Enable Password Policy in IBM SDS


Author(s): Tamas Bures | Created: 28 March 2018 | Last modified: 25 June 2022
Tested on: -

Enable Password Policy in IBM SDS

Enabling Global Password Policy

  1. Create an LDIF file with the following content (i.e. enableGlobalPasswordPolicy.ldif):

     dn: cn=pwdpolicy,cn=ibmpolicies
     ibm-pwdpolicy: true
     ibm-pwdGroupAndIndividualEnabled: true
  2. Execute the following command:

     idsldapmodify -D cn=root -h localhost -p 1389 -w ? -k -f enableGlobalPasswordPolicy.ldif

    Where

    • -D defines the username
    • -h defines the hostname of SDS instance
    • -p defines the port number of SDS instance
    • -w password for the user
    • -k specifies to send the server administration control
    • -f defines the file need to be executed
  3. When command asks for password, provide password for cn=root.

  4. Successful output:

     Operation 0 modifying entry cn=pwdPolicy,cn=ibmpolicies

Create password policy

  1. Create an LDIF file with the following content (i.e.: passwordPolicy.ldif):

     dn: cn=johndoe_pwd_policy,cn=ibmpolicies
     objectclass: container
     objectclass: pwdPolicy
     objectclass: ibm-pwdPolicyExt
     objectclass: top
     cn: johndoe_pwd_policy
     pwdAttribute: userPassword
     pwdInHistory: 3
     pwdAllowUserChange: true
     ibm-pwdpolicy: true
  2. Execute the following command to create the policy:

     idsldapadd -D cn=root -h localhost -p 1389 -w ? -f passwordPolicy.ldif

    Where

    • -D defines the username
    • -h defines the hostname of SDS instance
    • -p defines the port number of SDS instance
    • -w password for the user
    • -f defines the file need to be executed
  3. When command asks for password, provide password for cn=root.

  4. Successful output:

     Operation 0 adding entry johndoe_pwd_policy,cn=ibmpolicies

Attach the policy to user

  1. Create an LDIF file with the following content (i.e.: attachPolicy.ldif):

     dn: cn=johndoe,o=sample
     changetype: modify
     add: ibm-pwdIndividualPolicyDN
     ibm-pwdIndividualPolicyDN: cn=johndoe_pwd_policy,cn=ibmpolicies
  2. Execute the following command to create the policy:

     idsldapmodify -D cn=root -h localhost -p 1389 -w ? -k -f attachPolicy.ldif

    Where

    • -D defines the username
    • -h defines the hostname of SDS instance
    • -p defines the port number of SDS instance
    • -w password for the user
    • -k specifies to send the server administration control
    • -f defines the file need to be executed
  3. When command asks for password, provide password for cn=root.

  4. Successful output:

     Operation 0 modifying entry cn=johndoe,o=sample

Verify that old passwords are stored on the user

Before executing the following command, make sure, that the user has changed its password.

  1. Execute the following command:

     ./idsldapsearch -D cn=root -h localhost -p 1389 -w ? -b o=sample "(cn=johndoe)" pwdHistory

    Where

    • -D defines the username
    • -h defines the hostname of SDS instance
    • -p defines the port number of SDS instance
    • -w password for the user
    • -b specifies to use search base as the starting point for the search
  2. The possible output will similar to this:

     cn=johndoe,o=sample
     pwdHistory=20180320100202.634855Z#2.5.4.35#32#{AES256}l4FHz2p8tjc18agInNc8jw==
     pwdHistory=20180320100506.940050Z#2.5.4.35#32#{AES256}kzyHKVC9pduuTkZZVB2NNQ==
     pwdHistory=20180320100945.449621Z#2.5.4.35#32#{AES256}FIkQ0FFfjVjkF/eAsbeaVg==

    Note that pwdHistory attribute contains all previous passwords since the password policy enabled for this user.

Password policy configuration attributes

  • pwdPolicyStartTime: This attribute contains the time when the password policy was turned ON.

  • pwdAttribute: specifies the name of the attribute to which the password policy is being applied, this attribute can only be set to the userPassword attribute.

  • pwdMinAge: specifies the number of seconds that must pass since the last password modification, before modifying a password.

  • pwdMaxAge: specifies the number of seconds after which a modified password will expire (0 means password does not expire).

  • pwdInHistory: specifies the number of passwords, which are stored in the pwdHistory attribute.

  • pwdCheckSyntax: indicates whether or not the password will be checked for syntax. ( 0 means syntax checking will not be enforced, 1 means the server will check the syntax, and if the server is unable to check the syntax (due to a hashed password or other reasons) it will be accepted. 2 means the server will check the syntax, and if the server is unable to check the syntax it returns an error refusing the password).

  • pwdMinLength: specifies the minimum length of the password string.

  • pwdExpireWarning: specifies the maximum number of seconds before a password is about to expire that expiration warning messages will be returned to an authenticating user.

  • pwdGraceLoginLimit: specifies the number of times an expired password can be used to authenticate user.

  • pwdLockoutDuration: specifies the number of seconds that the password cannot be used to authenticate due to specified 'pwdMaxFailure' failed bind attempts.

  • pwdMaxFailure: specified the maximum number of consecutive failed bind attempts allowed, after which the password may not be used to authenticate.( 0 means the value of pwdLockout will be ignored).

  • pwdFailureCountInterval: specifies the number of seconds after which the password failures are removed from the failure counter even though no successful authentication has happened.

  • passwordMinAlphaChars: specifies the minimum number of alphabet characters which the password string must have. If the server is unable to check the number of alphabetic characters, then the server will continue processing depending on the value of the pwdCheckSyntax attribute.

  • passwordMinOtherChars: specifies the minimum number of numeric and special characters which the password string must have. If the server is unable to check the number of other characters, then the server will continue processing depending on the value of the pwdCheckSyntax attribute.

  • passwordMaxRepeatedChars: specifies the maximum number of times a given character can be used in a password. If the server is unable to check the actual password characters, then the server will continue processing depending on the value of the pwdCheckSyntax attribute.

  • passwordMinDiffChars: specifies the minimum number of characters in the new password that must be different from the characters in the old password, and any passwords stored in the pwdHistory. If the password has been one-way encrypted the server is unable to check actual password characters, then the server will continue processing depending on the value of the pwdCheckSyntax attribute.

  • ibm-pwdPolicy: specifies whether the password policy is turned ON or OFF.

  • pwdLockout: indicates whether or not a password may be used to authenticate after a specified number of consecutive failed bind attempts.

  • pwdAllowUserChange: specifies whether or not the users are allowed to change their own passwords

  • pwdMustChange: specifies whether or not the users must change their password when they first bind to the directory after the administrator has reset their password.

  • pwdSafeModify: specifies whether or not the existing password must be sent when changing a password.

  • pwdGroupAndIndividualEnabled: determines if the Group Password policy and the Individual Password policies have to be considered or not during the Effective Password policy evaluation.