Below are few points on how to manage the password policies and how to fix certain administrative tasks easily. Before going into the depth we shall know the policy structure in Oracle Directory Server.
Below is a sample directory structure provided by Oracle:
If you see the entries using a LDAP browser under cn=default,cn=pwdPolicies,cn=Common,cn=Products, cn=OracleContext path it will look like below screenshot, here we will explain what these each entry mean and how to administrate it.
Below are the explanations for all the attributes which we are going to deal with:
The number of seconds that must elapse between user modifications to the password. The default is 0.
The maximum time, in seconds, that a password can be valid. Upon reaching this age, the password is considered to have expired. The default is 10368000 seconds (120 days).
When this is true, the server locks out a user after a number of consecutive invalid login attempts. The number is specified by pwdMaxFailure. The default value ofpwdLockout is 1 (true).
When this is true, the server locks out a user after a number of consecutive invalid login attempts from the same IP address. The number is specified byorclpwdIPMaxFailure.The default is false.
The time period in seconds to lock out a user account when the threshold of invalid login attempts is reached. The default is 86400 seconds (24 hours).
The time period in seconds to lock out a user account when the threshold of invalid login attempts from the same IP address is reached. The default is 0.
The maximum number of invalid login attempts the server should allow before locking out a user account. The default value is 10.
The maximum number of invalid login attempts the server should allow from a particular IP address before locking the user account. The default is 0.
The time in seconds after which the password failures are purged from the failure counter, even though no successful authentication occurred. The default is 0.
The maximum number of seconds before a password is due to expire that expiration warning messages are returned to an authenticating user. The default value is 604800 seconds (seven days).
Enables or disables password syntax check
0–Disable all syntax checks
1–Enable password syntax value checks, except for encrypted passwords (default)
The minimum length of a password governed by this policy. The default is 5 characters
The maximum number of grace logins allowed after a password expires. The default is 5. The maximum is 250.
The maximum period in seconds where grace logins are allowed after a password expires. If orclpwdGraceLoginTimeLimit is nonzero, then pwdGraceloginLimitmust be zero. If pwdGraceloginLimit is nonzero, then orclpwdGraceLoginTimeLimit must be zero (the default).
Requires users to reset their password upon their first login after account creation or after a password has been reset by the administrator. The default is 0 (false).
A list of values that are not allowed as passwords.
The minimum number of numeric characters required i in a password. The default is 1.
The minimum number of alphabetic characters required in a password. The default is 0.
The minimum number of non-alphanumeric characters (that is, special characters) required in a password. The default is 0.
The minimum number of uppercase characters required in a password. The default is 0.
The minimum number of lowercase characters required in a password. The default is 0.
The maximum number of repeated characters allowed in a password. The default is 0.
The maximum number of used passwords stored in the pwdHistory attribute of a given entry. Passwords stored in pwdHistory cannot be used as a new password until they are purged from it. The default is 0.
Not currently used.
When this is true, the server evaluates this policy. Otherwise, the policy is ignored and not enforced. The default is 1 (true).
When set to true, enables password encryption. The default is 0 (false).
Enables or disables logins using the hashed password value. 0 = disabled (default). 1 = enabled.
Enables or disables tracking of user’s last login time. 0 = disabled (default). 1= enabled.
Amount of inactive time, in seconds, before an account is automatically expired. 0=disabled (default). The attribute orclPwdTrackLogin must be enabled iforclPwdMaxInactivity is non-zero.
Note: You need to login to LDAP using cn=orcladmin user or equivalent admin privileged user.
Q. How to increase the password expiry time?
Ans. Navigate to OracleContext -> Products -> Common -> pwdPolicies -> default and change the pwdmaxage attribute value to a new one. It’s all in secs so if you want it to increase for a year you have to put the value to 31536000(365 days)
Similarly for all other attributes you can do the same.