Using the LDAP Password Management Feature
This topic describes support and limitations for LDAP password management.
LDAP Password Management Feature Overview
The password management feature enables users who access an LDAP server to manage their passwords through the access management framework using the policies defined on the LDAP server. For example, if a user tries to sign in to the system with an LDAP password that is about to expire, the system notifies the user through the interface, and then passes the user’s response back to the LDAP server without requiring the user to sign in to the LDAP server separately.
Users, administrators, and help desk administrators who work in environments where passwords have set expiration times may find the password management feature very helpful. If users are informed that their passwords are about to expire, they can change them themselves through the system rather than call the help desk.
Once this feature is enabled, the system performs a series of queries to determine user account information, such as when the user’s password was last set, whether the account is expired, and so on. The access management framework does this by using its internal LDAP or Samba client. Many servers, such as Microsoft Active Directory, offer an Administrative Console to configure account and password options.
LDAP-based password management works with only three types of LDAP servers:
- Microsoft Active Directory. For Active Directory, password policy attributes can be configured in the user entry container level or any organization level above the user container. If these attributes are configured at multiple levels, the level closest to the user node takes precedence. The password management feature is not supported on the Active Directory Global Catalog because password policy attributes are not fully populated in the Active Directory Global Catalog.
- For Active Directory 2008, the access management framework supports the Fine Grained Password Policy (FGP) configured in the AD user container.
LDAP-based password management does not work on generic LDAP servers such as OpenLDAP.
The system relies on the back-end server to pinpoint the cause of error when a password change operation fails. However, although LDAP servers may report errors accurately to human operators, they do not always do so when communicating programmatically to systems. Therefore, reported errors might be generic or cryptic.
The system does not support customized password policies.
Enabling LDAP Password Management
To enable password management, you must first create an instance of the LDAP server. Next, you associate the LDAP server with the applicable realms. Finally, you select the enable password management feature at the realm level.
LDAP Password Management Support
The access management framework supports password management with the following LDAP directories:
- Microsoft Active Directory/Windows NT
- Generic LDAP directories, such as IBM Secure Directory and OpenLDAP
The following table describes supported password management functions, their corresponding function names in the individual LDAP directories, and any additional relevant details. These functions must be set through the LDAP server itself before the system can pass the corresponding messages, functions, and restrictions to end users.
The Active Directory attribute names shown are specific to the Domain Security Policy object. Similar attributes for the corresponding functions are used for the Active Directory 2008 Fine-Grained Password Policy. Refer to Microsoft documentation for details.
When authenticating against a generic LDAP server, such as IBM Secure Directory, the system supports only authentication and allowing users to change their passwords. Password management functions are not supported when the CHAP family protocols are used for authentication. All functions are available when the JUAC protocol is used for authentication.
| Function | Active Directory | eDirectory | Generic |
|---|---|---|---|
| Authenticate user | unicodePwd | userPassword | userPassword |
| Allow user to change password if enabled | Server tells us in bind response (uses ntSecurityDescriptor) | If passwordAllowChange == TRUE | Yes |
| Log out user after password change | Yes | Yes | Yes |
| Force password change at next log in | If pwdLastSet == 0 | If pwdMustChange == TRUE | - |
| Expired password notification | userAccountControl == 0x80000 | Check date/time value | - |
| Password expiration notification (in X days/hours) | If pwdLastSet - now() < maxPwdAge - 14 days (read from domain attributes; the system displays a warning if less than 14 days) | If now() - passwordExpirationTime < 14 days (the system displays a warning if less than 14 days) | - |
| Disallow authentication if "account disabled/locked" | userAccountControl == 0x2 (Disabled), accountExpires; userAccountControl == 0x10 (Locked), lockoutTime | Bind ErrorCode 53 "Account Expired"; Bind ErrorCode 53 "Login Lockout" | - |
| Honor "password history" | Server tells us in bind response | Server tells us in bind response | - |
| Enforce "minimum password length" | If set, the system displays a message telling the user minPwdLength | If set, the system displays a message telling the user passwordMinimumLength | - |
| Disallow user from changing password too soon | If pwdLastSet - now() < minPwdAge, then we disallow | Server tells us in bind response | - |
| Honor "password complexity" | If pwdProperties == 0x1, then enabled. Complexity means the new password does not contain the username, first name, or last name, and must contain characters from 3 of the following 4 categories: English uppercase, English lowercase, digits, and non-alphabetic characters (e.g. !, $, %) | Server tells us in bind response | - |
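A local pre-check of the Active Directory minimum-length and complexity rules from the table, as an added Python example (not code from this page or the product): it assumes the username, first name and last name are taken from the sAMAccountName, givenName and sn attributes of the user entry, and that minPwdLength and pwdProperties have already been read from the domain object. Running such a check before the change is submitted gives the user a precise reason instead of the generic bind errors described earlier.

```python
import re

PWD_COMPLEXITY_FLAG = 0x1  # pwdProperties bit that turns the complexity rule on (table above)

# One regex per category named in the table; "non-alphabetic" is taken as anything outside
# letters and digits, because digits already form their own category.
CATEGORIES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "non-alphabetic": re.compile(r"[^A-Za-z0-9]"),
}

def complexity_enabled(pwd_properties: int) -> bool:
    """Complexity is enforced when bit 0x1 of the domain's pwdProperties attribute is set."""
    return bool(pwd_properties & PWD_COMPLEXITY_FLAG)

def check_password(new_password: str, user: dict, policy: dict) -> list:
    """Return the reasons a proposed password would be refused under the domain policy:
    minPwdLength and, if pwdProperties enables it, the complexity rule as the table states it
    (no username / first name / last name; at least 3 of the 4 character categories)."""
    reasons = []
    min_len = policy.get("minPwdLength", 0)
    if len(new_password) < min_len:
        reasons.append(f"shorter than minPwdLength ({min_len})")
    if not complexity_enabled(policy.get("pwdProperties", 0)):
        return reasons
    lowered = new_password.lower()
    # Assumed attribute names (not on the page): sAMAccountName = username, givenName, sn.
    for attr in ("sAMAccountName", "givenName", "sn"):
        value = user.get(attr, "")
        if value and value.lower() in lowered:
            reasons.append(f"contains {attr} value")
    met = [name for name, rx in CATEGORIES.items() if rx.search(new_password)]
    if len(met) < 3:
        reasons.append(f"uses {len(met)} of 4 character categories ({', '.join(met) or 'none'})")
    return reasons

# Constructed sample data (not from the page): one user entry and one domain policy.
SAMPLE_USER = {"sAMAccountName": "jdoe", "givenName": "John", "sn": "Doe"}
SAMPLE_POLICY = {"minPwdLength": 8, "pwdProperties": 0x1}
```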
Note the following expected behavior:
- The system displays a warning about password expiration only if the password is scheduled to expire in 14 days or less. The system displays the message during each sign-in attempt. The warning message contains the remaining number of days, hours, and minutes that the user has to change the password before it expires on the server. The default value is 14 days, but you can change it on the password configuration page of the admin console.
LDAP Password Management for Windows AD Versions
The access management framework supports password management with the following Windows servers:
- Microsoft Active Directory 2008
- Microsoft Active Directory 2003
- Windows NT 4.0
The following table describes supported password management functions. These functions are not supported for a layer 2 connection when CHAP, MS-CHAP, or PAP are used as authentication protocols.
| Function | Active Directory | Active Directory 2003 | Active Directory 2008 FGP | Windows NT |
|---|---|---|---|---|
| Authenticate user | Yes | Yes | Yes | Yes |
| Allow user to change password if licensed and if enabled | Yes | Yes | Yes | Yes |
| Log out user after password change | Yes | Yes | Yes | Yes |
| Force password change at next log in | Yes | Yes | Yes | Yes |
| Password expired notification | Yes | Yes | Yes | Yes |
| Account disabled | Yes | Yes | Yes | Yes |
| Account expired | Yes | Yes | Yes | Yes |
Note the following expected behavior:
- Changes on the Active Directory domain security policy can take 5 minutes or longer to propagate among Active Directory domain controllers. Additionally, this information does not propagate to the domain controller on which it was originally configured for the same time period. This issue is a limitation of Active Directory.
- When changing passwords in Active Directory using LDAP, the system automatically switches to LDAPS, even if LDAPS is not the configured LDAP method. To support LDAPS on the Active Directory server, you must install a valid SSL certificate into the server’s personal certificate store. The certificate must be signed by a trusted CA, and the CN in the certificate’s Subject field must contain the exact hostname of the Active Directory server (for example, adsrv1.company.com). To install the certificate, select the Certificates Snap-In in the Microsoft Management Console (MMC).
- The Account Expires option in the User Account Properties tab only changes when the account expires, not when the password expires. Microsoft Active Directory calculates the password expiration using the Maximum Password Age and Password Last Set values retrieved from the User object and Fine-Grained Password Policy objects or the Domain Security Policy LDAP objects.
- The system displays a warning about password expiration only if the password is scheduled to expire in 14 days or less. The system displays the message during each sign-in attempt. The warning message contains the remaining number of days, hours, and minutes that the user has to change the password before it expires on the server. The default value is 14 days, but you can change it on the password configuration page of the admin console.
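The expiry arithmetic from the Active Directory column of the first table and the notes above, as an added Python example (not the product's code): it assumes the entry's userAccountControl, pwdLastSet and accountExpires and the domain's maxPwdAge and minPwdAge have already been read from AD, and relies on the well-known FILETIME encoding of those attributes (100-ns ticks since 1601, with the age attributes stored as negative intervals).

```python
from datetime import datetime, timedelta, timezone
# AD stores pwdLastSet and accountExpires as 100-ns ticks since 1601-01-01 UTC (FILETIME).
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_ACCOUNTDISABLE = 0x2                          # userAccountControl "disabled" bit (table above)
UF_LOCKOUT = 0x10                                # userAccountControl "locked" bit (table above)
ACCOUNT_NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)  # accountExpires values that mean "never"
WARN_WINDOW = timedelta(days=14)                 # default warning window named on the page

def datetime_to_filetime(dt: datetime) -> int:
    """Aware datetime -> FILETIME, using integer math to avoid float precision loss."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def filetime_to_datetime(ft: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def interval_to_timedelta(value: int) -> timedelta:
    """maxPwdAge and minPwdAge are stored as negative 100-ns intervals; use the magnitude."""
    return timedelta(microseconds=abs(value) // 10)

def evaluate_account(entry: dict, domain: dict, now: datetime, warn_window=WARN_WINDOW) -> dict:
    """Apply the table's account and password-age checks to one user entry."""
    result = {"status": "ok", "remaining": None, "can_change_now": True}
    uac = entry["userAccountControl"]
    if uac & UF_ACCOUNTDISABLE:
        return dict(result, status="disabled")
    if uac & UF_LOCKOUT:
        return dict(result, status="locked")
    acct_expires = entry.get("accountExpires", 0)
    if acct_expires not in ACCOUNT_NEVER_EXPIRES and filetime_to_datetime(acct_expires) <= now:
        return dict(result, status="account_expired")
    if entry["pwdLastSet"] == 0:                 # pwdLastSet == 0 forces a change at next logon
        return dict(result, status="must_change")
    set_at = filetime_to_datetime(entry["pwdLastSet"])
    # "Too soon": a further change is refused until minPwdAge has elapsed since the last set.
    result["can_change_now"] = now - set_at >= interval_to_timedelta(domain["minPwdAge"])
    remaining = set_at + interval_to_timedelta(domain["maxPwdAge"]) - now
    if remaining <= timedelta(0):
        result["status"] = "password_expired"
    elif remaining <= warn_window:               # warn only inside the 14-day window
        result["status"] = "expiring_soon"
        result["remaining"] = remaining
    return result

def format_remaining(td: timedelta) -> str:
    """Days/hours/minutes string like the sign-in warning described on the page."""
    days, rest = divmod(int(td.total_seconds() // 60), 1440)
    hours, minutes = divmod(rest, 60)
    return f"{days} days, {hours} hours, {minutes} minutes"
```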
Troubleshooting LDAP Password Management
When you troubleshoot, provide any pertinent system logs, server logs, configuration information, and a TCP trace from the system. If you are using LDAPS, switch to the “Unencrypted” LDAP option in the LDAP server configuration while taking the LDAP TCP traces.