The Password policies item lists the policies for changing users' perimeter passwords and also defines the required password complexity.

General tab

  • Name: choose a name in natural language.
  • Password change enabled: enables or disables password changes by the user.
  • Minimum length: minimum length of the password when changed by the user. Inclusive.
  • Maximum length: maximum length of the password when it is changed by the user. Inclusive.
  • Complexity:
    • <None>: no constraint as to complexity.
    • Numeric Only: the password must contain only numerals.
    • Alpha + Numeric + Special: the password must contain at least one numeral, one alphabetic character and one special character.
    • Alpha + Numeric + Case: the password must contain at least one numeral, one alphabetic character, one upper-case letter and one lower-case letter.

LDAP tab

Users can be allowed to change their own passwords on the AD, without intervention by the Account Manager.

Click the Password change enabled radio button, then User account for password change.

Forcing the user to change his/her password

It’s possible to allow the user to change his/her password on an external LDAP server. To do that, a Password Policy needs to be added to the Perimeter Gate with the Password change enabled option.

For Active Directory with SSL

When the external LDAP server is an AD using SSL, no additional configuration is needed. The new password will be sent in the "unicodePwd" LDAP attribute.

Handling of password expiration/reset is enabled automatically.

If the AD returns "data 701" (password expired) or "data 773" (password reset) during authentication, the user is prompted to change his/her password.

The Password expiration, Force expiration for new users and Password expiration delay options are not used in this case.

Other LDAP cases

To enable the password change, the Password attribute field (Password tab) must be filled in for the Authentication Server attached to the gate.

Handling password expiration/reset is enabled via the Password expiration option (Password Policy > LDAP tab).

You must also fill in the Password Expiration attribute and Password Last Set attribute fields (Password tab) for the Authentication server attached to the gate.

Password expiration/reset (non-Active Directory LDAP + SSL)

  • If the Force expiration for new users option is enabled and the Password Last Set attribute is not a timestamp, the user has never changed his/her password (and therefore has never logged in). The user is prompted to change his/her password (cause = reset).
  • If the Force expiration for new users option is enabled and the Password Last Set attribute is a timestamp, the user has already changed his/her password.
  • Otherwise, if the Password Last Set attribute = 0, the user is prompted to change his/her password (cause = reset).
  • Otherwise, if the Password expiration attribute > 0 and Now > Password expiration attribute, the user is prompted to change his/her password (cause = expired).
  • Otherwise, if Password expiration delay is enabled (value > 0), Password Last Set attribute > 0 and Now > (Password Last Set attribute + Password expiration delay), the user is prompted to change his/her password (cause = expired).
  • If the Password Last Set attribute is not found in the user's result set, its internal value is -1.
  • If the Password expiration attribute is not found in the user's result set, its internal value is 0.
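The decision sequence above, written out as an added Python example (not the product's own code). It assumes epoch-second timestamps, treats any value > 0 as a real timestamp (so the -1 and 0 internal defaults both count as "not a timestamp"), and uses the placeholder attribute names pwdLastSet and pwdExpiration, which in the product are whatever is configured in the Password tab:

```python
from typing import Optional

# Internal defaults documented for attributes missing from the user's result set.
MISSING_LAST_SET = -1
MISSING_EXPIRATION = 0


def attr_as_int(entry: dict, name: str, default: int) -> int:
    """Read one LDAP attribute as an integer epoch; fall back to the internal default
    when the attribute is absent or does not parse as a number."""
    raw = entry.get(name)
    if raw is None:
        return default
    try:
        return int(raw)
    except (TypeError, ValueError):
        return default


def password_change_cause(entry: dict, now: int, force_new_users: bool,
                          expiration_delay: int,
                          last_set_attr: str = "pwdLastSet",      # placeholder name
                          expiration_attr: str = "pwdExpiration"  # placeholder name
                          ) -> Optional[str]:
    """Apply the rules in document order and return "reset", "expired" or None
    (no prompt). Assumption: a Password Last Set value > 0 is a timestamp."""
    last_set = attr_as_int(entry, last_set_attr, MISSING_LAST_SET)
    expires = attr_as_int(entry, expiration_attr, MISSING_EXPIRATION)

    # Rules 1-2: force expiration for new users (never changed => never logged in).
    if force_new_users and last_set <= 0:
        return "reset"
    # Rule 3: an explicit 0 marks an administrative reset.
    if last_set == 0:
        return "reset"
    # Rule 4: absolute expiration timestamp has passed.
    if expires > 0 and now > expires:
        return "expired"
    # Rule 5: relative delay since the last change has elapsed.
    if expiration_delay > 0 and last_set > 0 and now > last_set + expiration_delay:
        return "expired"
    return None


if __name__ == "__main__":
    # Constructed sample entries, not data from any real directory.
    now = 1_700_000_000
    print(password_change_cause({}, now, True, 0))                               # reset
    print(password_change_cause({"pwdLastSet": "1699000000"}, now, False, 86400))  # expired
```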