
Password policy describes rules for generating and validating passwords. There are two kinds of password policy: the global password policy, used for user passwords, and the account type password policy, used for resource accounts. A simple password policy can be expressed in XML as:

<passwordPolicy oid="00000000-0000-0000-0000-000000000003" version="0" xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-2"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
	<name>Global Password Policy</name>
	<description>Global password policy</description>
	<lifetime>
		<expiration>999</expiration>
		<warnBeforeExpiration>9</warnBeforeExpiration>
		<lockAfterExpiration>0</lockAfterExpiration>
		<minPasswordAge>0</minPasswordAge>
		<passwordHistoryLength>0</passwordHistoryLength>
	</lifetime>
	<stringPolicy>
		<description>Testing string policy</description>
		<limitations>
			<minLength>5</minLength>
			<maxLength>8</maxLength>
			<minUniqueChars>3</minUniqueChars>
			<limit>
				<description>Alphas</description>
				<minOccurs>1</minOccurs>
				<maxOccurs>5</maxOccurs>
				<mustBeFirst>false</mustBeFirst>
				<characterClass>
					<value>abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ</value>
				</characterClass>
			</limit>
			<limit>
				<description>Numbers</description>
				<minOccurs>1</minOccurs>
				<maxOccurs>5</maxOccurs>
				<mustBeFirst>false</mustBeFirst>
				<characterClass>
					<value>1234567890</value>
				</characterClass>
			</limit>
		</limitations>
	</stringPolicy>
</passwordPolicy>

The <lifetime> section describes the password expiration policy. The <stringPolicy> and <limitations> sections describe the rules that a password must satisfy. The minimum and maximum password length and the minimum number of unique characters are specified as in the following example:

<minLength>5</minLength>
<maxLength>8</maxLength>
<minUniqueChars>3</minUniqueChars>

Different limits can be combined to make the password policy more complex. To limit the number of digits (1234567890) in the password to between 1 and 5 occurrences, the limit is specified as in the following example:

<limit>
	<description>Numbers</description>
	<minOccurs>1</minOccurs>
	<maxOccurs>5</maxOccurs>
	<mustBeFirst>false</mustBeFirst>
	<characterClass>
		<value>1234567890</value>
	</characterClass>
</limit>
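As an added worked example, not code from the midPoint project or from this page, the following Python script parses a <stringPolicy> of the shape shown above and reports which limitations a candidate password violates. The element semantics (length bounds, distinct-character minimum, per-class occurrence bounds, mustBeFirst) are assumed from the descriptions on this page; the sample policy embedded in the script is constructed with the same limits as the example above.

```python
# Added example (not midPoint code): parse a midPoint-style <stringPolicy> and
# check a candidate password against it. Semantics assumed from the page:
# minLength/maxLength bound the total length, minUniqueChars bounds the number
# of distinct characters, each <limit> bounds how many characters of its
# <characterClass> occur, and mustBeFirst requires the first character to be
# taken from that class.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-2"}

# Constructed sample policy carrying the same limitations as the page's example.
POLICY_XML = """<passwordPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-2">
  <stringPolicy><limitations>
    <minLength>5</minLength><maxLength>8</maxLength><minUniqueChars>3</minUniqueChars>
    <limit><description>Alphas</description><minOccurs>1</minOccurs><maxOccurs>5</maxOccurs>
      <mustBeFirst>false</mustBeFirst>
      <characterClass><value>abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ</value></characterClass>
    </limit>
    <limit><description>Numbers</description><minOccurs>1</minOccurs><maxOccurs>5</maxOccurs>
      <mustBeFirst>false</mustBeFirst>
      <characterClass><value>1234567890</value></characterClass>
    </limit>
  </limitations></stringPolicy>
</passwordPolicy>"""


@dataclass
class Limit:
    description: str
    chars: frozenset
    min_occurs: int
    max_occurs: Optional[int]
    must_be_first: bool


@dataclass
class Limitations:
    min_length: Optional[int]
    max_length: Optional[int]
    min_unique: Optional[int]
    limits: List[Limit]


def _text(elem, path, default=None):
    # All elements live in the common namespace, so prefix every path segment.
    qpath = "/".join("c:" + seg for seg in path.split("/"))
    child = elem.find(qpath, NS)
    if child is None or child.text is None or not child.text.strip():
        return default
    return child.text.strip()


def _int(elem, path):
    t = _text(elem, path)
    return int(t) if t is not None else None


def parse_policy(xml_text):
    """Read stringPolicy/limitations out of a passwordPolicy document."""
    root = ET.fromstring(xml_text)
    lim = root.find("c:stringPolicy/c:limitations", NS)
    if lim is None:
        raise ValueError("policy has no stringPolicy/limitations")
    limits = []
    for l in lim.findall("c:limit", NS):
        limits.append(Limit(
            description=_text(l, "description", "limit"),
            chars=frozenset(_text(l, "characterClass/value", "")),
            min_occurs=_int(l, "minOccurs") or 0,
            max_occurs=_int(l, "maxOccurs"),
            must_be_first=_text(l, "mustBeFirst", "false").lower() == "true",
        ))
    return Limitations(_int(lim, "minLength"), _int(lim, "maxLength"),
                       _int(lim, "minUniqueChars"), limits)


def validate(password, pol):
    """Return the list of violated rules; an empty list means the password is accepted."""
    errors = []
    n = len(password)
    if pol.min_length is not None and n < pol.min_length:
        errors.append(f"length {n} below minLength {pol.min_length}")
    if pol.max_length is not None and n > pol.max_length:
        errors.append(f"length {n} above maxLength {pol.max_length}")
    if pol.min_unique is not None and len(set(password)) < pol.min_unique:
        errors.append(f"fewer than minUniqueChars {pol.min_unique} distinct characters")
    for lim in pol.limits:
        # Count how many characters of the password fall into this class.
        count = sum(1 for ch in password if ch in lim.chars)
        if count < lim.min_occurs:
            errors.append(f"{lim.description}: {count} occurrences, minOccurs is {lim.min_occurs}")
        if lim.max_occurs is not None and count > lim.max_occurs:
            errors.append(f"{lim.description}: {count} occurrences, maxOccurs is {lim.max_occurs}")
        if lim.must_be_first and (not password or password[0] not in lim.chars):
            errors.append(f"{lim.description}: mustBeFirst, but first character is not in the class")
    return errors


if __name__ == "__main__":
    policy = parse_policy(POLICY_XML)
    for candidate in ["abc12", "abc", "aaaaa1", "abcdef12"]:
        print(candidate, validate(candidate, policy) or "OK")
```

Running the script prints one line per candidate; "abc12" satisfies every limit, "abc" is too short and has no digit, "aaaaa1" has only two distinct characters, and "abcdef12" exceeds the five-letter maximum. A validator like this is also a convenient way to test a policy document before deploying it, since a maxOccurs that is too low or a minLength larger than maxLength can otherwise reject every password.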

The global password policy is referenced from the system configuration, as the following example shows:

<systemConfiguration oid="00000000-0000-0000-0000-000000000001" version="0"
                     xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-2"
                     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-2">
    <name>SystemConfiguration</name>

    <!-- other system configuration properties -->

    <!-- the "c" prefix used in the type attribute must be declared on the root element -->
    <globalPasswordPolicyRef oid="00000000-0000-0000-0000-000000000003" type="c:PasswordPolicyType"/>

    <!-- other system configuration properties -->
</systemConfiguration>

The account type password policy is referenced from the resource, in the schema handling section, as the following example shows.

<c:resource oid="ef2bc95b-76e0-48e2-86d6-3d4f02d3fafe"
            xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-2"
            xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-2">

    <!-- Resource name. It will be displayed in GUI.  -->
    <c:name>Localhost CSVfile</c:name>

    <!-- connector configuration -->

    <!-- schema definition -->
    <schemaHandling>

        <!-- one accountType element per account type; each may reference its own password policy -->
        <accountType>

            <!-- schema handling for different attributes -->

            <credentials>
                <password>

                    <!-- outbound/inbound for password -->

                    <passwordPolicyRef oid="81818181-76e0-59e2-8888-3d4f02d3ffff" type="c:PasswordPolicyType"/>

                </password>
            </credentials>

            ...

        </accountType>
    </schemaHandling>
</c:resource>

Different account types of a resource can have different password policies. If no password policy is specified for an account type, the global password policy is used to validate the password.
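As an added example, not midPoint code, the following Python snippet resolves which policy applies to each account type of a resource: the passwordPolicyRef under credentials/password when one is present, otherwise the globalPasswordPolicyRef from the system configuration. Both documents are constructed for the example and reuse the oids from the snippets above; the xmlns:c declaration on the resource element is an assumption.

```python
# Added example (not midPoint code): pick the effective password policy for
# each <accountType> of a resource. An account type with
# credentials/password/passwordPolicyRef uses that policy; one without it falls
# back to globalPasswordPolicyRef from the system configuration.
import xml.etree.ElementTree as ET

NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-2"}

# Constructed system configuration carrying the page's global policy reference.
SYSCONFIG_XML = """<systemConfiguration oid="00000000-0000-0000-0000-000000000001"
    xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-2"
    xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-2">
  <name>SystemConfiguration</name>
  <globalPasswordPolicyRef oid="00000000-0000-0000-0000-000000000003" type="c:PasswordPolicyType"/>
</systemConfiguration>"""

# Constructed resource with two account types: the first references its own
# policy (the oid from the page's example), the second carries no reference.
RESOURCE_XML = """<c:resource oid="ef2bc95b-76e0-48e2-86d6-3d4f02d3fafe"
    xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-2"
    xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-2">
  <c:name>Localhost CSVfile</c:name>
  <schemaHandling>
    <accountType>
      <credentials><password>
        <passwordPolicyRef oid="81818181-76e0-59e2-8888-3d4f02d3ffff" type="c:PasswordPolicyType"/>
      </password></credentials>
    </accountType>
    <accountType>
      <credentials><password/></credentials>
    </accountType>
  </schemaHandling>
</c:resource>"""


def global_policy_oid(sysconfig_xml):
    """The oid of the global password policy, which every account type falls back to."""
    ref = ET.fromstring(sysconfig_xml).find("c:globalPasswordPolicyRef", NS)
    if ref is None:
        raise ValueError("system configuration has no globalPasswordPolicyRef")
    return ref.get("oid")


def effective_policy_oids(resource_xml, global_oid):
    """One policy oid per <accountType>, in document order; missing refs use the global oid."""
    root = ET.fromstring(resource_xml)
    result = []
    # The c: prefix and the default namespace resolve to the same URI, so
    # prefixed and unprefixed elements are matched by the same prefixed path.
    for acct in root.findall("c:schemaHandling/c:accountType", NS):
        ref = acct.find("c:credentials/c:password/c:passwordPolicyRef", NS)
        result.append(ref.get("oid") if ref is not None else global_oid)
    return result


if __name__ == "__main__":
    print(effective_policy_oids(RESOURCE_XML, global_policy_oid(SYSCONFIG_XML)))
```

For the constructed resource this yields the account-specific oid for the first account type and the global oid for the second, which is the fallback rule described above.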
