Password policy describes the rules for generating and validating passwords. There are two types of password policy: the global password policy, which applies to users' passwords, and the account type password policy, which applies to the accounts on a resource. A simple password policy can be expressed in XML as:

<passwordPolicy oid="00000000-0000-0000-0000-000000000003" version="0" xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-2"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
	<name>Global Password Policy</name>
	<description>Global password policy</description>
	<lifetime>
		<expiration>999</expiration>
		<warnBeforeExpiration>9</warnBeforeExpiration>
		<lockAfterExpiration>0</lockAfterExpiration>
		<minPasswordAge>0</minPasswordAge>
		<passwordHistoryLength>0</passwordHistoryLength>
	</lifetime>
	<stringPolicy>
		<description>Testing string policy</description>
		<limitations>
			<minLength>5</minLength>
			<maxLength>8</maxLength>
			<minUniqueChars>3</minUniqueChars>
			<limit>
				<description>Alphas</description>
				<minOccurs>1</minOccurs>
				<maxOccurs>5</maxOccurs>
				<mustBeFirst>false</mustBeFirst>
				<characterClass>
					<value>abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ</value>
				</characterClass>
			</limit>
			<limit>
				<description>Numbers</description>
				<minOccurs>1</minOccurs>
				<maxOccurs>5</maxOccurs>
				<mustBeFirst>false</mustBeFirst>
				<characterClass>
					<value>1234567890</value>
				</characterClass>
			</limit>
		</limitations>
	</stringPolicy>
</passwordPolicy>

The <lifetime> section describes policies for password expiration. The <stringPolicy> and <limitations> sections describe the rules that the password itself must satisfy. The minimal and maximal length of the password and the minimal number of unique characters in the password are specified as shown in the following example:

<minLength>5</minLength>
<maxLength>8</maxLength>
<minUniqueChars>3</minUniqueChars>

With the above definition, the password p123 would be rejected because it is too short; the password longpassword would be rejected because it is too long; and the password bubub would be rejected because it contains an insufficient number of unique characters.

Individual limits can be added to make the password policy more complex. Each limit applies to one character class; to restrict the digits (1234567890) in the password to at least 1 and at most 5 occurrences, the limit can be specified as in the following example:

<limit>
	<description>Numbers</description>
	<minOccurs>1</minOccurs>
	<maxOccurs>5</maxOccurs>
	<mustBeFirst>false</mustBeFirst>
	<characterClass>
		<value>1234567890</value>
	</characterClass>
</limit>

To make the password policy even more complex, you can further split the character set, e.g. to uppercase letters, lowercase letters, digits and special characters as in the following example:

<limit>
    <description>Lowercase characters</description>
    <minOccurs>1</minOccurs>
    <mustBeFirst>true</mustBeFirst>
    <characterClass>
        <value>abcdefghijklmnopqrstuvwxyz</value>
    </characterClass>
</limit>
<limit>
    <description>Uppercase characters</description>
    <minOccurs>1</minOccurs>
    <mustBeFirst>false</mustBeFirst>
    <characterClass>
        <value>ABCDEFGHIJKLMNOPQRSTUVWXYZ</value>
     </characterClass>
</limit>
<limit>
    <description>Numeric characters</description>
    <minOccurs>1</minOccurs>
    <mustBeFirst>false</mustBeFirst>
    <characterClass>
        <value>1234567890</value>
    </characterClass>
</limit>
<limit>
    <description>Special characters</description>
    <minOccurs>1</minOccurs>
    <mustBeFirst>false</mustBeFirst>
    <characterClass>
        <value> !"#$%&amp;'()*+,-.:;&lt;&gt;?@[]^_`{|}~</value>
    </characterClass>
</limit>

To disallow the use of certain characters, set both the <minOccurs> and <maxOccurs> element values of that character class to 0. In the following example, no special characters are allowed:

<limit>
    <description>Special characters</description>
    <minOccurs>0</minOccurs>
    <maxOccurs>0</maxOccurs>
    <mustBeFirst>false</mustBeFirst>
    <characterClass>
        <value> !"#$%&amp;'()*+,-.:;&lt;&gt;?@[]^_`{|}~</value>
    </characterClass>
</limit>
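The rules above (minLength, maxLength and minUniqueChars, the per-class limit with minOccurs and maxOccurs, mustBeFirst, and the minOccurs/maxOccurs = 0 pattern that forbids a class) can be checked outside midPoint with a small validator. The following Python is an added example, not midPoint's own code: it parses a constructed policy document that combines the snippets from this page (same namespace as the page's example) and reports every rule a candidate password breaks. Two points are assumptions about the semantics rather than statements taken from the page: a limit without <maxOccurs> is treated as having no upper bound, and when several classes set mustBeFirst the first character must belong to at least one of them.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Set

# Namespace used by the common-2 schema in the page's examples.
NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-2"}

# Constructed sample policy: the page's length/unique limits combined with a
# lowercase class that must come first, a bounded digit class and a forbidden
# special-character class (minOccurs = maxOccurs = 0).
POLICY_XML = """<passwordPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-2">
  <name>Example policy</name>
  <stringPolicy>
    <limitations>
      <minLength>5</minLength>
      <maxLength>8</maxLength>
      <minUniqueChars>3</minUniqueChars>
      <limit>
        <description>Lowercase characters</description>
        <minOccurs>1</minOccurs>
        <mustBeFirst>true</mustBeFirst>
        <characterClass><value>abcdefghijklmnopqrstuvwxyz</value></characterClass>
      </limit>
      <limit>
        <description>Numbers</description>
        <minOccurs>1</minOccurs>
        <maxOccurs>5</maxOccurs>
        <mustBeFirst>false</mustBeFirst>
        <characterClass><value>1234567890</value></characterClass>
      </limit>
      <limit>
        <description>Special characters</description>
        <minOccurs>0</minOccurs>
        <maxOccurs>0</maxOccurs>
        <mustBeFirst>false</mustBeFirst>
        <characterClass><value> !"#$%&amp;'()*+,-.:;&lt;&gt;?@[]^_`{|}~</value></characterClass>
      </limit>
    </limitations>
  </stringPolicy>
</passwordPolicy>
"""


@dataclass
class Limit:
    description: str
    chars: Set[str]
    min_occurs: int
    max_occurs: Optional[int]   # None = no upper bound (assumption, see lead-in)
    must_be_first: bool


@dataclass
class StringPolicy:
    min_length: int
    max_length: Optional[int]
    min_unique: int
    limits: List[Limit]


def parse_policy(xml_text: str) -> StringPolicy:
    """Read stringPolicy/limitations from a passwordPolicy document."""
    root = ET.fromstring(xml_text)
    lim = root.find("c:stringPolicy/c:limitations", NS)
    if lim is None:
        raise ValueError("policy has no stringPolicy/limitations section")
    limits = []
    for el in lim.findall("c:limit", NS):
        max_text = el.findtext("c:maxOccurs", namespaces=NS)
        limits.append(Limit(
            description=el.findtext("c:description", default="", namespaces=NS),
            chars=set(el.findtext("c:characterClass/c:value", default="", namespaces=NS)),
            min_occurs=int(el.findtext("c:minOccurs", default="0", namespaces=NS)),
            max_occurs=None if max_text is None else int(max_text),
            must_be_first=el.findtext("c:mustBeFirst", default="false", namespaces=NS).strip().lower() == "true",
        ))
    max_len = lim.findtext("c:maxLength", namespaces=NS)
    return StringPolicy(
        min_length=int(lim.findtext("c:minLength", default="0", namespaces=NS)),
        max_length=None if max_len is None else int(max_len),
        min_unique=int(lim.findtext("c:minUniqueChars", default="0", namespaces=NS)),
        limits=limits,
    )


def validate(policy: StringPolicy, password: str) -> List[str]:
    """Return every rule the password violates; an empty list means it is acceptable."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"too short: {len(password)} < minLength {policy.min_length}")
    if policy.max_length is not None and len(password) > policy.max_length:
        problems.append(f"too long: {len(password)} > maxLength {policy.max_length}")
    unique = len(set(password))
    if unique < policy.min_unique:
        problems.append(f"insufficient unique characters: {unique} < minUniqueChars {policy.min_unique}")
    # Assumption: with several mustBeFirst classes, the first character may come from any of them.
    first_classes = [l for l in policy.limits if l.must_be_first]
    if first_classes and password and not any(password[0] in l.chars for l in first_classes):
        problems.append("first character must come from: " + ", ".join(l.description for l in first_classes))
    for l in policy.limits:
        count = sum(1 for ch in password if ch in l.chars)
        if count < l.min_occurs:
            problems.append(f"{l.description}: {count} < minOccurs {l.min_occurs}")
        if l.max_occurs is not None and count > l.max_occurs:
            problems.append(f"{l.description}: {count} > maxOccurs {l.max_occurs}")
    return problems


POLICY = parse_policy(POLICY_XML)

if __name__ == "__main__":
    for candidate in ("p123", "longpassword", "bubub", "1abc23", "ab12!", "abc123"):
        print(candidate, "->", validate(POLICY, candidate) or "OK")
```

Run as a script, the page's three rejected passwords come back with the reasons the text gives (p123 too short, longpassword too long, bubub with only 2 unique characters), 1abc23 is rejected because the lowercase class is marked mustBeFirst, ab12! is rejected by the forbidden special-character class, and abc123 passes every rule.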

Global password policy is specified in the "System configuration" object as in the following example:

<systemConfiguration oid="00000000-0000-0000-0000-000000000001" version="0"
                     xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-2" >
    <name>SystemConfiguration</name>
    
    <!-- other system configuration properties -->

    <globalPasswordPolicyRef oid="00000000-0000-0000-0000-000000000003" type="c:PasswordPolicyType"/>
    
    <!-- other system configuration properties -->
</systemConfiguration>

The account type password policy is specified in the resource definition, in the schemaHandling section, as in the following example:

<c:resource oid="ef2bc95b-76e0-48e2-86d6-3d4f02d3fafe">

    <!-- Resource name. It will be displayed in GUI. -->
    <c:name>Localhost CSVfile</c:name>

    <!-- connector configuration -->

    <!-- schema definition -->
    <schemaHandling>

        <!-- account type whose password the policy applies to -->
        <accountType>

            <!-- schema handling for different attributes -->
            <credentials>
                <password>

                    <!-- outbound/inbound for password -->

                    <passwordPolicyRef oid="81818181-76e0-59e2-8888-3d4f02d3ffff" type="c:PasswordPolicyType"/>

                </password>
            </credentials>

            ...

        </accountType>
    </schemaHandling>
</c:resource>

Different account types in a resource can have different password policies. If no password policy is defined for an account type, the global password policy is used to validate the account password.