

Sm_PolicyApi_PasswordPolicy_t

Defines a SiteMinder password policy object.

Syntax

typedef struct Sm_PolicyApi_PasswordPolicy_s
{
   int iStructId;
   char pszOid[BFSIZE];
   char pszName[BFSIZE];                    /* Required */
   char pszDesc[BFSIZE];
   bool bEntireDir;                         /* Required */
   bool bIsEnabled;                         /* Required */
   char pszUserDirectoryOid[BFSIZE];        /* Required */
   char pszPath[BFSIZE];                    /* Required */
   char pszClass[BFSIZE];                   /* Required */
   int nResolution;                         /* Required */
   int nLoginMaxFailures;                   /* Required */
   int nLoginMaxInactivity;                 /* Required */
   int nLoginInactivityWarn;
   int nLoginDaysGrace;                     /* Required */
   char pszDictionaryName[BFSIZE];
   int nDictionaryPartial;                  /* Required */
   int nExpirationDelay;                    /* Required */
   int nReenablement;                       /* Required */
   int nPasswordBehavior;                   /* Required */
   char pszPasswordServicesRedirect[BFSIZE];
   int nPWMaxLength;                        /* Required */
   int nPWMinLength;                        /* Required */
   int nPWMaxRepeatingChar;                 /* Required */
   int nPWMinAlphaNum;                      /* Required */
   int nPWMinAlpha;                         /* Required */
   int nPWMinNonAlpha;                      /* Required */
   int nPWMinNonPrintable;                  /* Required */
   int nPWMinNumbers;                       /* Required */
   int nPWMinPunctuation;                   /* Required */
   int nPWReuseCount;                       /* Required */
   int nPWReuseDelay;                       /* Required */
   int nPWPercentDifferent;                 /* Required */
   int nPWPercentSequence;                  /* Required */
   int nPWSpecialsLength;                   /* Required */
   struct Sm_PolicyApi_PasswordPolicy_s* next;
   int nPriority;                           /* Required */
   int nPWMinLowerAlpha;                    /* Required */
   int nPWMinUpperAlpha;                    /* Required */
   int nReserved1;
   int nReserved2;
   int nReserved3;
   int nReserved4[BFSIZE];
} Sm_PolicyApi_PasswordPolicy_t;

Field

Description

iStructId

Password policy data structure ID, defined in Sm_PolicyApi_Structs_t.

pszOid

The object identifier of the password policy object.

pszName

Name of the password policy.

pszDesc

Brief description of the password policy object.

bEntireDir

Flag: Set to true to apply the password policy to the entire LDAP directory.

bIsEnabled

Flag: Set to true to enable the password policy.

pszUserDirectoryOid

Object identifier of the user directory to which the password policy will apply.

pszPath

If bEntireDir is set to false, use this field to specify the users to whom the password policy applies. For example, values you can specify include:

  • A complete user DN
  • A complete DN of an organization or group containing the users to whom the password policy applies
  • A search expression that represents the users to whom the password policy applies

See nResolution for more information.

pszClass

If bEntireDir is set to false, use this field to specify the object class where the password policy applies.

Specify the object class as understood by a particular user directory, such as organizationalUnit in LDAP or User in NT.

nResolution

A constant that shows how the password policy applies to the users specified in pszPath. For example:

  • If pszPath is the path to a group, the following constant indicates that the password policy applies to the members of the group:

Sm_PolicyResolution_UserGroup

  • If pszPath is a search expression that searches for all groups containing a particular attribute, the following constant indicates that the password policy applies to the members of the matching groups:

Sm_PolicyResolution_GroupProp

Policy resolution constants are defined in Sm_PolicyResolution_t.

nLoginMaxFailures

Maximum number of failed login attempts a user can make before the user account is disabled.

nLoginMaxInactivity

Number of days of inactivity allowed before a user's password expires. The account is not disabled until the user tries to log in after the expiration.

nLoginInactivityWarn

Reserved.

nLoginDaysGrace

Number of days in advance to notify user that the password will expire.

pszDictionaryName

The location of a dictionary file that lists words that cannot be used in a password.

nDictionaryPartial

The minimum number of letters to qualify for dictionary checking. For example, set this field to 5 to avoid checking words of 4 or fewer characters. Set this field to 0 to reject only passwords that match a word in the dictionary exactly.

nExpirationDelay

Number of days of inactivity allowed before user account is disabled.

nReenablement

Specifies the number of minutes a user must wait before attempting to log in again or before the user's account is re-enabled.

The condition that applies after the nReenablement time period is determined by the following flag (which is set through nPasswordBehavior):

Sm_PasswordPolicyBehavior_FullReenable

nPasswordBehavior

Bit mask flags expressing the behavior of the password policy, as defined in Sm_PasswordPolicyBehavior_t.

You can also set recursive behavior for the password policy through the additional password behavior flag below. Use this flag to indicate that the password policy applies to the group specified in pszPath and to any groups nested within it:

Sm_PolicyBehavior_Recursive_Yes

All password behavior flags are defined in SmApi.h.

pszPasswordServicesRedirect

The URL to which the user should be redirected when an invalid password is entered. This must be the URL of the Password Services CGI.

nPWMaxLength

The maximum length for user passwords.

nPWMinLength

Minimum length for user passwords.

nPWMaxRepeatingChar

Maximum number of identical characters that can appear consecutively in a password.

nPWMinAlphaNum

Minimum number of alphabetic or numeric characters (A-Z, a-z, or 0-9) that a password must contain. May be set in conjunction with nPWMinAlpha or nPWMinNumbers. For example, if nPWMinAlphaNum and nPWMinNumbers are both set to 4, the password 1234 is valid.

nPWMinAlpha

Minimum number of alphabetic characters (A-Z, a-z) a password must contain.

nPWMinNonAlpha

Minimum number of non-alphanumeric characters a password must contain. These characters include punctuation marks and other symbols located on the keyboard, such as "@", "$", and "*".

nPWMinNonPrintable

Minimum number of non-printable characters that must be in a password. These characters cannot be displayed on a computer screen.

nPWMinNumbers

Minimum number of numeric characters (0-9) a password must contain.

nPWMinPunctuation

Minimum number of punctuation marks a password must contain. These characters include periods, commas, exclamation marks, slashes, hyphens, dashes, and other marks used for punctuation.

nPWReuseCount

Number of new passwords that must be used before an old one can be reused.

nPWReuseDelay

Number of days a user must wait before reusing a password.

nPWPercentDifferent

The percentage of characters a new password must contain that differ from characters in the previous password. If the value is set to 100, the new password may contain no characters that were in the previous password, unless nPWPercentSequence is set to 0.

nPWPercentSequence

Flag that indicates whether to ignore sequence (character position) when the different-from-previous-characters percentage is calculated. To ignore character position, set nPWPercentSequence to 1. This flag works in conjunction with nPWPercentDifferent. For examples of how this parameter works with nPWPercentDifferent, see Figure 31 on page 150.

nPWSpecialsLength

Specifies the minimum character sequence to check against the user's personal information. For example, if this value is set to 4, SiteMinder prohibits the use of any four consecutive characters found in the user's personal information, such as the four last digits of the user's telephone number.

This field prevents a user from incorporating personal information in a password. SiteMinder checks the password against attributes in the user's directory entry.

next

Pointer to the next password policy structure (Sm_PolicyApi_PasswordPolicy_s) in the list.

nPriority

Priority of the password policy when multiple password policies apply. The value can be any integer, including a negative one. A higher number takes priority over a lower one.

nPWMinLowerAlpha

Minimum number of lowercase alphabetic characters.

nPWMinUpperAlpha

Minimum number of uppercase alphabetic characters.
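The following C program is an added example, not SiteMinder code and not part of the SmApi.h reference. It shows what the composition fields above (nPWMinLength through nPWMinUpperAlpha), the nPWPercentDifferent/nPWPercentSequence pair, and nPWSpecialsLength mean in practice by applying them locally to candidate passwords. The PwPolicy struct is a stand-in that reuses the field names but is not the real Sm_PolicyApi_PasswordPolicy_t; the policy values, the directory attribute values, the treatment of a zero nPWMaxLength or nPWMaxRepeatingChar as "no limit", and the case-insensitive comparison against personal information are all assumptions made for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the composition-related fields of Sm_PolicyApi_PasswordPolicy_t
 * (same field names, but NOT the SmApi.h definition). */
typedef struct {
    int nPWMaxLength, nPWMinLength, nPWMaxRepeatingChar;
    int nPWMinAlphaNum, nPWMinAlpha, nPWMinNonAlpha, nPWMinNumbers, nPWMinPunctuation;
    int nPWMinLowerAlpha, nPWMinUpperAlpha;
    int nPWPercentDifferent, nPWPercentSequence, nPWSpecialsLength;
} PwPolicy;

/* Per-class character counts plus the longest run of one repeated character. */
typedef struct { int len, alpha, lower, upper, digit, punct, nonalnum, maxrun; } PwStats;

static PwStats pw_stats(const char *pw)
{
    PwStats s = {0};
    int run = 0;
    for (size_t i = 0; pw[i]; i++) {
        unsigned char c = (unsigned char)pw[i];
        s.len++;
        if (isalpha(c)) { s.alpha++; if (islower(c)) s.lower++; else s.upper++; }
        else if (isdigit(c)) s.digit++;
        else { s.nonalnum++; if (ispunct(c)) s.punct++; }
        run = (i > 0 && pw[i] == pw[i - 1]) ? run + 1 : 1;
        if (run > s.maxrun) s.maxrun = run;
    }
    return s;
}

/* Percentage of new_pw's characters that do not reuse old_pw.
 * ignore_sequence == 0 (nPWPercentSequence): a character is reused only if old_pw
 * has the same character at the same position.
 * ignore_sequence == 1: position is ignored, so any character that occurs
 * anywhere in old_pw counts as reused. This is our reading of the field text. */
int pw_percent_different(const char *new_pw, const char *old_pw, int ignore_sequence)
{
    size_t n = strlen(new_pw), o = strlen(old_pw), reused = 0;
    if (n == 0) return 0;
    for (size_t i = 0; i < n; i++) {
        bool hit = ignore_sequence ? strchr(old_pw, new_pw[i]) != NULL
                                   : (i < o && new_pw[i] == old_pw[i]);
        if (hit) reused++;
    }
    return (int)((n - reused) * 100 / n);
}

/* True if any seqlen consecutive characters of attr occur in pw.
 * Case-insensitive matching is an assumption; the page does not specify it. */
static bool pw_contains_personal(const char *pw, const char *attr, int seqlen)
{
    size_t plen = strlen(pw), alen = strlen(attr);
    if (seqlen <= 0 || plen < (size_t)seqlen || alen < (size_t)seqlen) return false;
    for (size_t a = 0; a + seqlen <= alen; a++)
        for (size_t p = 0; p + seqlen <= plen; p++) {
            int k = 0;
            while (k < seqlen && tolower((unsigned char)pw[p + k]) == tolower((unsigned char)attr[a + k])) k++;
            if (k == seqlen) return true;
        }
    return false;
}

/* Returns NULL when pw satisfies the policy, otherwise the first rule it breaks.
 * old_pw may be NULL (no previous password); attrs are the user's directory
 * attribute values. Zero nPWMaxLength / nPWMaxRepeatingChar means "no limit" (assumption). */
const char *pw_check(const PwPolicy *p, const char *pw, const char *old_pw,
                     const char *const *attrs, int nattrs)
{
    PwStats s = pw_stats(pw);
    if (p->nPWMaxLength > 0 && s.len > p->nPWMaxLength) return "too long";
    if (s.len < p->nPWMinLength) return "too short";
    if (p->nPWMaxRepeatingChar > 0 && s.maxrun > p->nPWMaxRepeatingChar) return "too many repeated characters";
    if (s.alpha + s.digit < p->nPWMinAlphaNum) return "not enough alphanumeric characters";
    if (s.alpha < p->nPWMinAlpha) return "not enough letters";
    if (s.nonalnum < p->nPWMinNonAlpha) return "not enough non-alphanumeric characters";
    if (s.digit < p->nPWMinNumbers) return "not enough digits";
    if (s.punct < p->nPWMinPunctuation) return "not enough punctuation";
    if (s.lower < p->nPWMinLowerAlpha) return "not enough lowercase letters";
    if (s.upper < p->nPWMinUpperAlpha) return "not enough uppercase letters";
    if (old_pw && pw_percent_different(pw, old_pw, p->nPWPercentSequence) < p->nPWPercentDifferent)
        return "too similar to previous password";
    for (int i = 0; i < nattrs; i++)
        if (pw_contains_personal(pw, attrs[i], p->nPWSpecialsLength)) return "contains personal information";
    return NULL;
}

/* Constructed demo policy and directory attributes (illustrative values, not a recommended baseline). */
const char *check_demo(const char *pw, const char *old_pw)
{
    static const PwPolicy pol = { .nPWMaxLength = 64, .nPWMinLength = 12, .nPWMaxRepeatingChar = 2,
        .nPWMinAlphaNum = 8, .nPWMinAlpha = 4, .nPWMinNonAlpha = 1, .nPWMinNumbers = 1,
        .nPWMinPunctuation = 1, .nPWMinLowerAlpha = 1, .nPWMinUpperAlpha = 1,
        .nPWPercentDifferent = 50, .nPWPercentSequence = 1, .nPWSpecialsLength = 4 };
    static const char *const attrs[] = { "jsmith", "5551234567" };  /* constructed uid and phone */
    return pw_check(&pol, pw, old_pw, attrs, 2);
}

int main(void)
{
    const char *cands[] = { "Correct-Horse-42", "jsmith-Horse-42x", "aaaBatteryStaple1!" };
    for (size_t i = 0; i < sizeof cands / sizeof cands[0]; i++) {
        const char *why = check_demo(cands[i], NULL);
        printf("%-20s %s\n", cands[i], why ? why : "OK");
    }
    printf("Correct-Horse-43 after Correct-Horse-42: %s\n", check_demo("Correct-Horse-43", "Correct-Horse-42"));
    return 0;
}
```

The pw_percent_different calls illustrate the sentence under nPWPercentDifferent: reversing "abcdef" to "fedcba" is 100% different positionally (nPWPercentSequence 0) but 0% different once position is ignored (nPWPercentSequence 1), which is why a 100% requirement only forbids every old character when sequence is ignored.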