Password policy entries

The server compatibility level must be 6 or greater and the CDBM backend must be configured to use LDAP password policy. See serverCompatLevel {3 | 4 | 5 | 6 | 7 | 8} for more information about the serverCompatLevel configuration option. When the server compatibility level is 6 or greater and the CDBM backend is configured in this way, the LDAP server automatically creates the cn=pwdpolicy,cn=ibmpolicies entry in the CDBM backend if it does not already exist.

The cn=pwdpolicy,cn=ibmpolicies entry is also known as the global password policy entry, and it controls whether password policy is active in the LDAP server. By default, the global password policy is not active (ibm-pwdPolicy is set to false); it is activated by setting the ibm-pwdPolicy attribute value to true. When activated, the global password policy entry is the default password policy and applies to all TDBM, LDBM, and CDBM entries that have a userPassword attribute value. Table 1 lists the default attribute values of the global password policy entry.

If an individual or group needs a special password policy that differs from the global password policy, additional password policy entries are added under the cn=ibmpolicies suffix in the CDBM backend. In these additional password policy entries, a password policy attribute value needs to be specified only if it differs from the value in the global password policy or from the attribute's default. Depending on the password policy attributes used in these additional entries, an objectclass attribute value of pwdPolicy or ibm-pwdPolicyExt is required. Because these objectclasses are auxiliary, a structural objectclass value, such as container, must also be included in these password policy entries. See Table 1 for information about the password policy attribute types.

These additional password policy entries can be referenced by individual or group entries in the directory. The distinguished name of a password policy entry is referenced by a static, dynamic, or nested group by adding or modifying the single-valued ibm-pwdGroupPolicyDN operational attribute value in the group entry. See Static, dynamic, and nested groups for more information about group entries. When referenced by a group entry, these password policy entries are referred to as group password policy entries. The distinguished name of a password policy entry is also referenced by an individual user by adding or modifying the single-valued ibm-pwdIndividualPolicyDN operational attribute value in the user entry. These password policy entries are referred to as individual password policy entries. Multiple users and groups can point to the same password policy entry. See Password policy examples for examples of modifying user and group entries to reference password policies.

Individual and group password policy entries are only activated when the ibm-pwdPolicy attribute is set to true in their own entries and the ibm-pwdGroupAndIndividualEnabled attribute in the global password policy entry is set to true.
Note:
  1. If the ibm-pwdIndividualPolicyDN attribute value is cn=noPwdPolicy in a user entry, that user is exempt from all password policy controls. A user is also exempt from password policy controls if the ibm-pwdGroupPolicyDN attribute value is cn=noPwdPolicy in a group that the user belongs to.
  2. A password policy entry must be created before it can be referenced by a user or group entry as an individual or group password policy. While a password policy entry is referenced by any user or group entry in an ibm-pwdIndividualPolicyDN or ibm-pwdGroupPolicyDN attribute value, the password policy entry cannot be renamed or deleted until all references to its distinguished name (DN) are removed from all individual and group entries.
  3. Password policy entries must be under the cn=ibmpolicies suffix in the CDBM backend. Entries located elsewhere in the directory are ignored.
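The rules above (activation of the global and of individual/group policies, the cn=noPwdPolicy exemption, the cn=ibmpolicies location, the structural objectclass, and the rename/delete restriction) can be checked offline before an ldapmodify is run. The following is an added example, not IBM code: it models those rules over a constructed in-memory directory keyed by canonical DN; the attribute and objectclass names come from this page, while every DN under o=example and the cn=adminPolicy entry are assumptions.

```python
GLOBAL_DN = "cn=pwdpolicy,cn=ibmpolicies"
AUX = {"pwdpolicy", "ibm-pwdpolicyext"}   # the two auxiliary policy objectclasses
POLICY_REFS = ("ibm-pwdindividualpolicydn", "ibm-pwdgrouppolicydn")

def norm(dn):
    """Canonical DN for comparison: lowercase, no whitespace around commas."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def flag(entries, dn, attr):
    """Boolean attribute; an absent attribute counts as false (the documented default)."""
    return entries.get(norm(dn), {}).get(attr, ["false"])[0].lower() == "true"

def policy_entry_problems(entries):
    """Note 3 plus the objectclass rule: yields (dn, reason) for each defective policy entry."""
    for dn, attrs in entries.items():
        ocs = {v.lower() for v in attrs.get("objectclass", [])}
        if not ocs & AUX:
            continue                                   # not a password policy entry
        if not dn.endswith(",cn=ibmpolicies"):
            yield dn, "not under cn=ibmpolicies: the server ignores it"
        if not ocs - AUX - {"top"}:
            yield dn, "auxiliary classes only: add a structural class such as container"

def references_to(entries, policy_dn):
    """Note 2: the policy cannot be renamed or deleted while this list is non-empty."""
    return sorted(d for d, a in entries.items()
                  if any(norm(v) == norm(policy_dn) for k in POLICY_REFS for v in a.get(k, [])))

def policy_active(entries, policy_dn):
    """Global: its own ibm-pwdPolicy. Others also need the global ibm-pwdGroupAndIndividualEnabled."""
    own = flag(entries, policy_dn, "ibm-pwdpolicy")
    return own and (norm(policy_dn) == GLOBAL_DN
                    or flag(entries, GLOBAL_DN, "ibm-pwdgroupandindividualenabled"))

def user_exempt(entries, user_dn, group_dns):
    """Note 1: cn=noPwdPolicy on the user, or on any of the user's groups, exempts the user."""
    refs = list(entries.get(norm(user_dn), {}).get(POLICY_REFS[0], []))
    refs += [v for g in group_dns for v in entries.get(norm(g), {}).get(POLICY_REFS[1], [])]
    return any(norm(v) == "cn=nopwdpolicy" for v in refs)

SAMPLE = {  # constructed sample directory, keyed by canonical DN; o=example DNs are assumptions
    GLOBAL_DN: {"objectclass": ["container", "pwdPolicy", "ibm-pwdPolicyExt"],
                "ibm-pwdpolicy": ["true"], "ibm-pwdgroupandindividualenabled": ["true"]},
    "cn=adminpolicy,cn=ibmpolicies": {"objectclass": ["container", "pwdPolicy"], "ibm-pwdpolicy": ["true"]},
    "cn=straypolicy,o=example": {"objectclass": ["pwdPolicy"]},        # breaks both rules
    "cn=admins,o=example": {"objectclass": ["groupOfNames"],
                            "ibm-pwdgrouppolicydn": ["cn=adminPolicy,cn=ibmpolicies"]},
    "cn=svc1,o=example": {"objectclass": ["person"], "ibm-pwdindividualpolicydn": ["cn=noPwdPolicy"]},
}
```

Running `list(policy_entry_problems(SAMPLE))` flags only cn=straypolicy,o=example, and `references_to(SAMPLE, "cn=adminPolicy,cn=ibmpolicies")` shows the group that still blocks renaming or deleting that policy.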

See Password policy evaluation for information about determining the effective password policy if a user belongs to individual and multiple password policy groups.