Password policy

Password policy is a set of rules that controls how passwords are used and administered in the LDAP server. These password policy rules are enforced to ensure that password values are changed periodically and meet the syntactic password requirements of your organization. These rules also restrict the reuse of old passwords, ensure that users are locked out after a defined number of failed bind attempts, and automatically expire passwords after a period of time.

The LDAP password policy rules apply only to entries that have a userPassword value stored in a TDBM, LDBM, or CDBM backend. Entries that are outside of a configured backend suffix and have their password values stored in the LDAP server configuration file rather than in a TDBM, LDBM, or CDBM backend are not subject to LDAP password policy. These users include the LDAP root administrator defined in the configuration file (adminDN configuration option) when the password value is specified in the adminPW configuration option, the master server DN when the password is specified in the masterServerPW configuration option, and the peer server DN when the password value is specified in the peerServerPW configuration option.

LDAP password policy is checked during authentication and compare operations involving the userPassword attribute value to ensure that the password has not expired and that the user's account has not been locked from authenticating to the directory. The only bind mechanisms that support password policy checking are simple, CRAM-MD5, and DIGEST-MD5, and only when the authenticating user's entry and password reside in a TDBM, LDBM, or CDBM backend. Because LDAP password policy is checked during simple, CRAM-MD5, and DIGEST-MD5 authentications and during compare operations involving the userPassword attribute value, the term authentication in this section refers to each of these scenarios. LDAP password policy is not checked during anonymous, Kerberos (GSSAPI), or EXTERNAL binds, because these authentication mechanisms do not access a password value. LDAP password policy also does not apply to TDBM, LDBM, or CDBM entries participating in native authentication or to entries in the SDBM backend; the z/OS® security manager handles the password policy for these users. See Binding with SDBM using password policy and Password policy with native authentication for more information.

During add and modify requests of password values in the TDBM, LDBM, and CDBM backends, the LDAP password policy is checked to verify that the password syntax is correct, that the password is allowed to be changed now, and whether the user must change the password now.
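The two decision points described above (the scope rules that decide whether policy applies to a bind at all, and the checks made during authentication and during add/modify of a password value) can be illustrated with a small model. The following is an added example, not the z/OS LDAP server's own code: the `Policy` values (90-day expiry, 1-day minimum age, 8-character minimum, 5-entry history, lockout after 3 failures), the sample entry, the reference time `NOW` and the result strings are all constructed for illustration and do not correspond to any documented configuration option.

```python
"""Illustrative model of the LDAP password-policy decisions described in the text.
Added example code; it is not the z/OS LDAP server implementation."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional
import hashlib

# Backends whose entries are subject to LDAP password policy (from the text).
POLICY_BACKENDS = {"TDBM", "LDBM", "CDBM"}
# Bind mechanisms during which password policy is checked (from the text).
PASSWORD_BIND_MECHANISMS = {"simple", "CRAM-MD5", "DIGEST-MD5"}

NOW = datetime(2024, 1, 15)            # constructed reference time
LATER = NOW + timedelta(days=3)        # constructed later time, past the minimum age


@dataclass
class Policy:
    """Assumed policy values chosen for the example only."""
    max_age: timedelta = timedelta(days=90)   # expire passwords after this period
    min_age: timedelta = timedelta(days=1)    # earliest allowed change after the last one
    min_length: int = 8                       # syntactic requirement
    history_size: int = 5                     # how many old passwords may not be reused
    max_failures: int = 3                     # failed binds before lockout


@dataclass
class Entry:
    dn: str
    backend: Optional[str]      # None: password lives in the configuration file (adminPW etc.)
    password_hash: str
    changed_at: datetime
    history: List[str] = field(default_factory=list)
    failures: int = 0
    locked: bool = False
    must_change: bool = False
    native_auth: bool = False   # native authentication: z/OS security manager owns the policy


def _h(pw: str) -> str:
    # Hashing stands in for whatever the server stores; not a recommendation of SHA-256 for passwords.
    return hashlib.sha256(pw.encode()).hexdigest()


def sample_entry(backend="TDBM", age_days=10, native_auth=False) -> Entry:
    """Constructed sample entry; 'Secret123' is a made-up current password."""
    return Entry(dn="cn=user1,o=example", backend=backend, password_hash=_h("Secret123"),
                 changed_at=NOW - timedelta(days=age_days), native_auth=native_auth)


def policy_applies(entry: Entry, mechanism: str) -> bool:
    """Scope rules: backend entries only, password-carrying bind mechanisms only."""
    if entry.backend not in POLICY_BACKENDS:
        return False     # config-file users (adminDN, master/peer server DN) and SDBM entries
    if entry.native_auth:
        return False     # policy enforced by the z/OS security manager instead
    return mechanism in PASSWORD_BIND_MECHANISMS   # anonymous, GSSAPI, EXTERNAL carry no password


def check_bind(entry: Entry, mechanism: str, password: str, policy: Policy, now: datetime) -> str:
    """Authentication-time checks: lockout, failed-attempt counting, expiry, forced change."""
    if not policy_applies(entry, mechanism):
        return "not-subject-to-policy"
    if entry.locked:
        return "account-locked"
    if _h(password) != entry.password_hash:
        entry.failures += 1
        if entry.failures >= policy.max_failures:
            entry.locked = True
            return "account-locked"
        return "invalid-credentials"
    entry.failures = 0                      # successful bind resets the counter
    if now - entry.changed_at > policy.max_age:
        return "password-expired"
    if entry.must_change:
        return "must-change-password"
    return "ok"


def check_password_change(entry: Entry, new_password: str, policy: Policy, now: datetime) -> str:
    """Add/modify-time checks: syntax, whether a change is allowed now, and reuse of old values."""
    if len(new_password) < policy.min_length:
        return "syntax-violation"
    if now - entry.changed_at < policy.min_age and not entry.must_change:
        return "too-soon"                   # minimum age not reached and no forced change pending
    if _h(new_password) == entry.password_hash or _h(new_password) in entry.history:
        return "password-in-history"
    entry.history = ([entry.password_hash] + entry.history)[:policy.history_size]
    entry.password_hash = _h(new_password)
    entry.changed_at = now
    entry.must_change = False
    return "ok"
```

The order of the checks matters for what an administrator sees in the logs: a locked account is reported before the supplied password is examined, so a locked user who enters the correct password still gets the lockout result, and the failure counter only advances on a wrong password for an entry that is in scope.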