You create a password policy to provide an additional layer of security to protected resources.
To create a password policy object
The Create Password Policy pane opens.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
Note: If the policy only applies to part of the directory, click Lookup to specify the part of the directory to which the policy applies.
http://<server.company.org>/siteminderagent/pwcgi/smpwservicescgi.exe
Note: The default Password Services CGI path sometimes differs when you set up a custom Password Services directory. The Password Services CGI is deprecated.
http://<server.company.org>/siteminderagent/forms/smpwservices.fcc
Note: The Password Services FCC is the default redirection URL. For more information about the Password Services FCC, see the Web Agent Configuration Guide.
http://<server.company.org>/siteminderagent/pwservlet/PSWDChangeServlet
You configure password expiration settings to define events that, when triggered, cause the Policy Server to disable the user account and optionally redirect the user to a new Web page. Examples of such events include multiple failed login attempts and account inactivity.
Note: Expiration settings are optional. If you do not want to enable an expiration setting, leave the respective fields blank.
To configure password expiration
Password expiration settings open.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
Note: You must select the Track successful logins check box if you want to disable accounts based on account inactivity. You must select the Track failed logins check box if you want to disable accounts based on failed login attempts.
Note: If you do not need to configure passwords to expire from inactivity, we recommend that you do not set this option, for performance reasons.
You configure password composition rules to control the character composition of newly created passwords.
Note: Composition rules are optional. If you do not want to enable a composition rule, leave the respective fields blank.
To configure password composition restrictions
Password composition settings open.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
Note: If you are using Netscape 4.1 Directory Server with Password Services, do not specify a non-printable characters minimum. Netscape 4.1 Directory Server does not accept non-printable characters.
Regular expression matching for passwords allows you to specify text patterns used for string matching that each password must match or not match to be considered valid.
For example, if you require that the first character of the password be a digit and that the last character not be a digit, you can configure regular expressions to enforce this requirement, and all passwords will be checked against them.
The following table describes the characters you can use for constructing regular expressions for password matching. This syntax is consistent with the regular expression syntax supported for resource matching when specifying realms.
All closure operators (+, *, ?) are greedy by default, meaning that they match as many elements of the string as possible without causing the overall match to fail. If you want a closure to be reluctant (non-greedy), follow it with a '?'. A reluctant closure matches as few elements of the string as possible when finding matches.
The regular expression syntax is as follows:
| Characters | Results |
|---|---|
| \ | Used to quote a meta-character (like '*') |
| \\ | Matches a single '\' character |
| (A) | Groups subexpressions (affects order of pattern evaluation) |
| [abc] | Simple character class (any character within brackets matches the target character) |
| [a-zA-Z] | Character class with ranges (any character range within the brackets matches the target character) |
| [^abc] | Negated character class |
| . | Matches any character other than newline |
| ^ | Matches only at the beginning of a line |
| $ | Matches only at the end of a line |
| A* | Matches A 0 or more times (greedy) |
| A+ | Matches A 1 or more times (greedy) |
| A? | Matches A 1 or 0 times (greedy) |
| A*? | Matches A 0 or more times (reluctant) |
| A+? | Matches A 1 or more times (reluctant) |
| A?? | Matches A 0 or 1 times (reluctant) |
| AB | Matches A followed by B |
| A\|B | Matches either A or B |
| \1 | Backreference to 1st parenthesized subexpression |
| \n | Backreference to nth parenthesized subexpression |
Limit: Each regular expression can contain no more than 10 subexpressions, including the expression itself. The number of subexpressions equals the number of left or opening parentheses in the regular expression plus one more left parenthesis for the expression itself.
You configure regular expressions to specify text patterns that are used for string matching. A password must match or not match the expression to be valid. Each regular expression entry is a name/value pair consisting of a descriptive tag and expression definition.
Regular expression matching for passwords is optional. If you decide to use regular expressions, you only specify entries for expressions that passwords must match or must not match. If you have no expression matching requirements, do not create any regular expression entries.
To configure regular expressions for passwords
You will see an empty table in the Regular Expressions group box.
The Password Regular Expression dialog opens.
If you select this option, define a regular expression that passwords must match.
If you select this option, add an entry for each regular expression that passwords must not match.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
The regular expression is added to the table. If you selected MUST NOT match, you will see a checkbox in the NO Match column.
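The following is an added example, not part of this guide or the Policy Server's own code, showing how a set of name/value regular expression entries (must match / must not match) is applied to a candidate password and how the 10-subexpression limit described above can be checked before an entry is saved. Python's re module stands in for the Policy Server's matcher; the entry tags, the sample patterns and the constructed passwords are assumptions chosen for this example.

```python
import re

# Constructed sample entries: (tag, expression, must_match). The first two encode
# the example above: first character must be a digit, last character must not be.
POLICY_ENTRIES = [
    ("first-char-digit", r"^[0-9]", True),   # passwords MUST match
    ("last-char-digit", r"[0-9]$", False),   # passwords MUST NOT match
    ("no-repeated-pair", r"(..)\1", False),  # backreference: rejects "abab"-style repeats
]

MAX_SUBEXPRESSIONS = 10  # limit stated above, including the expression itself


def subexpression_count(pattern: str) -> int:
    """Count subexpressions as the guide defines them: one per opening
    parenthesis plus one for the expression itself. Backslash-escaped
    parentheses are not counted here (an assumption; the guide does not say)."""
    count = 1
    escaped = False
    for ch in pattern:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "(":
            count += 1
    return count


def validate_entries(entries):
    """Return a list of problems: entries over the subexpression limit or
    expressions that do not compile. An empty list means all entries are usable."""
    problems = []
    for tag, pattern, _ in entries:
        n = subexpression_count(pattern)
        if n > MAX_SUBEXPRESSIONS:
            problems.append(f"{tag}: {n} subexpressions exceeds limit of {MAX_SUBEXPRESSIONS}")
        try:
            re.compile(pattern)
        except re.error as exc:
            problems.append(f"{tag}: invalid expression ({exc})")
    return problems


def check_password(password: str, entries=POLICY_ENTRIES):
    """Return the tags of every entry the password violates (empty list = valid).
    A MUST entry is violated when it fails to match; a MUST NOT entry when it matches."""
    violations = []
    for tag, pattern, must_match in entries:
        matched = re.search(pattern, password) is not None
        if matched != must_match:
            violations.append(tag)
    return violations
```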
You configure password restrictions to place restrictions on password usage. Restrictions include:
You can also prevent users from specifying words that you determine are a security risk or contain users’ personal information.
Note: Restrictions are optional. If you do not want to enable a restriction, leave the respective fields blank.
To configure password restrictions
Password restriction settings open.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
Note: If you specify both criteria, each must be satisfied before a user can reuse a password.
Example: A password policy requires users to wait 365 days and specify 12 passwords before reusing a password. After a year, if a user only supplied six passwords, the user would have to supply another six passwords before reusing the first password.
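The reuse rule in the example above, worked through as an added example (not code from this guide or the Policy Server): both the waiting period and the count of intervening passwords must be satisfied before a previous password may be reused. The history format, the helper name and the sample dates are assumptions; a real implementation would compare stored password hashes rather than plaintext values.

```python
from datetime import date, timedelta

# Policy values from the example above.
REUSE_WAIT_DAYS = 365
REUSE_COUNT = 12


def can_reuse(candidate, history, today):
    """Decide whether `candidate` may be set again.

    history: list of (password, date_set) pairs, oldest first (constructed input;
    in practice these would be hashes). Returns (allowed, reason).
    A password never used before is always allowed by this rule."""
    # Find the most recent use of the candidate, if any.
    for index in range(len(history) - 1, -1, -1):
        password, when = history[index]
        if password != candidate:
            continue
        days_elapsed = (today - when).days
        passwords_since = len(history) - index - 1
        if days_elapsed < REUSE_WAIT_DAYS:
            return False, f"only {days_elapsed} of {REUSE_WAIT_DAYS} days elapsed"
        if passwords_since < REUSE_COUNT:
            # Mirrors the example: after a year with six passwords, six more are needed.
            return False, f"{REUSE_COUNT - passwords_since} more passwords required"
        return True, "both criteria satisfied"
    return True, "password not found in history"


def build_history(first_password, first_set, later_count):
    """Constructed sample: `first_password` set on `first_set`, followed by
    `later_count` distinct passwords set at 30-day intervals."""
    history = [(first_password, first_set)]
    for i in range(1, later_count + 1):
        history.append((f"pw{i}", first_set + timedelta(days=30 * i)))
    return history
```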
You configure advanced password policy options to specify that submitted passwords be pre-processed before validation and storage. Advanced password policies let you assign a priority to a policy, which allows the predictable evaluation of multiple password policies that apply to the same user directory or namespace.
Note: Pre-processing options are optional. You should specify a unique password policy evaluation priority for each password policy that may be assigned to the user directory or namespace.
To configure advanced password options
Advanced password policy settings open.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
Note: You should specify identical pre-processing options for each password policy that is applied to the same user directory or namespace.
Note: Evaluation priorities range from 0-999, where 999 is the highest.
Copyright © 2012 CA.
All rights reserved.