Setting password policy properties
Use this information to set password policy properties.
Using Web Administration:
- Add a new password policy in the DIT.
- Edit an existing password policy.
- Create a copy of an existing password policy by providing a new name and location of the policy.
- Delete an existing password policy. Note: The global password policy cannot be deleted.
- View the details of a selected password policy.
To add a password policy
To add a new password policy in the DIT, click the Add button or select Add from the Select Action list and then click Go on the Password policies table. This launches the Policy definition wizard in which the user can define a new password policy by providing a unique password policy name and the required attributes and their values.
Attribute selection
Attribute selection, Password policy settings 1, Password policy settings 2, and Password policy settings 3 panels make up the Policy definition wizard. Users can use these panels of the Policy definition wizard to add a new password policy, edit an existing password policy, and create a copy of an existing password policy.
- Enter a unique password policy name in the Policy name field. For Add and Copy operations, users must provide a unique password policy name. In case of the Edit operation, the Policy name field is read-only.
- Select the attributes from the table that you want to include in the password policy. The values you set for these attributes override the values that are in the global password policy; attributes you do not select keep their global values.
Password policy settings 1
- To enable the password policy, select the Enabled (ibm-pwdPolicy) check box. To disable it, clear the check box. A policy that is not enabled is ignored even if it is assigned to groups or users.
- To allow users to change their own password, select the User can change password (pwdAllowUserChange) check box.
- To force users to change the password after an administrator resets it, select the User must change password after reset (pwdMustChange) check box.
- To require users to supply their current password when setting a new one, select the User must specify current password while changing (pwdSafeModify) check box.
- To set the start date and time of the password policy, enter the date and time in the fields under Password policy start time (ibm-pwdPolicyStartTime). To set the date, you can also click the calendar icon. Note: Only administrators and members of the local administrative group can set the start date and time of the password policy.
- In the password expiration group (pwdMaxAge), set the number of days after which the password expires. If you select Days, enter the number of days in the field. Otherwise, select Password never expires.
- In the minimum password age group (pwdMinAge), set how long after the last change a password must be kept before it can be changed again. If you select Days, enter the number of days in the field. Otherwise, select Password can be changed anytime.
- In the expiration warning group (pwdExpireWarning), set how many days before the password expires the user is warned. If you select Days before expiration, enter the number of days in the field. Otherwise, select Never warn.
- In the Logins field (pwdGraceLoginLimit), enter the number of grace logins allowed after the password has expired, that is, how many more times the user can bind with the expired password, normally in order to change it.
- Click Back to return to the Attribute selection panel.
- Click Next to continue configuring the password policy.
- Click Cancel to discard all changes and return to the Manage password policies panel.
- Click Finish to save all changes and return to the Manage password policies panel.
Password policy settings 2
- Set the maximum number of failed bind attempts (pwdMaxFailure) allowed before the account is locked out. If you select Attempts, enter the maximum number of failed bind attempts in the field. To allow any number of failures, select Unlimited. Lockout is enforced only when pwdLockout is true, as in the command-line examples on this page.
- Set the duration for which authentication stays locked after a lockout (pwdLockoutDuration). To specify the duration, select the option, enter a value in the field, and select the unit from the combo box. Otherwise, select Infinite, which keeps the account locked until the password is reset by an administrator.
- Set the duration after which failed bind attempts are flushed from the failure count (pwdFailureCountInterval). To specify the duration, select the option, enter a value in the field, and select the unit from the combo box. Otherwise, select Infinite, which keeps counting failures until the next successful bind.
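The three lockout settings only make sense together: a short pwdFailureCountInterval can flush failures faster than an attacker needs to produce them, so the limit is never reached. The following added example (not IBM code) models that interaction for one account so a combination can be sanity-checked before it is applied. Times are in seconds, None stands for the wizard's Unlimited/Infinite choices, and the evaluation order is this example's assumption rather than a description of the server's internals.

```python
"""Model of the lockout settings on the Password policy settings 2 panel.

Added example, not IBM code. It simulates how pwdMaxFailure,
pwdFailureCountInterval and pwdLockoutDuration interact for one account.
Times are seconds; None models the wizard's Unlimited/Infinite choices.
The attribute names are the standard pwdPolicy ones the page uses; the
exact evaluation order is this example's assumption.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class LockoutPolicy:
    max_failure: Optional[int]       # pwdMaxFailure; None = Unlimited
    lockout_duration: Optional[int]  # pwdLockoutDuration in seconds; None = Infinite
    failure_interval: Optional[int]  # pwdFailureCountInterval in seconds; None = Infinite


@dataclass
class AccountState:
    failures: List[int] = field(default_factory=list)  # timestamps of recent failed binds
    locked_at: Optional[int] = None                    # when the lockout started


def bind(policy: LockoutPolicy, state: AccountState, now: int, password_ok: bool) -> str:
    """Process one bind attempt at time `now`; returns 'ok', 'invalid' or 'locked'."""
    # 1. An earlier lockout still in force rejects the bind whatever the password is.
    if state.locked_at is not None:
        if policy.lockout_duration is None or now < state.locked_at + policy.lockout_duration:
            return "locked"
        state.locked_at = None   # lockout expired: start counting failures afresh
        state.failures = []

    # 2. Flush failures older than pwdFailureCountInterval; Infinite keeps them all.
    if policy.failure_interval is not None:
        state.failures = [t for t in state.failures if now - t < policy.failure_interval]

    # 3. A successful bind resets the failure counter.
    if password_ok:
        state.failures = []
        return "ok"

    # 4. Record the failure; reaching pwdMaxFailure starts the lockout.
    state.failures.append(now)
    if policy.max_failure is not None and len(state.failures) >= policy.max_failure:
        state.locked_at = now
    return "invalid"


def simulate(policy: LockoutPolicy, attempts: List[Tuple[int, bool]]) -> List[str]:
    """Run a sequence of (time, password_ok) attempts against a fresh account."""
    state = AccountState()
    return [bind(policy, state, t, ok) for t, ok in attempts]


# Values from the page's grp1_pwd_policy example: 2 failures, 30 s lockout, 5 s interval.
GRP1_LOCKOUT = LockoutPolicy(max_failure=2, lockout_duration=30, failure_interval=5)
# Constructed attempt log: two quick failures, a bind during the lockout, then
# two failures 10 s apart, which the 5 s interval flushes before they add up.
CONSTRUCTED_ATTEMPTS = [(0, False), (3, False), (10, True), (40, True),
                        (50, False), (60, False), (61, True)]

if __name__ == "__main__":
    for (t, ok), result in zip(CONSTRUCTED_ATTEMPTS, simulate(GRP1_LOCKOUT, CONSTRUCTED_ATTEMPTS)):
        print(f"t={t:>3}s password_ok={ok!s:<5} -> {result}")
```

Run against the page's grp1 values, the two failures at 50 s and 60 s never lock the account because the 5 second interval discards the first before the second arrives; an attacker pacing guesses 6 seconds apart is never limited by that policy. Swap in pwdFailureCountInterval None (Infinite) and the same sequence locks.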
Password policy settings 3
- In the Minimum number of passwords before reuse (pwdInHistory) field, enter the number of previous passwords the server keeps in history; a new password may not match any of them.
- Select an item from the Check password syntax (pwdCheckSyntax) list to specify whether the syntax rules below are enforced. The items available are Do not check syntax, Check syntax (two-way encrypted only), and Check syntax.
- In the Minimum length (pwdMinLength) field, enter the minimum length of a password.
- In the Minimum number of alphabetic characters (passwordMinAlphaChars) field, enter the minimum number of alphabetic characters a password must contain.
- In the Minimum number of numeric and special characters (passwordMinOtherChars) field, enter the minimum number of numeric and special characters a password must contain.
- In the Maximum number of times a character can be used in password (passwordMaxRepeatedChars) field, enter the maximum number of times any single character may appear in a password.
- In the Minimum number of characters different from previous password (passwordMinDiffChars) field, enter the minimum number of characters in a new password that must differ from the previous password.
- In the Maximum number of consecutive repeated characters (passwordMaxConsecutiveRepeatedChars) field, enter the maximum number of consecutive repeated characters allowed in a password.
To edit a password policy
To edit an existing password policy, select the required row and click the Edit button or select Edit from the Select Action list and then click Go on the Password policies table. This launches the Policy definition wizard with the selected password policy loaded. You can then edit the policy by modifying the required attributes and their values.
To create a copy of an existing password policy
To create a copy of an existing password policy, select the required row and click the Copy button or select Copy from the Select Action list and then click Go on the Password policies table. This launches the Policy definition wizard with the selected password policy loaded. To copy, you must provide a new password policy name and the location of the policy; you can also change the attribute values before saving.
To delete a password policy
To delete an existing password policy, select the required row and click the Delete button or select Delete from the Select Action list and then click Go on the Password policies table. The global password policy cannot be deleted.
Using the command line:
The same policies can be created with ldapmodify and ldapadd. Each command reads its LDIF from standard input; the LDIF for each command follows it. Two points to check before running them: the time-valued attributes (pwdMaxAge, pwdExpireWarning, pwdLockoutDuration, pwdFailureCountInterval) are in seconds, so the values in these examples are deliberately short for testing; and the cn value of each policy entry must equal the value in its RDN, otherwise the add fails with a naming violation.
Enable group and individual password policies in the global password policy entry:
ldapmodify -D <adminDN> -w <adminPW> -p <port> -k
dn: cn=pwdpolicy,cn=ibmpolicies
changetype: modify
replace: ibm-pwdpolicy
ibm-pwdpolicy: true
-
replace: ibm-pwdGroupAndIndividualEnabled
ibm-pwdGroupAndIndividualEnabled: true
Create a group password policy:
ldapadd -D <adminDN> -w <adminPW>
dn: cn=grp1_pwd_policy,cn=ibmpolicies
objectclass: container
objectclass: pwdPolicy
objectclass: ibm-pwdPolicyExt
objectclass: top
cn: grp1_pwd_policy
pwdAttribute: userPassword
pwdGraceLoginLimit: 1
pwdLockoutDuration: 30
pwdMaxFailure: 2
pwdFailureCountInterval: 5
pwdMaxAge: 999
pwdExpireWarning: 0
pwdMinLength: 8
pwdLockout: true
pwdAllowUserChange: true
pwdMustChange: false
ibm-pwdpolicy: true
Create an individual password policy:
ldapadd -D <adminDN> -w <adminPW>
dn: cn=individual1_pwd_policy,cn=ibmpolicies
objectclass: container
objectclass: pwdPolicy
objectclass: ibm-pwdPolicyExt
objectclass: top
cn: individual1_pwd_policy
pwdAttribute: userPassword
pwdGraceLoginLimit: 3
pwdLockoutDuration: 50
pwdMaxFailure: 3
pwdFailureCountInterval: 7
pwdMaxAge: 500
pwdExpireWarning: 0
pwdMinLength: 5
pwdLockout: true
pwdAllowUserChange: true
pwdMustChange: false
ibm-pwdpolicy: true
Assign the group password policy to a group:
ldapmodify -D <adminDN> -w <adminPW> -k
dn: cn=group1,o=sample
changetype: modify
add: ibm-pwdGroupPolicyDN
ibm-pwdGroupPolicyDN: cn=grp1_pwd_policy,cn=ibmpolicies
Assign the individual password policy to a user:
ldapmodify -D <adminDN> -w <adminPW> -k
dn: cn=user1,o=sample
changetype: modify
add: ibm-pwdIndividualPolicyDN
ibm-pwdIndividualPolicyDN: cn=individual1_pwd_policy,cn=ibmpolicies
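The wizard panels above take days and attempt counts, while the LDIF takes seconds and bare integers, and a hand-typed entry can easily end up with a cn that differs from its RDN. The following added example (not part of the product documentation) generates the policy and assignment LDIF from wizard-style settings, converts days to seconds, refuses inconsistent combinations, and includes a small lint, rdn_matches_cn(), for checking hand-written entries. The conversion and the consistency rules are this example's choices, not server features; pwdLockout is derived from whether a failure limit is set.

```python
"""Generate and lint the LDIF for a group or individual password policy.

Added example, not part of the product documentation. It turns wizard-style
settings (days, attempt counts) into the pwdPolicy attributes the ldapadd
examples on this page use, emitting time values in seconds as the schema
requires. The day-to-second conversion and the consistency rules are this
example's choices, not server features.
"""
from dataclasses import dataclass
from typing import Optional

DAY = 86400  # pwdMaxAge and pwdExpireWarning are stored in seconds


@dataclass
class PolicySettings:
    name: str                            # cn of the policy entry under cn=ibmpolicies
    max_age_days: Optional[int] = None   # None = Password never expires (pwdMaxAge 0)
    expire_warning_days: int = 0         # 0 = Never warn
    grace_logins: int = 0                # pwdGraceLoginLimit
    max_failure: int = 0                 # pwdMaxFailure; 0 = Unlimited
    lockout_duration_secs: int = 0       # pwdLockoutDuration; 0 = Infinite
    failure_interval_secs: int = 0       # pwdFailureCountInterval; 0 = Infinite
    min_length: int = 8                  # pwdMinLength
    min_alpha: int = 0                   # passwordMinAlphaChars
    min_other: int = 0                   # passwordMinOtherChars
    in_history: int = 0                  # pwdInHistory
    allow_user_change: bool = True       # pwdAllowUserChange
    must_change: bool = True             # pwdMustChange
    safe_modify: bool = True             # pwdSafeModify


def validate(s: PolicySettings) -> None:
    """Reject settings that would be valid LDIF but do not make sense together."""
    if not s.name or any(c in s.name for c in ',=+"\\<>;#'):
        raise ValueError("policy name must be non-empty and free of DN special characters")
    if s.max_age_days is not None and s.expire_warning_days >= s.max_age_days:
        raise ValueError("expiry warning must be shorter than the password lifetime")
    if s.max_age_days is None and s.expire_warning_days:
        raise ValueError("cannot warn about expiry when the password never expires")
    if s.min_alpha + s.min_other > s.min_length:
        raise ValueError("character-class minima exceed pwdMinLength")
    for value in (s.grace_logins, s.max_failure, s.lockout_duration_secs,
                  s.failure_interval_secs, s.min_length, s.in_history):
        if value < 0:
            raise ValueError("counts and durations must not be negative")


def _bool(v: bool) -> str:
    return "true" if v else "false"   # lowercase, as the page's examples write it


def policy_ldif(s: PolicySettings) -> str:
    """LDIF for ldapadd, mirroring the page's entries with validated values."""
    validate(s)
    attrs = [
        ("objectclass", "container"), ("objectclass", "pwdPolicy"),
        ("objectclass", "ibm-pwdPolicyExt"), ("objectclass", "top"),
        ("cn", s.name),                       # must equal the RDN value
        ("pwdAttribute", "userPassword"),
        ("pwdMaxAge", str((s.max_age_days or 0) * DAY)),
        ("pwdExpireWarning", str(s.expire_warning_days * DAY)),
        ("pwdGraceLoginLimit", str(s.grace_logins)),
        ("pwdLockout", _bool(s.max_failure > 0)),   # example's choice: lock only if a limit is set
        ("pwdMaxFailure", str(s.max_failure)),
        ("pwdLockoutDuration", str(s.lockout_duration_secs)),
        ("pwdFailureCountInterval", str(s.failure_interval_secs)),
        ("pwdMinLength", str(s.min_length)),
        ("passwordMinAlphaChars", str(s.min_alpha)),
        ("passwordMinOtherChars", str(s.min_other)),
        ("pwdInHistory", str(s.in_history)),
        ("pwdAllowUserChange", _bool(s.allow_user_change)),
        ("pwdMustChange", _bool(s.must_change)),
        ("pwdSafeModify", _bool(s.safe_modify)),
        ("ibm-pwdpolicy", "true"),
    ]
    lines = [f"dn: cn={s.name},cn=ibmpolicies"] + [f"{k}: {v}" for k, v in attrs]
    return "\n".join(lines) + "\n"


def assign_ldif(subject_dn: str, policy_name: str, individual: bool) -> str:
    """ldapmodify LDIF that points a group or a user at the policy."""
    attr = "ibm-pwdIndividualPolicyDN" if individual else "ibm-pwdGroupPolicyDN"
    return (f"dn: {subject_dn}\nchangetype: modify\nadd: {attr}\n"
            f"{attr}: cn={policy_name},cn=ibmpolicies\n")


def rdn_matches_cn(ldif: str) -> bool:
    """Lint one LDIF entry: the cn attribute value must equal the RDN value."""
    rdn = cn = None
    for line in ldif.splitlines():
        key, sep, value = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            attr, _, val = value.split(",", 1)[0].partition("=")  # no escaped commas here
            rdn = (attr.strip().lower(), val.strip())
        elif key == "cn":
            cn = value
    return rdn is not None and cn is not None and rdn == ("cn", cn)


# Constructed settings: a stricter version of the page's grp1_pwd_policy.
GRP1 = PolicySettings(name="grp1_pwd_policy", max_age_days=90, expire_warning_days=14,
                      grace_logins=1, max_failure=5, lockout_duration_secs=1800,
                      failure_interval_secs=900, min_length=8, min_alpha=2,
                      min_other=1, in_history=5)

if __name__ == "__main__":
    print(policy_ldif(GRP1))
    print(assign_ldif("cn=group1,o=sample", GRP1.name, individual=False))
```

Pipe the output into ldapadd and ldapmodify exactly as the commands above do. The lint is worth running over any hand-edited policy file: an entry whose dn says cn=grp1_pwd_policy but whose cn line says grp_pwd_policy is rejected by the server, and the error is easy to misread as a schema problem.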
For more information about password policy, see Password policy.