Configuration of the password policy options

The following WebSEAL options are available in the [acnt-mgt] stanza to use the password policy and account state for LDAP users.
[acnt-mgt]
enable-passwd-warn = yes
passwd-warn = passwd_warn.html
passwd-warn-failure = passwd_warn.html
account-inactivated = acct_locked.html

These options have no effect unless the corresponding Security Verify Access LDAP option is also enabled ([ldap] enhanced-pwd-policy=yes) and is supported for the particular LDAP registry type.

The enable-passwd-warn stanza entry enables WebSEAL to detect the attribute REGISTRY_PASSWORD_EXPIRE_TIME added to a user's credential when the LDAP password policy indicates the user's password is soon to expire. The value of this new attribute is the number of seconds until the user's password expires. If this attribute is detected, a password warning form will be displayed when the user logs in to WebSEAL.

The page macro EXPIRE_SECS is available containing the number of seconds before the password expires. We can use this macro in the password warning form to display the time left for the user to change his password.

The account-inactivated stanza entry specifies a page to display if the value of nsAccountLock is true for a user in the Sun Directory when he attempts to log in. This page is only displayed if the user provides the correct password during login.

The passwd-warn stanza entry specifies the page to display after login if WebSEAL detects the LDAP password is soon to expire.

The passwd-warn-failure stanza entry specifies the page to display if the user fails to change a password that is due to expire. This page is often the same as the one specified by the passwd-warn stanza entry, giving the user another chance to change the password. Pages specified by the passwd-warn and passwd-warn-failure entries must provide a (hidden) field called warn when posting to /pkmspasswd.form. Keep the value of the warn field short, as the value is ignored. The /pkmspasswd.form management URL detects this hidden field and proceeds to use the warning versions of the password change page. If the warn field is not detected, the non-warning forms are used instead.

<input type="HIDDEN" name="warn" value="*">

You can use the /pkmsskip WebSEAL Management URL to allow the passwd-warn page to skip changing the password and continue on with the login. This URL effectively redirects the users to the page they were originally trying to access before being interrupted by the login process.
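A complete warning page that ties these options together, added here as an example rather than WebSEAL's stock passwd_warn.html: it renders the EXPIRE_SECS macro (using WebSEAL's %MACRO% substitution syntax), carries the hidden warn field when posting to /pkmspasswd.form, and offers the /pkmsskip link. The old, new1 and new2 field names are assumed to be the ones the password change form expects.

```html
<!-- passwd_warn.html (example): served after login when the credential
     carries REGISTRY_PASSWORD_EXPIRE_TIME, i.e. the password is about to expire -->
<html>
<head>
  <title>Password expiry warning</title>
  <script>
    // Turn a number of seconds into a short "Nd Nh Nm" string for display.
    function formatRemaining(seconds) {
      var d = Math.floor(seconds / 86400);
      var h = Math.floor((seconds % 86400) / 3600);
      var m = Math.floor((seconds % 3600) / 60);
      return d + "d " + h + "h " + m + "m";
    }
    // The macro is read from a data attribute rather than placed directly in
    // script, so an unsubstituted or empty macro degrades to the raw text
    // instead of breaking the page with a script error.
    window.onload = function () {
      var span = document.getElementById("left");
      var secs = parseInt(span.getAttribute("data-secs"), 10);
      if (!isNaN(secs)) {
        span.textContent = formatRemaining(secs);
      }
    };
  </script>
</head>
<body>
  <h1>Your password is about to expire</h1>
  <!-- %EXPIRE_SECS% is replaced by WebSEAL with the seconds until expiry -->
  <p>Time left to change it: <span id="left" data-secs="%EXPIRE_SECS%">%EXPIRE_SECS% seconds</span></p>

  <form method="post" action="/pkmspasswd.form">
    <!-- The hidden warn field makes /pkmspasswd.form use the warning versions
         of the password change pages; its value is ignored, so keep it short. -->
    <input type="hidden" name="warn" value="*">
    <p>Current password: <input type="password" name="old"></p>
    <p>New password: <input type="password" name="new1"></p>
    <p>Confirm new password: <input type="password" name="new2"></p>
    <input type="submit" value="Change password">
  </form>

  <!-- /pkmsskip continues the login and returns the user to the page
       originally requested, without changing the password now -->
  <p><a href="/pkmsskip">Remind me later</a></p>
</body>
</html>
```

Because passwd-warn-failure often points at this same file, the page should not assume it is being shown for the first time; the text above reads correctly on a repeat visit after a failed change.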

We can use the local response redirect options: passwd_warn, passwd_warn_failure, and acct_inactivated. See Operation for local response redirection for more information.
