Use enhanced-pwd-policy with Security Directory Server
If we enable enhanced-pwd-policy while Security Directory Server is the user registry, we must also take the following steps:
- Manually update the access control lists (ACL) of the server so that users can change their passwords.
- Set auth-using-compare to no in each configuration file where we set enhanced-pwd-policy to yes.
To ensure that users can change their passwords, suffixes that contain or will contain ISAM user accounts must have an LDAP ACL that permits users to change their passwords. An example of the suffix that we create is o=ibm,c=us. An example of a suffix that Security Verify Access creates is secAuthority=Default. Each of these suffixes requires an LDAP ACL to let the users change their passwords.
Complete the following steps to update LDAP access control lists:
Steps
- For the suffix that we created, create a file, for example, addacl1.ldif, containing the following statements:
dn: o=ibm,c=us
changetype: modify
add: aclEntry
aclEntry: access-id:cn=this:at.userPassword:rwsc
- Run the command:
idsldapmodify -D "cn=root" -w "password" -h your.ldap.host.name -f "addacl1.ldif"
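The two steps above, generalized to every suffix that holds ISAM users (the text names both o=ibm,c=us and secAuthority=Default): an added shell example, not part of the product documentation. LDAP_HOST, BIND_DN and BIND_PW are placeholder assumptions to be replaced for your directory.

```shell
# Added example, not from the product documentation. Generates one LDIF
# modification per suffix and applies them all with idsldapmodify.
# LDAP_HOST, BIND_DN and BIND_PW are placeholders (assumptions).
LDAP_HOST="${LDAP_HOST:-your.ldap.host.name}"
BIND_DN="${BIND_DN:-cn=root}"
BIND_PW="${BIND_PW:-password}"

# Emit the LDIF modification that grants every user (cn=this) read, write,
# search and compare rights on their own userPassword attribute.
make_pwd_acl_ldif() {
    printf 'dn: %s\n' "$1"
    printf 'changetype: modify\n'
    printf 'add: aclEntry\n'
    printf 'aclEntry: access-id:cn=this:at.userPassword:rwsc\n'
}

# Write addacl1.ldif, addacl2.ldif, ... into $1, one file per suffix given
# as the remaining arguments.
write_acl_files() {
    outdir="$1"; shift
    n=1
    for suffix in "$@"; do
        make_pwd_acl_ldif "$suffix" > "$outdir/addacl$n.ldif"
        n=$((n + 1))
    done
}

# Apply every addacl*.ldif in $1 with idsldapmodify. Fails early when the
# client is missing so an absent tool is not mistaken for a successful run.
apply_acl_files() {
    command -v idsldapmodify >/dev/null 2>&1 || {
        echo "idsldapmodify not found in PATH" >&2; return 1; }
    for f in "$1"/addacl*.ldif; do
        idsldapmodify -D "$BIND_DN" -w "$BIND_PW" -h "$LDAP_HOST" -f "$f" || return 1
    done
}

# Usage: both the suffix we created and the one Security Verify Access
# created need the ACL.
# write_acl_files /tmp/acl "o=ibm,c=us" "secAuthority=Default"
# apply_acl_files /tmp/acl
```

After applying, an idsldapsearch for the suffix entry with the aclEntry attribute confirms that the access-id:cn=this entry is present.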
Behavior of ISAM policy server LDAP accounts and policies
The pwdMustChange option in the LDAP policy prevents the policy server from starting during configuration.