Password Policy Directory 6.2

Similar Messages

• Sun Directory Server Password Policy Problems

  Hi,
  I am using Sun Directory Server and Sun AM (2005Q1).
  We are using SUN DS to configure the password policy to expire user passwords after 30 days.
  Also, the warning has been set to "one day before expiry". However, when the warning IS displayed to the user and the user changes his/her password on display of the warning, even though the user's password expiration timestamp attribute contains a new timestamp (which is 30 days hence the date of change), on next login user is AGAIN thrown the warning that his/her password will expire in "HH hours: MM mins".
  I do not understand what needs to be done to fix this. Any help would be appreciated.

  How is the user authenticated ? Through Access Manager or directly to the Directory Server ?
  Access Manager can be configured to handle Password expiration, and so can Directory Server. I would advise you to check which system is actually throwing the warning.
  Regards,
  Ludovic

• Please help me to change the password policy in Sun Directory Server 6.0

  Hi,
  Please help me to change the password policy in Sun Directory Server 6.0

  What are you trying to accomplish? Have you at least read the manual?
  http://docs.oracle.com/cd/E19693-01/819-0995/fhkrj/index.html
  As reported in earlier threads on this forum, DSEE 6.0 IS NOT a release you should use in your production environment, specially if you're starting new projects; consider moving at least to the latest 6.x release which is 6.3.1.1.1
  thanks,
  Marco

• Password Policy on Directory Server 11.1.1.7.2

  Hi,
  I'm trying to set up a password policy with DS 11.1.1.7.2 but it doesn't seem to be getting applied to the users. I went through the DSCC gui and created a new policy that is supposed to remember the last 3 passwords and also expire in a couple days just for test purposes. I then set the compatibility mode to Directory Server 6 and clicked on "Assign Policy" and selected ou=people,o=xxxxxx,o=isp where my test accounts are.
  I've then tried using ldapmodify using the credentials to the accounts who's passwords I'm changing and it allows me to reuse the same passwords. I saw something about using a virtual attribute for assigning users to a policy. Is that required also?
  dn: cn=TestPWpolicy1,o=xxxxxxx,o=isp
  cn: TestPWpolicy1
  objectclass: sunPwdPolicy
  objectclass: pwdPolicy
  objectclass: ldapsubentry
  objectclass: top
  passwordrootdnmaybypassmodschecks: on
  passwordstoragescheme: CRYPT
  pwdallowuserchange: true
  pwdattribute: userPassword
  pwdcheckquality: 2
  pwdexpirewarning: 86400
  pwdinhistory: 3
  pwdmaxage: 172800
  pwdminage: 0
  pwdminlength: 2
  pwdmustchange: false
  createtimestamp: 20150302195541Z
  creatorsname: cn=admin,cn=administrators,cn=dscc
  entrydn: cn=testpwpolicy1,o=xxxxxxxx,o=isp
  entryid: 28
  hassubordinates: FALSE
  modifiersname: cn=admin,cn=administrators,cn=dscc
  modifytimestamp: 20150302195541Z
  nsuniqueid: 0a0ca681-c11611e4-800799c3-4c540d75
  numsubordinates: 0
  parentid: 2
  subschemasubentry: cn=schema
  Thanks for any help.

  Hello,
  A user entry references a custom password policy through the value of the operational attribute pwdPolicySubentry. When referenced by a user entry, a custom password policy overrides the default password policy for the instance.
  It is unclear to me whether you want to assign the new password policy to an individual account or to every user in ou=people,o=xxxx,o=isp.
  To assign a password policy to an individual account, just ddd the password policy DN to the values of the pwdPolicySubentry attribute of the user entry e.g.
  $ cat pwp.ldif
  dn: uid=dmiller,ou=people,o=xxxxxxx,o=isp
  changetype: modify
  add: pwdPolicySubentry
  pwdPolicySubentry: cn=TestPWpolicy1,o=xxxxxxx,o=isp
  $ ldapmodify -D cn=directory\ manager -w - -f pwp.ldif
  Enter bind password:
  modifying entry uid=dmiller,ou=people,o=xxxxxxx,o=isp
  $ ldapsearch -D cn=directory\ manager -w - -b dc=xxxxxxx,o=isp \
  "(uid=dmiller)" pwdPolicySubentry
  Enter bind password:
  version: 1
  dn: uid=dmiller, ou=People, o=xxxxxxx,o=isp
  pwdPolicySubentry: cn=TestPWpolicy1,o=xxxxxxx,o=isp
  $
  See Directory Server Password Policy - 11g Release 1 (11.1.1.7.0)
  You can also assign a password policy to a set of users using cos/roles virtual attributes as described in section 8.3.4 at Directory Server Password Policy - 11g Release 1 (11.1.1.7.0)
  -Sylvain
  Please mark the response as helpful or correct when appropriate to make it easier for others to find it

• Mac OS X 10.5 Clients - Active Directory Login - Password Policy

  Hi,
  I wonder if anyone can help me or give me some pointers.
  I have a client who has a number of Mac OS X 10.5 Leopard clients who sign-in and authenticate with a Window's Active Directory server which has a password policy to prompt users to change their login password every 30 days.
  Today is the day they are required to change their login password and they do get message that says something like "0 days to change your password" but are not getting the subsequent dialogue box that allows them to change their password.
  Any ideas?

  OOPs, missed which one we were talking about, sorry.
  Does it boot to Single User Mode, CMD+s keys at bootup, if so try...
  /sbin/fsck -fy
  Repeat until it shows no errors fixed.
  (Space between fsck AND -fy important).
  Resolve startup issues and perform disk maintenance with Disk Utility and fsck...
  http://docs.info.apple.com/article.html?artnum=106214

• Questions on Password Policy

  Hi All,
  I have couple of questions on password policy behavior upon OAM-EBS integration.
  Currently "Applications SSO Auto Link User" options is set to "Disable" in my env.
  Please confirm if following is the right understanding.
  1.     Upon OAM-EBS integration, user whose EBS account is linked with OID cannot change their password from EBS console. EBS password policy (Password expiry etc) will be overridden by OID policy.
  2.     EBS user`s whose account is not linked with OID can change the password and EBS password policy will be applicable for that user.
  3.     To have the user use EBS password policy he must be unlinked by setting up USER_GUID attribute to null in FND_USER table.
  Thanks in advance.
  -Sam

  Sam,
  Your understanding is correct -- Please see these docs.
  Integrating Oracle E-Business Suite Release 11i with Oracle Internet Directory and Oracle Single Sign-On [ID 261914.1]
  USE: EBS Technology Stack OID and SSO [ID 1461466.2]
  How To Temporarily Stop User Synchronization From OID To FND User [ID 1120413.1]
  Troubleshooting Oracle Access Manager and Oracle E-Business Suite AccessGate [ID 1077460.1]
  Integrating Oracle E-Business Suite with Oracle Access Manager 10g using Oracle E-Business Suite AccessGate [ID 975182.1]
  Thanks,
  Hussein

• Migration Users with MD5 Passwords to Directory Server 6.1 on Solaris 10

  Hi,
  We are currently in a requirement of migrating some users to a application database to inside LDAP. Currently Application maintained the passwords in the MD5 hash form. Typical 32 digit Hex value - 41da76f0fc3ec62a6939e634bfb6a342
  Is there a way we can migrate these Users password to directory Server as-is so that they don't end up facing the prospect of resetting post migration.
  I have done some of the initial ground work but seems to be missing other critical info if at all it's possible.
  I believe it's possible to have CRYPT password policy (which directory server uses from underlying OS) as one of the plug-ins to configure in a way that underlying CRYPT utility starts to process/provide/support MD5 hashes. I got it to work, my using the below command on DSEE instance:
  dsconf set-plugin-prop -p 389 CRYPT argument:'$md5$'
  But for some reasons the MD5 hash (Sun MD5 library) provides does not match with the original hash value. It's 22 char long (as I have not specified any salt length) so I am assuming it's Base64 encoded. I have a perl script which converts the original 32-digit hex values to a base64 encoded representation (which I have also verified with other open source tools)
  Is there a way I can tweak CRYPT utility or something so that it understands typical standard MD5 hashes. (Confused between Sun MD5 and BSD (Linux) MD5 - none of them seems to match standard MD5 generated value).
  Any leads on this would be really helpful ?

  Just to reclarify or throw more information:
  a password - cleartext value - testuser1 has 32-digit HEX value as - 41da76f0fc3ec62a6939e634bfb6a342
  Same password when converted to Base64 pattern becomes - Qdp28Pw+xippOeY0v7ajQg==
  But when I use pwdhash utility in DSE after configuring CRYPT to use MD5 hashes it becomes -
  {crypt}$md5$$LiB/H70zXr3xfQPoXVuUQ1
  I used below command :
  pwdhash -D /opt/SUNWdsee/dsee6/ds6/slapd-oha-dev -s CRYPT testuser1
  Actual hash value of pwdhash is -LiB/H70zXr3xfQPoXVuUQ1 with rest of the prefix is to meet RFC standard and salt and algo name separator.
  I am wondering if Sun MD5 default uses any salt even when I haven't used or DS does it. Or if any other MD5 option is there which can be used.
  Thanks,
  Gaurav

• Password Policy not functioning correctly

  Here's my situation, and I hope it is something obviously easy that I missed.
  Mac Mini Server with 10.9.3 running Server 3.1.2
  I have set up Open Directory, and Enabled File sharing in the inital steps to setting up this server. It will be used in a small school environment.
  The staff/teacher's passwords I have already set, and then for students, we set a generic password, and have it set that the student will change their password to whatever they want the first time the try to access the server for file sharing.
  I have set up a number of local network users already, and I am testing the student password reset function.
  My Issue:
  Every time I try to change the password at the first time prompt, I am told "Your password does not meet the policy enforced by the server "10.0.0.87". Please try again. "
  I have the global password policy set with only the "differ from account name" check box enabled, and none others. Even so, every single password I try to use is denied.
  Any help is appreciated.

  Users are using Adobe Reader to open the PDF form
  With Best Regards
  George Flowers

• Password policy not used by WebGate after upgrade (6.1 - 10g)

  Hello,
  Recently, we upgrade our environment from Oblix Netpoint 6.1 to Oracle Access Manager 10g (10.1.4.0.1)
  Together with this update we also upgraded the WebGates that are running on the machines that have OAM 10g installed. We did not perform an upgrade on the WebGates that are running on other web servers. These are still running with the old version.
  The problem we have now is that it seems that our upgraded WebGates don't respect our Password policy. The earlier versions of our WebGate still respect our policy.
  Machine A has OAM 10g installed with an upgraded WebGate (WebGate A). This machine also runs an IIS web server (web server A) which is connected to the WebGate on that machine. The WebGate is configured with OAM 10g on that same machine.
  On web server A, there is a protected website.
  Our password policy is defined as follow:
  -number of login tries allowed: 5
  -lockout duration: 20000000 hours
  -login tries reset: 200 days
  I now try to access my protected website on web server A with User1. Every time I enter a wrong password.
  When I verify this in our Active Directory, I can see that the value of oblogintrycount for User1 increments until 5. When oblogintrycount equals 5, the attribute oblockouttime is added to the profile of User1.
  My user is now supposed to be locked but when I try to login one more time, the value of oblogintrycount is 1 again and the attribute oblockouttime is gone. My user is unlocked again.
  I repeat the same test on web server B that is installed on a different machine. This machine has an earlier version of WebGate installed. This WebGate B is configured with the same OAM 10g as WebGate A.
  I can see in the Active Directory that the value of oblogintrycount for User1 is incremented until it equals 5. At this point, the oblockouttime attribute is added to the profile of User1.
  I see now in my browser a message that my user is locked. When I try to login one more time, my user stays locked.
  Has anyone an idea how this problem can be solved or how this can happen?
  Kind regards,
  Lennaart

  This is just a trial and error suggestion may not actually solve the problem.
  Can you check configuration changes that one has to make with upgraded web gates. That configuration may not be correct and hence you might be getting this problem.
  -Kiran Thakkar

• Best way to force password policy on users within 1-2 weeks?

  We have a Server 2008 R2 domain.
  I'd read that the password policy in GPO is only available for Computer Configuration, not User Configuration? Is that correct? 
  If so, that's not very flexible and will make things trickier for us.  
  And regarding enforcing a password policy with a GPO on our local domain, do you know of a way to force users to change their passwords within say 1 week?    (the only options I know of are on the AD User account properties check a box "User
  must change password at next logon" (then you'd have to force them to log out) OR relying on AD's internal formula:
  webactivedirectory.com/.../how-active-directory-calculates-account-password-expiration-dates .  The problem I see with the latter is if your user hasn't changed their pw for a year you'd have to wait a year+how many days you set for max password
  age?
  spnewbie

  To add, the password policy is applied at the domain level and only works at the domain level. It's not the fact that it's at the "Computer Level" or "User Level" or not, it's the fact that it's only set at the domain level.
  Account policies (Password, Lockout and Kerb), are all under the Computer Config because it forces it to apply to all user accounts that access all machines.
  If you tried to create a password policy at any other level (any OU), it won't work. The only option is to use PSOs, as Mahdi pointed out.
  As for that Spiceworks thread, I would suggest to post a question about a specific product to the product vendor's support forum for accurate responses.
  Here's an excerpt from MOC 6425C Configuring and Troubleshooting Windows Server 2008 Active Directory, page 10-8 (and this applies to all versions of AD):
  Active Directory supports one set of password and lockout policies for a domain. These policies are configured in a GPO that is scoped to the domain. A new domain contains a GPO called the Default Domain Policy that is linked to the domain and that includes
  the default policy settings for password, account lockout, and Kerberos policies. You can change the settings by editing the Default Domain Policy GPO.
  The best practice is to edit the Default Domain Policy GPO to specify the password policy settings for your organization. You should also use the Default Domain Policy GPO to specify account lockout policies and Kerberos policies. Do not use the Default
  Domain Policy GPO to deploy any other custom policy settings. In other words, the Default Domain Policy GPO only defines the password, account lockout, and Kerberos policies for the domain. Additionally, do not define password, account lockout, or Kerberos
  policies for the domain in any other GPO.
  The password settings configured in the Default Domain Policy affect all user accounts in the domain. The settings can be overridden, however, by the password-related properties of the individual user accounts. On the Account tab of a user's Properties dialog
  box, you can specify settings such as Password Never Expires or Store Passwords Using Reversible Encryption. For example, if five users have an application that requires direct access to their passwords, you can configure the accounts for those users to store
  their passwords by using reversible encryption.
  Ace Fekay
  MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP - Directory Services
  Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
  This posting is provided AS-IS with no warranties or guarantees and confers no rights.

• AD Reconciliation - Password Policy Error

  all,
  I am trying to run AD User Trusted recon. I am getting the following error for each user in AD.. I don't remember seeing this before on this system before and i have run recon successfully in the past. Is there any suggestion how to to go about debugging and fixing this issue?
  <Jan 3, 2012 12:44:24 PM EST> <Error> <oracle.iam.platform.entitymgr.provider.ldap> <IAM-0042002> <An error occurred while creating the entity in LDAP, and the corresponding error is - javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - LDAP Error 21 : [LDAP: error code 19 - Password Policy Error :9004: GSL_PWDNUMERIC_EXCP :Your Password must contain at least 1 numeric characters.
  ]]; remaining name 'cn=luten,cn=users,dc=xxxx,dc=org'>
  thanks in advance,
  Prasad

  I doubt if you can do it now. I haven't worked on LDAPSync to tell you more, but the way I see it is that LDAPSync works with event handlers and since the users are already in, the ldap create event handlers might not trigger. Can you try just by modifying a user which is in OIM and not in LDAP and see if that creates the user in LDAP? If that works, then a simple program to do some dummy update on the user would work for you, if not that you will have to delete all those bad users and rerun the trusted recon by setting the XL.Reuseid = true. Be sure to drop the index on user table for re-using the userlogin.
  -Bikash

• Any issue and/or advice with activation of global password policy (10.9 osx server) ?

  Hi Pro,
  I have an OD domain (10.9.1 server) with 20 users mobile account (10.9.1 osx) authentification, I’d like to enable a global password policy, and I'm curious what actually happens when I add some policy in Server Admin > Open Directory > gear > edit global password policy?
  If I set a "reset every 45 days" option, is that from the time the policy is enabled, or from the time the user account was created?
  Any issue with Keychain ?
  If I set a "must have one letter" or "numeric character", etc...and the user doesn't currently have a password that matches this criteria, will they be forced to set a new password immediately, or the next time one is initiated, did the account will be disable?
  I just trying to prevent any bad experience for the users.
  Thanks

  Hi,
  The 45 days will start from the moment you enable that setting for all active users, and will start whenever you create a new OD user.
  There won't be any issues with Keychain, it will updated when a new password is set. On that specific day when they login or restart, they need to choose a new password. Keychain will update automatically.
  The new policy will start working after the 45 days have been set. After 45 days that policy will be enforced, not before, users can continue to work with a less secure password. About 10 days before that deadline or earlier they will get an option in their login screen to renew their password because it will inform them it will expire soon.
  You might want to notify all users of a new password policy when you set it and then inform them again about a week before it will expire. That will ensure a smooth transition...
  Goodluck!
  Jeffrey

• Why 2 PwdPolicyEntry under Password Policy Managerment in ODM

  Hi Gurus,
  I am not sure which one I should update to set the password policies. I see 2 PwdPolicyEntry under Password Policy Management when I login to Oracle Directory Manager. Please post a reply if you have some info about the 2 PwdPolicyEntry options.
  Thanks
  Raj
  -----------

  One seems to be for the top level dit, the other for the orgasation subtree (i.e. the cn=your,dc=company, dc=co,dc=uk bit of the dit)

• New users with Global Password Policy requiring password "reset on first user login" are still prompted to reset password after entering incorrect password

  The setup:
  We have the option "Password must: be reset on first user login" enabled in the Global Password Policy on our 10.9 / Mavericks server. We import new user accounts into Open Directory via a delimited text file and include a default password for each user.
  What I've observed and tested:
  When a user attempts to log into a computer that's bound to our Open Directory for the first time, they can enter anything in the password field and still receive the prompt to reset their password. They are never notified that they entered their default password incorrectly. The password reset will then fail (as it should), but they still aren't notified that this is the reason for the password reset failure. To put it another way: Seeing the prompt to reset your password would reasonably imply that you entered the default password correctly, but that's not the case at all.
  The question:
  Is this expected behavior? If it is, it doesn't seem logical. If this was the case in OS X Server 10.3 through 10.7 I never noticed it. Can anyone corroborate this with their own setup? Thanks in advance.
  -- Steve

  Some follow up questions:
  - How did you migrate (dsmig ldif or binary import)
  - Did the accounts in .x have any custom password policies set?
  For a "new" and a migrated entry, can you check if a passwordpolicysubentry is configured?
  (search as directory manager and fetch the attribute)

• Password policy support RedHat openldap client

  I am using Directory Server 5.2 patch4 for a naming service for about 250 servers which are mostly Solaris 8 & 9 clients. But I also have some RedHat 2.1, 3.0, 4.0, HP-UX 11, and AIX 5 clients. Does anyone know if and how I can use the password policy I have created in the Directory Server to work with non-solaris clients?
  Mike

  I believe that most of pam_ldap modules on these machines understand the Sun DS password policy controls.