ODSEE - How To Manage Passwords And Password Policies Using the CRYPT Algorithm (Doc ID 1446593.1)

Last updated on JUNE 14, 2017

Applies to:

Oracle Directory Server Enterprise Edition - Version 6.0 to 11.1.1.5.0 [Release 6.0 to 11gR1]
Information in this document applies to any platform.
***Checked for relevance on 06-Feb-2014***

Goal

To manage passwords and password policies using the CRYPT algorithm so that the whole password (not just the first 8 characters) is used for authentication.

When a password policy is created that requires more than 8 characters (in the example below, pwdminlength is set to 14) and uses the CRYPT algorithm (in the passwordstoragescheme configuration):

dn: cn=TestPwdPolicy,ou=people,dc=example,dc=com
cn: TestPwdPolicy
description: Password Policy test
objectclass: sunPwdPolicy
objectclass: pwdPolicy
objectclass: ldapsubentry
objectclass: top
passwordrootdnmaybypassmodschecks: off
passwordstoragescheme: CRYPT
pwdallowuserchange: true
pwdattribute: userPassword
pwdcheckquality: 2
pwdexpirewarning: 1
pwdfailurecountinterval: 600
pwdgraceauthnlimit: 0
pwdinhistory: 10
pwdlockout: false
pwdlockoutduration: 0
pwdmaxage: 0
pwdmaxfailure: 5
pwdminage: 0
pwdminlength: 14
pwdmustchange: false
pwdsafemodify: false

only the first 8 characters of the password set would be used.

This is because the passwordstoragescheme attribute is set to CRYPT:

passwordstoragescheme: CRYPT

For example, after the 14-character password below is set, authentication should succeed only with that full password; instead, as the session shows, it also succeeds with just the first 8 characters:

# ldapmodify -a -D "cn=Directory Manager" -p <port> -w password
dn: uid=bjensen,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: password901234

modifying entry uid=bjensen,ou=People,dc=example,dc=com

.

ldapmodify: no attributes to change or add (entry .)
# ldapmodify -a -D "uid=bjensen,ou=People,dc=example,dc=com" -p <port> -w password901234

.

ldapmodify: no attributes to change or add (entry .)
# ldapmodify -a -D "uid=bjensen,ou=People,dc=example,dc=com" -p <port> -w password

.

ldapmodify: no attributes to change or add (entry .)
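As an added illustration (not code from the Oracle article or the product), a small Python audit that reads an LDIF export like the entries above, reports password policies whose pwdminlength is higher than what the traditional DES-based CRYPT scheme can actually verify, and flags stored userPassword values in DES crypt format. Traditional crypt(3) feeds only the first 8 characters of the password into the DES key, so the minimum length such a policy really enforces at bind time is min(pwdminlength, 8). The sample LDIF and the {CRYPT} value in it are constructed placeholders, not real directory data.

```python
import re
# Traditional DES crypt(3) output is 2 salt chars + 11 hash chars from [./0-9A-Za-z];
# only the first 8 password characters feed the DES key, so any two passwords that
# share an 8-character prefix hash identically under the CRYPT scheme.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
DES_CRYPT_EFFECTIVE_MAX = 8
# Constructed sample: the page's policy plus a user entry. The {CRYPT} value is a
# placeholder in DES-crypt format, not a real hash of any password.
SAMPLE_LDIF = """
dn: cn=TestPwdPolicy,ou=people,dc=example,dc=com
objectclass: pwdPolicy
passwordstoragescheme: CRYPT
pwdminlength: 14

dn: uid=bjensen,ou=People,dc=example,dc=com
userPassword: {CRYPT}abJnggxhB/yWI
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' lines
    (no base64 '::' values, no continuation lines), which is enough for this audit."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def effective_min_length(policy):
    """Password characters the policy really enforces at bind time."""
    declared = int(policy.get("pwdminlength", ["0"])[0])
    scheme = policy.get("passwordstoragescheme", [""])[0].upper()
    return min(declared, DES_CRYPT_EFFECTIVE_MAX) if scheme == "CRYPT" else declared

def audit(text):
    """Findings for policies and stored hashes weakened by DES crypt truncation."""
    findings = []
    for e in parse_ldif(text):
        dn = e.get("dn", ["?"])[0]
        if "pwdpolicy" in [o.lower() for o in e.get("objectclass", [])]:
            declared = int(e.get("pwdminlength", ["0"])[0])
            eff = effective_min_length(e)
            if eff < declared:
                findings.append(f"{dn}: pwdminlength {declared} but CRYPT verifies only {eff}")
        for pw in e.get("userpassword", []):
            if pw.upper().startswith("{CRYPT}") and DES_CRYPT_RE.match(pw[7:]):
                findings.append(f"{dn}: DES crypt hash, only the first 8 characters are verified")
    return findings
```

Running audit(SAMPLE_LDIF) returns one finding for the policy (14 declared, 8 verified) and one for the user entry; an SSHA or salted SHA scheme in passwordstoragescheme would not be reported.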

Solution
