Overview#
An eDirectory password policy object describes the password policy and the entries to which the policy is assigned.
Technically, the "nsimAssignments" attribute may hold the entries to which the policy is assigned; however, the real test is whether the entry has a value for the "nspmPasswordPolicyDN" attribute, for example:
nspmPasswordPolicyDN=cn=generalusers,cn=Password Policies,cn=Security
The nspmPasswordPolicyDN is defined with the OID of 2.16.840.1.113719.1.39.43.4.6.
Determination of the password policy assignment follows the algorithm described in Determination Of Which Universal Password Policy Is Assigned.
A typical NspmPasswordPolicy might look like:
- nsimPwdRuleEnforcement=FALSE
- nsimChallengeSetGUID=1224508481110 - This is a timestamp
- nsimChallengeSetDN=cn=generalChalangeSet,cn=Password Policies,cn=Security
- nsimAssignments=ou=people,dc=willeke,dc=com
- nsimAssignments=ou=Addresses,ou=people,dc=willeke,dc=com
- nsimForgottenAction=<ForgottenPassword><Enabled>true</Enabled><Sequence><Authentication><![CDATA[generalChalangeSet.Password Policies.Security]]></Authentication><Action>ShowHint</Action></Sequence></ForgottenPassword>
- nsimForgottenLoginConfig=TRUE
- nspmCaseSensitive=TRUE
- nspmSpecialAsLastCharacter=FALSE
- nspmSpecialAsFirstCharacter=FALSE
- nspmSpecialCharactersAllowed=TRUE
- nspmNumericAsLastCharacter=TRUE
- nspmNumericAsFirstCharacter=TRUE
- nspmNumericCharactersAllowed=TRUE
- nspmMaximumLength=50
- nspmConfigurationOptions=884
- passwordUniqueRequired=FALSE
- Password Minimum Length=4
- passwordAllowChange=TRUE
- objectClass=nspmPasswordPolicy
- objectClass=Top
- description=All normal user will need to abide by these password policies
- cn=generalusers
- passwordExpirationInterval
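Because nsimAssignments on the policy and nspmPasswordPolicyDN on the entry can disagree, an audit can compare the two. The following is an added example, not code from the original page: the policy DN and nsimAssignments values are the ones shown above, while the `ENTRIES` snapshot and the `cn=jdoe` entry are constructed for illustration.

```python
# Added example (not from the original page): reconcile a policy's
# nsimAssignments with the nspmPasswordPolicyDN values on directory entries.

def norm_dn(dn):
    """Normalize a DN for comparison: trim and lowercase every RDN.
    Assumption: no escaped commas or multi-valued RDNs in the DNs."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(attr.strip().lower() + "=" + " ".join(value.split()).lower())
    return ",".join(rdns)

def assignment_drift(policy_dn, nsim_assignments, entries):
    """entries maps entry DN -> its nspmPasswordPolicyDN value (or None).
    Returns (listed_not_pointing, pointing_not_listed) as sorted DN lists."""
    policy = norm_dn(policy_dn)
    listed = {norm_dn(dn) for dn in nsim_assignments}
    pointing = {norm_dn(dn) for dn, target in entries.items()
                if target and norm_dn(target) == policy}
    return sorted(listed - pointing), sorted(pointing - listed)

# Policy DN and nsimAssignments values as shown on this page.
POLICY_DN = "cn=generalusers,cn=Password Policies,cn=Security"
NSIM_ASSIGNMENTS = [
    "ou=people,dc=willeke,dc=com",
    "ou=Addresses,ou=people,dc=willeke,dc=com",
]
# Constructed snapshot of what a search for nspmPasswordPolicyDN returned.
ENTRIES = {
    "ou=People, dc=willeke, dc=com": "CN=generalusers,CN=Password Policies,CN=Security",
    "ou=Addresses,ou=people,dc=willeke,dc=com": None,
    "cn=jdoe,ou=contractors,dc=willeke,dc=com": POLICY_DN,  # hypothetical entry
}

if __name__ == "__main__":
    stale, unlisted = assignment_drift(POLICY_DN, NSIM_ASSIGNMENTS, ENTRIES)
    print("listed in nsimAssignments but not pointing at the policy:", stale)
    print("pointing at the policy but not listed:", unlisted)
```

Entries in the first list appear on the policy but do not carry the attribute that is the real test of assignment; entries in the second carry the attribute but are missing from nsimAssignments.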
Password Self-Service#
Novell's password self-service is implemented by defining a Novell password policy and associating the policy with a challenge set. In our example, we have created a password policy, cn=generalusers,cn=Password Policies,cn=Security. This policy entry, an instance of "nspmPasswordPolicy", is linked to the nsimChallengeSet by the attribute "nsimForgottenAction" with the value:
<ForgottenPassword> <Enabled>true</Enabled> <Sequence> <Authentication><![CDATA[generalChalangeSet.Password Policies.Security]]></Authentication> <Action>ShowHint</Action> </Sequence> </ForgottenPassword>
As the nsimChallengeSet is a single-valued attribute, there can be only one nsimChallengeSet for each nspmPasswordPolicy.
Also, there can only be one password policy assigned to each user.
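The link described above can be checked mechanically. This added example (not part of the original page) parses the nsimForgottenAction value shown above and verifies that the challenge set it names in dotted form is the same object as the policy's nsimChallengeSetDN; the function names are hypothetical, and the comparison assumes names without escaped "." or "," characters.

```python
# Added example (not from the original page): parse nsimForgottenAction and
# cross-check its challenge set reference against nsimChallengeSetDN.
import xml.etree.ElementTree as ET

def parse_forgotten_action(xml_text):
    """Return enabled flag, challenge set name and actions from the XML value."""
    # The value shown on the page carries no DTD; refuse one rather than parse it.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration not expected in this value")
    root = ET.fromstring(xml_text)
    if root.tag != "ForgottenPassword":
        raise ValueError("unexpected root element: " + root.tag)
    seq = root.find("Sequence")
    if seq is None:
        return {"enabled": False, "challenge_set": "", "actions": []}
    return {
        "enabled": (root.findtext("Enabled") or "").strip().lower() == "true",
        "challenge_set": (seq.findtext("Authentication") or "").strip(),
        "actions": [a.text.strip() for a in seq.findall("Action") if a.text],
    }

def rdn_values(name, sep):
    """Leaf-first RDN values with any 'attr=' prefix dropped, lowercased."""
    return [part.split("=", 1)[-1].strip().lower() for part in name.split(sep)]

def same_challenge_set(dotted_name, challenge_set_dn):
    """True if the typeless dotted name and the LDAP DN name the same object."""
    return rdn_values(dotted_name, ".") == rdn_values(challenge_set_dn, ",")

# Values as shown on this page.
FORGOTTEN_ACTION = (
    "<ForgottenPassword> <Enabled>true</Enabled> <Sequence> "
    "<Authentication><![CDATA[generalChalangeSet.Password Policies.Security]]>"
    "</Authentication> <Action>ShowHint</Action> </Sequence> </ForgottenPassword>"
)
CHALLENGE_SET_DN = "cn=generalChalangeSet,cn=Password Policies,cn=Security"

if __name__ == "__main__":
    info = parse_forgotten_action(FORGOTTEN_ACTION)
    print(info)
    print("matches nsimChallengeSetDN:",
          same_challenge_set(info["challenge_set"], CHALLENGE_SET_DN))
```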
ObjectClass Definition#
The ObjectClass Type is defined as:
- OID: 2.16.840.1.113719.1.39.43.4.6
- ObjectClass-Name: NspmPasswordPolicy
- SUP: top
- STRUCTURAL
- MUST:
- MAY:
- description
- nspmPolicyPrecedence
- nspmConfigurationOptions
- nspmChangePasswordMessage
- passwordExpirationInterval
- loginGraceLimit
- nspmMinPasswordLifetime
- passwordUniqueRequired
- nspmPasswordHistoryLimit
- nspmPasswordHistoryExpiration
- passwordAllowChange
- passwordRequired
- passwordMinimumLength
- nspmMaximumLength
- nspmCaseSensitive
- nspmMinUpperCaseCharacters
- nspmMaxUpperCaseCharacters
- nspmMinLowerCaseCharacters
- nspmMaxLowerCaseCharacters
- nspmNumericCharactersAllowed
- nspmNumericAsFirstCharacter
- nspmNumericAsLastCharacter
- nspmMinNumericCharacters
- nspmMaxNumericCharacters
- nspmSpecialCharactersAllowed
- nspmSpecialAsFirstCharacter
- nspmSpecialAsLastCharacter
- nspmMinSpecialCharacters
- nspmMaxSpecialCharacters
- nspmMaxRepeatedCharacters
- nspmMaxConsecutiveCharacters
- nspmMinUniqueCharacters
- nspmDisallowedAttributeValues
- nspmExcludeList
- nspmExtendedCharactersAllowed
- nsimChallengeSetDN
- nsimForgottenAction
- nsimForgottenLoginConfig
- nsimAssignments
- nsimChallengeSetGUID
- nsimPwdRuleEnforcement
- nspmExtendedAsFirstCharacter
- nspmExtendedAsLastCharacter
- nspmMinExtendedCharacters
- nspmMaxExtendedCharacters
- nspmUpperAsFirstCharacter
- nspmUpperAsLastCharacter
- nspmLowerAsFirstCharacter
- nspmLowerAsLastCharacter
- nspmComplexityRules
- pwdInHistory
- nspmAdminsDoNotExpirePassword
- nspmPasswordACL
- nspmAD2K8Syntax
- nspmAD2K8maxViolation
- nspmXCharLimit
- nspmXCharHistoryLimit
- nspmUnicodeAllowed
- nspmNonAlphaCharactersAllowed
- nspmMinNonAlphaCharacters
- nspmMaxNonAlphaCharacters
- Extended Flags:
Category#
eDirectory
More Information#
There might be more information for this subject on one of the following:
- Automated Password Self Service
- Cn
- Description
- Description of Attribute Usage For 2.16.840.1.113719.1.39.43.4.6
- DumpEdirectoryPasswordInformationTool
- EDirectory Password Expiration
- Edirectory Administrative Password Changes
- Edirectory Password Policy
- NMAS_E_MISSING_KEY
- Novell Secure Password Manager Schema
- NovellS Challenge Response
- NovellS Challenge Response System
- NspmAdminsDoNotExpirePassword
- NspmComplexityRules
- NspmConfigurationOptions
- NspmExtendedCharactersAllowed
- NspmPasswordACL
- NspmPasswordPolicy
- ObjectClass-Names
- PasswordMinimumLength
- Permissions to read Universal Password
- SASLoginConfiguration
- SASLoginSecretKey
- Simple Password
- Universal Password Policy Assignment