Friday, September 11, 2009

Configuring the Global Password Policy in Sun Directory Server 5.2

I spent the whole week trying to debug a Global Password Policy issue with Sun Directory Server 5.2 deployment in one of the local defense agency. 

Using the GUI support via Sun Java System Server Console is convenient. However, one does not have such luxury in a tightly-controlled environment. 

How do you proceed then? Well, ldapsearch/ldapmodify CLI is your friend.

bash-3.00# ldapsearch -p 389 -D "cn=Directory Manager" -b "cn=Password Policy,cn=config" objectclass=*
Enter bind password: 
version: 1
dn: cn=Password Policy,cn=config
objectClass: top
objectClass: passwordPolicy
cn: Password Policy
passwordInHistory: 0
passwordStorageScheme: SSHA
passwordUnlock: on
passwordMustChange: off
passwordNonRootMayResetUserpwd: off
passwordWarning: 86400
passwordExpireWithoutWarning: on
passwordLockout: off
passwordMinLength: 6
passwordMaxFailure: 3
passwordMaxAge: 8640000
passwordResetFailureCount: 600
passwordisglobalpolicy: off
passwordChange: on
passwordExp: off
passwordLockoutDuration: 3600
passwordCheckSyntax: off
passwordMinAge: 0
passwordRootdnMayBypassModsChecks: off

Note: The global password policy applies to all users in the directory who do not have an individual policy defined. However, the global password policy does not apply to the Directory Manager. Read more here.

No comments:

Post a Comment