Create Password Policies

You use the Password Policy Properties dialog in the Policy Server User Interface to configure password policy objects.

Note: When you create or modify a Policy Server object in the Policy Server User Interface, use ASCII characters. Object creation or modification with non-ASCII characters is not supported.

To create a password policy object

  1. In the Policy Server User Interface, create a password policy object to open the Password Policy Properties dialog.
  2. In the Name field, enter the name of the new password policy.
  3. Optionally, in the Description field, enter a brief description.
  4. In the User Directory Information group box, select the User Directory to which the password policy will apply.
  5. If you want to apply the password policy you are creating to the entire directory, select the Password Policy applies to the whole directory radio button.
  6. If you want to apply the password policy to part of the directory you specified, select the Password Policy applies to part of the Directory radio button and then use the Lookup button to select the namespace to which you want to apply the password policy.

    Note: For more information about LDAP User Directories, see LDAP Overview. For information about relational database directories, see ODBC Database Overview.

  7. Select the Allow Nested Groups check box if your password policy is associated with nested groups within your LDAP directory.
  8. In the Password Policy Enabled State group box, enable the password policy by selecting the Enabled check box.

    If you want to create and configure a password policy but not apply it to a user directory, leave the Enabled check box cleared.

  9. In the Redirection URL field, enter the URL to which users are redirected when the password policy determines that an invalid password has been entered. To enable redirection, you must specify the virtual path to the Password Services CGI or servlet. By default, the Policy Server fills in the path to the Password Services CGI:

    http://myserver.mycompany.org/siteminderagent/pwcgi/smpwservicescgi.exe

    If you want to use the Password Services servlet, you should specify its path:

    http://myserver.mycompany.org/siteminderagent/pwservlet/PSWDChangeServlet

    If you choose to set up a custom Password Services directory on a non-default web server, be sure to do the following:

    When a user is redirected to the Password Services CGI or servlet, it takes the information from the Policy Server, determines why the password is invalid, and displays a form that provides information or requests additional credentials from the user.

    Make sure that the Password Services CGI or servlet is not protected. If SiteMinder is protecting directories above the servlet, create a realm that specifies the following:

    Do not create a policy for this realm.

    Note: If a user who is accessing resources through an Agent that is not using an SSL connection must change passwords, the user’s new password information will be received over the non-secure connection. To provide a secure change of passwords, set up a password policy that redirects the user over an SSL connection using the Redirection URL field.

  10. Click Apply to save the new password policy or click OK to save the new password policy and return to the Policy Server User Interface.
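The Redirection URL configured in step 9 is the one setting in this procedure that directly affects whether a new password travels in the clear (see the Note on SSL above). The following added example, which is not part of the SiteMinder documentation or product, audits a set of policy-name to Redirection URL pairs (a constructed sample, not real configuration) and flags any URL that does not use https or does not point at one of the two Password Services paths named above.

```python
from urllib.parse import urlparse

# Virtual paths of the Password Services CGI and servlet, as given in step 9.
PASSWORD_SERVICES_PATHS = (
    "/siteminderagent/pwcgi/smpwservicescgi.exe",
    "/siteminderagent/pwservlet/PSWDChangeServlet",
)

# Constructed sample: policy name -> Redirection URL. Not taken from a real deployment.
SAMPLE_POLICIES = {
    "corp-ldap": "https://myserver.mycompany.org/siteminderagent/pwcgi/smpwservicescgi.exe",
    "partner-ldap": "http://myserver.mycompany.org/siteminderagent/pwservlet/PSWDChangeServlet",
    "legacy-odbc": "https://myserver.mycompany.org/cgi-bin/oldpw.cgi",
}


def audit_redirection_url(url):
    """Return a list of findings for one Redirection URL; an empty list means it passes."""
    findings = []
    parsed = urlparse(url)
    if parsed.scheme.lower() != "https":
        # A password change redirected over a non-SSL connection is received
        # unencrypted, so anything other than https is a finding.
        findings.append("scheme is %r, not https: new password would travel unencrypted" % parsed.scheme)
    if not parsed.netloc:
        findings.append("missing host: the Redirection URL must be absolute")
    if parsed.path not in PASSWORD_SERVICES_PATHS:
        # Redirection only works when the URL points at the Password Services CGI or servlet.
        findings.append("path %r is not the Password Services CGI or servlet path" % parsed.path)
    return findings


def audit_policies(policies):
    """Audit every policy; return {policy name: findings} for the failing policies only."""
    report = {}
    for name, url in policies.items():
        findings = audit_redirection_url(url)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_policies(SAMPLE_POLICIES).items():
        for finding in findings:
            print("%s: %s" % (name, finding))
```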

Once you have created a basic password policy and bound it to an LDAP Directory by following the steps in this procedure, you can configure the policy to reflect your desired password logic. For more information, see the following sections:

More information:

Password Policy Dialog