crack a password, while aiding a user who has forgotten their password.
  - A configurable time for which the server keeps track of failed login attempts. If the maximum number of failed login attempts occurs within this time, the account is locked. Once this time has expired, the server discards information about previous failed login attempts for the account.
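The validation rules listed above, including the hashed-password case, applied to a candidate password in code. This is an added example and not Directory Server code: check_password_syntax() returns the name of the response-control error the server would report (as listed later on this page), or None when the password is acceptable, and policy_is_consistent() checks the two interdependency rules from the evaluation section. Assumptions made here and not stated on the page: pwdCheckSyntax 0 means no syntax checking at all; a value tagged {SHA}, {SSHA}, {MD5}, {CRYPT} or {AES} is a hashed value the server cannot inspect; passwordMaxRepeatedChars limits how often any single character may occur anywhere in the password; passwordMinDiffChars counts characters of the new password that do not occur in the old one.

```python
"""Password syntax checks driven by the policy attributes listed above.

Added example, not Directory Server code. See the lead-in for the
assumptions about pwdCheckSyntax 0, hashed values, repeated characters
and passwordMinDiffChars.
"""
from collections import Counter
from itertools import groupby
from typing import Dict, Optional

HASH_TAGS = ("{SHA}", "{SSHA}", "{MD5}", "{CRYPT}", "{AES}")   # assumed set of hash tags


def is_hashed(value: str) -> bool:
    """A value such as '{SHA}...' was hashed before it reached the server."""
    return value.upper().startswith(HASH_TAGS)


def longest_run(s: str) -> int:
    """Longest run of one character repeated consecutively: 'aba' -> 1, 'aab' -> 2."""
    return max((sum(1 for _ in g) for _, g in groupby(s)), default=0)


def policy_is_consistent(policy: Dict[str, int]) -> bool:
    """Interdependency rules: passwordMinAlphaChars <= pwdMinLength -
    passwordMinOtherChars, and an enabled passwordMaxRepeatedChars must be
    >= passwordMaxConsecutiveRepeatedChars when both are enabled."""
    p = policy.get
    if p("passwordMinAlphaChars", 0) > p("pwdMinLength", 0) - p("passwordMinOtherChars", 0):
        return False
    rep, run = p("passwordMaxRepeatedChars", 0), p("passwordMaxConsecutiveRepeatedChars", 0)
    return not (rep and run) or rep >= run


def check_password_syntax(policy: Dict[str, int], new: str, old: str = "") -> Optional[str]:
    """Error name from the response control's ENUMERATED, or None if acceptable."""
    mode = policy.get("pwdCheckSyntax", 0)
    if mode == 0:
        return None                                   # syntax checking off (assumed)
    if is_hashed(new):
        # The server cannot inspect a hashed value: mode 1 accepts it, 2 rejects it.
        return None if mode == 1 else "invalidPasswordSyntax"
    if len(new) < policy.get("pwdMinLength", 0):
        return "passwordTooShort"
    alpha = sum(c.isalpha() for c in new)
    if alpha < policy.get("passwordMinAlphaChars", 0):
        return "invalidPasswordSyntax"
    if len(new) - alpha < policy.get("passwordMinOtherChars", 0):   # numeric and special
        return "invalidPasswordSyntax"
    max_rep = policy.get("passwordMaxRepeatedChars", 0)
    if max_rep and max(Counter(new).values(), default=0) > max_rep:
        return "invalidPasswordSyntax"
    max_run = policy.get("passwordMaxConsecutiveRepeatedChars", 0)
    if max_run and longest_run(new) > max_run:
        return "invalidPasswordSyntax"
    min_diff = policy.get("passwordMinDiffChars", 0)
    if min_diff and old and len(set(new) - set(old)) < min_diff:
        return "invalidPasswordSyntax"
    return None


if __name__ == "__main__":
    # Constructed policy: minimum 8 characters, 4 alphabetic, 2 other,
    # no character more than 3 times, never twice in a row, reject hashed values.
    policy = {"pwdCheckSyntax": 2, "pwdMinLength": 8, "passwordMinAlphaChars": 4,
              "passwordMinOtherChars": 2, "passwordMaxRepeatedChars": 3,
              "passwordMaxConsecutiveRepeatedChars": 1, "passwordMinDiffChars": 3}
    for candidate in ("Tr0ub4dor!", "Tr0ub4d", "aabcd12345", "{SHA}not-inspectable"):
        print(candidate, "->", check_password_syntax(policy, candidate))
```

The order of the checks matters for what the client sees: passwordTooShort is reported before any other rule, which matches the separate error code the response control reserves for it, while every other syntax failure collapses into invalidPasswordSyntax. The hashed-value branch is the one to review when importing LDIF from another server, since pwdCheckSyntax 1 silently accepts values the server could not examine.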
The password policy settings for the directory server are stored in the object "cn=pwdpolicy, cn=ibmpolicies", which looks like this:
```ldif
cn=pwdpolicy, cn=ibmpolicies
objectclass=container
objectclass=pwdPolicy
objectclass=ibm-pwdPolicyExt
objectclass=ibm-pwdGroupAndIndividualPolicies
objectclass=top
cn=pwdPolicy
pwdExpireWarning=0
pwdGraceLoginLimit=0
passwordMaxRepeatedChars=0
pwdSafeModify=false
pwdattribute=userpassword
pwdinhistory=0
pwdchecksyntax=0
passwordminotherchars=0
passwordminalphachars=0
pwdminlength=0
passwordmindiffchars=0
pwdminage=0
pwdmaxage=0
pwdallowuserchange=true
pwdlockoutduration=0
ibm-pwdpolicy=true
pwdlockout=true
pwdmaxfailure=2
pwdfailurecountinterval=0
pwdmustchange=false
ibm-pwdGroupAndIndividualEnabled=false
ibm-pwdPolicyStartTime=20071021141828Z
passwordMaxConsecutiveRepeatedChars=0
```
Password policy aware applications
The Directory Server password policy support includes a set of LDAP controls which can be used by a password policy aware application to receive notification of additional password policy related conditions.
An application can be informed of the following warning conditions:
- Time remaining before password expiration
- Number of grace logins remaining after the password has expired
An application can also be informed of the following error conditions:
- Password has expired
- Account is locked
- Password has been reset and must be changed
- User is not allowed to change their password
- Old password must be supplied when changing password
- New password violates syntax rules
- New password is too short
- Password has been changed too recently
- New password is in history
Two controls are used. A password policy request control is used to inform the server that the application wishes to be informed of password policy related conditions. This control must be specified by the application on all operations for which it is interested, typically the initial bind request and any password change requests. If the password policy request control is present, a password policy response control is returned by the server when any of the above error conditions are present.
The Directory Server client APIs include a set of APIs which can be used by C applications to work with these controls. These APIs are:
- ldap_parse_pwdpolicy_response
- ldap_pwdpolicy_err2string
For applications not using these APIs, the controls are defined below. You must use the capabilities provided by the LDAP client APIs being used to process the controls. For example, the Java™ Naming and Directory Interface (JNDI) has built-in support for some well-known controls, and also provides a framework for supporting controls that JNDI does not recognize.
Password Policy Request Control
Control name: 1.3.6.1.4.1.42.2.27.8.5.1
Control criticality: FALSE
Control value: None
Password Policy Response Control
Control name: 1.3.6.1.4.1.42.2.27.8.5.1 (same as the request control)
Control criticality: FALSE
Control value: A BER encoded value defined in ASN.1 as follows:
```asn1
PasswordPolicyResponseValue ::= SEQUENCE {
    warning [0] CHOICE {
        timeBeforeExpiration [0] INTEGER (0 .. maxInt),
        graceLoginsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL,
    error   [1] ENUMERATED {
        passwordExpired        (0),
        accountLocked          (1),
        changeAfterReset       (2),
        passwordModNotAllowed  (3),
        mustSupplyOldPassword  (4),
        invalidPasswordSyntax  (5),
        passwordTooShort       (6),
        passwordTooYoung       (7),
        passwordInHistory      (8) } OPTIONAL }
```
Like other LDAP protocol elements, the BER encoding uses implicit tagging.
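A decoder for the response control value, as an added example. It is not one of the Directory Server client APIs listed above and not JNDI; it is a small BER reader for the structure just shown, assuming the encoding client libraries use for this value: the warning CHOICE carried as a constructed context tag [0] (0xA0) wrapping a primitive [0] or [1] INTEGER, the error as a primitive context tag [1] (0x81) ENUMERATED, and definite-form lengths. The sample control values are constructed by hand.

```python
"""Decoder for the Password Policy Response Control value (added example).

Not a Directory Server client API: a small BER reader for the ASN.1 above,
assuming the warning CHOICE is encoded as constructed [0] (0xA0) around a
primitive [0]/[1] INTEGER and the error as primitive [1] (0x81) ENUMERATED.
"""
from typing import Dict, Optional, Tuple

PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"   # request and response share it
ERRORS = ["passwordExpired", "accountLocked", "changeAfterReset",
          "passwordModNotAllowed", "mustSupplyOldPassword", "invalidPasswordSyntax",
          "passwordTooShort", "passwordTooYoung", "passwordInHistory"]
WARNINGS = {0x80: "timeBeforeExpiration", 0x81: "graceLoginsRemaining"}


def _tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one tag-length-value at pos: (tag, contents, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length runs past end of value")
    return tag, buf[pos:pos + length], pos + length


def parse_ppolicy_response(value: bytes) -> Dict[str, Optional[object]]:
    """Return {'warning': (name, int) or None, 'error': name or None}."""
    tag, body, end = _tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("expected exactly one SEQUENCE")
    result: Dict[str, Optional[object]] = {"warning": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, contents, pos = _tlv(body, pos)
        if tag == 0xA0:                              # warning [0] CHOICE
            wtag, wval, _ = _tlv(contents, 0)
            if wtag not in WARNINGS:
                raise ValueError(f"unknown warning tag 0x{wtag:02x}")
            result["warning"] = (WARNINGS[wtag], int.from_bytes(wval, "big", signed=True))
        elif tag == 0x81:                            # error [1] ENUMERATED
            code = int.from_bytes(contents, "big", signed=True)
            if not 0 <= code < len(ERRORS):
                raise ValueError(f"unknown error code {code}")
            result["error"] = ERRORS[code]
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in response value")
    return result


if __name__ == "__main__":
    # Constructed sample: timeBeforeExpiration = 5 together with passwordExpired.
    print(parse_ppolicy_response(bytes.fromhex("3008a003800105810100")))
```

A client that attaches the request control (OID above, criticality FALSE, no value) to its bind and password-modify operations can hand the returned control value to parse_ppolicy_response(); a malformed or truncated value raises ValueError rather than being silently treated as "no warning, no error", which is the safer failure mode for an authentication path.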
Password policy operational attributes
The Directory Server maintains a set of operational attributes for each entry that has a userPassword attribute. Authorized users can search on these attributes, either by using them in search filters or by requesting them in the search results. These attributes are:
- pwdChangedTime - A GeneralizedTime attribute containing the time the password was last changed.
- pwdAccountLockedTime - A GeneralizedTime attribute containing the time at which the account was locked. If the account is not locked, this attribute is not present.
- pwdExpirationWarned - A GeneralizedTime attribute containing the time at which the password expiration warning was first sent to the client.
- pwdFailureTime - A multi-valued GeneralizedTime attribute containing the times of previous consecutive login failures. If the last login was successful, this attribute is not present.
- pwdGraceUseTime - A multi-valued GeneralizedTime attribute containing the times of the previous grace logins.
- pwdReset - A Boolean attribute containing the value TRUE if the password has been reset and must be changed by the user.
- ibm-pwdAccountLocked - A Boolean attribute indicating that the account has been administratively locked.
Replication of Password Policy
Password policy information is replicated by supplier servers to consumers. Changes to the entry cn=pwdpolicy are replicated as global changes, like changes to the schema. Password policy state information for individual entries is also replicated, so that, for example, if an entry is locked on a supplier server, that action will be replicated to any consumers. Password policy state changes on a read-only replica do not replicate to any other servers, however.