Directory Server, Version 6.1
Appendix H. Password policy operational attributes
The following operational attributes are provided by the password policy feature:
Attribute name (Syntax): Description
pwdChangedTime (GeneralizedTime): Contains the time the password was last changed or the password policy start time, whichever is more recent.
pwdAccountLockedTime (GeneralizedTime): Contains the time at which the account was locked. If the account is not locked, this attribute is not present.
pwdExpirationWarned (GeneralizedTime): Contains the time at which the password expiration warning was first sent to the client.
pwdFailureTime (GeneralizedTime): A multi-valued attribute containing the times of previous consecutive login failures. If the last login was successful, this attribute is not present.
pwdGraceUseTime (GeneralizedTime): A multi-valued attribute containing the times of the previous grace logins.
pwdReset (Boolean): Contains the value TRUE if the password has been reset and must be changed by the user. The value is FALSE or not present otherwise.
ibm-pwdAccountLocked (Boolean): Indicates that the account has been administratively locked.
ibm-pwdIndividualPolicyDn (GeneralizedTime): DN of a password policy entry which can be associated with a user entry.
ibm-pwdGroupPolicyDn (GeneralizedTime): DN of a password policy entry which can be associated with a group entry.
Password policy queries
The password policy operational attributes can be used to view the status of a directory entry or to query for entries matching specified criteria. Operational attributes are returned on a search request only when specifically requested by the client. To use these attributes in search operations, you must have permission to critical attributes, or permission to the specific attributes used.
To view all password policy attributes for a given entry:
ldapsearch -s base -D <adminDN> -w <adminPW> -b "uid=user1,cn=users,o=ibm" "objectclass=*" +ibmpwdpolicy
To query for entries for which the password is about to expire, use pwdChangedTime. For example, to find passwords which expire on August 26, 2004, with a password expiration policy of 186 days, query for entries for which the password was changed at least 186 days ago (February 22, 2004):
idsldapsearch -b "cn=users,o=ibm" -s sub "(!(pwdChangedTime>=20040222000000Z))" <dn>
where the filter is equivalent to "pwdChangedTime is less than or equal to midnight, February 22, 2004".
To query for locked accounts, use the pwdAccountLockedTime:
idsldapsearch -b "cn=users,o=ibm" -s sub "(pwdAccountLockedTime=*)" <dn>
To query for accounts for which the password must be changed because the password was reset, use the pwdReset attribute:
idsldapsearch -b "cn=users,o=ibm" -s sub "(pwdReset=TRUE)" <dn>
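The date arithmetic behind the expiry query above, together with a status check over the operational attributes listed in the table, as an added Python example; this is not code from the Directory Server manual, and the entries, policy values and helper names are constructed for illustration:

```python
from datetime import datetime, timedelta, timezone

GT_FMT = "%Y%m%d%H%M%SZ"  # GeneralizedTime as the server stores it (UTC)

def parse_gt(value):
    """Turn a GeneralizedTime string such as 20040222000000Z into a UTC datetime."""
    return datetime.strptime(value, GT_FMT).replace(tzinfo=timezone.utc)

def expiry_filter(expires_on, max_age_days):
    """Filter for passwords that will have expired by expires_on (GeneralizedTime).

    With the manual's figures (expiry 2004-08-26, 186-day policy) the cutoff
    is midnight 2004-02-22: (!(pwdChangedTime>=20040222000000Z)).
    """
    cutoff = parse_gt(expires_on) - timedelta(days=max_age_days)
    return "(!(pwdChangedTime>=%s))" % cutoff.strftime(GT_FMT)

def account_status(entry, now, max_age_days, max_failures):
    """Summarise one entry's password policy state from its operational attributes.

    entry maps attribute names to lists of string values, as an LDAP client
    returns them; an absent attribute is a missing key. max_failures is the
    policy's pwdMaxFailure value; now is a GeneralizedTime string.
    """
    admin_locked = entry.get("ibm-pwdAccountLocked", ["FALSE"])[0].upper() == "TRUE"
    failures = len(entry.get("pwdFailureTime", []))  # consecutive failures so far
    expired = False
    if "pwdChangedTime" in entry:
        age = parse_gt(now) - parse_gt(entry["pwdChangedTime"][0])
        expired = age > timedelta(days=max_age_days)
    return {
        "admin_locked": admin_locked,
        # pwdAccountLockedTime is present only while the server holds the lock
        "locked": admin_locked or "pwdAccountLockedTime" in entry,
        "must_change": entry.get("pwdReset", ["FALSE"])[0].upper() == "TRUE",
        "expired": expired,
        "failures": failures,
        "failures_left": max(0, max_failures - failures),
    }

# Constructed sample entries (not real directory data), keyed by DN.
SAMPLE_ENTRIES = {
    "uid=user1,cn=users,o=ibm": {"pwdChangedTime": ["20040101000000Z"],
                                 "pwdFailureTime": ["20040820101500Z", "20040820101530Z"]},
    "uid=user2,cn=users,o=ibm": {"pwdChangedTime": ["20040701000000Z"], "pwdReset": ["TRUE"]},
    "uid=user3,cn=users,o=ibm": {"pwdChangedTime": ["20040701000000Z"],
                                 "pwdAccountLockedTime": ["20040825090000Z"],
                                 "pwdFailureTime": ["20040825085900Z", "20040825090000Z"]},
}
```

Feed the filter from expiry_filter to idsldapsearch as shown above, and pass the attributes returned with +ibmpwdpolicy to account_status to list which accounts are locked, reset or past pwdMaxAge.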
Overriding password policy and unlocking accounts
A directory administrator can override normal password policy behavior for specific entries by modifying the password policy operational attributes and using the server administration control (-k option of the LDAP command line utilities).
We can prevent the password for a particular account from expiring by setting the pwdChangedTime attribute to a date far in the future when setting the userPassword attribute. The following example sets the time to midnight, January 1, 2200.
idsldapmodify -D cn=root -w ? -k
dn: uid=wasadmin,cn=users,o=ibm
changetype: modify
replace: pwdChangedTime
pwdChangedTime: 22000101000000Z
We can unlock an account which has been locked due to excessive login failures by removing the pwdAccountLockedTime and pwdFailureTime attributes:
idsldapmodify -D cn=root -w ? -k
dn: uid=user1,cn=users,o=ibm
changetype: modify
delete: pwdAccountLockedTime
-
delete: pwdFailureTime
We can unlock an expired account by changing the pwdChangedTime and clearing the pwdExpirationWarned and pwdGraceUseTime attributes:
idsldapmodify -D cn=root -w ? -k
dn: uid=user1,cn=users,o=ibm
changetype: modify
replace: pwdChangedTime
pwdChangedTime: yyyymmddhhss.Z
-
delete: pwdExpirationWarned
-
delete: pwdGraceUseTime
We can clear and then reset the "password must be changed" status by deleting and adding the pwdReset attribute:
idsldapmodify -D cn=root -w ? -k
dn: uid=user1,cn=users,o=ibm
changetype: modify
delete: pwdReset

idsldapmodify -D cn=root -w ? -k
dn: uid=user2,cn=users,o=ibm
changetype: modify
replace: pwdReset
pwdReset: TRUE
An account can be administratively locked by setting the ibm-pwdAccountLocked operational attribute to TRUE. The account can be unlocked by setting the attribute to FALSE. Unlocking an account in this way does not affect the state of the account with respect to being locked due to excessive password failures or an expired password.
The user setting this attribute must have permission to write the ibm-pwdAccountLocked attribute, which is defined as being in the CRITICAL access class.
idsldapmodify -D uid=useradmin,cn=users,o=ibm -w ?
dn: uid=user1,cn=users,o=ibm
changetype: modify
replace: ibm-pwdAccountLocked
ibm-pwdAccountLocked: TRUE
To unlock the account:
idsldapmodify -D uid=useradmin,cn=users,o=ibm -w ?
dn: uid=user1,cn=users,o=ibm
changetype: modify
replace: ibm-pwdAccountLocked
ibm-pwdAccountLocked: FALSE
If the account is locked because the attribute ibm-pwdAccountLocked is set to TRUE, and the administrator clears this attribute (sets it to FALSE) while using the administrative control (-k option), then the account is completely unlocked: the pwdAccountLockedTime and pwdFailureTime attributes are also cleared and reset.
Replicating password policy operational attributes
The user-related elements of the password policy are stored in the entries as operational attributes. These attributes are subject to modifications even on a read-only replica, so replicating these attributes must be carefully considered.
- pwdChangedTime
- The pwdChangedTime attribute must be replicated on all replicas, to enable expiration of the password.
- pwdReset
- The pwdReset attribute must be replicated on all replicas, to deny access to operations other than bind and modify password.
- pwdHistory
- The pwdHistory attribute must be replicated to writable replicas. This attribute does not need to be replicated to a read-only replica, as the password is never directly modified on this server.
- pwdAccountLockedTime, pwdExpirationWarned, pwdFailureTime, pwdGraceUseTime
- The pwdAccountLockedTime, pwdExpirationWarned, pwdFailureTime and pwdGraceUseTime attributes must be replicated to writable replicas, making the password policy global for all servers. When the user entry is replicated to a read-only replica, these attributes must not be replicated. This means that the counting of failures, the counting of grace logins and the locking take place separately on each replicated server. For example, the effective number of failed attempts on a user password is:
  N x M
  where N is the number of servers and M is the value of the pwdMaxFailure attribute. Replicating these attributes to a read-only replica can reduce the number of tries globally, but can also introduce some inconsistencies in the way the password policy is applied.
  There are times when the values of pwdAccountLockedTime, pwdExpirationWarned, pwdFailureTime and pwdGraceUseTime are replicated. If the user's password is reset, thereby clearing some of these attributes, this action is replicated to the read-only replicas. Also, if an administrator on the master server uses the administrative control to overwrite the values of these attributes on the master server, this forced write of the operational attributes is also replicated to read-write and read-only replicas.
- ibm-pwdAccountLocked
- When the ibm-pwdAccountLocked attribute is set or cleared on the master server, this attribute is also replicated to the replicas. When this attribute is cleared while using the administrative control on the operation, the pwdAccountLockedTime attribute is also cleared so that the account is totally unlocked when this attribute is set to FALSE.
Forcing an add or update for an entry
When an administrative user updates an entry and specifies a password policy operational attribute as one of the attributes to be changed, or adds a new entry and specifies a value for one or more of the operational attributes, the administrative user is performing a forced add/update for the entry.
A forced add/update of an entry means that the normal password policy processing is not performed for that entry. Only those password policy operational attributes specified on the operation are changed as indicated.
Normally the forced add/update is indicated by using the administrative control on the operation while specifying a password policy attribute.
When updating the ibm-pwdAccountLocked attribute, the administrative control does not need to be sent.
When the administrator is performing a forced add/update to an entry, the administrator has the intention to set all of the password policy attributes as the entry requires.
Do not force an add unless all of the normal password policy operational attributes have been given an appropriate value, such as pwdReset and pwdChangedTime. If pwdChangedTime is not given a value on a forced add, then this attribute is not set until the user first attempts to bind to the server, or until another forced update creates a time for this attribute.
If any of the password policy attributes need to be specifically set on an add operation, the new entry should be created first and a separate modify operation should be used to set any other password policy attribute.
If the userPassword attribute is being modified on the modify operation, then any password policy attributes that are to be force-updated must be updated separately from the userPassword modification operation. This ensures that all of the proper password policy changes that occur on an add or modify operation are performed.