How to implement extra password policies

What is the best way to configure additional password policies? We are using the
DefaultAuthenticator, and its only password policy is Minimum length. We'd like
to add policies that force a change every 6 months, require a mix of numbers and
alphas, prevent re-use of old passwords, etc.

"Ken" <[email protected]> wrote in message
news:3f900716$[email protected]..
>
What is the best way to configure additional password policies? We areusing the
DefaultAuthenticator, and its only password policy is Minimum length. We'dlike
to add policies that force a change every 6 months, require a mix ofnumbers and
alphas, prevent re-use of old passwords, etc.There are currently no additional password policies that can be configured
for the Default
authenticator. If you need more, then you may have to move to either another
LDAP
server and use the external ldap provider or move to a custom solution and
write your
own atn provider.

Similar Messages

How to implement forgot password policy in OIM

Hi,
I want to implement forgot password Policy on OIM 11g r1.
Can any one please help me on this.
I mean from where to start and how is the follows goes..
Thanks in Advance :-)

Forgot Password functionality is OOTB.
You can configure Forgot Password Question Answers. Go to System Configuration (Advance Console) and search for different properties associated with Challenge Questions Answers.
OIM.DisableChallengeQuestions
PCQ.NO_OF_CORRECT_ANSWERS
XL.IsDupResponseAllowed
etc..
You can also add new Challenge Questions as well by adding into Lookup.WebClient.Questions

How to implement Force password change during authentication

Description of problem
Our client requires web applications to support its internal security policy beyond
normal authentication. This includes:
- force password change periodically. This should be performed at logon time.
- maintain password history so that a new password would not repeat any of its
previous 15 changes.
We already have an authentication server that satisfy these requirements. However,
we would also like to base our solution on WebLogic security framework so that
we can leverage the benefit of the container-managed declarative security (e.g.
we don't need to use our special cookie to check whether a user is authenticated
for every web page in the application). So the best scenario for us is to wrap
up this authentication server using WLS 7.0 authentication SSPI.
My initial investigation of WLS 7.0 security framework (based on edocs and the
sample customer security provider codes) convinced me that overall, this is achievable.
However, I am still left with quite a few questions, which I would like to get
your help.
Questions:
1. (web container) The J2EE-standard container-based authentication is to specify
<login-config> element. My understanding is that only FORM based authentication
is applicable. The specified form elements:
<form method="post" action="j_security_check">
<INPUT TYPE="TEXT" NAME="j_username">
<INPUT TYPE= "password" NAME="j_password">
</form>
is adequate for authentication. However, if the authentication service provider
indicates that password change is needed, what would be the most appropriate way
within WebLogic for the authentication service provider to pass such a flag to
the web container know so that our application can access it? I guess, a simpler
question, would be, using the standard <login-config>, webapp knows only about
authentication fails or succeeds. Can it possibly know more information provided
by the authentication service provider right after authentication?
2) If we don't use standard FORM-based authentication, we will code up our own
authentication control, which could give us a lot more flexibility, but can we
then bind our Subject obtained through our authentication control to the WebLogic
Subject that is running the webapp.
3) (Authentication service provider) Our design is for the custom LoginModule
to delegate login calls to the authentication server, and throws more refined
exceptions such as: FailedLoginException, PasswordExpiredException, UserAccountLockedException
(all subclassed from LoginException). Another approach is to provide detailed
information such as password expired in callbacks. Either way, when Authentication
service provider returns, how our web application can access this refined flag
of authentication result.
4) Can our customer authentication service provider use DataSource defined in
a weblogic server? I ask this question because DataSource itself is a protected
resource of WebLogic. Will referencing it during authentication initiate another
authentication cycle?
Can anyone who has experienced similar requirements and worked solutions please
give me a hint? I appreciate your guidance.
regards
Licheng

"Licheng" == Licheng <[email protected]> writes:
Licheng> Description of problem
Licheng> Our client requires web applications to support its internal security policy beyond
Licheng> normal authentication. This includes:
Licheng> - force password change periodically. This should be performed at logon time.
Licheng> - maintain password history so that a new password would not repeat any of its
Licheng> previous 15 changes.
Licheng> ..
Licheng> We already have an authentication server that satisfy these requirements. However,
Licheng> we would also like to base our solution on WebLogic security framework so that
Licheng> we can leverage the benefit of the container-managed declarative security (e.g.
Licheng> we don't need to use our special cookie to check whether a user is authenticated
Licheng> for every web page in the application). So the best scenario for us is to wrap
Licheng> up this authentication server using WLS 7.0 authentication SSPI.
I believe it's impractical to fit the requirement of forcing a password change
into the standard JAAS interface.
I think the only practical way to do this is to implement a servlet filter that
reads the persistent record of the logged-in user to check for a "force change
password flag". If it finds this, the servlet filter will forward to a page to
change your password. Note that the servlet filter may be hit again when
trying to get to the change password page, so it needs to know to not do the
check in that case.
If you implement this, I would strongly urge you to softcode the "change
password" page URL in your system configuration, and not hardcode it in the
servlet filter.
===================================================================
David M. Karr ; Java/J2EE/XML/Unix/C++
[email protected] ; SCJP; SCWCD

How to implement a password/login feature using the package OWA_SEC

HELLO.....
I have another question:
I am using the following versions of Oracle products
Connected to:
Oracle9i Release 9.2.0.5.0 - Production
JServer Release 9.2.0.5.0 - Production
SQL> select owa_util.get_version from dual;
GET_VERSION
9.0.4.0.1
(version of OWA packages)
I have successfully compiled the following package:
(It is based on a package in the text Oracle Web Application Programming for PL/SQL Developers by Susan Boardman etc page 687-688
The SPEC and BODY code is as follows:
CREATE OR REPLACE PACKAGE AUTHEN_TEST IS
FUNCTION AUTHORIZE RETURN BOOLEAN;
PROCEDURE HELLO_WORLD;
END;
CREATE OR REPLACE PACKAGE BODY AUTHEN_TEST IS
FUNCTION AUTHORIZE RETURN BOOLEAN IS
v_user VARCHAR2(10);
v_password VARCHAR2(10);
BEGIN
owa_sec.set_protection_realm('The Realm of Testing');
v_user := UPPER(owa_sec.get_user_id);
v_password := UPPER(owa_sec.get_password);
IF v_user = 'PREN' AND v_password = 'HALL' THEN
RETURN TRUE;
ELSE
RETURN FALSE;
END IF;
END AUTHORIZE;
PROCEDURE HELLO_WORLD IS
v_status BOOLEAN;
BEGIN
htp.p('TESTING');
v_status := authorize;
IF v_status = TRUE THEN
htp.p('WENT TO PASSWORD SECTION');
ELSE
htp.p('DID NOT GO TO PASSWORD SECTION');
END IF;
END HELLO_WORLD;
END AUTHEN_TEST;
As I said the code compiles!!
However what I want it to do is successfully run the following code from the above package:
owa_sec.set_protection_realm('The Realm of Testing');
v_user := UPPER(owa_sec.get_user_id);
v_password := UPPER(owa_sec.get_password);
I want the user to be asked for a password and login
Currently when I use the web based application the browser displays:
TESTING DID NOT GO TO PASSWORD SECTION
Any advice is appreciated
Thank You
Douglas

Hello,
The URL:
http://www.columbia.edu/~br111/plsqltools/configur.htm#1002513
has useful information related to my question
Also this post from Paul M was helpful:
Finding which OWA packages are available for use in the schema/database
Thanks
Doug

How to implement password policies in BI 11g?

Hi Folks,
Can someone point me to a doc that shows how to set up password policies in BI 11g? I'm talking about things like enforcing password expiration, enforcing complex passwords etc., things like that. I understand that now in 11g, users need to be set up via the Weblogic console, but I don't see it in there, and I'm not sure where to go from there.
Thanks very much,
-Adam vonNieda

Hi Adam,
Is this what you are looking for;
http://download.oracle.com/docs/cd/E21764_01/apirefs.1111/e13952/taskhelp/security/ConfigurePasswordValidationProviders.html
Cheers,
Daan Bakboord
http://obibb.wordpress.com

BAPI to get password policies in ABAP environement

Hi all,
I am new to the SAP ABAP environement. (worked to some extent on JAVA stack).
I am working on the RFCSDK using C language.
I wanted to know how to see the password policies in ABAP environment.
I went through the link
http://help.sap.com/saphelp_nw04s/helpdata/en/22/41c43ac23cef2fe10000000a114084/content.htm
Now my question are as follows:
a)Which transaction should i use to see this values
b)Is there a BAPI provided to access this values. (using C language)
Best Regards
Manoj

this is not an abap question, but a basis question.
password settings are maintained with system profile parameters.
go to transaction RZ11 and search for passw parameters.
I found a FM by searching for profilepar*
in the code it uses
CALL 'C_SAPGPARAM'
     ID 'NAME' FIELD 'auth/object_disabling_active'
     ID 'VALUE' FIELD RET.
I think this one checks the parameters
regards, Rob,

Implementing password policie using Role and CoS

Hy all,
I have created a directory with the following partial structure (Sun directory 5.2 patch 2):
ou=people,o=accounts,c=an
|----- cn=user1
|----- cn=user2
|----- cn=user3
ou=services,o=accounts,c=an
|---------cn=user4
|---------cn=user5
|---------cn=user6
I want to assign different password policies based on the ou.
I read within the admin guide that there is a way to do that through CoS and Role: http://docs.sun.com/source/817-7613/useracct.html#wp19625
So I create following records:
- Customized Password Policy Container:
dn: cn=Customized Password Policy, c=an
objectClass: top
objectClass: nsContainer
cn: Customized Password Policy
- External User Customized Password Policy: (same as the global one)
dn: cn=externalUserPwdPolicy, cn=Customized Password Policy, c=an
objectClass: top
objectClass: passwordPolicy
cn: externalUserPwdPolicy
passwordInHistory: 5
passwordWarning: 432000
passwordExpireWithoutWarning: on
passwordRootdnMayBypassModsChecks: on
passwordLockout: on
passwordMaxFailure: 3
passwordMaxAge: 5184000
passwordCheckSyntax: off
passwordResetFailureCount: 1200
passwordMinLength: 8
passwordStorageScheme: SHA
passwordChange: on
passwordMinAge: 86400
passwordMustChange: off
passwordUnlock: off
passwordLockoutDuration: 3600
passwordExp: on
- Service Account Customized Password Policy: (same as the global one except that there is no expiration for password and the password minimum age is set to 2 days instead of one)
dn: cn=serviceAccountPwdPolicy, cn=Customized Password Policy, c=an
objectClass: top
objectClass: passwordPolicy
cn: serviceAccountPwdPolicy
passwordInHistory: 5
passwordWarning: 432000
passwordExpireWithoutWarning: on
passwordRootdnMayBypassModsChecks: on
passwordLockout: on
passwordMaxFailure: 3
passwordMaxAge: 5184000
passwordCheckSyntax: off
passwordResetFailureCount: 1200
passwordMinLength: 8
passwordStorageScheme: SHA
passwordChange: on
passwordMinAge: 172800
passwordMustChange: off
passwordUnlock: off
passwordLockoutDuration: 3600
passwordExp: off
- External User Role:
dn: cn=externalUserRole,c=an
objectclass: top
objectclass: LDAPsubentry
objectclass: nsRoleDefinition
objectclass: nsComplexRoleDefinition
objectclass: nsFilteredRoleDefinition
cn: externalUserRole
nsRoleFilter: (&(entrydn=*o=accounts*)(entrydn=*ou=people*))
Description: Filtered role for external users
- Service Account Role
dn: cn=serviceAccountRole,c=an
objectclass: top
objectclass: LDAPsubentry
objectclass: nsRoleDefinition
objectclass: nsComplexRoleDefinition
objectclass: nsFilteredRoleDefinition
cn: externalUserRole
nsRoleFilter: (&(entrydn=*o=accounts*)(entrydn=*ou=services*))
Description: Filtered role for external services account
- Template Container for Customized Password Policy:
dn: cn=pwdPolTemplateContainer, c=an
objectClass: top
objectClass: nscontainer
- Class of Service (CoS) Definition for password policy:
dn: cn=PwdPol_CoSDefinition, c=an
objectClass: top
objectClass: LDAPsubentry
objectClass: cosSuperDefinition
objectClass: cosClassicDefinition
cn: PwdPol_CoSDefinition
cosAttribute: passwordPolicySubentry operational
cosTemplateDn: cn=pwdPolTemplateContainer, c=an
cosSpecifier: nsRole
- Class of Service (CoS) Template for ExternalUserRole:
dn: cn="cn=externalUserRole, c=an", cn=PwdPolTemplateContainer, c=an
objectClass: top
objectClass: extensibleObject
objectClass: costemplate
objectClass: LDAPsubentry
cosPriority: 2
passwordPolicySubentry: cn=externalUserPwdPolicy, cn=Customized Password Policy, c=an
- Class of Service (CoS) Template for ServiceAccountRole:
dn: cn="cn=serviceAccountRole, c=an", cn=PwdPolTemplateContainer, c=an
objectClass: top
objectClass: extensibleObject
objectClass: costemplate
objectClass: LDAPsubentry
cosPriority: 2
passwordPolicySubentry: cn=serviceAccountPwdPolicy, cn=Customized Password Policy, c=an
- The thing is that it does not to work: if I disable the global password policy, I can set a 3 caracters password even if I specified in the sub password policy that passwordminlengnt is equal to 8 caracters.
Many thanks in advance for your help.
Gregoire

Hmm,
Pretty cool.
I just finished doing it the hard-way when I saw your post :(.
I tried it anyways, and it did all the work that I had done by hand in the previous try. Which was ...
1) Creating the filtered role (same in both approaches).
2) Creating a Container for COS Templates.
3) Creating a COS Template with a dn having a cn string of the full dn to the role in 1) above. Had to use generic entry editor to add all the additional attributes as below ...
dn: cn="cn=TempFilter,ou=people,dc=example,dc=com",
�cn=PolTempl,dc=example,dc=com
objectclass: top
objectclass: extensibleObject
objectclass: LDAPsubentry
objectclass: costemplate
cosPriority: 1
passwordPolicySubentry: cn=TempPolicy,dc=example,dc=com
(started with a new costemplate and the added all the above attributes, also involved things like changing the naming attribute - the dn - from cosPriority to the one cn as shown above)
4) Creatiing a COS with ...
4.1) passwordpolicysubenty as a generated attribute that is overriding and operation (this is picked from the matched CoS template)
4.2) Use the template container's dn from 2) above for the TemplateDN value.
4.3) Use nsrole of the target enty to narrow down to the COS template as in 3) above. I.E. "template"->"attribute name" value is set to "nsRole"
(So when a user's nsrole maps to a cn value of an entry under the TemplateDN subtree. That template applies.)

Cannot update Global Password Policies, no SSL bind, etc

Hello Community--
This is day 3 of the Apple Server Hostage Crisis, and it looks like I'll started clean slate build #5.
By way of background, I had a functioning ML/2.2.2 server that had RAID problems (and still does). Attempting to rebuild array failed and I lost the boot hard drives. I have access to dumpall.psql and all the user data (on an external drive). I attempted a couple of times to build a clean Mavericks/3.0 server but I couldn't figure out how to get the service data back. So I build a clean ML/2.2.2 system, got the wiki/calendar/contacts, etc data back in place to include establishment of an OD master using an archive. Turns out the archive was from one of my Mavericks/3.0 attempts, and while it seemed to create the OD okay, every time I tried to edit the global password policy, Server.app crashed. I decided to try to move up to Mavericks/3.0. Server.app no longer crashed but still cannot change global password policies. I get the following error:
servermgrd[]: servermgr_dirserv: +[PWPolicy setGlobalPolicyFromDict] error: policy data modification failed: Object class violation: attribute 'apple-user-passwordpolicy' not allowed ()
I deleted the OD master a couple of times and recreated it from a new archive. On the second iteration, my PositiveSSL cert was deleted....
Q1: Has anyone seen this password policy error and know how to solve it?
Additionally, although I have (had) the cert from PositiveSSL for my domain, the OD with Server 3 will not use it, instead reverting to a self-signed cert. All other services seem to work with the PositiveSSL cert. I've seen discussions in the community on this but have not found a solution.
Q2: Is this related to why I cannot create a secure binding?
I have not even gotten to the point of trying to set up Profile Manager to manage users and devices. I have not read anywhere that I *need* to have Profile Manger started to get a basic system running. From a Mavericks-based client where I've logged in with a local user, I can su <OD User> and log in, but the automount of the user's home directory fails due to an authentication issue.
Q3: In Mavericks, does a device have to be enrolled/configured in Profile Manager in order to bind and be usable?
Well, I'm off to start my next rebuild, but would still appreciate comments and suggestions as I suspect this hostage crisis is not over yet.
Thanks.
Tim

Rebuilt from scratch and reloaded databases for services and the OD archive. But something was still jacked and passwords wouldn't take. I was starting to suspect it was OD again, but then I decided to completely wipe the device_management database, which I did following these steps: http://support.apple.com/kb/ht5349.
That may have gotten me on track, which is good because I was getting ready to recreate each user account. I'll continue the effort tomorrow (day 4).
I have not decided if I will try again for Mavericks/Server 3. Sigh....
Tim

How to implement JAAS With Weblogic 10.3

I am working on a migration project. A project is to be migrated from JBOSS to Weblogic 10.3. JAAS has been used in JBOSS for security purpose.
Required classess like LoginModule, CallBackHandler are customized and put into a jar file. Next a Login page has been created with action=”j_security_check”, which is supposed to be called whenever protected resource has been requested. In web.xml Roles and Policies are defined. There is a jboss-web.xml in which roles are mentioned. In web.xml
There is a login-config.xml that has been put into Jboss server classpath. In this file, some sql queries are there.
In weblogic I am not able to understand that how to configure this login-config, how to map roles and policies. Exactly I am not able to find what are the steps needed to implement this JAAS in weblogic10.3. I also tried using the Read-Only SQL Authenticator Provider under security Realms but not sure how to use groups, because I have no Group related tables in my DB.
Kindly anyone share the knowledge.

Hi,
I also want to do the same thing. Did you get any solution for this problem. If yes then please share it with me. I am struggling with this.
Thanks,
Sanjay

How to get the password of a password protected Excel Sheet using java/jxl

Hi ,
how to get the password of a password protected Excel Sheet using java / jxl program.
plz any one help me .
Ramesh P
[email protected]

If they've implemented the password system correctly there probably isn't a way of getting the password at all.

How do I remove password protection from a PDF file in Adobe Reader

How do I remove password protection from a PDF file in Adobe Reader?

PDF security can only be implemented or removed using Adobe Acrobat.

How to implement data level security

How to implement data level security in BI Publihser?. I am using Obiee enterprise edition and bi publihser. My requirement is to show data based on User- Region relation ship.
User A - belongs to Eastern Region
User B - belongs to Southern Region
so if user A logged in he should see only Eastern Region report. If user B logged in He should see only Southern region. I am using direct sql to my oralce database as data source.
i appriciate your help

I am using a common database username and password for jdbc connection. what i am looking is based the BI Publihser login, is there any way?
say i have userregion table joined with fact. so that i can write a query to get the data
select c1,c2,c3
from userregion, fact
where fact.region=userregion.region
and userregion.user = BIPUBLIHSERUSER
but my question is ithere any variable to tell who is logged in BI Publisher? Any server varaibles?
Other related question is, In every report i want to show User name who is running the report. How can i get this?

Active directory Schema - Multiple password policies

Hi All,
I am new to AD and would need some suggestion to configure AD. I want to set up AD(2008 R2) for three categories of users: individual, dealers and organisations. Each dealer and each organisation will have further sub-categories based
on their location. I want to set up separate password policies for the above three categories using AD. I wanted to create them as separate OUs. So I would have multiple OUs for each dealer per location (e.g. individual, dealer1loc1, dealer1loc2,
dealer2loc3 and so on)
I know the concept of PSO(Password Settings Object) and that it can only be applied to OU using shadow groups and batch file (to copy users from OU to Shadow Groups). The issue is that the OUs would keep getting added as per requirement (would
be creating new OUs using C#) and then the management of PSO or shadow groups or batch file would be very complicated, not sure if it can be automated.
Also, I have budet constraints to add new servers for each domain and separate password policies.
What could be the possible solution to separate password policies and set up this user structure in Active Directory. I am using W2k8 R2.
Thanks.

Thanks Mahdi. In this case, the OUs would get created at run time, so the script needs to get updated at run time as well. I guess this will be not easy to automate.
Also, can you confirm if I can set up separate password policies by creating sub domain(e.g. example.com will be divided into sales.example.com and admin.example.com and this would further be divided as melourne.sales.example.com and sydney.sales.example.com)
and I can set separate password policies for sales.example.com and admin.example.com.
By adding child domains,it is like you are killing a mosquito with a rocket launcher, if you know what I mean. adding child domains increase the cost and administration and also adds complexity to your environment.
From technical perspective it is OK to have child domains, but if I were you I would not add that much complexity to my environment because of a script. I would spend enough time or get help form a skilled script writer to edit the script. Also I am saying
that editing your script to a fully automated script is not impossible, it just needs enough time and skills.
Mahdi Tehrani |
|
www.mahditehrani.ir
Please click on Propose As Answer or to mark this post as
and helpful for other people.
This posting is provided AS-IS with no warranties, and confers no rights.
How to query members of 'Local Administrators' group in all computers?

How to implement redundant with 1 CE router to 2 MPLS service providers

Dear all,
Our head-office are currently have 1 Cisco CPE 3825 router with 2 WAN connections to our branches. We are now using static routing protocol in our network infrastructure, we consider how to implement the redundancy for networks by the redundant circuits connection to 2 MPLS providers, only when the primary connection to the primary MPLS L3 provider fail, the backup link to the second MPLS Layer 2 provider automatically active. Anybody knows where can I find information, tips or examples, how we'd handle the routing for that?
We are now have:
1 G0/1 interface connect to primary MPLS L3 Provider (the 2nd G0/2 interface is a leased-line connection to our partner, and we not consider here)
1 HWIC (layer 2) card, with 4 ports, which has interface F0/2/3 connected to the backup MPLS Layer 2 provider.
Thanks in advance.
PS: Current configuration : 3727 bytes
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Router
boot-start-marker
boot system flash c3825-entservicesk9-mz.123-11.T7.bin
boot-end-marker
logging buffered 4096 debugging
logging monitor xml
no aaa new-model
ip subnet-zero
ip cef
no ftp-server write-enable
no spanning-tree vlan 4
no spanning-tree vlan 5
interface GigabitEthernet0/1
description connect to VDC MPLS$ETH-WAN$
mtu 1480
ip address 222.x.x.66 255.255.255.252
ip flow ingress
ip flow egress
service-policy output SDM-QoS-Policy-1
ip route-cache flow
duplex auto
speed auto
media-type rj45
fair-queue 64 256 256
no cdp enable
interface FastEthernet0/2/0
switchport access vlan 2
no cdp enable
interface FastEthernet0/2/3
description ToTBToverFPT
switchport access vlan 5
no cdp enable
interface Vlan2
description CONNECT TO MPLS_VDC
ip address 192.168.201.9 255.255.248.0
interface Vlan5
description Connect to HoChiMinhCity
ip address 172.16.1.5 255.255.255.252
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 172.16.244.0 255.255.255.0 222.255.33.65
ip route 192.168.0.0 255.255.248.0 222.255.33.65
ip route 192.168.24.0 255.255.254.0 222.255.33.65
ip route 192.168.30.0 255.255.254.0 222.255.33.65
ip route 192.168.32.0 255.255.254.0 222.255.33.65
ip route 222.x.x.68 255.255.255.252 222.255.33.65
ip route 222.255.33.72 255.255.255.252 222.255.33.65
ip route 222.x.x.196 255.255.255.252 222.255.33.65
ip route 222.x.x.200 255.255.255.252 222.255.33.65
ip http server
ip http authentication local
no ip http secure-server
ip http max-connections 3
control-plane
line con 0
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password
login
transport input telnet
line vty 5 14
privilege level 15
password
login
transport input telnet
line vty 15
privilege level 15
password
login
transport input telnet
parser view SDM_Monitor
scheduler allocate 20000 1000
end

Hi Mr jianqu,
Because of our customer now has 2 main central offices, and all other sub branches are now connected to each of these main central office via one primary full-meshed MPLS VPN of 1st Service Provider, so If I use the float static routes, and when there is a failure at one link at a CENTRAL CE Router to primary link to primary MPLS VPN Service Provider, but still there is no failure at the other site from a router CE sub branch with the the PE of the primary full-meshed MPLS VPN Layer 3 Service Provider,so It cannot cause a failover to a second redundant link of the 2nd Service Provider?
So with our system, do we only have one solution like this:
-Configure BGP as the routing protocol between the CE and the PE routers.
-Use local preference and Multi Exit Discriminator (MED) when running BGP inside a our customer VPN to select the primary and backup links.
-Use AS-override feature to support overlapping AS numbers between customer sites

Adding password policies to historical instance.

Hi,
Newbie here - just inherited management of our LDAP systems so please be patient.
We've got a directory instance that has been multiply upgraded. Originally it was based on OpenLDAP then SUN DS5, through DS6 and now DS7.
We have a requirement to add password policies to a subgroup within the repository which I believe I have done but it doesn't seem to work.
So far, taken server from DS5 compat mode to DS6-mode, created password policy via admin interface and applied it to relevant group. Features of the policy are password lifetime, 3 incorrect login attempts, password dictionary etc etc.
Problem: test user tries to log in. After 3 failures there is no lockout. User can fail login any number of times then a correct attempt will work.
The custom policy is set to override the global policy for the affected group.
The question is why is the policy not being followed?
I'm concerned there may be some historical feature of the schema which is preventing the policy from functioning. If this is the case ( and how would I find out if this is so) what might be done about it?
Regards

Hello,
sunPwdPolicy objectclass contains Sun specific extension and derive from the standard password policy objectclass defined in passwordPolicy,
so in general, password policy entries contain both objectclasses as long as you start using Sun extensions
( 1.3.6.1.4.1.42.2.27.9.2.119
NAME 'sunPwdPolicy'
DESC 'Sun Directory Server Password Policy objectclass'
SUP pwdPolicy
AUXILIARY
MUST ( cn )
MAY ( description $
passwordRootdnMayBypassModsChecks $
passwordStorageScheme $
passwordExpireWithoutWarning $
pwdIsLockoutPrioritized $
pwdKeepLastAuthTime )
X-DS-USE 'internal'
X-ORIGIN 'Sun Directory Server' )
( 1.3.6.1.4.1.42.2.27.8.2.1
NAME 'pwdPolicy'
DESC 'Password Policy objectclass'
SUP top
AUXILIARY
MUST ( pwdAttribute )
MAY ( pwdMinAge $
pwdMaxAge $
pwdInHistory $
pwdCheckQuality $
pwdMinLength $
pwdExpireWarning $
pwdGraceAuthNLimit $
pwdLockout $
pwdLockoutDuration $
pwdMaxFailure $
pwdFailureCountInterval $
pwdMustChange $
pwdAllowUserChange $
pwdSafeModify)
X-DS-USE 'internal'
X-ORIGIN 'Password Policy for LDAP Directories Internet Draft' )
-Sylvain

How to implement extra password policies

Similar Messages

Maybe you are looking for