Overview#

EDirectory password policy object describes the password policy and which entries the policy is assigned.

Well technically, the "nsimAssignments" may hold the entries that the policy is assigned; however, the real test is if the entry has a value for the "nspmPasswordPolicyDN" attribute.

nspmPasswordPolicyDN=cn=generalusers,cn=Password Policies,cn=Security

The nspmPasswordPolicyDN is defined with the OID of 2.16.840.1.113719.1.39.43.4.6.

Determination of the password policy assignment follows this algorithm described in Determination Of Which Universal Password Policy Is Assigned

A typical NspmPasswordPolicy might be like:

• nsimPwdRuleEnforcement=FALSE
• nsimChallengeSetGUID=1224508481110 - This is a timestamp
• nsimChallengeSetDN=cn=generalChalangeSet,cn=Password Policies,cn=Security
• nsimAssignments=ou=people,dc=willeke,dc=com
• nsimAssignments=ou=Addresses,ou=people,dc=willeke,dc=com
• nsimForgottenAction=<ForgottenPassword\>\<Enabled\>true\</Enabled\>\<Sequence\>\<Authentication\>\<![CDATA[generalChalangeSet.Password Policies.Security]]\>\</Authentication\>\<Action\>ShowHint\</Action\>\</Sequence\>\</ForgottenPassword\>
• nsimForgottenLoginConfig=TRUE
• nspmCaseSensitive=TRUE
• nspmSpecialAsLastCharacter=FALSE
• nspmSpecialAsFirstCharacter=FALSE
• nspmSpecialCharactersAllowed=TRUE
• nspmNumericAsLastCharacter=TRUE
• nspmNumericAsFirstCharacter=TRUE
• nspmNumericCharactersAllowed=TRUE
• nspmMaximumLength=50
• nspmConfigurationOptions=884
• passwordUniqueRequired=FALSE
• Password Minimum Length=4
• passwordAllowChange=TRUE
• objectClass=nspmPasswordPolicy
• objectClass=Top
• description=All normal user will need to abide by these password policies
• cn=generalusers
• passwordExpirationInterval

Password Self-Service#

Novell's password self-service is implemented by defining a Novell password policy and associating the policy to a challenge set. So in our example, we have created a password policy, cn=generalusers,cn=Password%20Policies,cn=Security. This policy entry, and instance of "nspmPasswordPolicy", is linked to the nsimChallengeSet by an attribute "nsimForgottenAction" with the value:

<ForgottenPassword>
    <Enabled>true</Enabled>
    <Sequence>
        <Authentication><![CDATA[generalChalangeSet.Password Policies.Security]]></Authentication>
        <Action>ShowHint</Action>
    </Sequence>
</ForgottenPassword>

As the nsimChallengeSet is a single-valued attribute, there can be only one nsimChallengeSet for each nspmPasswordPolicy.

Also, there can only be one password policy assigned to each user.

ObjectClass Definition#

The ObjectClass Type is defined as:

• OID: 2.16.840.1.113719.1.39.43.4.6
• ObjectClass-Name: NspmPasswordPolicy
• SUP: top
• STRUCTURAL
• MUST:
  • cn
• MAY:
  • description
  • nspmPolicyPrecedence
  • nspmConfigurationOptions
  • nspmChangePasswordMessage
  • passwordExpirationInterval
  • loginGraceLimit
  • nspmMinPasswordLifetime
  • passwordUniqueRequired
  • nspmPasswordHistoryLimit
  • nspmPasswordHistoryExpiration
  • passwordAllowChange
  • passwordRequired
  • passwordMinimumLength
  • nspmMaximumLength
  • nspmCaseSensitive
  • nspmMinUpperCaseCharacters
  • nspmMaxUpperCaseCharacters
  • nspmMinLowerCaseCharacters
  • nspmMaxLowerCaseCharacters
  • nspmNumericCharactersAllowed
  • nspmNumericAsFirstCharacter
  • nspmNumericAsLastCharacter
  • nspmMinNumericCharacters
  • nspmMaxNumericCharacters
  • nspmSpecialCharactersAllowed
  • nspmSpecialAsFirstCharacter
  • nspmSpecialAsLastCharacter
  • nspmMinSpecialCharacters
  • nspmMaxSpecialCharacters
  • nspmMaxRepeatedCharacters
  • nspmMaxConsecutiveCharacters
  • nspmMinUniqueCharacters
  • nspmDisallowedAttributeValues
  • nspmExcludeList
  • nspmExtendedCharactersAllowed
  • nsimChallengeSetDN
  • nsimForgottenAction
  • nsimForgottenLoginConfig
  • nsimAssignments
  • nsimChallengeSetGUID
  • nsimPwdRuleEnforcement
  • nspmExtendedAsFirstCharacter
  • nspmExtendedAsLastCharacter
  • nspmMinExtendedCharacters
  • nspmMaxExtendedCharacters
  • nspmUpperAsFirstCharacter
  • nspmUpperAsLastCharacter
  • nspmLowerAsFirstCharacter
  • nspmLowerAsLastCharacter
  • nspmComplexityRules
  • pwdInHistory
  • nspmAdminsDoNotExpirePassword
  • nspmPasswordACL
  • nspmAD2K8Syntax
  • nspmAD2K8maxViolation
  • nspmXCharLimit
  • nspmXCharHistoryLimit
  • nspmUnicodeAllowed
  • nspmNonAlphaCharactersAllowed
  • nspmMinNonAlphaCharacters
  • nspmMaxNonAlphaCharacters
• Extended Flags:
  • X-NDS_NOT_CONTAINER: 1

Category#

eDirectory

More Information#

There might be more information for this subject on one of the following:

• 1.3.6.1.4.1.42.2.27.8.1.4
• 2.16.840.1.113719.1.1.4.1.42
• 2.16.840.1.113719.1.1.4.1.66
• 2.16.840.1.113719.1.1.4.1.67
• 2.16.840.1.113719.1.1.4.1.70
• 2.16.840.1.113719.1.1.4.1.71
• 2.16.840.1.113719.1.39.43.4.100
• 2.16.840.1.113719.1.39.43.4.102
• 2.16.840.1.113719.1.39.43.4.103
• 2.16.840.1.113719.1.39.43.4.104
• 2.16.840.1.113719.1.39.43.4.105
• 2.16.840.1.113719.1.39.43.4.200
• 2.16.840.1.113719.1.39.43.4.201
• 2.16.840.1.113719.1.39.43.4.202
• 2.16.840.1.113719.1.39.43.4.203
• 2.16.840.1.113719.1.39.43.4.204
• 2.16.840.1.113719.1.39.43.4.205
• 2.16.840.1.113719.1.39.43.4.206
• 2.16.840.1.113719.1.39.43.4.207
• 2.16.840.1.113719.1.39.43.4.208
• 2.16.840.1.113719.1.39.43.4.209
• 2.16.840.1.113719.1.39.43.4.210
• 2.16.840.1.113719.1.39.43.4.211
• 2.16.840.1.113719.1.39.43.4.212
• 2.16.840.1.113719.1.39.43.4.213
• 2.16.840.1.113719.1.39.43.4.214
• 2.16.840.1.113719.1.39.43.4.215
• 2.16.840.1.113719.1.39.43.4.216
• 2.16.840.1.113719.1.39.43.4.217
• 2.16.840.1.113719.1.39.43.4.218
• 2.16.840.1.113719.1.39.43.4.219
• 2.16.840.1.113719.1.39.43.4.220
• 2.16.840.1.113719.1.39.43.4.221
• 2.16.840.1.113719.1.39.43.4.222
• 2.16.840.1.113719.1.39.43.4.223
• 2.16.840.1.113719.1.39.43.4.224
• 2.16.840.1.113719.1.39.43.4.225
• 2.16.840.1.113719.1.39.43.4.226
• 2.16.840.1.113719.1.39.43.4.227
• 2.16.840.1.113719.1.39.43.4.228
• 2.16.840.1.113719.1.39.43.4.229
• 2.16.840.1.113719.1.39.43.4.230
• 2.16.840.1.113719.1.39.43.6.1
• 2.16.840.1.113719.1.39.44.4.10
• 2.16.840.1.113719.1.39.44.4.11
• 2.16.840.1.113719.1.39.44.4.6
• 2.16.840.1.113719.1.39.44.4.7
• 2.16.840.1.113719.1.39.44.4.8
• 2.16.840.1.113719.1.39.44.4.9
• 2.5.4.3
• Automated Password Self Service
• Cn
• Description
• Description of Attribute Usage For 2.16.840.1.113719.1.39.43.4.6
• DumpEdirectoryPasswordInformationTool
• EDirectory Password Expiration
• Edirectory Administrative Password Changes
• Edirectory Password Policy
• Novell Secure Password Manager Schema
• NovellS Challenge Response
• NovellS Challenge Response System
• NspmAdminsDoNotExpirePassword
• NspmComplexityRules
• NspmConfigurationOptions
• NspmPasswordACL
• NspmPasswordPolicy
• ObjectClass-Names
• PasswordMinimumLength
• Permissions to read Universal Password
• SASLoginConfiguration
• SASLoginSecretKey
• Simple Password
• Universal Password Policy Assignment