
Password Commands Requiring an LDAP Client

Some password commands take effect only with LDAP clients that understand the LDAP password policy control (for example, LDUA and the PAM-LDAP client); a client that ignores the control never sees the warnings or error codes it carries.

The following commands help you enhance account control:

CA Directory uses the following command to mimic the nonstandard functionality of some other directories:

This part of the CA Directory password policy follows an Internet Draft published on the IETF home page. Because it is a draft, the specified behavior can change over time, and the name of the draft document changes with each revision. At the time of writing, the document name is draft-behera-ldap-password-policy-09.txt.

PasswordPolicyResponseValue ::= SEQUENCE {
    warning [0] CHOICE {
        timeBeforeExpiration    [0] INTEGER (0 .. maxInt),
        graceLoginsRemaining    [1] INTEGER (0 .. maxInt) } OPTIONAL,
    error   [1] ENUMERATED {
        passwordExpired                 (0),
        accountLocked                   (1),
        changeAfterReset                (2),
        passwordModNotAllowed           (3),
        mustSupplyOldPassword           (4), <== Not required (handled by bind)
        insufficientPasswordQuality     (5),
        passwordTooShort                (6),
        passwordTooYoung                (7),
        passwordInHistory               (8) } OPTIONAL }

timeBeforeExpiration and graceLoginsRemaining are returned only where appropriate; for instance, they are returned only when password policy is enabled in CA Directory.
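To show what a control-aware client actually does with the structure above, here is a small BER decoder for PasswordPolicyResponseValue and a client-side decision function. This is an added example, not code from CA Directory or its documentation. It assumes the tag layout in which the explicitly tagged warning CHOICE is a constructed [0] (0xA0) wrapping a primitive [0] or [1] INTEGER, and the error field is an implicitly tagged primitive [1] (0x81) ENUMERATED; the sample control values are constructed by hand for this example, and client_action is an illustrative policy, not one prescribed by the draft.

```python
"""Decode a PasswordPolicyResponseValue (draft-behera-ldap-password-policy) control.

Added example: a hand-rolled BER decoder for exactly the structure shown in
the page's ASN.1 snippet, so a client can act on warnings and error codes
instead of silently ignoring the control.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Error codes from the ENUMERATED in the ASN.1 snippet.
PP_ERRORS = {
    0: "passwordExpired",
    1: "accountLocked",
    2: "changeAfterReset",
    3: "passwordModNotAllowed",
    4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality",
    6: "passwordTooShort",
    7: "passwordTooYoung",
    8: "passwordInHistory",
}

# Constructed sample control values (hex), not captured from a real server.
SAMPLE_EXPIRY_WARNING = "3006a00480020e10"      # timeBeforeExpiration = 3600 s
SAMPLE_ACCOUNT_LOCKED = "3003810101"            # error = accountLocked
SAMPLE_GRACE_AND_RESET = "3008a003810102810102" # 2 grace logins + changeAfterReset


@dataclass
class PasswordPolicyResponse:
    time_before_expiration: Optional[int] = None  # seconds until expiry
    grace_logins_remaining: Optional[int] = None
    error: Optional[str] = None


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER element (single-byte tag, short or long-form length).

    Returns (tag, value_bytes, position_after_element) and rejects anything
    truncated so a malformed control cannot make the client read past the buffer.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("BER element runs past end of buffer")
    return tag, buf[pos:end], end


def _decode_nonneg_int(value: bytes) -> int:
    """Decode INTEGER (0 .. maxInt); negative or empty values are invalid here."""
    if not value:
        raise ValueError("empty INTEGER")
    n = int.from_bytes(value, "big", signed=True)
    if n < 0:
        raise ValueError("negative value not allowed by (0 .. maxInt)")
    return n


def decode_ppolicy_response(control_value: bytes) -> PasswordPolicyResponse:
    """Parse the control value into its optional warning and error parts."""
    tag, body, end = _read_tlv(control_value, 0)
    if tag != 0x30 or end != len(control_value):
        raise ValueError("expected a single SEQUENCE")
    result = PasswordPolicyResponse()
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0xA0:  # warning [0] CHOICE: explicit tag, so constructed
            inner_tag, inner, inner_end = _read_tlv(value, 0)
            if inner_end != len(value):
                raise ValueError("trailing data inside warning")
            if inner_tag == 0x80:    # timeBeforeExpiration [0] INTEGER
                result.time_before_expiration = _decode_nonneg_int(inner)
            elif inner_tag == 0x81:  # graceLoginsRemaining [1] INTEGER
                result.grace_logins_remaining = _decode_nonneg_int(inner)
            else:
                raise ValueError(f"unknown warning choice tag 0x{inner_tag:02x}")
        elif tag == 0x81:  # error [1] ENUMERATED, implicit primitive tag (assumed)
            code = _decode_nonneg_int(value)
            result.error = PP_ERRORS.get(code, f"unknown({code})")
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in PasswordPolicyResponseValue")
    return result


def client_action(resp: PasswordPolicyResponse) -> str:
    """Illustrative client policy after a bind that returned this control.

    changeAfterReset means the bind succeeded but only a password change should
    be allowed; any other error ends the session; warnings are shown to the user.
    """
    if resp.error == "changeAfterReset":
        return "force-change"
    if resp.error is not None:
        return "reject"
    if resp.time_before_expiration is not None or resp.grace_logins_remaining is not None:
        return "warn"
    return "ok"


if __name__ == "__main__":
    for name, hexval in (("expiry", SAMPLE_EXPIRY_WARNING),
                         ("locked", SAMPLE_ACCOUNT_LOCKED),
                         ("grace+reset", SAMPLE_GRACE_AND_RESET)):
        resp = decode_ppolicy_response(bytes.fromhex(hexval))
        print(f"{name}: {resp} -> {client_action(resp)}")
```

Because PAM-LDAP and similar clients only surface these conditions when they decode the control, the decoder is the part that turns a bind response into a visible "password expires in N seconds" or "account locked" message; the strict length checks matter because the value comes straight off the wire.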

More information:

set password-age-warning-period Command

set password-force-change Command