Setting Windchill Directory Server Password Policies
Your site password policy is defined in and enforced by your LDAP directory service. Windchill does not place any restrictions on passwords.
By default, the Windchill Directory Server defines no password policy; however, the directory server supports password policies. For example, you can set the following:
A list of excluded passwords that are defined in a dictionary that is maintained in <WindchillDS>/server/config/wordlist.txt.
Password expiration.
Password history rules.
Password syntax, including any of the following:
Whether characters can be repeated
How many unique characters there must be
How long the password must be
Whether the password must contain capital letters, integers, or special characters
Whether the password can be the same as another user attribute, such as the user's name
Use the dsconfig command utility in either command-line or interactive mode to set password policies. This utility allows you to set multiple password policies and then associate specific policies with groups of users. To set up a password policy, you must decide on the policy properties and validators that you want enabled. The following sections provide descriptions of the password policy properties and other password policy details.
Password Policy Properties
The following is the list of configurable properties provided by the Windchill Directory Server. This list includes all properties that are available in the Windchill Directory Server, even though some properties are not supported because of the Windchill environment. Included is a description of each property, its default value, and information about how setting the property impacts your Windchill environment. When a property is not supported, that fact is listed in the Windchill environment impact information.
Note: In a Windchill environment, the web server is responsible for validating that a user can log on. Several password policy properties described in the following list cause the Windchill Directory Server to use extended LDAP controls that then return extra information to the web server. The web servers that are supported in your Windchill environment do not include support for these extended controls; therefore, unless you customize your web server, the web server ignores the extra information that is sent. When this happens, a user can get into a state of not being able to log on. Therefore, the properties that cause extra information to be sent are listed as not supported.
The values set by many of the following properties are stored in attributes that are viewable from your Control Panel > Manage Entries window. To view attributes, navigate to the password policy entry from the tree in the left pane. For example, first select the All Base DN’s option from the Base DN field. Then open the following entries to locate the default password policy:
cn=config

Password Policies

Under Password Policies, select Default Password Policy and the attributes display in the right pane. The names of many of the attributes are the corresponding property names prefixed by the ds-cfg- characters. For example, the attribute where the max-password-age value is stored is named ds-cfg-max-password-age. Although many of these attributes can be set from the Control Panel, PTC recommends using the dsconfig command to set values.
When specifying time in any of the following property settings, use the following format:
value time-unit
where value is an integer value and time-unit is one of the following:
milliseconds
seconds
minutes
hours
days
weeks
The short forms for time-unit are: ms, s, m, h, d and w.
account-status-notification-handler
The account status notification handler is used to send messages when events occur during the course of password policy processing. This property specifies the DNs of the account status notification handlers that should be used for this password policy.
Default: There is no account status notification handler set up in the Windchill Directory Server and this property is not set.
Windchill Environment Impact: After setting up an account status notification handler and setting this property, users receive email notifications relating to the password policy for which this property is set. For example, after you have set up user email notifications, users receive email notifications when their accounts are locked. The notification includes the reason for locking the account.
For the list of steps that are required to set up user email notifications, see the section Setting Up Email Notifications for Password Policy Events.
allow-expired-password-changes
Indicates whether users are allowed to change their passwords after the passwords have expired.
Default: Property is not set.
Windchill Environment Impact: Not supported; without modifications to your web server, this feature cannot be used.
allow-user-password-changes
Indicates whether users are allowed to change their own passwords if they have access control rights to do so.
Default: True.
Windchill Environment Impact: To use this feature, you must enable the Password Change user interface. For the details on how to enable this interface and for the set of tasks to complete to configure password management in Windchill, see the Windchill Directory Server.
default-password-storage-scheme
Specifies the DNs for the password storage schemes that are used to encode clear-text passwords for this password policy.
Default: Salted SHA-1
Windchill Environment Impact: No impact; the schemes used to encode clear text are only used internally by the Windchill Directory Server and have no effect on its interaction with your Windchill solution.
deprecated-password-storage-scheme
Specifies the DNs for password storage schemes that are considered deprecated for this password policy. If a user with this password policy authenticates to the server and his password is encoded with any deprecated schemes, those values are removed and replaced with values encoded using the default password storage scheme.
Default: Property is not set.
Windchill Environment Impact: No impact; the schemes used to encode clear text are only used internally by the Windchill Directory Server and have no effect on its interaction with your Windchill solution.
expire-passwords-without-warning
Indicates whether user passwords are allowed to expire even if the user has not yet seen a password expiration warning. If this property is set to false, the user is always guaranteed to see at least one warning message even if the password expiration time has passed. The expiration time is then reset to the current time plus the warning interval (ds-cfg-password-expiration-warning-interval).
Default: False
Windchill Environment Impact: If this property is false and the user has not received a notice of upcoming password expiration, the user is allowed to log in to Windchill even if their password would otherwise have expired. This login generates a notice that the password will expire soon, and the password expiration time is set to the time of the login plus the expiration warning interval. It may be appropriate to set this value to false if you are setting up email notification for password events. For more information, see the section Setting Up Email Notifications for Password Policy Events.
force-change-on-add
Indicates whether users are required to change their passwords the first time they use their accounts and before they are allowed to perform any other operation.
Default: Property is not set.
Windchill Environment Impact: Not supported; without modifications to your web server, this feature cannot be used.
force-change-on-reset
Indicates whether users are required to change their passwords after an administrative password reset and before they are allowed to perform any other operation.
Default: Property is not set.
Windchill Environment Impact: Not supported; without modifications to your web server, this feature cannot be used.
grace-login-count
Specifies the maximum number of grace logins that users should be given. Grace logins make it possible for users to authenticate to the server after their passwords have expired, but the users are not allowed to do anything else until they have changed their passwords.
Default: Property is not set.
Windchill Environment Impact: Not supported; without modifications to your web server, this feature cannot be used.
idle-lockout-interval
Specifies the maximum length of time that a user account can remain idle (that is, that the user can go without authenticating to the directory) before the server locks the account.
Default: 0
Windchill Environment Impact: Not supported. Windchill supports HTTP Basic Authentication, in which the credentials are managed entirely by the client (the browser), so there is no reliable way to prompt a Windchill user to log in again periodically. This property can be set, but the only effect is that the user account is locked if the user does not bind to the directory for the specified time.
last-login-time-attribute
Specifies the name of the attribute in the user's entry that is used to hold the last login time for the user.
Default: Property is not set.
Windchill Environment Impact: When set, the property provides the user attribute to query for determining the time a user last logged in to Windchill. The Windchill Directory Server defines the ds-pwp-last-login-time operational attribute for this purpose.
If you want to track the last time users log in, set this property to ds-pwp-last-login-time and complete the additional tasks needed to set up last login time tracking. See the section Setting Up Time Tracking for Last Logins.
last-login-time-format
Specifies the format string that should be used to generate the last login time values. The value can be any valid format string that can be used in conjunction with the java.text.SimpleDateFormat class.
Note: For performance reasons, consider specifying a format that only stores the date of the last login and not the time (for example, format: yyyyMMdd). When only the date format is specified, the last login only needs to be updated once per day, rather than each time the user authenticates on a given day.
Default: Property is not set.
Windchill Environment Impact: When set, the property provides the format for the last login time.
If you want to track the last time users log in, set this property to a valid format string and complete the additional tasks needed to set up last login time tracking. See Setting Up Time Tracking for Last Logins.
lockout-duration
Specifies the length of time that a user account should remain locked due to failed authentication attempts before it is automatically unlocked. A value of 0 seconds indicates that any locked accounts are not automatically unlocked and must be reset by an administrator.
Default: The default value for this parameter is 0 seconds. However, the release value for WindchillDS for both the Default Password Policy and the Root Password Policy is 15 minutes (900 seconds). 
Windchill Environment Impact: The account will be unlocked in 15 minutes. No further administrative action is required.
lockout-failure-count
Specifies the number of authentication failures required to lock a user account, either temporarily or permanently. A value of 0 indicates that automatic lockout is not enabled.
Default: The default value for this parameter is 0 seconds. However, the release value for WindchillDS for both the Default Password Policy and the Root Password Policy is 5.
Windchill Environment Impact: The released value means that a user’s account is locked after 5 consecutive unsuccessful bind attempts. When the user’s account is locked, the user is unable to log in to Windchill.
lockout-failure-expiration-interval
Specifies the maximum length of time that a previously failed authentication attempt should be counted toward a lockout failure.
Note: The record of all previous failed attempts is always cleared upon a successful authentication.
A value of 0 seconds indicates that failed attempts are never automatically expired.
Default: 0 seconds
Windchill Environment Impact: If you set a nonzero value, failed login attempts expire after the specified time interval. Expiring a failed login attempt allows users to attempt to log in again if their number of attempts is now below the number specified in the lockout-failure-count property.
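The three lockout properties (lockout-failure-count, lockout-duration and lockout-failure-expiration-interval) and the "value time-unit" format interact in ways that are easier to check in a small model than in prose. The following Python is an added illustration written for this page, not code from PTC or from the Windchill Directory Server; it reproduces only the rules documented above (a successful bind clears every recorded failure, failures older than the expiration interval stop counting, a lockout-duration of 0 means an administrator must unlock the account). The class and function names and the constructed bind sequence are assumptions.

```python
"""Model of the documented lockout behaviour (added example, not PTC code)."""

# Long and short forms of time-unit accepted by the "value time-unit" format.
UNIT_SECONDS = {
    "ms": 0.001, "milliseconds": 0.001,
    "s": 1, "seconds": 1,
    "m": 60, "minutes": 60,
    "h": 3600, "hours": 3600,
    "d": 86400, "days": 86400,
    "w": 604800, "weeks": 604800,
}


def parse_duration(text):
    """Convert a dsconfig duration such as "15 m" or "900 seconds" to seconds."""
    value, unit = text.split()
    return int(value) * UNIT_SECONDS[unit]


class LockoutPolicy:
    """Per-account failure tracking driven by the three lockout properties.

    Defaults are the WindchillDS release values quoted above: 5 failures,
    a 15 minute lockout, and failed attempts that never expire.
    """

    def __init__(self, lockout_failure_count=5, lockout_duration="15 m",
                 lockout_failure_expiration_interval="0 s"):
        self.failure_count = lockout_failure_count              # 0 = lockout disabled
        self.lockout_seconds = parse_duration(lockout_duration)  # 0 = admin reset only
        self.expire_seconds = parse_duration(lockout_failure_expiration_interval)  # 0 = never
        self.failed_at = []      # timestamps of failed binds still counted
        self.locked_at = None    # time the account was locked, or None

    def _counted_failures(self, now):
        """Failures still inside lockout-failure-expiration-interval (all of them if 0)."""
        if self.expire_seconds == 0:
            return list(self.failed_at)
        return [t for t in self.failed_at if now - t < self.expire_seconds]

    def is_locked(self, now):
        """True while the account is locked; applies the automatic unlock."""
        if self.locked_at is None:
            return False
        if self.lockout_seconds and now - self.locked_at >= self.lockout_seconds:
            self.locked_at = None            # lockout-duration elapsed: unlock
            self.failed_at = []
            return False
        return True                          # lockout-duration 0: stays locked

    def bind(self, now, password_ok):
        """Simulate one bind at time `now`; returns True if it succeeds."""
        if self.is_locked(now):
            return False
        if password_ok:
            self.failed_at = []              # success clears every recorded failure
            return True
        self.failed_at = self._counted_failures(now) + [now]
        if self.failure_count and len(self.failed_at) >= self.failure_count:
            self.locked_at = now             # lockout-failure-count reached
        return False

    def admin_reset(self):
        """Administrative unlock, the only way out when lockout-duration is 0 seconds."""
        self.locked_at = None
        self.failed_at = []


if __name__ == "__main__":
    # Constructed scenario: five bad passwords under the release settings.
    acct = LockoutPolicy()
    for t in range(5):
        acct.bind(t, password_ok=False)
    print("locked after 5 failures:", acct.is_locked(10))
    print("still locked just before 15 min:", acct.is_locked(4 + 899))
    print("unlocked after 15 min:", acct.is_locked(4 + 900))
```

Setting lockout-failure-expiration-interval to a nonzero value is what lets slow, spread-out failures fall out of the count; with the default of 0 seconds, four failures made over a month plus one more still lock the account.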
max-password-age
Specifies the maximum length of time that a user is allowed to keep the same password before choosing a new one. This time is often known as the password expiration interval.
A value of 0 seconds indicates that passwords never expire.
If the ds-cfg-expire-passwords-without-warning attribute is set to false, the effective password expiration time is recalculated to be the time at which the first warning is received, plus the warning interval (ds-cfg-password-expiration-warning-interval). This behavior ensures that users always have the fully configured warning interval to change their passwords.
Default: 0 seconds
Windchill Environment Impact: If you set a nonzero value, the value is the maximum amount of time allowed before users must change their passwords. If a password is not changed within the specified time, the account is locked (preventing access to Windchill).
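The recalculation described above (expiration becomes first warning plus warning interval when ds-cfg-expire-passwords-without-warning is false) is the detail that most often surprises administrators, because a user who binds late can still log in once. The following Python models the documented rule for max-password-age, password-expiration-warning-interval and expire-passwords-without-warning; it is an added example, not PTC code, durations are plain seconds rather than the "value time-unit" form, and the class names and the constructed bind times are assumptions.

```python
"""Model of the documented expiration and warning rules (added example, not PTC code)."""

from dataclasses import dataclass
from typing import Optional


@dataclass
class PasswordState:
    """Per-user state the server needs for expiration handling."""
    changed_at: float                   # when the current password was set
    warned_at: Optional[float] = None   # when the first expiration warning was issued


class ExpirationPolicy:
    """Evaluates a bind against max-password-age and the warning settings."""

    def __init__(self, max_password_age=0, warning_interval=0,
                 expire_without_warning=False):
        self.max_age = max_password_age            # 0 = passwords never expire
        self.warning_interval = warning_interval   # must be nonzero when expire_without_warning is False
        self.expire_without_warning = expire_without_warning

    def check_bind(self, state, now):
        """Return (status, effective_expiry) for a bind at time `now`.

        status is "ok", "warn" (warning outstanding, bind allowed) or
        "expired" (bind refused; in Windchill the account is then locked).
        """
        if self.max_age == 0:
            return "ok", None
        expiry = state.changed_at + self.max_age
        if state.warned_at is None:
            if now < expiry - self.warning_interval:
                return "ok", expiry               # not yet inside the warning window
            if self.expire_without_warning and now >= expiry:
                return "expired", expiry          # never warned, but allowed to expire
            state.warned_at = now                 # this bind delivers the first warning
        if not self.expire_without_warning:
            # expire-passwords-without-warning:false recalculates the expiration
            # to the time of the first warning plus the warning interval.
            expiry = state.warned_at + self.warning_interval
        if now >= expiry:
            return "expired", expiry
        return "warn", expiry


if __name__ == "__main__":
    # Constructed scenario using the values from the expiration example later
    # on this page: 360 second maximum age, 180 second warning interval.
    policy = ExpirationPolicy(max_password_age=360, warning_interval=180)
    user = PasswordState(changed_at=0)
    for t in (100, 200, 379, 380):
        print(t, policy.check_bind(user, t))
```

With expire_without_warning left at false, a user whose first bind after the change happens at t=500 (well past the nominal 360 second expiry) is still admitted with a warning and given until t=680; with it set to true the same bind is refused.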
max-password-reset-age
Specifies the maximum length of time that users are allowed to change their passwords after they have been administratively reset and before they are locked out.
This property is only applicable if the ds-cfg-force-change-on-reset attribute is set to true.
A value of 0 seconds indicates that there are no limits on the length of time that users have to change their passwords after administrative resets.
Default: 0 seconds
Windchill Environment Impact: Not supported; without modifications to your web server, this feature cannot be used.
min-password-age
Specifies the minimum length of time that users are required to have a password value before it can be changed again.
Default: 0 seconds
Windchill Environment Impact: Providing a nonzero value ensures that users are not allowed to repeatedly change their passwords in order to flush their previous password from the history so it can be reused.
password-attribute
Specifies the attribute in the user's entry that holds the encoded passwords for the user.
Default: userPassword
Windchill Environment Impact: To function correctly, the Windchill code that processes user passwords requires that ds-cfg-password-attribute be set to userPassword. Do not change the value of this property without customizing the Windchill code.
password-change-requires-current-password
Indicates whether users are required to provide their current password when setting a new password. If this is set to true, then users are required to provide their current password when changing their existing password.
Default: false
Windchill Environment Impact: Not supported; without modifications to your web server and to the Windchill password modification code, this feature cannot be enabled.
password-expiration-warning-interval
Specifies the length of time before a password expires that users should start to receive notifications that their password is about to expire.
Note: You must set a nonzero value for this property if the ds-cfg-expire-passwords-without-warning attribute is set to false.
Default: There is no account status notification handler set up in the Windchill Directory Server and this property is not set.
Windchill Environment Impact: After setting up an account status notification handler and setting this property, users receive email notifications relating to the password policy for which this property is set.
For the list of steps that are required to set up user email notifications, see the section Setting Up Email Notifications for Password Policy Events.
password-generator
Specifies the DN for the password generator that should be used in conjunction with this password policy. The password generator is used in the following cases:
When the administrator resets a user password and does not specify a new password.
To provide a new password for cases in which the client did not include one in the request. This is used in conjunction with a password modify extended operation; however, the password modify extended operation is not supported.
Default: cn=Random Password Generator,cn=Password Generators,cn=config
Windchill Environment Impact: The generator is used when the administrator resets a user’s password. The administrator sees the password generated and must communicate this to the user; the generated password is not sent with the password reset email notification.
password-history-count
Specifies the maximum number of password values that should be maintained in the password history. Whenever a user’s password is changed, the server checks the proposed new password against the current password and all passwords stored in the history. If a match is found, then the user is not allowed to use that new password. A value of 0 indicates either of the following:
The server should not maintain a password history (that is the case when the password history duration has a value of 0 seconds).
The password history list should be based entirely on duration and no maximum count should be enforced (that is the case when the password history duration has a value other than 0 seconds).
Note: If an administrator reduces the configured password history count to a smaller (but still nonzero) value, each user entry containing password history state information is not impacted until a password change is processed for that user. At that time, any excess history state values are purged from the entry.
If the history count is reduced to 0 and the password history duration is also set to 0 seconds, any state information in the user’s entry is retained in case the feature is re-enabled.
Default: 0
Windchill Environment Impact: If you set a nonzero value, the value determines how many unique passwords a user must specify before a previously-used password can be specified.
password-history-duration
Specifies the maximum length of time that a formerly-used password should remain in effect in the user's password history.
Whenever a user's password is changed, the server checks the proposed new password against the current password and all passwords stored in the history. If a match is found, the user is not allowed to use that new password.
A value of 0 seconds indicates one of the following:
The server should not maintain a password history. This is the case when the ds-cfg-password-history-count attribute has a value of 0.
The password history list should be based entirely on count and no maximum duration should be enforced. This is the case when the ds-cfg-password-history-count attribute has a value other than 0.
Default: 0 seconds
Windchill Environment Impact: You can provide a nonzero value to ensure that users are not allowed to repeatedly change their passwords in order to flush their previous password from the history so it can be reused.
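The count and duration settings above, together with min-password-age, decide whether a user can cycle back to an old password. The following Python models those three properties as documented (0 for both history settings means no history is kept; 0 for one of them means that dimension is unlimited; excess entries are purged only when a change is processed; min-password-age blocks a change made too soon). It is an added example, not PTC code; durations are plain seconds, a plain SHA-256 hash stands in for the server's storage scheme, and the class and function names and the constructed password sequences are assumptions.

```python
"""Model of password-history-count, password-history-duration and min-password-age
(added example, not PTC code)."""

import hashlib
from dataclasses import dataclass, field


def _encode(password):
    """Stand-in for the storage scheme (Salted SHA-1 by default); a hash is enough here."""
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class UserPasswordState:
    current: str                    # encoded current password
    changed_at: float               # time the current password was set
    history: list = field(default_factory=list)   # [(encoded, retired_at)], oldest first


class HistoryPolicy:
    """Applies the documented history and minimum-age rules at password change time."""

    def __init__(self, history_count=0, history_duration=0, min_password_age=0):
        self.history_count = history_count          # 0 = no count limit
        self.history_duration = history_duration    # 0 = no duration limit
        self.min_password_age = min_password_age    # 0 = no minimum age

    def _prune(self, history, now):
        """Entries the history would still hold; purging only happens at a change."""
        if self.history_count == 0 and self.history_duration == 0:
            return []                               # history is not maintained at all
        if self.history_duration:
            history = [(h, t) for (h, t) in history if now - t < self.history_duration]
        if self.history_count:
            history = history[-self.history_count:]
        return history

    def change_password(self, state, new_password, now):
        """Return (accepted, reason); on success the state is updated in place."""
        if self.min_password_age and now - state.changed_at < self.min_password_age:
            return False, "min-password-age not reached"
        encoded = _encode(new_password)
        live = self._prune(state.history, now)
        # The current password and every retained history value are compared.
        if encoded == state.current or any(encoded == h for h, _ in live):
            return False, "matches current password or history"
        state.history = self._prune(live + [(state.current, now)], now)
        state.current = encoded
        state.changed_at = now
        return True, "changed"


def new_user(password, at=0):
    """Constructed user entry with a freshly set password."""
    return UserPasswordState(current=_encode(password), changed_at=at)


if __name__ == "__main__":
    policy = HistoryPolicy(history_count=2)
    user = new_user("a")
    for pw, t in (("b", 1), ("c", 2), ("a", 3), ("d", 4), ("a", 5)):
        print(t, pw, policy.change_password(user, pw, t))
```

The last two steps of the constructed run show why min-password-age matters: with only a count of 2, the user gets "a" back after two further changes made a second apart, whereas a nonzero min-password-age makes that cycling take at least two full minimum-age intervals.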
password-validator
Specifies the DNs for password validators that should be used in conjunction with this password policy. The password validators are invoked whenever a user attempts to provide a new password in order to determine whether that new password is acceptable.
Default: Property is not set.
Windchill Environment Impact: You can limit the values that users enter for the passwords by setting this property.
To display existing password validators, see the section Displaying Your Password Policy Configuration.
For an example that sets password validators, see the section Setting Password Expiration Time and Adding Validators.
previous-last-login-time-format
Specifies the format string that was used in the past for older last login time values. This value is not necessary unless the last login time feature is enabled and the format in which the values are stored has been changed.
Default: This property is not set.
Windchill Environment Impact: No impact.
require-change-by-time
Specifies a time by which all users with this password policy are required to change their passwords. Specify the time using the following format:
yyyyMMddhhmmssZ
For example, 20100101120000Z represents 12 PM on January 01, 2010 in the Zulu time zone.
This option works independently of password expiration; it forces all users to change their passwords before a given time. This password change is required even when password expiration is disabled.
Default: This property is not set.
Windchill Environment Impact: When this property is set, all Windchill users covered by this password policy must change their password by the specified time.
require-secure-authentication
Indicates whether users with this password policy are required to authenticate in a secure manner using a secure communication mechanism like SSL, or a secure SASL mechanism like DIGEST-MD5, EXTERNAL, or GSSAPI that does not expose the password in the clear.
Default: false
Windchill Environment Impact: Not supported; without modifications to your web server, this feature cannot be used.
require-secure-password-changes
Indicates whether users with this password policy are required to make password changes in a secure manner, such as over a secure communication channel like SSL.
Default: false
Windchill Environment Impact: Not supported; without modifications to your web server, this feature cannot be used.
Setting Up Email Notifications for Password Policy Events
To set up email notifications that are sent to users for password policy events, you must complete a set of tasks. The example dsconfig commands provided in the tasks assume the following:
The commands are entered on the host where Windchill Directory Server resides (localhost is used).
The Windchill Directory Server administrative port is 4444.
The Windchill Directory Server bind DN is “cn=Manager” and the bind password is “admin”.
Note: Important information about notices of upcoming password expiration:
The Windchill Directory Server only checks for upcoming password expiration when a user binds to the directory. A bind on behalf of the user occurs automatically when the user logs in to Windchill. If the user does not log in to Windchill, or otherwise bind to the Windchill Directory Server, no notice of upcoming password expiration is sent. Set expire-passwords-without-warning to false to allow the user to log in if a warning has not been sent.
Only one warning notice is sent for an upcoming password expiration.
The tasks to complete are as follows:
Configure the SMTP Account Status notification handler.
To configure the notification handler, you must configure Windchill Directory Server to use the SMTP mail handler and enable an SMTP handler for notifications. For example, use commands similar to the following:
dsconfig -D "cn=manager" -w admin -n
set-global-configuration-prop
--set smtp-server:<host name> --trustAll

dsconfig set-account-status-notification-handler-prop
--handler-name "SMTP Handler"
--set "enabled:true" --hostname "localhost" --port "4444"
--trustAll --bindDN "cn=manager" --bindPassword admin --no-prompt
Replace <host name> with the name of the host where your mail server resides.
Configure the password policy you are setting up to add the SMTP account status notification handler. For example, use a command similar to the following to set the handler for the default password policy:
dsconfig set-password-policy-prop
--policy-name "Default Password Policy"
--add "account-status-notification-handler:SMTP Handler"
--hostname "localhost" --port "4444" --trustAll
--bindDN "cn=manager" --bindPassword admin --no-prompt
Configure the sender-address in the SMTP Account Status Notification Handler property. For example, use a command similar to the following:
dsconfig set-account-status-notification-handler-prop
--handler-name "SMTP Handler"
--set "sender-address:<user_address>"
--hostname "localhost" --port "4444" --trustAll
--bindDN "cn=manager" --bindPassword admin --no-prompt
Replace <user_address> with the address of the recipient that appears in the From address of the email.
After you complete the tasks, users automatically receive email notifications when password policy events occur.
The following are examples of password notifications:
Your directory password will expire in 3 minutes, 0 seconds.
Please change your password before Thu Aug 06 12:56:20 CDT 2009 so that it does not expire.
For further assistance, please contact a directory administrator.
Your directory password has expired.
Please contact a server administrator to have your password reset.
Your directory account has been locked because it has remained idle for too long.
For further assistance, please contact a server administrator.
The content of these messages can be customized. Message templates are stored in the <WindchillDS>/server/config/messages directory, where <WindchillDS> is the Windchill Directory Server installation directory. Change the appropriate template file to change the contents of the notifications sent to the user.
Setting Up Time Tracking for Last Logins
By default, a user’s last login time is not tracked.
To set up the tracking of a user’s last login time, you must complete the following tasks:
Set the following attributes for the password policy:
ds-cfg-last-login-time-attribute
ds-cfg-last-login-time-format
You can set these attributes by setting the last-login-time-attribute and last-login-time-format properties.
Set the idle-lockout-interval property to a nonzero value.
Displaying Your Password Policy Configuration
When setting up your password policies, you should be aware of what is currently set before making changes. The following examples show how to display the current configuration information for the following:
The default password policy
The existing password validators
The SMTP handler for notifications
The example dsconfig commands provided in the examples assume the following:
The commands are entered on the host where Windchill Directory Server resides (localhost is used).
The Windchill Directory Server administrative port is 4444.
The Windchill Directory Server bind DN is “cn=Manager” and the bind password is “admin”.
To view what is set for the default password policy, enter a command similar to the following:
dsconfig get-password-policy-prop --policy-name "Default Password Policy"
--hostname localhost --port 4444 --bindDN "cn=Manager"
--bindPassword "admin" --no-prompt --trustAll
To view the existing password validators, enter a command similar to the following:
dsconfig list-password-validators
--hostname localhost --port 4444 --bindDN "cn=Manager"
--bindPassword "admin" --no-prompt --trustAll
The output from the list-password-validators subcommand is similar to the following:
Password Validator                  : Type                : enabled
------------------------------------:---------------------:--------
Attribute Value                     : attribute-value     : true
Character Set                       : character-set       : true
Dictionary                          : dictionary          : false
Length-Based Password Validator     : length-based        : true
Repeated Characters                 : repeated-characters : true
Similarity-Based Password Validator : similarity-based    : true
Unique Characters                   : unique-characters   : true

You can use the information in the validator list to display the properties that are set for each validator. For example, use a command similar to the following to display the properties for the dictionary validator:
dsconfig get-password-validator-prop --validator-name Dictionary
--hostname localhost --port 4444 --bindDN "cn=Manager"
--bindPassword "admin" --no-prompt --trustAll
To display the configuration of the SMTP handler for notifications, enter a command similar to the following:
dsconfig list-properties -c account-status-notification-handler
Configuring Password Policies
You can configure multiple password policies in Windchill Directory Server. Each policy can be associated with a group of users. Out of the box, Windchill Directory Server provides the default password policy that can be used for all users.
By default, the Windchill Directory Server is set up to allow users to modify their own password; however, the Windchill interface for modifying passwords is not enabled by default. For the details on how to enable this interface and on the set of tasks to complete to configure password management in Windchill, see User Password Management Options.
The following sections provide example commands that you can study to determine how to configure your password policies. The example dsconfig commands assume the following:
The commands are entered on the host where Windchill Directory Server resides (localhost is used).
The Windchill Directory Server administrative port is 4444.
The Windchill Directory Server bind DN is “cn=Manager” and the bind password is “admin”.
Configuring Password Policy Lockout Failure Count
To set the password lockout count to 3, use a command similar to the following:
dsconfig set-password-policy-prop
--policy-name "Default Password Policy"
--set "lockout-failure-count:3"
--hostname "localhost" --port "4444" --trustAll
--bindDN "cn=manager" --bindPassword admin --no-prompt
Configuring Password Lockout Duration
To set the password lockout duration to 120 seconds, use a command similar to the following:
dsconfig set-password-policy-prop
--policy-name "Default Password Policy"
--set "lockout-duration:120 s"
--hostname "localhost" --port "4444" --trustAll
--bindDN "cn=manager" --bindPassword admin --no-prompt
Configuring Minimum Password Age
To set the minimum password age to 180 seconds, use a command similar to the following:
dsconfig set-password-policy-prop
--policy-name "Default Password Policy"
--set "min-password-age:180 s"
--hostname "localhost" --port "4444" --trustAll
--bindDN "cn=manager" --bindPassword admin --no-prompt
Configuring Password Expiration Policy
To set the password expiration policy to expire passwords without warning, with a maximum password age of 360 seconds and an expiration warning interval of 180 seconds, use a command similar to the following:
dsconfig set-password-policy-prop
--policy-name "Default Password Policy"
--set "expire-passwords-without-warning:true"
--set "max-password-age:360 s"
--set "password-expiration-warning-interval:180 s"
--hostname "localhost" --port "4444" --trustAll
--bindDN "cn=manager" --bindPassword admin --no-prompt
Setting Password Expiration Time and Adding Validators
Some policies require that you set validators as well as properties. For example, assume that you want to set up the default password policy as follows:
User passwords expire every 120 days
Use the max-password-age property to set this.
The password must be at least six characters long with at least three unique characters
Use the Length-Based Password Validator to set the minimum length and the Unique Characters validator to set the number of unique characters.
To set the password expiration time and add the length-based password validator and the unique character validator to the default password policy, enter the following commands:
dsconfig set-password-validator-prop
--validator-name "Length-Based Password Validator"
--set enabled:true --set min-password-length:6
--hostname localhost --port 4444 --bindDN "cn=Manager"
--bindPassword "admin" --no-prompt --trustAll

dsconfig set-password-validator-prop
--validator-name "Unique Characters"
--set enabled:true --set min-unique-characters:3
--hostname localhost --port 4444 --bindDN "cn=Manager"
--bindPassword "admin" --no-prompt --trustAll

dsconfig set-password-policy-prop
--policy-name "Default Password Policy"
--add "password-validator:Length-Based Password Validator"
--add "password-validator:Unique Characters"
--set "max-password-age:120 d"
--hostname localhost --port 4444 --bindDN "cn=Manager"
--bindPassword "admin" --no-prompt --trustAll
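The commands above show the two steps a validator needs: the validator itself is configured and enabled, and then the policy's password-validator property is updated to reference it. A validator that is listed as enabled:true but not added to the policy is never applied to that policy's users. The following Python models a validator chain with the same semantics for the validator types shown in the list-password-validators output (length, unique characters, repeated characters, dictionary, character set, attribute value). It is an added example, not PTC code or the directory server's own validators: the function names, the constructed word list standing in for wordlist.txt, the consecutive-run interpretation of the repeated-characters check and the sample user attributes are assumptions.

```python
"""Model of a password validator chain (added example, not PTC code)."""

import re
from functools import partial

# Constructed stand-in for <WindchillDS>/server/config/wordlist.txt.
WORDLIST = frozenset({"password", "windchill", "welcome", "changeme"})


def length_based(pw, user, min_password_length=6, max_password_length=0):
    """Length-Based Password Validator; a maximum of 0 means no upper limit."""
    if len(pw) < min_password_length:
        return "shorter than %d characters" % min_password_length
    if max_password_length and len(pw) > max_password_length:
        return "longer than %d characters" % max_password_length
    return None


def unique_characters(pw, user, min_unique_characters=3):
    """Unique Characters validator."""
    if len(set(pw)) < min_unique_characters:
        return "fewer than %d unique characters" % min_unique_characters
    return None


def repeated_characters(pw, user, max_consecutive_length=2):
    """Repeated Characters validator (modelled as a limit on consecutive runs)."""
    if re.search(r"(.)\1{%d,}" % max_consecutive_length, pw):
        return "a character repeats more than %d times in a row" % max_consecutive_length
    return None


def dictionary(pw, user, wordlist=WORDLIST):
    """Dictionary validator: reject any word from the list, case-insensitively."""
    if pw.lower() in wordlist:
        return "found in the dictionary"
    return None


def character_set(pw, user):
    """Character Set validator: require a capital letter, an integer and a special character."""
    for pattern, msg in ((r"[A-Z]", "no capital letter"),
                         (r"[0-9]", "no integer"),
                         (r"[^A-Za-z0-9]", "no special character")):
        if not re.search(pattern, pw):
            return msg
    return None


def attribute_value(pw, user):
    """Attribute Value validator: the password must not equal a user attribute such as uid."""
    for name, value in user.items():
        if pw.lower() == str(value).lower():
            return "matches user attribute %s" % name
    return None


def validate(pw, user, validators):
    """Run the validators referenced by a policy; an empty list means the password is acceptable."""
    failures = []
    for check in validators:
        msg = check(pw, user)
        if msg:
            failures.append(msg)
    return failures


# What the dsconfig commands above attach to the default policy: only these two apply,
# whatever the "enabled" column says for the other validators in the server's list.
DEFAULT_POLICY_VALIDATORS = [
    partial(length_based, min_password_length=6),
    partial(unique_characters, min_unique_characters=3),
]

# A stricter chain that also references the remaining validator types.
STRICT_VALIDATORS = DEFAULT_POLICY_VALIDATORS + [
    repeated_characters, dictionary, character_set, attribute_value,
]


if __name__ == "__main__":
    sample_user = {"uid": "jsmith", "cn": "John Smith"}    # constructed entry
    for candidate in ("abcdef", "aaaaaa", "Password", "jsmith", "Password1!"):
        print(candidate, "->", validate(candidate, sample_user, STRICT_VALIDATORS))
```

Running the constructed candidates through DEFAULT_POLICY_VALIDATORS accepts "abcdef" and "Password" outright, which is exactly what the page's six-character, three-unique-character policy does; only the stricter chain rejects the dictionary word and the uid.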