Setting password policy properties

Use this information to set password policy properties.

To set the password policy, use one of the following procedures.

Using Web Administration:

If you have not done so already, click Server administration in the Web Administration navigation area and then click Manage password policies in the expanded list. On this panel, you can do the following:
  • Add a new password policy in the DIT.
  • Edit an existing password policy.
  • Create a copy of an existing password policy by providing a new name and location for the policy.
  • Delete an existing password policy.
    Note: The global password policy cannot be deleted.
  • View the details of a selected password policy.

To add a password policy

To add a new password policy in the DIT, click the Add button or select Add from the Select Action list and then click Go on the Password policies table. This launches the Policy definition wizard, in which the user can define a new password policy by providing a unique password policy name and the required attributes and their values.

Attribute selection

Attribute selection, Password policy settings 1, Password policy settings 2, and Password policy settings 3 panels make up the Policy definition wizard. Users can use these panels of the Policy definition wizard to add a new password policy, edit an existing password policy, and create a copy of an existing password policy.

While adding a new password policy or copying an existing password policy, the user must provide a unique name for the password policy on the Attribute selection panel. Users can also provide values for the required attributes by selecting the attributes from the Attribute selection table. While editing an existing password policy, users cannot modify the password policy name but can modify the values of the attributes of the selected password policy.
Note: Depending on which attributes are selected from the Attribute selection table on the Attribute selection panel, the user may not need to traverse all the panels of the Policy definition wizard while adding a new password policy or editing or copying an existing password policy.
On this panel, you can do the following:
  • Enter a unique password policy name in the Policy name field. For Add and Copy operations, users must provide a unique password policy name. For the Edit operation, the Policy name field is read-only.
  • Select from the table the attributes that you want to include in the password policy; the values you set override the values these attributes have in the global password policy.

Password policy settings 1

The controls on the Password policy settings 1 panel are displayed based on the selection of the attributes on the Attribute selection panel. On this panel, you can do the following:
  1. To enable the password policy, select the Enabled (ibm-pwdPolicy) check box. To disable the password policy, clear the Enabled (ibm-pwdPolicy) check box. The attribute ibm-pwdPolicy is associated with this control.
  2. To allow users to change their own password, select the User can change password (pwdAllowUserChange) check box.
  3. To ensure that the user changes the password after it is reset by the administrator, select the User must change password after reset (pwdMustChange) check box.
  4. To ensure that the user specifies the current password while setting a new password, select the User must specify current password while changing (pwdSafeModify) check box.
  5. To set the start date and time of the password policy, enter the date and time in the fields under Password policy start time (ibm-pwdPolicyStartTime). To set the date, users can use the calendar by clicking the calendar icon.
    Note: Only administrators and the members of the local administrative group can set the start date and time of the password policy.
  6. In this group, you can set the number of days after which the password expires. If you select Days, you must enter the number of days in the field. Otherwise, to ensure that the password never expires, select Password never expires.
  7. In this group, you can set the minimum age of the password. If you select Days, you must enter in the field the number of days after the last password change before the password can be changed again. Otherwise, select Password can be changed anytime.
  8. In this group, you can set the number of days before the password expires at which to display the password expiry warning status. If you select Days before expiration, you must enter in the field the number of days before expiration at which to warn the user. Otherwise, select Never warn.
  9. In the Logins field, enter the number of grace login attempts allowed after the password has expired.
After you have finished, do one of the following:
  • Click Back to navigate to the Attribute selection panel.
  • Click Next to continue configuring the password policy.
  • Click Cancel to discard all changes and navigate to the Manage password policies panel.
  • Click Finish to save all the changes and navigate to the Manage password policies panel.

Password policy settings 2

The Password policy settings 2 panel and the controls on it are displayed based on the selection of the attributes on the Attribute selection panel. On this panel, you can do the following:
  1. Set the maximum number of failed bind attempts allowed for a user before the password is locked out. If you select Attempts, you must enter a value for the maximum number of failed bind attempts allowed before password lockout. To allow an unlimited number of failed bind attempts, select Unlimited.
  2. Set the duration for which password authentication remains locked. To specify the duration, select the option, enter a value for the duration in the field, and select the unit from the combo box. Otherwise, select Infinite.
  3. Set the duration after which failed bind attempts are flushed. To specify the duration, select the option, enter a value for the duration in the field, and select the unit from the combo box. Otherwise, select Infinite.
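The three lockout settings on this panel interact, so here is the lockout logic modelled as an added example (not the product's own code): pwdMaxFailure, pwdLockoutDuration and pwdFailureCountInterval are taken from the LDIF in the command-line section below, durations are assumed to be in seconds, and 0 is assumed to mean Unlimited or Infinite.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class LockoutPolicy:
    # Attribute names as on this page; durations in seconds (assumption).
    pwdMaxFailure: int = 2            # 0 = Unlimited
    pwdLockoutDuration: int = 30      # 0 = Infinite (locked until an administrator resets it)
    pwdFailureCountInterval: int = 5  # 0 = Infinite (failures are never flushed)

@dataclass
class AccountState:
    failure_times: List[float] = field(default_factory=list)
    locked_at: Optional[float] = None

def is_locked(policy: LockoutPolicy, state: AccountState, now: float) -> bool:
    """True while the lockout is in force; clears an expired lockout as a side effect."""
    if state.locked_at is None:
        return False
    if policy.pwdLockoutDuration == 0 or now - state.locked_at < policy.pwdLockoutDuration:
        return True
    state.locked_at = None
    state.failure_times.clear()
    return False

def record_bind(policy: LockoutPolicy, state: AccountState, now: float, success: bool) -> str:
    """Apply one bind result and return 'locked', 'ok' or 'failed'."""
    if is_locked(policy, state, now):
        return "locked"
    if policy.pwdFailureCountInterval:
        # Flush failures older than pwdFailureCountInterval (step 3 above).
        state.failure_times = [t for t in state.failure_times
                               if now - t < policy.pwdFailureCountInterval]
    if success:
        state.failure_times.clear()
        return "ok"
    state.failure_times.append(now)
    if policy.pwdMaxFailure and len(state.failure_times) >= policy.pwdMaxFailure:
        state.locked_at = now   # pwdMaxFailure reached (step 1 above)
        return "locked"
    return "failed"

def simulate(policy: LockoutPolicy, events) -> List[str]:
    """Run a constructed sequence of (time, success) bind attempts against one account."""
    state = AccountState()
    return [record_bind(policy, state, t, ok) for t, ok in events]
```

With the defaults, two failures 10 seconds apart do not lock the account because the first one is flushed after 5 seconds; two failures 2 seconds apart do, and even a correct password is refused until 30 seconds have passed.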

Password policy settings 3

The Password policy settings 3 panel and the controls on it are displayed based on the selection of the attributes on the Attribute selection panel. On this panel, you can do the following:
  1. In the Minimum number of passwords before reuse (pwdInHistory) field, enter the minimum number of passwords to be stored before an old password can be reused.
  2. Select an item from the Check password syntax (pwdCheckSyntax) list to specify whether the syntax of the password should be checked. The items available in the Check password syntax (pwdCheckSyntax) list are Do not check syntax, Check syntax (two-way encrypted only), and Check syntax.
  3. In the Minimum length (pwdMinLength) field, enter the minimum length of a password.
  4. In the Minimum number of alphabetic characters (passwordMinAlphaChars) field, enter the minimum number of alphabetic characters that a password must contain.
  5. In the Minimum number of numeric and special characters (passwordMinOtherChars) field, enter the minimum number of numeric and special characters that a password must contain.
  6. In the Maximum number of times a character can be used in password (passwordMaxRepeatedChars) field, enter the maximum number of times any single character may be repeated in a password.
  7. In the Minimum number of characters different from previous password (passwordMinDiffChars) field, enter the minimum number of characters in a new password that must differ from the previous password.
  8. In the Maximum number of consecutive repeated characters (passwordMaxConsecutiveRepeatedChars) field, enter the maximum number of consecutive repeated characters that are allowed in a password.
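The syntax attributes on this panel combined into one check routine, as an added example (not the product's own implementation). It reads a constructed policy entry written in the style of the LDIF in the command-line section below; the numeric coding of pwdCheckSyntax (0 = Do not check syntax), treating 0 as "no limit" for the two maximum attributes, and counting "different" characters as those of the new password that do not occur in the previous one are assumptions.

```python
import itertools
from collections import Counter

# Constructed policy entry in the style of the LDIF on this page (values are made up).
POLICY_LDIF = """dn: cn=syntax_pwd_policy,cn=ibmpolicies
pwdCheckSyntax: 2
pwdInHistory: 3
pwdMinLength: 8
passwordMinAlphaChars: 4
passwordMinOtherChars: 2
passwordMaxRepeatedChars: 3
passwordMinDiffChars: 3
passwordMaxConsecutiveRepeatedChars: 2
"""

def parse_policy_ldif(text):
    """Read the 'attribute: value' lines of one LDIF entry into a dict (numeric values as int)."""
    policy = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith("dn:"):
            continue
        key, value = line.split(":", 1)
        value = value.strip()
        policy[key.strip()] = int(value) if value.isdigit() else value
    return policy

def longest_run(s):
    """Length of the longest run of one repeated character, e.g. 'aab111' -> 3."""
    return max((len(list(g)) for _, g in itertools.groupby(s)), default=0)

def check_password(policy, new_pw, old_pw=None, history=()):
    """Return the policy attributes the candidate violates (empty list = accepted)."""
    limit = lambda name: int(policy.get(name, 0))
    violations = []
    if limit("pwdInHistory") and new_pw in list(history)[-limit("pwdInHistory"):]:
        violations.append("pwdInHistory")
    if limit("pwdCheckSyntax") == 0:   # assumed coding: 0 = Do not check syntax
        return violations
    alpha = sum(c.isalpha() for c in new_pw)
    checks = [
        ("pwdMinLength", len(new_pw) >= limit("pwdMinLength")),
        ("passwordMinAlphaChars", alpha >= limit("passwordMinAlphaChars")),
        ("passwordMinOtherChars", len(new_pw) - alpha >= limit("passwordMinOtherChars")),
        # assumption: a limit of 0 for the two "maximum" attributes means no limit
        ("passwordMaxRepeatedChars", not limit("passwordMaxRepeatedChars")
            or max(Counter(new_pw).values(), default=0) <= limit("passwordMaxRepeatedChars")),
        ("passwordMaxConsecutiveRepeatedChars", not limit("passwordMaxConsecutiveRepeatedChars")
            or longest_run(new_pw) <= limit("passwordMaxConsecutiveRepeatedChars")),
    ]
    if old_pw is not None:
        # assumption: "different" counts characters of the new password absent from the old one
        checks.append(("passwordMinDiffChars",
                       len(set(new_pw) - set(old_pw)) >= limit("passwordMinDiffChars")))
    violations += [name for name, ok in checks if not ok]
    return violations
```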

To edit a password policy

To edit an existing password policy, select the required row and click the Edit button or select Edit from the Select Action list and then click Go on the Password policies table. This launches the Policy definition wizard with the selected password policy. The user can edit the selected password policy by modifying the required attributes and their values.

To create a copy of an existing password policy

To create a copy of an existing password policy, select the required row and click the Copy button or select Copy from the Select Action list and then click Go on the Password policies table. This launches the Policy definition wizard with the selected password policy. To copy, the user must provide a new password policy name and the location of the policy, and may also change the attribute values.

To delete a password policy

To delete an existing password policy, select the required row and click the Delete button or select Delete from the Select Action list and then click Go on the Password policies table.
Note: The global password policy cannot be deleted.

Using the command line:

To enable the password policy, issue the following command:
ldapmodify -D <adminDN> -w <adminPW> -p <port> -k
dn: cn=pwdpolicy,cn=ibmpolicies
ibm-pwdpolicy:true
ibm-pwdGroupAndIndividualEnabled:true
To define group and individual password policies, issue the following commands:
ldapadd -D <adminDN> -w <adminPW>
dn:cn=grp1_pwd_policy,cn=ibmpolicies
objectclass: container
objectclass: pwdPolicy
objectclass: ibm-pwdPolicyExt
objectclass: top
cn:grp1_pwd_policy
pwdAttribute: userPassword
pwdGraceLoginLimit: 1
pwdLockoutDuration: 30
pwdMaxFailure: 2
pwdFailureCountInterval: 5
pwdMaxAge: 999
pwdExpireWarning: 0
pwdMinLength: 8
pwdLockout: true
pwdAllowUserChange: true
pwdMustChange: false
ibm-pwdpolicy:true

ldapadd -D <adminDN> -w <adminPW>
dn:cn=individual1_pwd_policy,cn=ibmpolicies
objectclass: container
objectclass: pwdPolicy
objectclass: ibm-pwdPolicyExt
objectclass: top
cn:individual1_pwd_policy
pwdAttribute: userPassword
pwdGraceLoginLimit: 3
pwdLockoutDuration: 50
pwdMaxFailure: 3
pwdFailureCountInterval: 7
pwdMaxAge: 500
pwdExpireWarning: 0
pwdMinLength: 5
pwdLockout: true
pwdAllowUserChange: true
pwdMustChange: false
ibm-pwdpolicy:true
To associate the group and individual password policies with a group or a user, issue the following commands. For instance, to associate a group password policy with a group:
ldapmodify -D <adminDN> -w <adminPW> -k
dn:cn=group1,o=sample
changetype:modify
add:ibm-pwdGroupPolicyDN
ibm-pwdGroupPolicyDN:cn=grp1_pwd_policy,cn=ibmpolicies
To associate an individual password policy with a user:
ldapmodify -D <adminDN> -w <adminPW> -k
dn:cn=user1,o=sample
changetype:modify
add:ibm-pwdIndividualPolicyDN
ibm-pwdIndividualPolicyDN:cn=individual1_pwd_policy,cn=ibmpolicies

For more information about password policy, see Password policy.