Password policy through roles

Similar Messages

• Password Policy on Directory Server 11.1.1.7.2

  Hi,
  I'm trying to set up a password policy with DS 11.1.1.7.2 but it doesn't seem to be getting applied to the users. I went through the DSCC gui and created a new policy that is supposed to remember the last 3 passwords and also expire in a couple days just for test purposes. I then set the compatibility mode to Directory Server 6 and clicked on "Assign Policy" and selected ou=people,o=xxxxxx,o=isp where my test accounts are.
  I've then tried using ldapmodify using the credentials to the accounts who's passwords I'm changing and it allows me to reuse the same passwords. I saw something about using a virtual attribute for assigning users to a policy. Is that required also?
  dn: cn=TestPWpolicy1,o=xxxxxxx,o=isp
  cn: TestPWpolicy1
  objectclass: sunPwdPolicy
  objectclass: pwdPolicy
  objectclass: ldapsubentry
  objectclass: top
  passwordrootdnmaybypassmodschecks: on
  passwordstoragescheme: CRYPT
  pwdallowuserchange: true
  pwdattribute: userPassword
  pwdcheckquality: 2
  pwdexpirewarning: 86400
  pwdinhistory: 3
  pwdmaxage: 172800
  pwdminage: 0
  pwdminlength: 2
  pwdmustchange: false
  createtimestamp: 20150302195541Z
  creatorsname: cn=admin,cn=administrators,cn=dscc
  entrydn: cn=testpwpolicy1,o=xxxxxxxx,o=isp
  entryid: 28
  hassubordinates: FALSE
  modifiersname: cn=admin,cn=administrators,cn=dscc
  modifytimestamp: 20150302195541Z
  nsuniqueid: 0a0ca681-c11611e4-800799c3-4c540d75
  numsubordinates: 0
  parentid: 2
  subschemasubentry: cn=schema
  Thanks for any help.

  Hello,
  A user entry references a custom password policy through the value of the operational attribute pwdPolicySubentry. When referenced by a user entry, a custom password policy overrides the default password policy for the instance.
  It is unclear to me whether you want to assign the new password policy to an individual account or to every user in ou=people,o=xxxx,o=isp.
  To assign a password policy to an individual account, just ddd the password policy DN to the values of the pwdPolicySubentry attribute of the user entry e.g.
  $ cat pwp.ldif
  dn: uid=dmiller,ou=people,o=xxxxxxx,o=isp
  changetype: modify
  add: pwdPolicySubentry
  pwdPolicySubentry: cn=TestPWpolicy1,o=xxxxxxx,o=isp
  $ ldapmodify -D cn=directory\ manager -w - -f pwp.ldif
  Enter bind password:
  modifying entry uid=dmiller,ou=people,o=xxxxxxx,o=isp
  $ ldapsearch -D cn=directory\ manager -w - -b dc=xxxxxxx,o=isp \
  "(uid=dmiller)" pwdPolicySubentry
  Enter bind password:
  version: 1
  dn: uid=dmiller, ou=People, o=xxxxxxx,o=isp
  pwdPolicySubentry: cn=TestPWpolicy1,o=xxxxxxx,o=isp
  $
  See Directory Server Password Policy - 11g Release 1 (11.1.1.7.0)
  You can also assign a password policy to a set of users using cos/roles virtual attributes as described in section 8.3.4 at Directory Server Password Policy - 11g Release 1 (11.1.1.7.0)
  -Sylvain
  Please mark the response as helpful or correct when appropriate to make it easier for others to find it

• Password policy not working fully through SPML

  We've come across a problem with password policy enforcement on IdM 6.0 where the "Number of Previous Passwords that Cannot be Reused" gets ignored. Consequently I can set the password back and forth between two values without error.
  If I attempt this through the IdM password interface, I get the message:
  {color:#ff0000}*Policy Violation (Password on Lighthouse User): New password cannot match any of the 4 previous passwords for this account.*
  {color}
  This is the response I am after through the SPML interface.
  Should this be supported? If it should be, where might I be going astray.
  The "Identity system account policy" set on the organisation I'm using is correctly configured to use the password policy as far as I can tell.
  Edited by: SuperDuperJavaSnooper on Aug 19, 2009 9:44 PM

  How do I go about reporting this as a bug of IdM 6.0?

• Implementing password policie using Role and CoS

  Hy all,
  I have created a directory with the following partial structure (Sun directory 5.2 patch 2):
  ou=people,o=accounts,c=an
  |----- cn=user1
  |----- cn=user2
  |----- cn=user3
  ou=services,o=accounts,c=an
  |---------cn=user4
  |---------cn=user5
  |---------cn=user6
  I want to assign different password policies based on the ou.
  I read within the admin guide that there is a way to do that through CoS and Role: http://docs.sun.com/source/817-7613/useracct.html#wp19625
  So I create following records:
  - Customized Password Policy Container:
  dn: cn=Customized Password Policy, c=an
  objectClass: top
  objectClass: nsContainer
  cn: Customized Password Policy
  - External User Customized Password Policy: (same as the global one)
  dn: cn=externalUserPwdPolicy, cn=Customized Password Policy, c=an
  objectClass: top
  objectClass: passwordPolicy
  cn: externalUserPwdPolicy
  passwordInHistory: 5
  passwordWarning: 432000
  passwordExpireWithoutWarning: on
  passwordRootdnMayBypassModsChecks: on
  passwordLockout: on
  passwordMaxFailure: 3
  passwordMaxAge: 5184000
  passwordCheckSyntax: off
  passwordResetFailureCount: 1200
  passwordMinLength: 8
  passwordStorageScheme: SHA
  passwordChange: on
  passwordMinAge: 86400
  passwordMustChange: off
  passwordUnlock: off
  passwordLockoutDuration: 3600
  passwordExp: on
  - Service Account Customized Password Policy: (same as the global one except that there is no expiration for password and the password minimum age is set to 2 days instead of one)
  dn: cn=serviceAccountPwdPolicy, cn=Customized Password Policy, c=an
  objectClass: top
  objectClass: passwordPolicy
  cn: serviceAccountPwdPolicy
  passwordInHistory: 5
  passwordWarning: 432000
  passwordExpireWithoutWarning: on
  passwordRootdnMayBypassModsChecks: on
  passwordLockout: on
  passwordMaxFailure: 3
  passwordMaxAge: 5184000
  passwordCheckSyntax: off
  passwordResetFailureCount: 1200
  passwordMinLength: 8
  passwordStorageScheme: SHA
  passwordChange: on
  passwordMinAge: 172800
  passwordMustChange: off
  passwordUnlock: off
  passwordLockoutDuration: 3600
  passwordExp: off
  - External User Role:
  dn: cn=externalUserRole,c=an
  objectclass: top
  objectclass: LDAPsubentry
  objectclass: nsRoleDefinition
  objectclass: nsComplexRoleDefinition
  objectclass: nsFilteredRoleDefinition
  cn: externalUserRole
  nsRoleFilter: (&(entrydn=*o=accounts*)(entrydn=*ou=people*))
  Description: Filtered role for external users
  - Service Account Role
  dn: cn=serviceAccountRole,c=an
  objectclass: top
  objectclass: LDAPsubentry
  objectclass: nsRoleDefinition
  objectclass: nsComplexRoleDefinition
  objectclass: nsFilteredRoleDefinition
  cn: externalUserRole
  nsRoleFilter: (&(entrydn=*o=accounts*)(entrydn=*ou=services*))
  Description: Filtered role for external services account
  - Template Container for Customized Password Policy:
  dn: cn=pwdPolTemplateContainer, c=an
  objectClass: top
  objectClass: nscontainer
  - Class of Service (CoS) Definition for password policy:
  dn: cn=PwdPol_CoSDefinition, c=an
  objectClass: top
  objectClass: LDAPsubentry
  objectClass: cosSuperDefinition
  objectClass: cosClassicDefinition
  cn: PwdPol_CoSDefinition
  cosAttribute: passwordPolicySubentry operational
  cosTemplateDn: cn=pwdPolTemplateContainer, c=an
  cosSpecifier: nsRole
  - Class of Service (CoS) Template for ExternalUserRole:
  dn: cn="cn=externalUserRole, c=an", cn=PwdPolTemplateContainer, c=an
  objectClass: top
  objectClass: extensibleObject
  objectClass: costemplate
  objectClass: LDAPsubentry
  cosPriority: 2
  passwordPolicySubentry: cn=externalUserPwdPolicy, cn=Customized Password Policy, c=an
  - Class of Service (CoS) Template for ServiceAccountRole:
  dn: cn="cn=serviceAccountRole, c=an", cn=PwdPolTemplateContainer, c=an
  objectClass: top
  objectClass: extensibleObject
  objectClass: costemplate
  objectClass: LDAPsubentry
  cosPriority: 2
  passwordPolicySubentry: cn=serviceAccountPwdPolicy, cn=Customized Password Policy, c=an
  - The thing is that it does not to work: if I disable the global password policy, I can set a 3 caracters password even if I specified in the sub password policy that passwordminlengnt is equal to 8 caracters.
  Many thanks in advance for your help.
  Gregoire

  Hmm,
  Pretty cool.
  I just finished doing it the hard-way when I saw your post :(.
  I tried it anyways, and it did all the work that I had done by hand in the previous try. Which was ...
  1) Creating the filtered role (same in both approaches).
  2) Creating a Container for COS Templates.
  3) Creating a COS Template with a dn having a cn string of the full dn to the role in 1) above. Had to use generic entry editor to add all the additional attributes as below ...
  dn: cn="cn=TempFilter,ou=people,dc=example,dc=com",
  �cn=PolTempl,dc=example,dc=com
  objectclass: top
  objectclass: extensibleObject
  objectclass: LDAPsubentry
  objectclass: costemplate
  cosPriority: 1
  passwordPolicySubentry: cn=TempPolicy,dc=example,dc=com
  (started with a new costemplate and the added all the above attributes, also involved things like changing the naming attribute - the dn - from cosPriority to the one cn as shown above)
  4) Creatiing a COS with ...
  4.1) passwordpolicysubenty as a generated attribute that is overriding and operation (this is picked from the matched CoS template)
  4.2) Use the template container's dn from 2) above for the TemplateDN value.
  4.3) Use nsrole of the target enty to narrow down to the COS template as in 3) above. I.E. "template"->"attribute name" value is set to "nsRole"
  (So when a user's nsrole maps to a cn value of an entry under the TemplateDN subtree. That template applies.)

• How to ignore the password policy in a custom workflow?

  Hi,
  We have a custom workflow which is called via SPML to provide 'Administrator Change Password' functionality in a portal.
  Our password policy sets the String Quality rules and Number of Previous Passwords that Cannot be Reused. But we like to bypass the password policy when the password administrators (who have a admin role with a capability - 'Change Password Administrator'). At least, restriction ' Number of Previous Passwords that Cannot be Reused' need to be ignored (But password need to be added to the history... cannot disable adding passwords to history).
  Please advice me how it could be achieved?
  The workflow steps:
  1. Checkout 'ChangeUserPassword' view for the user as an administrator
  2. Set the new password in the view, set true to view.savePasswordHistory
  3. Set password on the resources
  4.Checkin the view
  Thanks
  Siva

  Thanks eTech.
  My main goal is to skip the password history check (new password can't be a last used 10 passwords) when admin change password workflow is launched. As you suggested , I created a special password policy exactly as our regular password policy excluding "Number of Previous Passwords that Cannot be Reused" setting.
  Then before change the password of a user as admin, special policy is attached , password changed, and user's password policy is reverted back to regular one. The issue is, as the special policy does not enforce the password history check, the whole password history of the user is wiped out from the user object when the password is changed by admin change password workflow. We don't want this to happen.
  Please guide me whether is anyway to achieve just ignoring the password history without any other impact on user.
  Is adding passwords to user object's password history list is triggered by "Number of Previous Passwords that Cannot be Reused" setting of the password policy??
  Thanks
  Siva

• How to search for password policy

  Hello,
  Using DS 5.2:
  I've created a test policy, dn: cn=Test Policy,ou=People, o=xxx, o=isp. I can apply the policy, I can see the policy in my backup ldifs, but I can't figure out how to search for and display it (and eventually, delete it) either from the command line using ldapsearch or form within the admin gui. Any help?

  What I would like to do is query my 8i instance for the current password policy
  Can anyone provide a query to retrieve this info?connect as sys
  in Oracle 8i and issue the command;
  select object_name,object_type from all_objects where object_name like '%PASS%';
  and
  select object_name,object_type from all_objects where object_name like '%POLICY%';
  I think , i'm not sure these policies would be transfered to 10g through migration except -if any- some of them are obsolete to 10g!!!!!
  Regards,
  Simon

• 802.1x, IP Phones, MAB and AD password policy

  I am currently working on an 802.1x pilot. I have successfully deployed certificates for PCs and users and I'm able to assign VLAN etc in a reliable fashion.
  I would like to enable MAC Authentication Bypass on the voice VLAN for IP phones. The problem is, when I create a user with the phones MAC address as a user name, or AD Domain policy does not allow the password to also be the mac address. Disabling this policy temporarily for adding these users is not a credible solution for us. I'd rather not use third party software that allows for diversity in AD password policy.
  I've seen it implied that the switch (3560 in my case) can be configured to send the Radius secret rather than the device MAC address as the device's password, is this true? If so, how?
  Thanks!

  With MAC-Auth-Bypass, the end station (phone in your case) doesn't interact with the auth method at all. The switch authenticates the MAC after being learned by the switch on behalf of the end-station.
  This is a limitation in Windows Server today. This can be controlled through a GPO in Server 2008. Another option(s) is to store the "phone user accounts" directly on the AAA server or another database that allows the ability for this.
  Also, to authenticate a phone at all, and to support PCs, you need to configure Multi-Domain-Authentication (MDA) on the 3560. See here:
  <http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml#MDA>
  Hope this helps,

• Using class of service to manage password policy

  We implemented password policy on our old DS across the board, which entailed finding all of the special administrative accounts used by software and setting an expiration date at the end of the epoch. I was wondering if a smarter way to do this is to create a class of service template for normal and special accounts and tie those into our user accounts. Has anyone done this?
  Thanks.

  Sun DS 5.2 supposedly has support for the latest LDAP password policy internet draft which allows you to explicitly setup password policy on a subtree or user basis. It uses roles and class of service under the covers. I would use that instead of rolling your own.

• Sun Directory Server Password Policy Problems

  Hi,
  I am using Sun Directory Server and Sun AM (2005Q1).
  We are using SUN DS to configure the password policy to expire user passwords after 30 days.
  Also, the warning has been set to "one day before expiry". However, when the warning IS displayed to the user and the user changes his/her password on display of the warning, even though the user's password expiration timestamp attribute contains a new timestamp (which is 30 days hence the date of change), on next login user is AGAIN thrown the warning that his/her password will expire in "HH hours: MM mins".
  I do not understand what needs to be done to fix this. Any help would be appreciated.

  How is the user authenticated ? Through Access Manager or directly to the Directory Server ?
  Access Manager can be configured to handle Password expiration, and so can Directory Server. I would advise you to check which system is actually throwing the warning.
  Regards,
  Ludovic

• How to list current password policy

  Hello all,
  This is my first post here. I just finished the DBA Workshop 1 course and my company is migrating from 8i to 10g.
  Our primary DBA is on vacation and before he left asked me to look at the new 10g install he did in our test environment. I noticed on the OEM there were some policy violations and I'm using MetaLink and hopefully this forum to resolve them.
  What I would like to do is query my 8i instance for the current password policy and apply those to our test 10g instance. Can anyone provide a query to retrieve this info?
  Thanks,
  Bill

  What I would like to do is query my 8i instance for the current password policy
  Can anyone provide a query to retrieve this info?connect as sys
  in Oracle 8i and issue the command;
  select object_name,object_type from all_objects where object_name like '%PASS%';
  and
  select object_name,object_type from all_objects where object_name like '%POLICY%';
  I think , i'm not sure these policies would be transfered to 10g through migration except -if any- some of them are obsolete to 10g!!!!!
  Regards,
  Simon

• New users with Global Password Policy requiring password "reset on first user login" are still prompted to reset password after entering incorrect password

  The setup:
  We have the option "Password must: be reset on first user login" enabled in the Global Password Policy on our 10.9 / Mavericks server. We import new user accounts into Open Directory via a delimited text file and include a default password for each user.
  What I've observed and tested:
  When a user attempts to log into a computer that's bound to our Open Directory for the first time, they can enter anything in the password field and still receive the prompt to reset their password. They are never notified that they entered their default password incorrectly. The password reset will then fail (as it should), but they still aren't notified that this is the reason for the password reset failure. To put it another way: Seeing the prompt to reset your password would reasonably imply that you entered the default password correctly, but that's not the case at all.
  The question:
  Is this expected behavior? If it is, it doesn't seem logical. If this was the case in OS X Server 10.3 through 10.7 I never noticed it. Can anyone corroborate this with their own setup? Thanks in advance.
  -- Steve

  Some follow up questions:
  - How did you migrate (dsmig ldif or binary import)
  - Did the accounts in .x have any custom password policies set?
  For a "new" and a migrated entry, can you check if a passwordpolicysubentry is configured?
  (search as directory manager and fetch the attribute)

• Unable to set Password Policy controls

  When I call oracle.ldap.util.User.autheticateUser() I receive the exception "Unable to set Password Policy controls". What is the cause of this error? I was not able to find anything useful through google searches.
  I am running everything inside ServiceMix. Furthermore, I am able to create a context and retrieve properties through oracle.ldap.util.User.getProperties().
  Here is the stack trace:
  my.company.Exception.AuthenticationException: Unable to set Password Policy controls
  at my.company.OracleLdap.authenticateClient(OracleLdap.java:171)
  at service.AuthenticationInInterceptor.isAuthenticated(AuthenticationInInterceptor.java:55)
  at service.AuthenticationInInterceptor.handleMessage(AuthenticationInInterceptor.java:32)
  at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:243)
  at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:111)
  at org.apache.cxf.transport.http_osgi.OsgiDestination.doMessage(OsgiDestination.java:80)
  at org.apache.cxf.transport.http_osgi.OsgiServletController.invokeDestination(OsgiServletController.java:321)
  at org.apache.cxf.transport.http_osgi.OsgiServletController.invoke(OsgiServletController.java:107)
  at org.apache.cxf.transport.http_osgi.OsgiServlet.invoke(OsgiServlet.java:53)
  at org.apache.cxf.transport.http_osgi.SpringOsgiServlet.invoke(SpringOsgiServlet.java:48)
  at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:179)
  at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:103)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:713)
  at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:159)
  at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511)
  at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:401)
  at org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.handle(HttpServiceServletHandler.java:64)
  at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
  at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:766)
  at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.handle(HttpServiceContext.java:111)
  at org.ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:68)
  at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
  at org.mortbay.jetty.Server.handle(Server.java:326)
  at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542)
  at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:945)
  at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:756)
  at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:218)
  at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
  at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:410)
  at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)
  Caused by: oracle.ldap.util.UtilException: Unable to set Password Policy controls
  at oracle.ldap.util.User.authenticateUser(User.java:1243)
  at my.company.OracleLdap.authenticateClient(OracleLdap.java:158)
  ... 29 more
  Edited by: user1094798 on Feb 22, 2011 12:53 PM
  Edited by: user1094798 on Feb 22, 2011 12:55 PM
  Edited by: user1094798 on Feb 22, 2011 1:17 PM

  I fixed it by changing the way my InitialDirContext is created.
  Previously I was using:
  InitialDirContext ctx = oracle.ldap.util.jndi.ConnectionUtil.getDefaultDirCtx(hostname, portNum, adminName, adminPass);
  Now I'm using:
  Hashtable env = new HashTable();
  env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
  env.put(Context.PROVIDER_URL, "ldap://" + hostname + ":" + portNum);
  env.put(Context.SECURITY_PRINCIPAL, adminName);
  env.put(Context.SECURITY_CREDENTIALS, adminPass);
  InitialDirContext ctx = new InitialDirContext(env);
  Edited by: user1094798 on Feb 23, 2011 8:29 AM

• OAM Password policy not working.

  Hi All,
  I am configuring a password policy in OAM which enforces the user to reset his password at first login. OAM is using OID as user store and I have added oblix password related objectclasses to OAM schema. OIM is used to provision all users to OID. I have also enabled the Checkbox Change on Reset in password policy.
  I have also made certain attributes visible in OAM user manager such as obpasswordchageflag, oblastsuccesfullogin, oblastfaillogin etc.,
  Once the user is created in OID through OIM, the values for attributes obpasswordchageflag, oblastsuccesfullogin, oblastfaillogin are empty.
  Case1: obpasswordchangeflag attribute value is empty for user say oamtestuser. oamtestuser logs in to OAM protected application with default password provided in OIM. I could see the oblastsuccesfullogin attribute value updated in oamtestuser profile as expected. Similarly oblastfaillogin value also got updated for failed login as expected.
  Case2: obpasswordchangeflag set to true manually in user profile for oamtestuser. oamtestuser logs into OAM protected application with default password. Upon submit, user is redirected the change password page which prompts the user to enter current password and new password. Upon submit user will be shown another page with backup button. Upon clicking back button, user is asked to login to the application once again with new password. Upon submit, user is shown change password page again instead of logging to application with new password. I have noticed that obpasswordchangeflag attribute value is still set as true.
  Case3: After executing Case2, even after modifying the obpasschangeflag value to false or making empty, the attribute values of oblastsuccesfullogin and oblastfaillogin are not getting updated accordingly.
  Please let me know if you have any clue on this.
  This is really urgent. Would appreciate quick help.
  Thanks.
  Mahendra.

  HI Sagar,
  Thanks for the response.
  Another major update: When we tried creating user using OAM workflow, the obpasswordchangeflag got true value by default and password change functionality worked as expected. So it is obviously an issue with provisioning user through OIM. We manually created an attribute obpasswordchangeflag and provisioned a new user with value as true but still the user profile in OAM User Manager for attribute obpasswordchangeflag is empty. This means that there needs to be some mapping which we are missing i.e., an attribute in OIM has to be mapped correctly with OID attribute obpasswordchangeflag .
  So we are searching for this mapping stuff. Do you have any other opinion on this?
  Thanks
  Mahendra.

• Custom Password policy for ProxyAgent

  Solaris 10 Server Directory Server LDAP 6.3. Clients are Solaris 10.
  The clients use "proxyagent" user located in ou=profile. When I create a Global Password policy and apply to my top level dc, then this service account can "expire". I can't have my service accounts expiring...
  How do you create a custom filter with NO account lockout, expiration, etc? The DSCC wizard doesn't allow you to as the last step of the wizard must have a bug because even though you don't click the Lockout radio button, the webpage asks you to fill in a number for account lockout of 1 to 32768. Ugggh.
  Question 2: how do you apply a custom password policy to ALL of ou=people? I can do it one by one to dn's under the ou=people, but I want it on the parent so new users get the custom password policy. Everything I try, the Global Password Policy wins. (And can't seem to be done via the DSCC but rather through command line)
  Help.
  Thanks,
  Sean

  How do you create a custom filter with NO account lockout, expiration, etc?
  The DSCC wizard doesn't allow you to as the last step of the wizard must have
  a bug because even though you don't click the Lockout radio button, the
  webpage asks you to fill in a number for account lockout of 1 to 32768. Ugggh.Logged a new bug
  http://sunsolve.sun.com/search/document.do?assetkey=1-1-6787917-1
  The clients use "proxyagent" user located in ou=profile. When I create a Global Password
  policy and apply to my top level dc, then this service account can "expire". I can't have
  my service accounts expiring...Password policies have to be applied to individual accounts (manually or via CoS). So you
  may need to create a new password policy and assign it to the proxyagent user. Since DSCC
  does not seem to allow you to do that, best to munge it via the commandline (after specifying
  the lockout in dscc). Yes, it's ugly but a bug has been logged. Please contact Sun Support if
  you want a fix against 6.3 (quote the above bug number)

• OS X Server OD & Password Policy

  Here's a question for someone that has experience with OD, network accounts and password policy.
  All on 10.9 with the latest updates, there’s a Mac Mini OD Master offering DNS, File Sharing, Mail, Contacts, Calendar and another Mac Mini OD Replica. A total of 20 Macs binded to OD and using Network Accounts. Everything seems to be working fine but they have an OD Global Password Policy as follows:
  - Passwords must:
    - differ from account name
    - contain at least one letter
    - contain both uppercase and lowercase letters
    - contain at least one numeric character
    - contain at least 8 characters
    - differ from last 3 passwords used
    - be reset every 45 days
  Everything is relatively working fine except for the Password Policy because of the following:
    - Users are not getting any prompt about their password coming to expire
    - When the user’s password expires and since they are not getting any warning, users suddenly get no access to services
    - Some users are unable to successfully modify their password, they get prompted to change it and when entering the new password (when logging in through AFP), it shakes even though the new password complies with the Password Policy and the only way to get them logged in is by manually resetting the user’s password with the Server App.
  Ideas and suggestions are greatly appreciated.

  thx - solved.
  Just keep »identification« empty! :-o