enhanced-pwd-policy
Whether the LDAP registries that ISAM uses provide password policy enforcement for LDAP accounts.
enhanced-pwd-policy = {yes|true|no|false}

The appliance embedded LDAP server does not support this configuration option.

ISAM uses LDAP account passwords for authentication, so Security Verify Access is subject to the password policies of the LDAP registry. When the enhanced-pwd-policy option is enabled, Security Verify Access identifies the password policy state that the underlying LDAP registry reports for the account and reacts appropriately (for example, offering a grace login and a password change when the registry reports an expired account, as described under Example). The Security Verify Access password policy is enforced concurrently and is not affected by the enhanced-pwd-policy option.

This option is supported for Sun Directory Server 6.3.1 and Security Directory Server. For Security Directory Server with the enhanced-pwd-policy option disabled, ISAM provides only limited support for handling LDAP registry password policies; enabling enhanced-pwd-policy extends that support.
When you set the auth-using-compare option to no, a user password is authenticated by opening a connection to the LDAP registry and binding that connection with the user's credentials. The success or failure of the bind is recorded and the connection is closed. If enhanced-pwd-policy is set to yes while auth-using-compare is set to no, user password changes are performed on the same connection that authenticated the user. This keeps the connection open for longer and can increase the number of simultaneous connections to the registry. If that increase is not acceptable, use the max-auth-connections option to cap the number of simultaneous authentication connections; see the max-auth-connections section for details. Only Security Directory Server supports enabling the auth-using-compare option. For other LDAP servers, Security Verify Access treats this option as disabled, that is, it authenticates by binding.
Security Verify Access WebSEAL makes use of enhanced-pwd-policy to present the appropriate response to the user. The password policy conditions and account states that ISAM recognizes are:
- Password reset
- Locked accounts
- Expired accounts
- Grace login for expired accounts
- Accounts whose passwords are going to expire
Options
- yes|true
- When the enhanced-pwd-policy option is set to yes or true, Security Verify Access identifies the password policy state reported by the underlying LDAP registry and reacts appropriately.
- no|false
- When the enhanced-pwd-policy option is set to no or false, ISAM keeps its default, limited handling of LDAP registry password policies.
Default value
The default value of enhanced-pwd-policy is no (false).
Example
An example of this feature: the LDAP registry reports that an account is expired but still allows grace logins. The user is informed that the account is expired, is given a grace login page, and is offered the option to change the password.
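The following configuration fragment is an added illustration and is not taken from the product documentation. It shows the default setting beside the configuration discussed above: enhanced-pwd-policy enabled together with bind-based authentication (auth-using-compare = no), which is the combination that performs password changes on the authentication connection, so a cap on concurrent authentication connections is set alongside it. The stanza name [ldap] and the value 10 for max-auth-connections are assumptions for illustration; consult the max-auth-connections section and your registry's connection capacity before choosing a value.

```ini
# --- Before: default behaviour (stanza name assumed) ---
# Registry password policy states (expiry, lockout, grace login, reset)
# receive only the limited default handling.
[ldap]
enhanced-pwd-policy = no
auth-using-compare = no

# --- After: enhanced handling enabled ---
# With auth-using-compare = no, a password change for an expired account runs
# on the connection that authenticated the user, so that connection stays open
# longer. max-auth-connections caps how many such connections can exist at once
# (the value 10 is an assumption, not a recommendation).
[ldap]
enhanced-pwd-policy = yes
auth-using-compare = no
max-auth-connections = 10
```

On registries other than Security Directory Server, auth-using-compare is treated as no regardless of what is configured, so the "after" block describes the effective behaviour there as soon as enhanced-pwd-policy is enabled.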
- Use enhanced-pwd-policy with Security Directory Server
If you enable enhanced-pwd-policy when Security Directory Server is the registry, several additional configuration steps are required.