20.4. Managing the Password Policy
A password policy minimizes the risks of using passwords by enforcing a certain level of security. For example, a password policy can define that:
- Users must change their passwords according to a schedule.
- Users must provide non-trivial passwords.
- The password syntax must meet certain complexity requirements.
Warning
When using a password administrator account or the Directory Manager (root DN) to set a password, password policies are bypassed and not verified. Do not use these accounts for regular user password management. Use them only to perform password administration tasks that require bypassing the password policies.
Directory Server supports fine-grained password policy, so password policies can be applied to the entire directory (global password policy), a particular subtree (subtree-level or local password policy), or a particular user (user-level or local password policy).
The complete password policy applied to a user account consists of the following elements:
- The type or level of password policy checks. This information indicates whether the server should check for and enforce a global password policy or local (subtree-level or user-level) password policies.
Password policies work in an inverted pyramid, from general to specific. A global password policy is superseded by a subtree-level password policy, which is superseded by a user-level password policy. Only one password policy is enforced for the entry; password policies are not additive. This means that if a particular attribute is configured in the global or subtree-level policy, but not in the user-level password policy, the attribute is not used for the user when a login is attempted, because the active, applied policy is the user-level policy.
- Password add and modify information. The password information includes password syntax and password history details.
- Bind information. The bind information includes the number of grace logins permitted, password aging attributes, and tracking bind failures.
Note
After establishing a password policy, user passwords can be protected from potential threats by configuring an account lockout policy. Account lockout protects against hackers who try to break into the directory by repeatedly guessing a user's password.
20.4.1. Configuring the Global Password Policy
By default, global password policy settings are disabled. This section provides some examples of how to configure a global password policy.
Note
After configuring the password policy, configure an account lockout policy. For details, see Section 20.9, “Configuring a Password-Based Account Lockout Policy”.
20.4.1.1. Configuring a Global Password Policy Using the Command Line
Use the dsconf utility to display and edit the global password policy settings:
- Display the current settings:
# dsconf -D "cn=Directory Manager" ldap://server.example.com pwpolicy get
Global Password Policy: cn=config
------------------------------------
passwordstoragescheme: PBKDF2_SHA256
passwordChange: on
passwordMustChange: off
passwordHistory: off
passwordInHistory: 6
...
- Adjust the password policy settings. For example, to enable the password syntax check and set the minimum length of passwords to 12 characters, enter:
# dsconf -D "cn=Directory Manager" ldap://server.example.com pwpolicy set --pwdchecksyntax=on --pwdminlen=12
For a full list of available settings, enter:
# dsconf -D "cn=Directory Manager" ldap://server.example.com pwpolicy set --help
- Enable the password policy:
# dsconf -D "cn=Directory Manager" ldap://server.example.com pwpolicy set --pwdlockout on
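Before turning on the syntax check with dsconf pwpolicy set, it helps to see what each syntax attribute rejects. The following is an added example in Python, not Directory Server code: it approximates the server-side syntax checks for the attributes this section and Section 20.4.2 name. The policy values and the user attributes are constructed, and the trivial-word check is modelled on the assumption that no token of a user attribute value at least passwordmintokenlength characters long may occur in the password (note that this attribute is distinct from passwordminlength, the minimum password length).

```python
import re

# Constructed sample policy, keyed by the syntax attribute names of cn=config.
POLICY = {
    "passwordminlength": 12, "passwordmindigits": 1, "passwordminalphas": 4,
    "passwordminuppers": 1, "passwordminlowers": 1, "passwordminspecials": 1,
    "passwordmin8bit": 0, "passwordmaxrepeats": 2, "passwordmincategories": 3,
    "passwordmintokenlength": 3,
}


def check_syntax(password, policy, user_attrs=None):
    """Return the list of policy violations; an empty list means it passes.

    user_attrs maps attributes such as uid, cn or mail to their values. Tokens
    of those values at least passwordmintokenlength characters long must not
    occur in the password (trivial-word check; modelled here as an assumption
    about the server's behaviour, not taken from its source).
    """
    digits = sum("0" <= c <= "9" for c in password)
    uppers = sum("A" <= c <= "Z" for c in password)
    lowers = sum("a" <= c <= "z" for c in password)
    eightbit = sum(ord(c) > 127 for c in password)
    specials = len(password) - digits - uppers - lowers - eightbit
    counts = {
        "passwordminlength": len(password), "passwordmindigits": digits,
        "passwordminalphas": uppers + lowers, "passwordminuppers": uppers,
        "passwordminlowers": lowers, "passwordminspecials": specials,
        "passwordmin8bit": eightbit,
        "passwordmincategories": sum(
            n > 0 for n in (digits, uppers, lowers, specials, eightbit)),
    }
    violations = [f"{attr} needs {policy[attr]}, got {counts[attr]}"
                  for attr in counts if policy.get(attr, 0) > counts[attr]]
    # The same character may appear at most passwordmaxrepeats times in a row.
    max_rep = policy.get("passwordmaxrepeats", 0)
    if max_rep and re.search(r"(.)\1{%d,}" % max_rep, password):
        violations.append(f"a character repeats more than {max_rep} times in a row")
    min_tok = policy.get("passwordmintokenlength", 0)
    for attr, value in (user_attrs or {}).items():
        for token in re.split(r"[^0-9A-Za-z]+", value):
            if min_tok and len(token) >= min_tok and token.lower() in password.lower():
                violations.append(f"contains '{token}' from {attr}")
    return violations


if __name__ == "__main__":
    user = {"uid": "jdoe", "cn": "John Doe", "mail": "jdoe@example.com"}
    for pw in ("Tr0ub4dor&3xyzQ", "Doe-2024-passwd", "Aaaa-1234567-Q"):
        print(pw, "->", check_syntax(pw, POLICY, user) or "ok")
```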
20.4.1.2. Configuring a Global Password Policy Using the Web Console
To configure a global password policy using the web console:
- Open the Directory Server user interface in the web console. See Section 1.4, “Logging Into Directory Server Using the Web Console”.
- Select the instance.
- Open the Database menu.
- In the Password Policies menu, select Global Policy.
- Set the global password policy settings. You can set parameters in the following categories:
- General settings, such as the password storage scheme
- Password expiration settings, such as the time when a password expires.
- Account lockout settings, such as after how many failed login attempts an account should be locked.
- Password syntax settings, such as the minimum password length.
To display a tool tip and the corresponding attribute name in the cn=config entry for a parameter, hover the mouse cursor over the setting. For further details, see the parameter's description in the Red Hat Directory Server Configuration, Command, and File Reference.
- Click Save.
20.4.2. Using Local Password Policies
In contrast to a global password policy, which defines settings for the entire directory, a local password policy is a policy for a specific user or subtree.
When the fine-grained password policy does not set the password syntax, you can inherit the syntax from the global policy if the nsslapd-pwpolicy-inherit-global parameter is on.
If the --pwpinheritglobal option is set, and the passwordchecksyntax option is set to OFF in the local policy and to ON in the global policy, the following attributes are inherited from the global policy into the local policy:
- passwordchecksyntax
- passwordminlength
- passwordmindigits
- passwordminalphas
- passwordminuppers
- passwordminlowers
- passwordminspecials
- passwordmin8bit
- passwordmaxrepeats
- passwordmincategories
- passwordmintokenlength
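The precedence rule from the start of this section (user-level over subtree-level over global, never merged) and the inherit-global exception above are easy to get wrong when auditing which limits really apply to an account. The following is an added example in Python, not Directory Server code: it models that selection for policies given as dicts of attribute to value. The sample policies are constructed, and it assumes that inherited syntax values replace whatever the local policy held for those attributes.

```python
# Added example, not Directory Server code: models which single password policy
# Directory Server enforces for an entry and when the syntax attributes are
# inherited from the global policy. Policies are dicts of attribute -> value.

SYNTAX_ATTRS = (
    "passwordchecksyntax", "passwordminlength", "passwordmindigits",
    "passwordminalphas", "passwordminuppers", "passwordminlowers",
    "passwordminspecials", "passwordmin8bit", "passwordmaxrepeats",
    "passwordmincategories", "passwordmintokenlength",
)


def effective_policy(global_policy, subtree_policy=None, user_policy=None,
                     inherit_global=False):
    """Return the single policy that applies to an entry.

    The most specific policy wins outright (user > subtree > global); an
    attribute set only in a less specific policy is NOT merged in. The one
    exception: with nsslapd-pwpolicy-inherit-global on, a local policy whose
    passwordchecksyntax is off takes the syntax attributes from a global
    policy whose passwordchecksyntax is on. (Assumption: inherited values
    replace whatever the local policy held for those attributes.)
    """
    local = user_policy if user_policy is not None else subtree_policy
    if local is None:
        return dict(global_policy)
    policy = dict(local)
    if (inherit_global
            and policy.get("passwordchecksyntax", "off") == "off"
            and global_policy.get("passwordchecksyntax", "off") == "on"):
        for attr in SYNTAX_ATTRS:
            if attr in global_policy:
                policy[attr] = global_policy[attr]
    return policy


# Constructed sample policies.
GLOBAL = {"passwordchecksyntax": "on", "passwordminlength": "12",
          "passwordmindigits": "2", "passwordhistory": "on",
          "passwordinhistory": "6"}
SUBTREE = {"passwordexp": "on", "passwordmaxage": "1209600"}
USER = {"passwordexp": "on", "passwordmaxage": "604800",
        "passwordchecksyntax": "off"}

if __name__ == "__main__":
    # User policy only: no minimum length and no history check apply.
    print(effective_policy(GLOBAL, SUBTREE, USER))
    # Syntax attributes inherited from global; passwordhistory still absent.
    print(effective_policy(GLOBAL, SUBTREE, USER, inherit_global=True))
```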
20.4.2.1. Where Directory Server Stores Local Password Policy Entries
When you use the dsconf localpwp adduser or dsconf localpwp addsubtree commands, Directory Server automatically creates entries to store the policy attributes:
- For a subtree (for example, ou=people,dc=example,dc=com), the following entries are added:
  - A container entry (nsPwPolicyContainer) at the subtree level for holding various password policy-related entries for the subtree and all its children. For example:
    dn: cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
    objectClass: top
    objectClass: nsContainer
    cn: nsPwPolicyContainer
  - The actual password policy specification entry (nsPwPolicyEntry) for holding all the password policy attributes that are specific to the subtree. For example:
    dn: cn="cn=nsPwPolicyEntry,ou=people,dc=example,dc=com", cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
    objectclass: top
    objectclass: extensibleObject
    objectclass: ldapsubentry
    objectclass: passwordpolicy
  - The CoS template entry (nsPwTemplateEntry) that has the pwdpolicysubentry value pointing to the above (nsPwPolicyEntry) entry. For example:
    dn: cn="cn=nsPwTemplateEntry,ou=people,dc=example,dc=com", cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
    objectclass: top
    objectclass: extensibleObject
    objectclass: costemplate
    objectclass: ldapsubentry
    cosPriority: 1
    pwdpolicysubentry: cn="cn=nsPwPolicyEntry,ou=people,dc=example,dc=com", cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
  - The CoS specification entry at the subtree level. For example:
    dn: cn=newpwdpolicy_cos,ou=people,dc=example,dc=com
    objectclass: top
    objectclass: LDAPsubentry
    objectclass: cosSuperDefinition
    objectclass: cosPointerDefinition
    cosTemplateDn: cn=cn=nsPwTemplateEntry\,ou=people\,dc=example,dc=com, cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
    cosAttribute: pwdpolicysubentry default operational
- For a user (for example, uid=user_name,ou=people,dc=example,dc=com), the following entries are added:
  - A container entry (nsPwPolicyContainer) at the parent level for holding various password policy-related entries for the user and all its children. For example:
    dn: cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
    objectClass: top
    objectClass: nsContainer
    cn: nsPwPolicyContainer
  - The actual password policy specification entry (nsPwPolicyEntry) for holding the password policy attributes that are specific to the user. For example:
    dn: cn="cn=nsPwPolicyEntry,uid=user_name,ou=people,dc=example,dc=com", cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
    objectclass: top
    objectclass: extensibleObject
    objectclass: ldapsubentry
    objectclass: passwordpolicy
20.4.2.2. Configuring a Local Password Policy
To configure a local password policy:
Note
Currently, you can only set up a local password policy using the command line.
- Verify whether a local password policy already exists for the subtree or user entry. For example:
# dsconf -D "cn=Directory Manager" ldap://server.example.com localpwp get "ou=People,dc=example,dc=com"
Error: The policy wasn't set up for the target dn entry or it is invalid
If no local policy exists, create one:
  - To create a subtree password policy:
# dsconf -D "cn=Directory Manager" ldap://server.example.com localpwp addsubtree "ou=People,dc=example,dc=com"
  - To create a user password policy:
# dsconf -D "cn=Directory Manager" ldap://server.example.com localpwp adduser "uid=user_name,ou=People,dc=example,dc=com"
Important
When you create a new local policy, the previous commands automatically set the nsslapd-pwpolicy-local parameter in the cn=config entry to on. If the local password policy should not be enabled, manually set the parameter to off:
# dsconf -D "cn=Directory Manager" ldap://server.example.com pwpolicy set --pwdlocal off
- Set local policy attributes. For example, to enable password expiration and set the maximum password age to 14 days (1209600 seconds):
  - On a subtree password policy:
# dsconf -D "cn=Directory Manager" ldap://server.example.com localpwp set --pwdexpire=on --pwdmaxage=1209600 "ou=People,dc=example,dc=com"
  - On a user password policy:
# dsconf -D "cn=Directory Manager" ldap://server.example.com localpwp set --pwdexpire=on --pwdmaxage=1209600 "uid=user_name,ou=People,dc=example,dc=com"
For a full list of available settings, enter:
# dsconf -D "cn=Directory Manager" ldap://server.example.com localpwp set --help