

Account-Level Password Quality Checking

Password quality checking is performed when accounts on managed endpoints are created or modified or when CA IdentityMinder user passwords are set. Password quality checking on accounts is limited to checks based on the characters in the password. Checks of global user passwords that are based on the history of recent changes (frequency of password update and frequency of password reuse) are not performed on accounts because CA IdentityMinder cannot intercept all password changes for account passwords. Therefore, it cannot have an accurate password change history with which to perform these checks.

The checking of account passwords is controlled by the following domain configuration parameters:

Check Account Passwords
Check Empty Account Passwords

The value of each parameter specifies, per managed endpoint, the level of checking to be performed. An endpoint can be specified in any of the following ways:

ALL
-ALL
<NamespaceName>
-<NamespaceName>
<NamespaceName>:<DirectoryName>
-<NamespaceName>:<DirectoryName>

The forms that include a minus sign (-) disable the parameter; the forms without it enable the parameter. The [-]<NamespaceName> forms control all endpoints of the indicated endpoint type, while the [-]<NamespaceName>:<DirectoryName> forms control individual endpoints. The [-]ALL forms control all endpoints of all endpoint types. The default value for both parameters is -ALL.

Each of these parameters can be specified many times. If multiple values apply to the same endpoint, the last value is used, so you can place general rules first and specific rules later to override the general rules.

The Check Account Passwords parameter provides checking equivalent to global user password quality checking. With this parameter enabled for an endpoint, CA IdentityMinder checks any password in a requested change for an existing account, including attempts to set an empty password. During account creation, if no password is provided, password quality checking is not performed.

Check Empty Account Passwords provides the added checking of empty passwords when creating accounts. If the password profile is enabled and requires at least a single-character password, an empty password causes account creation to fail. This parameter is separate from Check Account Passwords because in some endpoint types it is acceptable to create an account with no password.

Note: Account password quality checking is skipped for synchronized account passwords if the supplied password matches the current global user password.
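The following Python model is an added example and is not CA IdentityMinder code. It implements the rules described above: parsing the [-]ALL, [-]<NamespaceName> and [-]<NamespaceName>:<DirectoryName> value forms, resolving a parameter for an endpoint with last-matching-value-wins semantics and the -ALL default, and then deciding whether a character-based quality check runs for a create or modify request under Check Account Passwords, Check Empty Account Passwords and the synchronized-password exception. It assumes exact name matching, and the namespace and directory names in it (ActiveDirectory, corp.example, lab.example, UNIX, host1) are constructed sample data.

```python
"""Model of the CA IdentityMinder account password quality parameters.

Added example, not CA IdentityMinder code. It implements the documented
semantics of the Check Account Passwords and Check Empty Account Passwords
domain configuration parameters:

  * a value is ALL, -ALL, <NamespaceName>, -<NamespaceName>,
    <NamespaceName>:<DirectoryName> or -<NamespaceName>:<DirectoryName>;
    a leading minus disables, no minus enables
  * values are evaluated in the order given and the last value whose scope
    covers the endpoint wins, which is what lets a specific rule placed later
    override a general rule placed earlier
  * with no covering value the default -ALL (disabled) applies

Assumptions: names are compared exactly (case and spelling), a password that
is not part of a request is represented as None, and an attempt to set an
empty password is "". All endpoint names below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

Endpoint = Tuple[str, str]  # (NamespaceName, DirectoryName)


@dataclass(frozen=True)
class Rule:
    enabled: bool
    namespace: Optional[str]  # None means ALL
    directory: Optional[str]  # None means every endpoint of the namespace

    def covers(self, endpoint: Endpoint) -> bool:
        """True if this value's scope includes the endpoint."""
        ns, directory = endpoint
        if self.namespace is None:
            return True
        if self.namespace != ns:
            return False
        return self.directory is None or self.directory == directory


def parse_rule(value: str) -> Rule:
    """Parse one parameter value into its enable flag and scope."""
    value = value.strip()
    enabled = not value.startswith("-")
    body = value[1:] if not enabled else value
    if body == "ALL":
        return Rule(enabled, None, None)
    ns, sep, directory = body.partition(":")
    if not ns or (sep and not directory):
        raise ValueError(f"malformed endpoint specification: {value!r}")
    return Rule(enabled, ns, directory if sep else None)


def resolve(values: Sequence[str], endpoint: Endpoint) -> bool:
    """Return whether a parameter is enabled for the endpoint.

    Every value is parsed (so a malformed entry is rejected even when it
    would not match), and the last covering value decides; the default
    -ALL applies when none covers the endpoint.
    """
    enabled = False
    for rule in (parse_rule(v) for v in values):
        if rule.covers(endpoint):
            enabled = rule.enabled
    return enabled


def quality_check_required(check_account: Sequence[str],
                           check_empty: Sequence[str],
                           endpoint: Endpoint,
                           operation: str,
                           password: Optional[str],
                           synced_matches_global: bool = False) -> bool:
    """Decide whether the character-based quality check runs for a request.

    operation is "create" or "modify". For a modify, an enabled Check Account
    Passwords covers every password in the change, including an empty one; a
    change that carries no password has nothing to check. For a create
    without a password, the check runs only if Check Empty Account Passwords
    is also enabled for the endpoint. A synchronized password equal to the
    current global user password is never checked.
    """
    if operation not in ("create", "modify"):
        raise ValueError(f"unknown operation: {operation!r}")
    if synced_matches_global:
        return False
    if not resolve(check_account, endpoint):
        return False
    if operation == "create" and not password:
        return resolve(check_empty, endpoint)
    return password is not None


if __name__ == "__main__":
    # Constructed sample configuration: check every ActiveDirectory endpoint
    # except corp.example, and also check empty passwords on lab.example.
    check_account = ["-ALL", "ActiveDirectory", "-ActiveDirectory:corp.example"]
    check_empty = ["ActiveDirectory:lab.example"]
    for ep in [("ActiveDirectory", "corp.example"),
               ("ActiveDirectory", "lab.example"),
               ("UNIX", "host1")]:
        print(ep, "create without password ->",
              quality_check_required(check_account, check_empty, ep, "create", None))
```

The resolver parses every value before matching so that a typo such as a trailing colon is reported rather than silently ignored, which is the failure mode that leaves an endpoint unchecked without anyone noticing; run the module directly to see the three sample endpoints resolved.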