Manuals / Sun Microsystems / Computer Equipment / Server

Sun Microsystems 8190994 manual Password Policy Compatibility

Models: 8190994

1 148

Download 148 pages 5.33 Kb

Page 75

New Password Policy

■The password is too young

■The password already exists in history

The LDAP_CONTROL_PWP control indicates warning and error conditions. The control value is a BER octet string, with the format {tii}, which has the following meaning:

■t is a tag defining which warning is set, if any. The value of t can be one of the following:

LDAP_PWP_WARNING_RESP_NONE (0x00L) LDAP_PWP_WARNING_RESP_EXP (0x01L) LDAP_PWP_WARNING_RESP_GRACE (0x02L)

■The firsti indicates warning information.

The warning depends on the value set for t as follows:

■If t is set to LDAP_PWP_WARNING_RESP_NONE, the warning is -1.

■If t is set to LDAP_PWP_WARNING_RESP_EX, the warning is the number of seconds before expiration.

■If t is set to LDAP_PWP_WARNING_RESP_GRACE, the warning is the number of remaining grace logins.

■The second i indicates error information. If t is set to LDAP_PWP_WARNING_RESP_NONE, the error contains one of the following values:

pwp_resp_no_error (-1)

pwp_resp_expired_error (0) pwp_resp_locked_error (1) pwp_resp_need_change_error (2) pwp_resp_mod_not_allowed_error (3) pwp_resp_give_old_error (4) pwp_resp_bad_qa_error (5) pwp_resp_too_short_error (6) pwp_resp_too_young_error (7) pwp_resp_in_hist_error (8)

The LDAP_CONTROL_ACCOUNT_USABLE control provides account status information on LDAP search operations only.

Password Policy Compatibility

For migration purposes, the new password policy maintains compatibility with previous Directory Server versions by identifying a compatibility mode. The compatibility mode determines whether password policy attributes are handled as old attributes or new attributes, where old refers to Directory Server 5 password policy attributes.

The compatibility mode can be read using dsconf command as follows:

Chapter 5 • Architectural Changes in Directory Server 6.0

75

Sun Confidential: Registered

Image 75

Sun Microsystems 8190994 manual Password Policy Compatibility

Contents

Sun Confidential Registered Enterprise Edition 6.0 Migration GuideSun Java System Directory Server Sun Microsystems, Inc 4150 Network Circle Santa Clara, CA U.S.AThis distribution may include materials developed by third parties Sun Confidential Registered3 Migrating Directory Server Manually Contents2 Automated Migration Using the dsmig Command 1 Overview of the Migration Process for Directory ServerMigrating the Schema Manually New Plug-Ins in Directory Server 7 Migrating Identity Synchronization for Windows Index ContentsSun Confidential Registered Sun Confidential Registered Migrating a Multi-Host Deployment with Windows NT FiguresMigrating a Single-Host Deployment Migrating a Multi-Master Replication DeploymentSun Confidential Registered Location of Certificate and Key Files TablesMapping Between 5 and 6.0 Password Policy Attributes Tools Previously Under ServerRoot/shared/binTables EXAMPLE Sample Export Configuration FileExamples Sun Confidential RegisteredSun Confidential Registered How This Book Is Organized PrefaceWho Should Use This Book Before You Read This BookTABLE P-1 Directory Server Enterprise Edition Documentation Directory Server Enterprise Edition Documentation Sethttp//docs.sun.com/coll/DirEdit05q1 Related ReadingTABLE P-1 Directory Server Enterprise Edition Documentation ContinuedDefault Paths and Command Locations Default PathsRedistributable Files of Directory Server or Directory Proxy TABLE P-2 Default PathsJava Enterprise System installer, the default install-path is Sun Confidential RegisteredTABLE P-3 Command Locations Command LocationsTABLE P-4 Typographic Conventions Typographic ConventionsTABLE P-3 Command Locations ContinuedContinued Shell Prompts in Command ExamplesSymbol Conventions Symbol ConventionsDocumentation, Support, and Training Third-Party Web Site ReferencesSearching Sun Product Documentation Sun Welcomes Your Comments “Deciding on the New Product Distribution” on page Overview of the Migration Process for Directory ServerBefore You Migrate “Before You Migrate” on pagePrerequisites to Migrating a Single Directory Server Instance From Prerequisites to Migrating a Single Directory Server Instance FromBefore You Migrate Outline of Migration Steps Deciding on the New Product DistributionTABLE 1-1 Migration Matrix Showing Support for Automated Migration Deciding on Automatic or Manual Migration“Using dsmig to Migrate Configuration Data” on page Automated Migration Using the dsmig Command“Using dsmig to Migrate the Schema” on page “Using dsmig to Migrate Security Data” on pagePrerequisites for Running dsmig Using dsmig to Migrate the Schema$ dsmig migrate-security old-instance-path new-instance-path Using dsmig to Migrate Security DataUsing dsmig to Migrate Configuration Data $ dsmig migrate-config old-instance-path new-instance-pathChained Suffix Configuration Data Plug-in Configuration DataConfiguration Attributes Not Migrated by dsmig Configuration Data For Suffixes With Multiple BackendsReplication Configuration Data Configuration Data for o=netscapeRootnsabandonedsearchcheckinterval Using dsmig to Migrate User Data Tasks to be Performed After Automatic Migration$ dsmig migrate-data old-instance-path new-instance-path Sun Confidential Registered Migrating Directory Server Manually “Migrating the Schema Manually” on page“Migrating Configuration Data Manually” on page “Migrating Security Settings Manually” on pageMigrating the Schema Manually Migrating Configuration Data ManuallyMigration of Specific Configuration Attributes Global Configuration Attributes Migrating Configuration Data ManuallyChapter 3 Migrating Directory Server Manually Security Configuration Attributes Feature Configuration AttributesMapping Tree Configuration Attributes Change Log Attributes Replication Configuration AttributesFractional Replication Configuration Attributes Replica Configuration AttributesReplication Agreement Configuration Password Policy Configuration AttributesTABLE 3-3 Mapping Between 5 and 6.0 Password Policy Attributes TABLE 3-3 Mapping Between 5 and 6.0 Password Policy Attributes UniqueID Generator Configuration AttributesDatabase Configuration Attributes SNMP AttributesChained Suffix Attributes DSML Frontend Plug-In Plug-In Configuration AttributesClass of Service Plug-In 7-Bit Check Plug-InRetro Change Log Plug-In Pass Through Authentication Plug-InPassword Synchronization Plug-In Referential Integrity Plug-InMigrating Security Settings Manually Migrating User Data Manually Migrating User Plug-Ins Manually Tasks to be Performed After Manual MigrationMigrating User Plug-Ins Manually “Overview of Migrating Replicated Servers” on page “Issues Related to Migrating Replicated Servers” on pageMigrating a Replicated Topology Overview of Migrating Replicated ServersMigration of Referrals Issues Related to Migrating Replicated ServersIssues With the New Password Policy Migration of Replication AgreementsManual Reset of Replication Credentials Problems Related to Tombstone PurgingNew Replication Recommendations Migration Scenarios Migrating a Replicated Topology to an Identical TopologyMigrating the Consumers Chapter 4 Migrating a Replicated Topology FIGURE 4-1 Existing version 5 TopologyFIGURE 4-2 Isolating the Consumer From the Topology Migration ScenariosThe next step involves migrating the version 5 consumer Migrating the Hubs 6.0 Consumer B FIGURE 4-5 Existing version 5 Topology With Migrated ConsumersFIGURE 4-6 Isolating the Hub From the Topology Migration ScenariosChapter 4 Migrating a Replicated Topology The next step involves migrating the version 5 hubFIGURE 4-7 Migrating the version 5 Hub Migration ScenariosMigrating the Masters 9. If you have migrated the data, check that replication is in sync Migration Scenarios The next step involves migrating the version 5 masterFIGURE 4-10 Isolating the Master From the Topology FIGURE 4-11 Migrating the version 5 MasterMigrating a Replicated Topology to a New Topology FIGURE 4-13 Existing version 5 Topology Migrating All the ServersFIGURE 4-14 Existing Topology With Migrated Servers Promoting the HubsFIGURE 4-15 Migrated Topology With Promoted Hub Replicas Promoting the ConsumersMigrating Over Multiple Data Centers Sun Confidential Registered “Changes to the Console” on page “New Password Policy” on page Changes in the Administration Framework“Changes in the Administration Framework” on page “Changes to ACIs” on page “Command Line Changes” on pageChanges in Suffix-Level ACIs Changes to ACIsRemoval of the o=netscapeRoot Suffix Changes in the ACI ScopeCommand Line Changes Sun Confidential Registered TABLE 5-1 Directory Server 5 and 6 commandsVersion 6.0 Command ContinuedContinued Deprecated CommandsTABLE 5-1 Directory Server 5 and 6 commands TABLE 5-3 Version 5 Commands That Have Been DeprecatedChanges to the Console New Password PolicyPassword Policy Compatibility The pwd-compat-mode property can have one of the following values New Plug-Ins in Directory Server Changes to Plug-InsChanges to the Installed Product Layout Plug-Ins Deprecated in Directory ServerChanges to the Plug-In API Libraries and Plug-Ins Previously Under ServerRoot/lib Administration Utilities Previously Under ServerRootBinaries Previously Under ServerRoot/bin Online Help Previously Under ServerRoot/manualUtilities Previously Under ServerRoot/shared/bin Plug-Ins Previously Under ServerRoot/pluginsTABLE 5-6 Location of Certificate and Key Files Certificate and Key FilesTABLE 5-5 Tools Previously Under ServerRoot/shared/bin ContinuedServerRoot/slapd-ServerID Silent Installation and Uninstallation TemplatesServer Instance Scripts Previously Under Server Instance Subdirectories“Mapping the Groups Configuration” on page Mapping the Global Configuration“Mapping the Global Configuration” on page “Mapping the Connection Pool Configuration” on pageMapping the Global Configuration Mapping the Global Security Configuration Access Control on the Proxy Configuration Managing CertificatesTABLE 6-2 Mapping of Security Configuration TABLE 6-3 Mapping of Connection Pool Attributes Mapping the Connection Pool ConfigurationMapping the Group Object Mapping the Groups ConfigurationMapping the Network Group Object CONNECTION-HANDLER-NAME is-ssl-mandatorytrueCONNECTION-HANDLER-NAME is-ssl-mandatoryfalse Directory Proxy Server 5. Set this limit as a property for a Mapping Bind ForwardingSet this as a property for a specific listener port by using This functionality exists but with less granularity than inMapping Operation Forwarding Connection Handler Property Settings$ dpconf help-properties grep request-filtering-policy Mapping Subtree Hiding Mapping Search Request Controls$ dpconf help-properties grep resource-limits-policy Mapping Attributes Modifying Search Requests Mapping Compare Request Controls$ dpconf help-properties grep search-data-hiding-rule Mapping Attributes Restricting Search ResponsesMapping the Referral Configuration Attributes Directory Proxy Server 5 AttributesDirectory Proxy Server 6.0 Properties Mapping the Server Load Configuration Mapping the Properties Configuration Attribute Renaming PropertyForbidden Entry Property $ dpconf help-properties grep ldap-data-source LDAP Server PropertySun Confidential Registered Load Balancing PropertyEnterprise Edition 6.0 Administration Guide Source” in Sun Java System Directory ServerMonitoring Backend Servers Enterprise Edition 6.0 Administration GuideLog Property Search Size Limit PropertyTABLE 6-17 Version 5 and Version 6 Log Functionality $ dpconf set-access-log-prop PROPERTYVALUEMapping the Events Configuration Mapping the Events ConfigurationProperties Mapping the Actions Configuration“Before You Migrate Identity Synchronization for Windows” on page “What to Do if the 1.1 Uninstallation Fails” on pageMigrating Identity Synchronization for Windows “Migration Overview” on pageBefore You Migrate Identity Synchronization for Windows Migration OverviewPreparing for Identity Synchronization for Windows Migration Exporting Version 1.1 ConfigurationInserting Clear-Text Passwords Using the export11cnf UtilitycleartextPassword= Sample Export Configuration Fileindex=0 location=ou=people,dc=example,dc=com filter= ContinuedTopologyHost TopologyHost Continuedname=uniquemember syntax=1.3.6.1.4.1.1466.115.121.1.25 EXAMPLE 7-1 Sample Export Configuration FileContinued AttributeMap AttributeDescription parent.attr=SunAttributeContinued INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVEChecking for Undelivered Messages Using the checktopics Utility1 Open a Terminal window and cd to the migration directory To Clear Messages2 From a command prompt, type the subcommand as follows 2 Wait until the messages are applied to the destination connectorMigrating Your System Forcing Password Changes on Windows NTUse the following procedure to prepare for migration to version Preparing for MigrationPreparing to migrate from version 1.1, and 1.1 SP1, to version 2 Export your version 1.1 configuration settings to an XML file3 Add passwords to the exported XML file i. Open the Registry Editor by executing regedt32.exe b. Save the NT Change Detector Service counters5 Verify that your system is in a stable state 7 On Windows NT only, perform the following stepsOn Windows Type serverRoot\\\slapd- hostname\\\restart-slapd.bat Uninstalling Identity Synchronization for WindowsTo Uninstall Identity Synchronization for Windows Version On Solaris Type serverRoot \/slapd-hostname \/restart-slapdOn Windows Type \\runUninstaller.bat On Solaris or SPARC Type ./runUninstaller.shInstalling or Upgrading the Dependent Products Installing Identity Synchronization for WindowsTo install the Identity Synchronization for Windows 6.0 components idsync prepds arguments\ cd serverRoot\isw-hostname\bin9 Start the service and the synchronization “Manually Uninstalling a 1.1 Instance from Windows NT” on page What to Do if the 1.1 Uninstallation FailsManually Uninstalling 1.1 Core and Instances from Solaris “Manually Uninstalling 1.1 Core and Instances from Solaris” on pageetc/init.d/imq stop To Manually Uninstall Core From a Solaris Machine4 Remove the Directory Server Plugin f. Stop Directory Server h. Restart Directory Server5 Back-up copy and rename the current productregistry file located in 8 Clean up the configuration directory as follows b. Remove all the Console servlet jar files by typing Manually Uninstalling 1.1 Core and Instances from Windows10 Clean up all other Console-related files as follows a. Remove all the Console jar files by typingserverRoot\isw-hostname\ To uninstall Core from a Windows 2000 machinenet stop slapd-myhostname Core and Instances from Windows 2000” on page4 In the Registry Editor, select Edit →Delete from the menu bar b. Select Registry →Export Registry File from the menu bar8 Clean up the configuration directory as follows Manually Uninstalling a 1.1 Instance from Windows NT serverRoot\\\isw-hostname\ a. Open the Services window, right-click on Change Detector Service and select Properties a. Select the registry key entry in the left pane Other Migration Scenarios 9 Remove the Password Filter DLL10 Restart your machine for all changes to take effect Multi-Master Replication Deployment “Multi-Master Replication Deployment” on page“Multi-Host Deployment with Windows NT” on page Three hosts are used in this deployment scenario A Windows NT system Multi-Host Deployment with Windows NTA host for all other components FIGURE 7-3 Migrating a Multi-Host Deployment with Windows NT Password Changes on Both Directory Server Masters are LostChecking the Logs Index instance-path Page XML configuration documents Continued