

Test Your Password Policy

To check whether a DSA supports the password policy control, you need to query the root DSE.

You can use this example to show that the CA Directory password policy is functioning correctly.

Client applications using this feature need to be able to parse the password policy response control. In tests 1 and 2, the password policy response control is empty (no information to report).

  1. In the Democorp directory, create the following password settings:
    set password-policy = true; 
    set password-retries = 1;
    
  2. Edit the Craig Link entry to include a password.
  3. Use the LDUA to ensure that the DSA supports the password policy control:
    ldua> bind-req
    ----> remote-addr = {
    ---->     nsap = ip "hostname" port 19389
    ----> }
    ldua> unbind-req;
    ldua> search-req
    ----> base-object = <>
    ----> attrs = supportedControl;
    ldua> 
    <- LDAP SEARCH-CONFIRM 
    invoke-id = 2   credit = 24
    	Entry:    <>
    	Contents:  
    	(supportedControl "1.3.6.1.4.1.42.2.27.8.5.1")
    ldua>
    

    Note: The supportedControl attribute is in the sunone.dxc schema.

  4. Use the following to bind with the password policy control:
    ldua> bind-req
    ----> user =  <c au>
    ---->         <o Democorp>
    ---->         <ou Corporate>
    ---->         <ou Administration>
    ---->         <cn "Craig link">
    ----> password = "wrong"
    ----> remote-addr = {
    ----> nsap = ip "hostname" port 19389
    ----> }
    ----> controls = { password-policy };
    ldua>
    

Test 1: Test with an Incorrect Password

  1. Try to log in with an incorrect password.
  2. The bind is refused.
  3. The following response appears:
    <- LDAP BIND-REFUSE 
    		invoke-id = 0   credit = 24
    	Bind Error:    Security Error:  Invalid credentials
    	Controls:
    		password-policy response
    

Test 2: Test with an Incorrect Password Again

  1. Try to log in again with an incorrect password.
  2. The bind is refused again, and the account is suspended.
  3. The following response appears:
    <- LDAP BIND-REFUSE 
    		invoke-id = 0   credit = 24
    	Bind Error:    Security Error:  Invalid credentials
    	Controls:
    		password-policy response
    

Test 3: Test with the Correct Password, but Account Suspended

  1. Try to log in using the correct password.
  2. The bind is refused because the account is suspended.
  3. The following response appears:
    <- LDAP BIND-REFUSE 
    		invoke-id = 0   credit = 24
    	Bind Error:    Security Error:  Invalid credentials
    	Controls:
    		password-policy response
    		Error: account-locked
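As an added example (not part of the CA Directory documentation or the LDUA tool), the following Python decoder covers the two client-side tasks this page describes: checking the root DSE's supportedControl values for the password policy control OID, and parsing the password policy response control returned in Tests 1 to 3. The response value is decoded as the BER structure defined in draft-behera-ldap-password-policy; the sample byte strings are constructed here, not captured from a DSA: the empty value matches Tests 1 and 2, the accountLocked value matches Test 3, and the expiry warning goes beyond what the page shows.

```python
"""Decode the LDAP password policy response control (OID 1.3.6.1.4.1.42.2.27.8.5.1)."""

PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# ENUMERATED values of the 'error' field, in the order given by draft-behera-ldap-password-policy
ERRORS = ["passwordExpired", "accountLocked", "changeAfterReset",
          "passwordModNotAllowed", "mustSupplyOldPassword",
          "insufficientPasswordQuality", "passwordTooShort",
          "passwordTooYoung", "passwordInHistory"]
# CHOICE alternatives of the 'warning' field, keyed by context-specific tag number
WARNINGS = {0: "timeBeforeExpiration", 1: "graceAuthNsRemaining"}


def _tlv(buf, pos):
    """Read one BER tag-length-value at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def supports_ppolicy(supported_controls):
    """True if the root DSE's supportedControl values (step 3 above) include the ppolicy OID."""
    return PPOLICY_OID in supported_controls


def parse_ppolicy_response(value):
    """Decode a PasswordPolicyResponseValue into {'warning': (name, count) or None, 'error': name or None}."""
    result = {"warning": None, "error": None}
    if not value:                           # control returned without a value: nothing to report
        return result
    tag, body, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    pos = 0
    while pos < len(body):                  # an empty SEQUENCE (tests 1 and 2) never enters the loop
        tag, inner, pos = _tlv(body, pos)
        if tag == 0xA0:                     # warning [0] CHOICE, constructed
            wtag, num, _ = _tlv(inner, 0)   # inner tag [0] or [1], primitive, INTEGER contents
            result["warning"] = (WARNINGS[wtag & 0x1F], int.from_bytes(num, "big"))
        elif tag == 0x81:                   # error [1] ENUMERATED, primitive
            result["error"] = ERRORS[int.from_bytes(inner, "big")]
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
    return result


# Constructed sample control values (hypothetical, not captured from a DSA)
EMPTY_RESPONSE = bytes.fromhex("3000")              # tests 1 and 2: empty SEQUENCE
LOCKED_RESPONSE = bytes.fromhex("3003810101")       # test 3: error = accountLocked (1)
EXPIRY_WARNING = bytes.fromhex("3006a00480020e10")  # warning: timeBeforeExpiration = 3600 s
```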