Previous Topic: Password Security

Next Topic: Plan a Password Policy

Password Commands Requiring an LDAP Client

Some password commands can only be used with LDAP clients that are aware of LDAP password policy controls (for example, LDUA and the PAM-LDAP client).

The following commands help you enhance account control:

CA Directory uses the following command to mimic the nonstandard functionality of some other directories:

This section of the CA Directory password policy is specified in an Internet Draft on the IETF home page. The specification of its operation can change over time. Also, the name of the draft document changes as revisions are made. At the time of writing, the document name is draft-behera-ldap-password-policy-09.txt.

PasswordPolicyResponseValue ::= SEQUENCE {
warning [0] CHOICE {
timeBeforeExpiration    [0] INTEGER (0 .. maxInt),
graceLoginsRemaining    [1] INTEGER (0 .. maxInt) } OPTIONAL,
error   [1] ENUMERATED {
passwordExpired                 (0),
accountLocked                   (1),
changeAfterReset                (2),
passwordModNotAllowed           (3),
mustSupplyOldPassword           (4), <== Not required (handled by bind)
insufficientPasswordQuality     (5),
passwordTooShort                (6),
passwordTooYoung                (7),
passwordInHistory               (8) } OPTIONAL }

timeBeforeExpiration and graceLoginsRemaining are provided where appropriate. For example, password policy must be enabled in CA Directory.

More information:

set password-age-warning-period Command

set password-force-change Command


Copyright © 2009 CA. All rights reserved. Email CA about this topic