Using OUD 11g / 12c - How to Assign a Password Policy to an Individual or Group
(Doc ID 2434257.1)
Last updated on FEBRUARY 12, 2024
Applies to:
Oracle Unified Directory - Version 11.1.2.3.170117 and later
Information in this document applies to any platform.
Goal
Assign a password policy to an individual or group
Password policies can be configured under cn=Password Policies,cn=config, which is not replicated (so a policy defined there must be created identically on every replica), or in the Directory Information Tree (DIT), where it is replicated automatically with the rest of the data.
The password policy DN is held in the user entry in one of two attributes:
pwdpolicysubentry, an operational attribute maintained by the server that reports the policy in force for the entry, or ds-pwp-password-policy-dn, the attribute that holds an explicit assignment.
For example -
$ ./ldapsearch -p <LDAP_PORT> -D "cn=<DS_ADMIN>" -w <PASSWORD> -b "dc=<SUFFIX_DN>" "uid=*" pwdpolicysubentry ds-pwp-password-policy-dn | more
dn: uid=<USER.0>,ou=People,dc=<SUFFIX_DN>
pwdpolicysubentry: cn=Default Password Policy,cn=Password Policies,cn=config
dn: uid=<USER.1>,ou=People,dc=<SUFFIX_DN>
pwdpolicysubentry: cn=Default Password Policy,cn=Password Policies,cn=config
dn: uid=<USER.2>,ou=People,dc=<SUFFIX_DN>
pwdpolicysubentry: cn=Default Password Policy,cn=Password Policies,cn=config
...
dn: uid=<USER.5>,ou=People,dc=<SUFFIX_DN>
ds-pwp-password-policy-dn: cn=<Pwd_Policy_Test>,cn=Password Policies,cn=config
pwdpolicysubentry: cn=<Pwd_Policy_Test>,cn=Password Policies,cn=config
dn: uid=<USER.6>,ou=People,dc=<SUFFIX_DN>
ds-pwp-password-policy-dn: cn=<Pwd_Policy_Test>,cn=Password Policies,cn=config
pwdpolicysubentry: cn=<Pwd_Policy_Test>,cn=Password Policies,cn=config
...
The assignment can be verified with the manage-account command run against the administration port; it reports the policy in force regardless of which attribute holds it. For example, the relevant line of its output is -
Password Policy DN: cn=<Pwd_Policy_Test>,cn=Password Policies,cn=config
Alternatively, request the pwdpolicysubentry attribute explicitly with ldapsearch, as in the search shown above.
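The check a practitioner wants after running that search is a per-user view of which policy is in force and whether it was set explicitly on the entry or inherited (default policy or a group virtual attribute). The shell functions below, added here and not part of the Oracle note, parse the ldapsearch output into that report. The embedded LDIF is a constructed sample mirroring the output above; the suffix dc=example,dc=com, the user names and the policy name Pwd_Policy_Test are placeholders.

```shell
#!/bin/sh
# Added example: audit which password policy each user entry is under, from the
# output of "ldapsearch ... uid=* pwdpolicysubentry ds-pwp-password-policy-dn".

# Constructed sample of that ldapsearch output (not captured from a real server).
# user.0 and user.1 are on the default policy; user.5 has an explicit assignment.
SAMPLE_LDIF='dn: uid=user.0,ou=People,dc=example,dc=com
pwdpolicysubentry: cn=Default Password Policy,cn=Password Policies,cn=config

dn: uid=user.1,ou=People,dc=example,dc=com
pwdpolicysubentry: cn=Default Password Policy,cn=Password Policies,cn=config

dn: uid=user.5,ou=People,dc=example,dc=com
ds-pwp-password-policy-dn: cn=Pwd_Policy_Test,cn=Password Policies,cn=config
pwdpolicysubentry: cn=Pwd_Policy_Test,cn=Password Policies,cn=config
'

# policy_report: read LDIF on stdin, print one tab-separated line per entry:
#   <user DN> <effective policy DN from pwdpolicysubentry> <explicit|inherited>
# "explicit"  = the entry carries its own ds-pwp-password-policy-dn
# "inherited" = the policy comes from the default policy or a virtual attribute
policy_report() {
  awk '
    function flush(    eff, src) {
      if (dn == "") return
      eff = (effective != "") ? effective : "(none)"
      src = (explicit  != "") ? "explicit" : "inherited"
      printf "%s\t%s\t%s\n", dn, eff, src
      dn = ""; effective = ""; explicit = ""
    }
    /^[^ ]*: / {
      i    = index($0, ": ")
      attr = tolower(substr($0, 1, i - 1))   # attribute names are case-insensitive
      val  = substr($0, i + 2)
      if (attr == "dn") { flush(); dn = val }
      else if (attr == "pwdpolicysubentry") effective = val
      else if (attr == "ds-pwp-password-policy-dn") explicit = val
    }
    END { flush() }
  '
}

# nondefault_users <policy DN>: DNs whose effective policy is not <policy DN>,
# e.g. everyone not on the default policy.
nondefault_users() {
  policy_report | awk -F '\t' -v want="$1" '$2 != want { print $1 }'
}

# explicit_assignments: DNs that carry their own ds-pwp-password-policy-dn.
explicit_assignments() {
  policy_report | awk -F '\t' '$3 == "explicit" { print $1 }'
}

# Demo on the constructed sample. Against a live server, replace the printf with
#   ldapsearch -p <LDAP_PORT> -D "cn=<DS_ADMIN>" -w <PASSWORD> -b "dc=<SUFFIX_DN>" \
#       "uid=*" pwdpolicysubentry ds-pwp-password-policy-dn
printf '%s' "$SAMPLE_LDIF" | policy_report
```

Run the report periodically and diff it against the previous run: a user silently moving off the intended policy, or acquiring an explicit assignment nobody recorded, is exactly the drift this view exposes. For a single user, the manage-account get-password-policy-dn subcommand against the administration port should agree with the pwdpolicysubentry column.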
A group is assigned a password policy through a virtual attribute configuration, which supplies the policy DN to every member's entry.
An individual user is assigned a password policy by adding the ds-pwp-password-policy-dn attribute to the entry.
An attempt to assign a password policy by writing the pwdpolicysubentry attribute directly fails, because the server maintains that attribute itself -
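The two working assignment paths, as an added example that is not part of the Oracle note: a modify of the real attribute ds-pwp-password-policy-dn for a single user, and a user-defined virtual attribute scoped to a group DN for a group. Host, ports, bind DN, the password file and every DN are assumptions supplied through environment variables; the dsconfig property names used (enabled, attribute-type, group-dn, value) are the standard user-defined virtual attribute properties, and the comment on conflict behaviour refers to the default real-overrides-virtual setting. Only the LDIF generators run offline; the functions that call ldapmodify, dsconfig and ldapsearch need a live server.

```shell
#!/bin/sh
# Added example: assign a password policy to one user (real attribute) or to a
# group (virtual attribute). Connection details are placeholders from the
# environment; the password is read from a file, never placed on the command line.
OUD_HOST=${OUD_HOST:-localhost}
LDAP_PORT=${LDAP_PORT:-1389}       # assumed LDAP port
ADMIN_PORT=${ADMIN_PORT:-4444}     # assumed administration port (dsconfig)
BIND_DN=${BIND_DN:-cn=Directory Manager}
BIND_PW_FILE=${BIND_PW_FILE:-/etc/oud/bind.pw}   # assumed path, mode 0600

# assign_policy_ldif <user DN> <policy DN>
# LDIF that sets the user's ds-pwp-password-policy-dn. "replace" rather than
# "add" so the same LDIF works whether or not the user already has a policy.
# pwdpolicysubentry is never written: it is NO-USER-MODIFICATION.
assign_policy_ldif() {
  if [ -z "$1" ] || [ -z "$2" ]; then
    echo "usage: assign_policy_ldif <user DN> <policy DN>" >&2
    return 1
  fi
  printf 'dn: %s\nchangetype: modify\nreplace: ds-pwp-password-policy-dn\nds-pwp-password-policy-dn: %s\n' "$1" "$2"
}

# unassign_policy_ldif <user DN>
# LDIF that removes the explicit assignment, so the user falls back to the
# default policy or to a group virtual attribute.
unassign_policy_ldif() {
  [ -n "$1" ] || { echo "usage: unassign_policy_ldif <user DN>" >&2; return 1; }
  printf 'dn: %s\nchangetype: modify\ndelete: ds-pwp-password-policy-dn\n' "$1"
}

# assign_user_policy <user DN> <policy DN>: apply the LDIF over the LDAP port.
assign_user_policy() {
  assign_policy_ldif "$1" "$2" |
    ldapmodify -h "$OUD_HOST" -p "$LDAP_PORT" -D "$BIND_DN" -j "$BIND_PW_FILE"
}

# assign_group_policy <virtual attribute name> <group DN> <policy DN>
# Every member of <group DN> then presents ds-pwp-password-policy-dn = <policy DN>.
# A real ds-pwp-password-policy-dn on a member still wins under the default
# conflict behaviour (real-overrides-virtual), so audit explicit assignments too.
assign_group_policy() {
  dsconfig create-virtual-attribute --type user-defined --name "$1" \
    --set enabled:true \
    --set attribute-type:ds-pwp-password-policy-dn \
    --set "group-dn:$2" \
    --set "value:$3" \
    -h "$OUD_HOST" -p "$ADMIN_PORT" -D "$BIND_DN" -j "$BIND_PW_FILE" -X -n
}

# show_user_policy <user DN>: read back both attributes for one entry.
show_user_policy() {
  ldapsearch -h "$OUD_HOST" -p "$LDAP_PORT" -D "$BIND_DN" -j "$BIND_PW_FILE" \
    -b "$1" -s base '(objectclass=*)' pwdpolicysubentry ds-pwp-password-policy-dn
}

# Offline demo: print the LDIF that would be sent for one user.
assign_policy_ldif 'uid=user.8,ou=People,dc=example,dc=com' \
                   'cn=Pwd_Policy_Test,cn=Password Policies,cn=config'
```

Apply a change with assign_user_policy or assign_group_policy and then call show_user_policy on a member: pwdpolicysubentry should report the intended policy. Because cn=config is not replicated, run assign_group_policy on every replica if the policy and the virtual attribute live there.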
$ ./ldapmodify -p <LDAP_PORT> -D "cn=<DS_ADMIN>" -w <PASSWORD>
dn: uid=<USER.8>,ou=people,dc=<SUFFIX_DN>
changetype: modify
add: pwdpolicysubentry
pwdpolicysubentry: cn=Default Password Policy,cn=Password Policies,cn=config
Processing MODIFY request for uid=<USER.8>,ou=people,dc=<SUFFIX_DN>
MODIFY operation failed
Result Code: 53 (Unwilling to Perform)
Additional Information: Entry uid=<USER.8>,ou=people,dc=<SUFFIX_DN> cannot be modified because the modification attempted to update attribute pwdpolicysubentry which is defined as NO-USER-MODIFICATION in the server schema
Solution