password Command

Before defining users, consider what your company’s password policies are and set system-wide password settings to enforce them. This command allows you to set or change system-wide password settings.

For conceptual information about this command, see User Passwords.

User Level

System Administrator

Only Business Administrators with Person access are allowed to set system-wide password settings.

Syntax

The command uses this syntax.

[set|print|encrypt] password PASSWORD_ITEM {PASSWORD_ITEM};

Set Password

  • PASSWORD_ITEM is a Set Password clause that provides more information about password settings. You must include at least one clause, and you can include several. The Set Password clauses are:
    minsize NUMBER_OF_CHARACTERS
    maxsize NUMBER_OF_CHARACTERS
    lockout [consecutive | cumulative | program NAME [input ARGS]] NUMBER_OF_TRIES
    expires NUMBER_OF_DAYS
    [!|not]allowusername
    [!|not]allowreuse
    [!|not]mixedalphanumeric
    [!|not]minsize
    [!|not]maxsize
    [!|not]lockout
    [!|not]expires
    cipher CIPHER_NAME

Minsize Clause

This clause requires that all passwords be at least a certain number of characters. To remove a minimum size password setting, use the keywords !minsize or notminsize.

Defining a minimum password size of at least 1 ensures that users actually create a password when changing their password. If there is no minimum password size, a user could leave the new password boxes blank when changing passwords, resulting in the user having no password.

Maxsize Clause

This clause sets an upper limit on the number of characters a password can contain. To remove a maximum size password setting, use the keywords !maxsize or notmaxsize.

For example, to require that users’ passwords are at least 6 characters and not more than 15, use:

set password minsize 6 maxsize 15;

By default, passwords are limited to 8 significant characters, in which case the password 12345678xxxx is treated as the same password as 12345678. The number of significant characters can, however, be controlled using the Cipher Clause.

Lockout Clause

The Lockout clause of the Set Password command prevents a user from logging in after entering an incorrect password a specified number of times during a session.

After being locked out, the user’s person definition is changed to “inactive.” The only way for the user to log in again is to contact the Business Administrator to have the setting changed.

In the event that all Business Administrators are locked out, it is possible to resort to the use of SQL to access the database.

To remove a lockout setting, use the keywords !lockout or notlockout.

For example, the following command allows the user three tries to provide the correct password:

set password lockout 3;
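The following Python model is added here as an illustration and is not part of MQL or the product. It simulates the two counting modes named in the Lockout syntax (consecutive and cumulative). The page does not define them, so the semantics are assumed: consecutive counts failures in a row and resets on a successful login, while cumulative counts every failure in the session regardless of successes. Reaching the threshold marks the account inactive until an administrator resets it, as described above.

```python
# Added example, not MQL or product code. Models the Lockout clause with the
# assumed semantics described in the lead-in.


class LockoutTracker:
    """Tracks failed logins for one user and marks the user inactive at the threshold."""

    def __init__(self, tries: int, mode: str = "consecutive"):
        if mode not in ("consecutive", "cumulative"):
            raise ValueError(f"unknown lockout mode: {mode}")
        if tries < 1:
            raise ValueError("NUMBER_OF_TRIES must be at least 1")
        self.tries = tries
        self.mode = mode
        self.failures = 0
        self.active = True          # mirrors the person definition's active flag

    def attempt(self, password_ok: bool) -> bool:
        """Record one login attempt; return True if the login proceeds."""
        if not self.active:
            return False            # locked out: even a correct password is refused
        if password_ok:
            if self.mode == "consecutive":
                self.failures = 0   # assumption: a success breaks the run of failures
            return True
        self.failures += 1
        if self.failures >= self.tries:
            self.active = False     # person definition becomes "inactive"
        return False

    def admin_reset(self) -> None:
        """What the Business Administrator does to let the user log in again."""
        self.failures = 0
        self.active = True
```

With `lockout 3`, a user who fails twice, succeeds once, and then fails twice is still active in consecutive mode but already locked out in cumulative mode; the difference matters when deciding which mode an automated client (a "secret agent") can tolerate.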

Expires Clause

This clause requires that users create a new password every n days. After the specified number of days has elapsed, the system requires users to create a new password to log in. To remove the setting, use the keywords !expires or notexpires.

For example, use the following command if you want users to provide a new password every month:

set password expires 30;

When you turn on password expiration, passwords that were created prior to version 8 will expire the next time users attempt to log in.

If an implementation needs widespread password expiration but also uses “secret agents” (accounts that perform work programmatically), you can avoid having to update those programs whenever passwords expire by making the agent user’s password never expire.

Allowusername Clause

This clause allows users to create a password that is the same as their username. This is the default. To prevent users from having the same username and password, use the following:

set password notallowusername;

Allowreuse Clause

This clause allows users to enter the same password as their old password. This is the default. To prevent users from keeping the same password, use the following:

set password notallowreuse;

Mixedalphanumeric Clause

This clause requires that passwords contain at least one number and at least one letter. To remove the setting, use the keyword !mixedalphanumeric or notmixedalphanumeric.
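The Python model below is an added example, not MQL or the product's own code. It parses a set password command into a policy object using the clauses listed under Syntax, then checks a proposed password against that policy (minsize, maxsize, notallowusername, notallowreuse, mixedalphanumeric). Assumed defaults follow the print password output shown later on this page (no limits, user name and reuse allowed, cipher crypt); a bare lockout N is assumed to mean consecutive, and the lockout program NAME [input ARGS] form is not modelled. It also shows the point made under the Minsize Clause: with no minimum size, an empty password is accepted.

```python
# Added example (not MQL or product code): parse 'set password ...;' clauses into a
# policy and evaluate a candidate password against it. Assumptions are noted inline.
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PasswordPolicy:
    minsize: Optional[int] = None        # None means "no minimum length"
    maxsize: Optional[int] = None        # None means "no maximum length"
    lockout_mode: Optional[str] = None   # "consecutive" or "cumulative"
    lockout_tries: Optional[int] = None
    expires_days: Optional[int] = None   # None means "no expiration"
    allowusername: bool = True           # page: allowed by default
    allowreuse: bool = True              # page: allowed by default
    mixedalphanumeric: bool = False
    cipher: str = "crypt"                # page: default cipher


NEGATABLE = {"allowusername", "allowreuse", "mixedalphanumeric",
             "minsize", "maxsize", "lockout", "expires"}


def _negation(token: str):
    """Map '!minsize' / 'notminsize' / 'minsize' to (negated, keyword)."""
    if token.startswith("!"):
        return True, token[1:]
    if token.startswith("not") and token[3:] in NEGATABLE:
        return True, token[3:]
    return False, token


def apply_set_password(policy: PasswordPolicy, command: str) -> PasswordPolicy:
    """Apply one 'set password PASSWORD_ITEM {PASSWORD_ITEM};' command in place."""
    m = re.match(r"\s*set\s+password\s+(.*?)\s*;?\s*$", command, re.I | re.S)
    if not m:
        raise ValueError("expected: set password PASSWORD_ITEM {PASSWORD_ITEM};")
    tokens = m.group(1).split()
    i = 0
    while i < len(tokens):
        tok = tokens[i].lower()
        i += 1
        if tok == "not":                 # 'not allowreuse' written as two words
            negated, key = True, tokens[i].lower()
            i += 1
        else:
            negated, key = _negation(tok)
        if key in ("allowusername", "allowreuse", "mixedalphanumeric"):
            setattr(policy, key, not negated)
        elif key in ("minsize", "maxsize", "expires"):
            attr = "expires_days" if key == "expires" else key
            if negated:
                setattr(policy, attr, None)
            else:
                setattr(policy, attr, int(tokens[i]))
                i += 1
        elif key == "lockout":
            if negated:
                policy.lockout_mode = policy.lockout_tries = None
            else:
                mode = "consecutive"     # assumption: bare 'lockout N' is consecutive
                if tokens[i].lower() in ("consecutive", "cumulative"):
                    mode = tokens[i].lower()
                    i += 1
                policy.lockout_mode, policy.lockout_tries = mode, int(tokens[i])
                i += 1
        elif key == "cipher":
            policy.cipher = tokens[i].lower()
            i += 1
        else:
            raise ValueError(f"unknown Set Password clause: {key}")
    return policy


def check_new_password(policy: PasswordPolicy, username: str, new_password: str,
                       old_password: Optional[str] = None) -> List[str]:
    """Return the policy violations for a proposed password; empty means accepted.
    Reuse is compared against the plaintext old password here only for illustration."""
    problems = []
    if policy.minsize is not None and len(new_password) < policy.minsize:
        problems.append(f"shorter than minsize {policy.minsize}")
    if policy.maxsize is not None and len(new_password) > policy.maxsize:
        problems.append(f"longer than maxsize {policy.maxsize}")
    if not policy.allowusername and new_password == username:
        problems.append("password equals username")
    if not policy.allowreuse and old_password is not None and new_password == old_password:
        problems.append("password reused")
    if policy.mixedalphanumeric and not (any(c.isalpha() for c in new_password)
                                         and any(c.isdigit() for c in new_password)):
        problems.append("needs at least one letter and one digit")
    return problems
```

Calling check_new_password(PasswordPolicy(), "alice", "") returns an empty list: under the defaults a blank password passes, which is exactly why the page recommends a minsize of at least 1. After apply_set_password(PasswordPolicy(), "set password minsize 6 maxsize 15 notallowusername mixedalphanumeric;") the same user's attempt to use "alice" as a password is rejected on three counts.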

Cipher Clause

This clause specifies the algorithm used to encrypt passwords.

set password cipher CIPHER_NAME;

  • CIPHER_NAME is the cipher to be used. It must be one of the LDAP-supported ciphers: crypt, md5, sha, smd5, ssha. The default is crypt, which uses only the first eight characters for encryption and comparison.

Setting a new cipher for password encryption does not affect existing passwords. That is, only passwords created or changed after the cipher is specified with the above command will be stored using the new encryption algorithm. To make use of the new cipher, existing users must change their password. Business Administrators can include the Expires Clause when setting the cipher to ensure that all users redefine their password. For example:

set password cipher ssha expires 1;

After the above command is issued, existing user passwords will expire in one day, forcing users to enter a new password. Newly defined passwords will be encrypted using the ssha cipher.

Business Administrators can determine which cipher is in use (as well as other system-wide settings) using the print password command.

For more information on ciphers, see http://www.openldap.org/faq/data/cache/346.html.
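The Python code below is an added example, not the product's own implementation. It builds and verifies LDAP userPassword values in the schemes the Cipher clause names (sha, ssha, md5, smd5), using the {SCHEME}base64(digest + salt) layout the linked OpenLDAP FAQ describes; the salt length of 8 bytes and the scheme_of helper are choices made here. The crypt scheme, the page's default, is left out because Python's crypt module is platform-dependent and was removed in Python 3.13. The example also shows why switching to ssha matters: the two passwords the Maxsize Clause calls equivalent under crypt are distinct once hashed with a salted SHA scheme.

```python
# Added example (not product code): LDAP userPassword schemes named by the Cipher clause.
import base64
import hashlib
import hmac
import os

_DIGEST = {"sha": "sha1", "ssha": "sha1", "md5": "md5", "smd5": "md5"}
_SALTED = {"ssha", "smd5"}


def hash_password(password: str, cipher: str = "ssha", salt: bytes = None) -> str:
    """Return '{SCHEME}' + base64(digest || salt). A random 8-byte salt is drawn for
    the salted schemes unless one is supplied (supplying it is only useful in tests)."""
    cipher = cipher.lower()
    if cipher not in _DIGEST:
        raise ValueError(f"unsupported cipher: {cipher}")
    if cipher in _SALTED:
        salt = os.urandom(8) if salt is None else salt
    else:
        salt = b""                        # unsalted schemes carry no salt at all
    digest = hashlib.new(_DIGEST[cipher], password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (cipher.upper(), base64.b64encode(digest + salt).decode("ascii"))


def scheme_of(stored: str) -> str:
    """Return the scheme a stored value uses (e.g. 'ssha'); useful for auditing which
    accounts still hold a pre-migration scheme after 'set password cipher ...'."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("stored value lacks a {SCHEME} prefix")
    return stored[1:stored.index("}")].lower()


def verify_password(password: str, stored: str) -> bool:
    """Check a password against a stored value; the salt is recovered from the value."""
    cipher = scheme_of(stored)
    if cipher not in _DIGEST:
        raise ValueError(f"unsupported scheme: {cipher}")
    raw = base64.b64decode(stored[stored.index("}") + 1:])
    size = hashlib.new(_DIGEST[cipher]).digest_size
    digest, salt = raw[:size], raw[size:]   # salt is whatever follows the digest
    candidate = hashlib.new(_DIGEST[cipher], password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time comparison
```

Because the salt travels inside the stored value, no separate salt column is needed, and every user who changes a password after set password cipher ssha automatically receives a fresh random salt.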

Print Password

You can use this syntax to print the current global password settings.

print password;

The output of this command lists the current settings of each PASSWORD_ITEM. For example:

no minimum length
no maximum length
no consecutive lockout
no cumulative lockout
no expiration
user name allowed
reuse allowed
mixed alphanumeric not required
cipher crypt

Encrypt Password

For LDAP environments, the following MQL command encrypts a password using the same algorithm used for encrypting the bootstrap file password.

encrypt password PASSWORD_STRING;

After executing the command, MQL outputs the encrypted text string. Copy and paste it to the file or location where you want to save it.