Setting advanced password policy

Use this information to set advanced password policy properties.

The password policy capabilities of IBM Tivoli Directory Server for i can be extended to enforce rules for advanced password syntax checking in addition to the standard default rules. Password complexity rules help to strengthen the security of authentication mechanisms.

Note: The advanced password policy rules apply to all users in the directory instance. Unlike the default password policy, the advanced rules cannot be configured for specific groups or users.

Use the following attributes to specify the rules for advanced password policy settings:

  • pwdNoSpaces
    • Specifies whether the password can use spaces.
    • Valid values are true and false, where true means the password cannot have spaces and false means the password can use spaces.
  • pwdMinSpecialChars
    • Specifies the minimum number of special characters that a password must contain.
    • The valid value is a number. If you specify 0 as the value of this attribute, this rule is disabled.
  • pwdMinNumericChars
    • Specifies the minimum number of numeric characters that a password must contain.
    • The valid value is a number. If you specify 0 as the value of this attribute, this rule is disabled.
  • pwdMinLowercaseChars
    • Specifies the minimum number of lowercase characters that a password must contain.
    • The valid value is a number. If you specify 0 as the value of this attribute, this rule is disabled.
  • pwdMinUppercaseChars
    • Specifies the minimum number of uppercase characters that a password must contain.
    • The valid value is a number. If you specify 0 as the value of this attribute, this rule is disabled.
  • pwdMaxAscChars
    • Specifies the maximum number of ascending characters that a password can contain. The characters can be alphabetic or numeric.
    • The valid value is a number.
    • For example, specify the value 2 to disallow strings such as ABC, xyz, or 123.
  • pwdMaxDscChars
    • Specifies the maximum number of descending characters that a password can contain. The characters can be alphabetic or numeric.
    • The valid value is a number.
    • For example, specify the value 2 to disallow strings such as CBA, zyx, or 321.

Examples

This example shows the configuration entry for the following advanced password policy rules. The password:

  • Cannot have spaces.
  • Must contain at least one special character, one numeric character, one lowercase character, and one uppercase character.
  • Must not contain more than three ascending characters or three descending characters.

dn: cn=Directory, cn=RDBM Backends, cn=IBM Directory, cn=Schemas, cn=Configuration
cn: Directory
ibm-slapdCachedAttributeAutoAdjust: FALSE
ibm-slapdCachedAttributeAutoAdjustTime: T000000
ibm-slapdCachedAttributeAutoAdjustTimeInterval: 2
ibm-slapdCachedAttributeSize: 16384
ibm-slapdDbConnections: 4
ibm-slapdDbInstance: /QSYS.LIB/QUSRDIRDB.LIB
ibm-slapdDbName: *SYSTEM
ibm-slapdDbUserID: none
ibm-slapdDbUserPW: none
ibm-slapdEnableRemotePWPExOps: TRUE
ibm-slapdGroupMembersCacheBypassLimit: 25000
ibm-slapdGroupMembersCacheSize: 25
ibm-slapdLanguageTagsEnabled: FALSE
ibm-slapdNumRetry: 5
ibm-slapdPagedResAllowNonAdmin: TRUE
ibm-slapdPagedResLmt: 2
ibm-slapdPlugin: database /QSYS.LIB/QGLDRDBM.SRVPGM rdbm_backend_init
ibm-slapdPlugin: replication /QSYS.LIB/QGLDREPL.SRVPGM replInit
ibm-slapdPlugin: preoperation /QSYS.LIB/QGLDADVPP.SRVPGM customPwdPolicyInit
     pwdNoSpaces=true pwdMinSpecialChars=1 pwdMinNumericChars=1 pwdMinLowercaseChars=1 
     pwdMinUppercaseChars=1 pwdMaxAscChars=3 pwdMaxDscChars=3
#ibm-slapdPlugin: extendedop /QSYS.LIB/QGLDRDBM.SRVPGM initUniqueAttr
ibm-slapdReadOnly: FALSE
ibm-slapdrepldbconns: 4
ibm-slapdSortKeyLimit: 3
ibm-slapdSortSrchAllowNonAdmin: TRUE
ibm-slapdSuffix: cn=localhost
ibm-slapdSuffix: cn=ibmpolicies
ibm-slapdTombstoneEnabled: FALSE
ibm-slapdTombstoneLifetime: 168
objectclass: top
objectclass: ibm-slapdConfigEntry
objectclass: ibm-slapdRdbmBackend
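The rules above, applied to the plugin arguments from this example configuration, as an added illustration that is not part of the IBM documentation or of the server's own code: a small Python checker that parses the name=value arguments and reports which rules a candidate password violates. It assumes that "ascending/descending characters" means the longest run of alphanumeric characters whose code points step by exactly one, and that a "special character" is any non-alphanumeric, non-space character; the server's actual definitions may differ.

```python
# Constructed from the argument string on the example's ibm-slapdPlugin line.
EXAMPLE_ARGS = ("pwdNoSpaces=true pwdMinSpecialChars=1 pwdMinNumericChars=1 "
                "pwdMinLowercaseChars=1 pwdMinUppercaseChars=1 "
                "pwdMaxAscChars=3 pwdMaxDscChars=3")


def parse_policy(args):
    """Turn 'name=value ...' into a dict: bool for pwdNoSpaces, int for the rest."""
    policy = {}
    for token in args.split():
        name, value = token.split("=", 1)
        policy[name] = (value.lower() == "true") if name == "pwdNoSpaces" else int(value)
    return policy


def longest_run(password, step):
    """Longest run of alphanumeric characters whose code points move by `step`
    (+1 = ascending, -1 = descending). Non-alphanumerics break the run.
    Assumed interpretation of the pwdMaxAsc/DscChars rules."""
    best = run = 0
    prev = None
    for ch in password:
        if ch.isalnum() and prev is not None and ord(ch) - ord(prev) == step:
            run += 1
        else:
            run = 1 if ch.isalnum() else 0
        best = max(best, run)
        prev = ch if ch.isalnum() else None
    return best


def check_password(password, policy):
    """Return the names of violated rules; an empty list means the password passes."""
    violations = []
    if policy.get("pwdNoSpaces") and " " in password:
        violations.append("pwdNoSpaces")
    counts = {
        "pwdMinSpecialChars": sum(not c.isalnum() and not c.isspace() for c in password),
        "pwdMinNumericChars": sum(c.isdigit() for c in password),
        "pwdMinLowercaseChars": sum(c.islower() for c in password),
        "pwdMinUppercaseChars": sum(c.isupper() for c in password),
    }
    for rule, count in counts.items():
        minimum = policy.get(rule, 0)  # 0 (or absent) disables the rule, as the page states
        if minimum and count < minimum:
            violations.append(rule)
    if policy.get("pwdMaxAscChars") and longest_run(password, +1) > policy["pwdMaxAscChars"]:
        violations.append("pwdMaxAscChars")
    if policy.get("pwdMaxDscChars") and longest_run(password, -1) > policy["pwdMaxDscChars"]:
        violations.append("pwdMaxDscChars")
    return violations
```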