20.4. Managing the Password Policy

A password policy minimizes the risks of using passwords by enforcing a certain level of security. For example, a password policy can define that:
  • Users must change their passwords according to a schedule.
  • Users must provide non-trivial passwords.
  • The password syntax must meet certain complexity requirements.

Warning

When using a password administrator account or the Directory Manager (root DN) to set a password, password policies are bypassed and not verified. Do not use these accounts for regular user password management. Use them only to perform password administration tasks that require bypassing the password policies.
Directory Server supports fine-grained password policy, so password policies can be applied to the entire directory (global password policy), a particular subtree (subtree-level or local password policy), or a particular user (user-level or local password policy).
The complete password policy applied to a user account is comprised of the following elements:
  • The type or level of password policy checks. This information indicates whether the server should check for and enforce a global password policy or local (subtree/user-level) password policies.
    Password policies work in an inverted pyramid, from general to specific. A global password policy is superseded by a subtree-level password policy, which is superseded by a user-level password policy. Only one password policy is enforced for the entry; password policies are not additive. This means that if a particular attribute is configured in the global or subtree-level policy, but not in the user-level password policy, the attribute is not used for the user when a login is attempted because the active, applied policy is the user-level policy.
  • Password add and modify information. The password information includes password syntax and password history details.
  • Bind information. The bind information includes the number of grace logins permitted, password aging attributes, and tracking bind failures.

Note

After establishing a password policy, user passwords can be protected from potential threats by configuring an account lockout policy. Account lockout protects against hackers who try to break into the directory by repeatedly guessing a user's password.

20.4.1. Configuring the Global Password Policy

By default, global password policy settings are disabled. This section provides some examples of how to configure a global password policy.

Note

After configuring the password policy, configure an account lockout policy. For details, see Section 20.9, “Configuring a Password-Based Account Lockout Policy”.

20.4.1.1. Configuring a Global Password Policy Using the Command Line

Use the dsconf utility to display and edit the global password policy settings:
  1. Display the current settings:
    # dsconf -D "cn=Directory Manager" ldap://server.example.com pwpolicy get
    Global Password Policy: cn=config
    ------------------------------------
    passwordstoragescheme: PBKDF2_SHA256
    passwordChange: on
    passwordMustChange: off
    passwordHistory: off
    passwordInHistory: 6
    ...
  2. Adjust the password policy settings. For example, to enable the password syntax check and set the minimum password length to 12 characters, enter:
    # dsconf -D "cn=Directory Manager" ldap://server.example.com pwpolicy set --pwdchecksyntax=on --pwdminlen=12
    The --pwdminlen option sets passwordMinLength, the minimum length of the password as a whole. Do not confuse it with --pwdmintokenlen, which sets passwordMinTokenLength: the shortest substring of the user's own attribute values (such as uid or cn) that the trivial-words check rejects inside a password. It does not limit the password length.
    For a full list of available settings, enter:
    # dsconf -D "cn=Directory Manager" ldap://server.example.com pwpolicy set --help
  3. Enable the checks that the policy should enforce. The global policy has no single on/off attribute; each group of settings has its own switch, such as --pwdchecksyntax=on for the syntax rules, --pwdexpire=on for password expiration, --pwdhistory=on for the password history, and --pwdlockout=on for account lockout (see Section 20.9, “Configuring a Password-Based Account Lockout Policy”). For example, to enable account lockout:
    # dsconf -D "cn=Directory Manager" ldap://server.example.com pwpolicy set --pwdlockout on
    Verify the result with pwpolicy get, and test enforcement by changing a password while bound as an ordinary user (for example, with ldappasswd). A test run as cn=Directory Manager proves nothing, because that account bypasses the password policy.

20.4.1.2. Configuring a Global Password Policy Using the Web Console

To configure a global password policy using the web console:
  1. Open the Directory Server user interface in the web console. See Section 1.4, “Logging Into Directory Server Using the Web Console”.
  2. Select the instance.
  3. Open the Database menu.
  4. In the Password Policies menu, select Global Policy.
  5. Set the global password policy settings. You can set parameters in the following categories:
    • General settings, such as the password storage scheme
    • Password expiration settings, such as the time when a password expires.
    • Account lockout settings, such as after how many failed login attempts an account should be locked.
    • Password syntax settings, such as the minimum password length.
    To display a tool tip and the corresponding attribute name in the cn=config entry for a parameter, hover the mouse cursor over the setting. For further details, see the parameter's description in the Red Hat Directory Server Configuration, Command, and File Reference.
  6. Click Save.

20.4.2. Using Local Password Policies

In contrast to a global password policy, which defines settings for the entire directory, a local password policy is a policy for a specific user or subtree.
Because policies are not additive, an entry covered by a local policy is checked only against the attributes that local policy sets: a subtree policy created only to expire passwords drops the global password syntax rules for every entry beneath it. When a fine-grained policy does not set the password syntax itself, it can inherit the syntax settings from the global policy if the nsslapd-pwpolicy-inherit-global parameter in cn=config is on:
# dsconf -D "cn=Directory Manager" ldap://server.example.com pwpolicy set --pwpinheritglobal on
Inheritance takes effect only when all three conditions hold: nsslapd-pwpolicy-inherit-global is on, passwordCheckSyntax is off in the local policy, and passwordCheckSyntax is on in the global policy. The local policy then inherits the following attributes from the global policy:
  • passwordchecksyntax
  • passwordminlength
  • passwordmindigits
  • passwordminalphas
  • passwordminuppers
  • passwordminlowers
  • passwordminspecials
  • passwordmin8bit
  • passwordmaxrepeats
  • passwordmincategories
  • passwordmintokenlength
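
The precedence rules from the start of this section (one policy per entry, never additive) and the inheritance conditions just listed, modelled in Python as an added example; this is not code from the Red Hat documentation or from Directory Server. It uses the attribute names given in this section and in the pwpolicy get output; PolicyStore, effective_policy, check_password and demo are names chosen here, the policy values in demo() are constructed sample data, and treating the nearest ancestor that has a subtree policy as the winner is the model's own assumption, since the section does not describe nested subtree policies.

```python
"""Which password policy applies to a bind, and what that policy then checks.

Added example, not Directory Server or lib389 code. It models the rules in this
section: one policy per entry (user-level, else subtree-level, else global),
nothing merged across levels, and syntax inheritance only under the
nsslapd-pwpolicy-inherit-global conditions. Values in demo() are constructed.
"""
from dataclasses import dataclass, field

# The attributes this section lists as inheritable from the global policy.
INHERITABLE_SYNTAX_ATTRS = (
    "passwordchecksyntax", "passwordminlength", "passwordmindigits",
    "passwordminalphas", "passwordminuppers", "passwordminlowers",
    "passwordminspecials", "passwordmin8bit", "passwordmaxrepeats",
    "passwordmincategories", "passwordmintokenlength",
)

@dataclass
class PolicyStore:
    """Stand-in for cn=config plus the local policy entries (constructed data)."""
    global_policy: dict
    subtree_policies: dict = field(default_factory=dict)  # subtree DN -> attrs
    user_policies: dict = field(default_factory=dict)     # user DN -> attrs
    pwpolicy_local: bool = True      # nsslapd-pwpolicy-local
    inherit_global: bool = False     # nsslapd-pwpolicy-inherit-global

def _norm(dn: str) -> str:
    return ",".join(part.strip().lower() for part in dn.split(","))

def effective_policy(store: PolicyStore, user_dn: str) -> tuple:
    """Return (level, attrs): the single policy enforced for user_dn."""
    udn = _norm(user_dn)
    users = {_norm(k): v for k, v in store.user_policies.items()}
    subtrees = {_norm(k): v for k, v in store.subtree_policies.items()}
    level, attrs = "global", dict(store.global_policy)
    if store.pwpolicy_local and udn in users:
        level, attrs = "user", dict(users[udn])
    elif store.pwpolicy_local:
        parts = udn.split(",")
        for i in range(1, len(parts)):   # nearest ancestor wins (model's assumption)
            if ",".join(parts[i:]) in subtrees:
                level, attrs = "subtree", dict(subtrees[",".join(parts[i:])])
                break
    # Not additive: nothing else comes down from the global policy. The only
    # exception is the syntax block, and only under these three conditions.
    if (level != "global" and store.inherit_global
            and attrs.get("passwordchecksyntax", "off") == "off"
            and store.global_policy.get("passwordchecksyntax", "off") == "on"):
        for name in INHERITABLE_SYNTAX_ATTRS:
            if name in store.global_policy:
                attrs[name] = store.global_policy[name]
    return level, attrs

def check_password(attrs: dict, password: str) -> list:
    """Syntax rules in attrs that password violates ([] means accepted); the
    trivial-words and dictionary checks are not modelled."""
    if attrs.get("passwordchecksyntax", "off") != "on":
        return []                    # syntax checking disabled: anything goes
    counts = {
        "passwordmindigits": sum(c.isdigit() for c in password),
        "passwordminuppers": sum(c.isupper() for c in password),
        "passwordminlowers": sum(c.islower() for c in password),
        "passwordminspecials": sum(not c.isalnum() and ord(c) < 128 for c in password),
        "passwordmin8bit": sum(ord(c) > 127 for c in password),
    }
    bad = []
    if len(password) < int(attrs.get("passwordminlength", 0)):
        bad.append("passwordminlength")
    bad += [name for name, have in counts.items() if have < int(attrs.get(name, 0))]
    if sum(1 for have in counts.values() if have) < int(attrs.get("passwordmincategories", 0)):
        bad.append("passwordmincategories")
    max_rep = int(attrs.get("passwordmaxrepeats", 0))   # 0 disables the check
    if max_rep and any(password[i:i + max_rep + 1] == password[i] * (max_rep + 1)
                       for i in range(len(password) - max_rep)):
        bad.append("passwordmaxrepeats")
    return bad

def demo(inherit_global: bool) -> dict:
    """Same directory, same weak password, with inheritance off or on."""
    store = PolicyStore(
        global_policy={"passwordchecksyntax": "on", "passwordminlength": "12",
                       "passwordmindigits": "1", "passwordminuppers": "1",
                       "passwordmincategories": "3", "passwordmaxrepeats": "2"},
        # Subtree policy created only to expire passwords after 14 days.
        subtree_policies={"ou=People,dc=example,dc=com":
                          {"passwordexp": "on", "passwordmaxage": "1209600"}},
        # User policy that sets its own, weaker, syntax rules.
        user_policies={"uid=alice,ou=People,dc=example,dc=com":
                       {"passwordchecksyntax": "on", "passwordminlength": "8"}},
        inherit_global=inherit_global,
    )
    result = {}
    for dn in ("uid=bob,ou=People,dc=example,dc=com",
               "uid=alice,ou=People,dc=example,dc=com",
               "uid=svc,ou=Services,dc=example,dc=com"):
        level, attrs = effective_policy(store, dn)
        result[dn.split(",")[0]] = (level, check_password(attrs, "password"))
    return result
```

Calling demo(False) shows the trap: bob falls under a subtree policy that exists only to set passwordMaxAge, and that policy accepts the password "password", because it has no syntax rules of its own and nothing is inherited from the global policy. With demo(True) the same subtree policy rejects it on the global rules, while alice's user policy, which sets passwordCheckSyntax itself, is unaffected either way, and svc, outside any local policy, is always checked against the global policy.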

20.4.2.1. Where Directory Server Stores Local Password Policy Entries

When you use the dsconf localpwp adduser or dsconf localpwp addsubtree commands, Directory Server automatically creates the entries that store the policy attributes:
  • For a subtree (for example, ou=people,dc=example,dc=com), the following entries are added:
    • A container entry (nsPwPolicyContainer) at the subtree level for holding various password policy-related entries for the subtree and all its children. For example:
      dn: cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
      objectClass: top
      objectClass: nsContainer
      cn: nsPwPolicyContainer
    • The actual password policy specification entry (nsPwPolicyEntry) for holding all the password policy attributes that are specific to the subtree. For example:
      dn: cn="cn=nsPwPolicyEntry,ou=people,dc=example,dc=com",
       cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
      objectclass: top
      objectclass: extensibleObject
      objectclass: ldapsubentry
      objectclass: passwordpolicy
    • The CoS template entry (nsPwTemplateEntry) that has the pwdpolicysubentry value pointing to the above (nsPwPolicyEntry) entry. For example:
      dn: cn="cn=nsPwTemplateEntry,ou=people,dc=example,dc=com",
       cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
      objectclass: top
      objectclass: extensibleObject
      objectclass: costemplate
      objectclass: ldapsubentry
      cosPriority: 1
      pwdpolicysubentry: cn="cn=nsPwPolicyEntry,ou=people,dc=example,dc=com",
           cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
    • The CoS specification entry at the subtree level. For example:
      dn: cn=newpwdpolicy_cos,ou=people,dc=example,dc=com
      objectclass: top
      objectclass: LDAPsubentry
      objectclass: cosSuperDefinition
      objectclass: cosPointerDefinition
      cosTemplateDn: cn=cn=nsPwTemplateEntry\,ou=people\,dc=example\,dc=com,
       cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
      cosAttribute: pwdpolicysubentry default operational
  • For a user (for example, uid=user_name,ou=people,dc=example,dc=com), the following entries are added:
    • A container entry (nsPwPolicyContainer) at the parent level for holding various password policy related entries for the user and all its children. For example:
      dn: cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
      objectClass: top
      objectClass: nsContainer
      cn: nsPwPolicyContainer
    • The actual password policy specification entry (nsPwPolicyEntry) for holding the password policy attributes that are specific to the user. For example:
      dn: cn="cn=nsPwPolicyEntry,uid=user_name,ou=people,dc=example,dc=com",
       cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
      objectclass: top
      objectclass: extensibleObject
      objectclass: ldapsubentry
      objectclass: passwordpolicy
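
The four subtree-policy entries above, generated as LDIF with the RFC 4514 backslash escaping that their nested-DN RDNs need, as an added example that is not from the Red Hat documentation or from lib389/dsconf. It keeps the entry names, object classes and attribute values shown above (the policy entry's DN is shown above in the older quoted spelling; the cosTemplateDn line shows the same kind of DN in escaped form); escape_rdn_value, split_dn, local_policy_entries and to_ldif are names chosen here, and the policy attributes passed in are constructed sample values.

```python
"""The entries dsconf localpwp addsubtree creates, generated with DN escaping.

Added example, not Directory Server or lib389 code. Entry names, object classes
and attribute values are the ones shown in this section; what the code adds is
the RFC 4514 escaping for RDN values that are themselves DNs, and a splitter
that proves the escaped DNs parse back into the intended components. The
policy attributes passed in are constructed sample data.
"""

# Characters that must be escaped anywhere in an RDN value (RFC 4514, 2.4).
# '=' is not among them, so cn=cn=nsPwTemplateEntry\,ou=people\,... is correct.
_SPECIAL = set(',+"\\<>;')

def escape_rdn_value(value: str) -> str:
    """Backslash-escape value for use as an RDN attribute value."""
    last = len(value) - 1
    return "".join(
        "\\" + ch if (ch in _SPECIAL or (ch == "#" and i == 0)
                      or (ch == " " and i in (0, last))) else ch
        for i, ch in enumerate(value))

def split_dn(dn: str) -> list:
    """Split a DN on unescaped commas and drop the escapes.

    Handles the backslash-char form used here, not the \\XX hex form."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i + 1])
            i += 2
        elif dn[i] == ",":
            rdns.append("".join(cur))
            cur, i = [], i + 1
        else:
            cur.append(dn[i])
            i += 1
    rdns.append("".join(cur))
    return rdns

def local_policy_entries(subtree_dn: str, policy_attrs: dict) -> list:
    """Return the four subtree-policy entries as (dn, [(attr, value), ...])."""
    container = f"cn=nsPwPolicyContainer,{subtree_dn}"
    policy_cn = f"cn=nsPwPolicyEntry,{subtree_dn}"       # RDN value is itself a DN
    policy_dn = f"cn={escape_rdn_value(policy_cn)},{container}"
    template_cn = f"cn=nsPwTemplateEntry,{subtree_dn}"
    template_dn = f"cn={escape_rdn_value(template_cn)},{container}"
    return [
        (container, [("objectClass", "top"), ("objectClass", "nsContainer"),
                     ("cn", "nsPwPolicyContainer")]),
        (policy_dn, [("objectclass", "top"), ("objectclass", "extensibleObject"),
                     ("objectclass", "ldapsubentry"), ("objectclass", "passwordpolicy"),
                     ("cn", policy_cn)] + list(policy_attrs.items())),
        (template_dn, [("objectclass", "top"), ("objectclass", "extensibleObject"),
                       ("objectclass", "costemplate"), ("objectclass", "ldapsubentry"),
                       ("cn", template_cn), ("cosPriority", "1"),
                       ("pwdpolicysubentry", policy_dn)]),
        (f"cn=newpwdpolicy_cos,{subtree_dn}",
         [("objectclass", "top"), ("objectclass", "LDAPsubentry"),
          ("objectclass", "cosSuperDefinition"), ("objectclass", "cosPointerDefinition"),
          ("cn", "newpwdpolicy_cos"), ("cosTemplateDn", template_dn),
          ("cosAttribute", "pwdpolicysubentry default operational")]),
    ]

def to_ldif(entries: list) -> str:
    """Render entries as LDIF (all values here are plain ASCII, so no base64)."""
    out = []
    for dn, attrs in entries:
        out.append(f"dn: {dn}")
        out.extend(f"{name}: {value}" for name, value in attrs)
        out.append("")
    return "\n".join(out)

if __name__ == "__main__":
    print(to_ldif(local_policy_entries("ou=people,dc=example,dc=com",
                                       {"passwordExp": "on", "passwordMaxAge": "1209600"})))
```

Because the policy and template entries carry objectclass ldapsubentry, a plain LDAP search does not return them; to audit which local policies exist, search with an explicit (objectclass=ldapsubentry) filter, or ask dsconf localpwp get for the subtree or user DN.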

20.4.2.2. Configuring a Local Password Policy

To configure a local password policy:

Note

Currently, you can only set up a local password policy using the command line.
  1. Verify if a local password policy already exists for the subtree or user entry. For example:
    # dsconf -D "cn=Directory Manager" ldap://server.example.com localpwp get "ou=People,dc=example,dc=com"
    Error: The policy wasn't set up for the target dn entry or it is invalid
    If no local policy exists, create one:
    • To create a subtree password policy:
      # dsconf -D "cn=Directory Manager" ldap://server.example.com localpwp addsubtree "ou=People,dc=example,dc=com"
    • To create a user password policy:
      # dsconf -D "cn=Directory Manager" ldap://server.example.com localpwp adduser "uid=user_name,ou=People,dc=example,dc=com"

    Important

    When you create a new local policy, the previous commands automatically set the nsslapd-pwpolicy-local parameter in the cn=config entry to on, which enables fine-grained (subtree-level and user-level) policies for the whole server.
    If local password policies should not be enforced, manually set the parameter to off:
    # dsconf -D "cn=Directory Manager" ldap://server.example.com pwpolicy set --pwdlocal off
  2. Set local policy attributes. For example, to enable password expiration and set the maximum password age to 14 days (1209600 seconds):
    • On a subtree password policy:
      # dsconf -D "cn=Directory Manager" ldap://server.example.com localpwp set --pwdexpire=on --pwdmaxage=1209600 "ou=People,dc=example,dc=com"
    • On a user password policy:
      # dsconf -D "cn=Directory Manager" ldap://server.example.com localpwp set --pwdexpire=on --pwdmaxage=1209600 "uid=user_name,ou=People,dc=example,dc=com"
    For a full list of available settings, enter:
    # dsconf -D "cn=Directory Manager" ldap://server.example.com localpwp set --help