
Using OUD 11g / 12c - How to Assign a Password Policy to an Individual or Group (Doc ID 2434257.1)

Last updated on FEBRUARY 12, 2024

Applies to:

Oracle Unified Directory - Version 11.1.2.3.170117 and later
Information in this document applies to any platform.

Goal

Assign a password policy to an individual or group

Password policies can be defined either under cn=Password Policies,cn=config (server configuration, which is not replicated and therefore has to be created on every replica) or as subentries in the Directory Information Tree (DIT), where they are replicated together with the data.

Two attributes on the user entry refer to a password policy DN:
- ds-pwp-password-policy-dn, the real attribute that records an explicit per-user assignment and is the one an administrator writes to.
- pwdpolicysubentry, an operational attribute computed by the server that always shows the policy in effect, whether it comes from an explicit assignment, from a virtual attribute, or from the default password policy.

Both are operational attributes, so ldapsearch returns them only when they are requested by name, as in the example below.

For example -

$ ./ldapsearch -p <LDAP_PORT> -D "cn=<DS_ADMIN>" -w <PASSWORD> -b "dc=<SUFFIX_DN>" "uid=*" pwdpolicysubentry ds-pwp-password-policy-dn | more
dn: uid=<USER.0>,ou=People,dc=<SUFFIX_DN>
pwdpolicysubentry: cn=Default Password Policy,cn=Password Policies,cn=config

dn: uid=<USER.1>,ou=People,dc=<SUFFIX_DN>
pwdpolicysubentry: cn=Default Password Policy,cn=Password Policies,cn=config

dn: uid=<USER.2>,ou=People,dc=<SUFFIX_DN>
pwdpolicysubentry: cn=Default Password Policy,cn=Password Policies,cn=config

...

dn: uid=<USER.5>,ou=People,dc=<SUFFIX_DN>
ds-pwp-password-policy-dn: cn=<Pwd_Policy_Test>,cn=Password Policies,cn=config
pwdpolicysubentry: cn=<Pwd_Policy_Test>,cn=Password Policies,cn=config

dn: uid=<USER.6>,ou=People,dc=<SUFFIX_DN>
ds-pwp-password-policy-dn: cn=<Pwd_Policy_Test>,cn=Password Policies,cn=config
pwdpolicysubentry: cn=<Pwd_Policy_Test>,cn=Password Policies,cn=config

...


The policy in effect for an entry can be verified with the manage-account command, which connects to the administration connector (admin) port, regardless of the attribute in which the assignment is stored -

For example -

$ ./manage-account -h localhost -p <ADMIN_PORT> -X -D "cn=<DS_ADMIN>" -j <PWD_FILE> get-password-policy-dn --targetDN "uid=<USER.8>,ou=people,dc=<SUFFIX_DN>"
Password Policy DN: cn=<Pwd_Policy_Test>,cn=Password Policies,cn=config

or by explicitly requesting the pwdpolicysubentry attribute with ldapsearch (see the example above).


Individual users are assigned a password policy by setting the ds-pwp-password-policy-dn attribute on the user entry.
Groups are assigned a password policy through a virtual attribute configuration that presents ds-pwp-password-policy-dn on every member of the group.

pwdpolicysubentry cannot be used for the assignment. An attempt to set it fails with this error -

$ ./ldapmodify -p <LDAP_PORT> -D "cn=<DS_ADMIN>" -w <PASSWORD>
dn: uid=<USER.8>,ou=people,dc=<SUFFIX_DN>
changetype: modify
add: pwdpolicysubentry
pwdpolicysubentry: cn=Default Password Policy,cn=Password Policies,cn=config

Processing MODIFY request for uid=<USER.8>,ou=people,dc=<SUFFIX_DN>
MODIFY operation failed
Result Code: 53 (Unwilling to Perform)
Additional Information: Entry uid=<USER.8>,ou=people,dc=<SUFFIX_DN> cannot be modified because the modification attempted to update attribute pwdpolicysubentry which is defined as NO-USER-MODIFICATION in the server schema
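The two assignment methods above, plus the read-back checks, as an added example that is not part of the Oracle note (the Solution section of the note is not reproduced here). Every name in the script is an assumption: the instance bin directory, the LDAP and admin ports, the suffix, the user, group and policy DNs, and the virtual attribute name. The ldapmodify/dsconfig/ldapsearch/manage-account options used are the standard OUD ones (-j reads the bind password from a file, -X trusts the admin connector certificate, -n runs dsconfig non-interactively).

```shell
#!/bin/sh
# Added example, not from the Oracle note. Assigns an OUD password policy to one
# user (real attribute ds-pwp-password-policy-dn) and to a group (user-defined
# virtual attribute), then reads back the effective policy. Every name below is
# an assumption: instance path, ports, suffix, user, group and policy DNs.
set -eu

OUD_BIN="${OUD_BIN:-/u01/oud/asinst_1/OUD/bin}"        # assumed instance bin dir
LDAP_PORT="${LDAP_PORT:-1389}"                          # assumed LDAP port
ADMIN_PORT="${ADMIN_PORT:-4444}"                        # assumed admin connector port
BIND_DN="${BIND_DN:-cn=Directory Manager}"
PWD_FILE="${PWD_FILE:-/run/secrets/oud-admin.pwd}"     # password file, never -w on the CLI
POLICY_DN="${POLICY_DN:-cn=Strict Policy,cn=Password Policies,cn=config}"
USER_DN="${USER_DN:-uid=user.5,ou=People,dc=example,dc=com}"
GROUP_DN="${GROUP_DN:-cn=Admins,ou=Groups,dc=example,dc=com}"

# LDIF that assigns a policy to one user. 'replace' works whether or not the user
# already has an explicit assignment; writing pwdpolicysubentry instead would be
# rejected by the server (result 53, NO-USER-MODIFICATION).
user_policy_ldif() {  # $1 user DN, $2 policy DN
    printf 'dn: %s\nchangetype: modify\nreplace: ds-pwp-password-policy-dn\nds-pwp-password-policy-dn: %s\n' "$1" "$2"
}

# LDIF that drops the explicit assignment so the user falls back to a matching
# group virtual attribute or, failing that, to the default password policy.
clear_user_policy_ldif() {  # $1 user DN
    printf 'dn: %s\nchangetype: modify\ndelete: ds-pwp-password-policy-dn\n' "$1"
}

# Extract the effective policy from ldapsearch output. pwdpolicysubentry is what
# the server actually applies, whichever way the assignment was made. Empty
# output means the attribute was not returned: operational attributes have to be
# requested by name in the search.
effective_policy_from_search() {  # ldapsearch output on stdin
    sed -n 's/^pwdpolicysubentry: //p' | head -n 1
}

# Per-user assignment, group assignment and read-back against a live instance.
apply_and_verify() {
    user_policy_ldif "$USER_DN" "$POLICY_DN" |
        "$OUD_BIN/ldapmodify" -p "$LDAP_PORT" -D "$BIND_DN" -j "$PWD_FILE"

    # Group assignment: a user-defined virtual attribute presents
    # ds-pwp-password-policy-dn on every member of GROUP_DN. Created over the
    # admin port; -X trusts the admin connector certificate (use a truststore
    # in production instead).
    "$OUD_BIN/dsconfig" -h localhost -p "$ADMIN_PORT" -D "$BIND_DN" -j "$PWD_FILE" -X -n \
        create-virtual-attribute \
        --name "Admins Password Policy" \
        --type user-defined \
        --set enabled:true \
        --set attribute-type:ds-pwp-password-policy-dn \
        --set "group-dn:$GROUP_DN" \
        --set "value:$POLICY_DN"

    # Read back: request the operational attribute explicitly over LDAP ...
    "$OUD_BIN/ldapsearch" -p "$LDAP_PORT" -D "$BIND_DN" -j "$PWD_FILE" \
        -b "$USER_DN" -s base "(objectclass=*)" pwdpolicysubentry |
        effective_policy_from_search
    # ... and cross-check with manage-account on the admin port.
    "$OUD_BIN/manage-account" -h localhost -p "$ADMIN_PORT" -X -D "$BIND_DN" -j "$PWD_FILE" \
        get-password-policy-dn --targetDN "$USER_DN"
}

# Only touch a server when the instance tools exist; the helpers above can be
# exercised without one.
if [ -x "$OUD_BIN/ldapmodify" ]; then
    apply_and_verify
fi
```

When a user carries both an explicit ds-pwp-password-policy-dn and a value from a group virtual attribute, the virtual attribute's conflict-behavior decides which one wins; the default (real-overrides-virtual) lets the per-user assignment take precedence, so clear it with the delete LDIF above if the group policy is meant to apply. After either change, confirm the result with pwdpolicysubentry or manage-account rather than by reading ds-pwp-password-policy-dn back, since only the former reflects virtual attributes and the default policy.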

 

Solution


