Saturday, October 24, 2015

Checking for the Tivoli Directory Server Effective Password Policy

Tivoli Directory Server (TDS) provides the LDAP directory that a number of other systems rely on. Among the attributes it manages is the user password. For this, TDS has a global password policy entry, cn=pwdpolicy,cn=ibmpolicies, which governs the userPassword attribute.
However, other systems that work with TDS, such as Tivoli Access Manager (TAM), may enforce password policies of their own, and TDS itself can carry additional policies scoped to specific groups or individual users. When several policies apply, administrators and developers must make sure that the resulting effective password policy actually matches their requirements, because overlapping policies combine in ways that are easy to get wrong.
Unfortunately, there is no way to view the combined policy for a TDS group: the server only reports the effective password policy for a single user entry. That per-user view is still the most reliable way to confirm what TDS will actually enforce for a given account, and it can be repeated over the members of a group.
The following shows how to view the effective password policy on a given user.
    1. Log in to the Tivoli Directory Server (TDS) server. The query itself does not require root: idsldapexop is a client utility and only needs the directory administrator's DN and password.
    2. Run the following command (Linux). Note that a password given with -w <adminPW> is visible in process listings and shell history; pass -w ? instead to be prompted for it.
For non-SSL:
idsldapexop -D <adminDN> -w <adminPW> -op effectpwdpolicy -d "<UserEntryDN>"
For SSL (add -P <keystore password> if the key database is password protected):
idsldapexop -D <adminDN> -w <adminPW> -h <hostname> -Z -K <keystore database location> -op effectpwdpolicy -d "<UserEntryDN>"
    3. View the results and confirm the correct policies are in effect.
An example result is the following:
The effective password policy is calculated based on the following entries:
cn=pwdpolicy,cn=ibmpolicies
The effective password policy is:
ibm-pwdPolicyStartTime=20120214180114Z
pwdInHistory=5
pwdCheckSyntax=2
pwdGraceLoginLimit=0
pwdLockoutDuration=0
pwdMaxFailure=10
pwdFailureCountInterval=0
passwordMaxRepeatedChars=0
passwordMaxConsecutiveRepeatedChars=0
Two things are worth reading off this output. First, the list of entries at the top is the audit trail for the overlap problem described above: here only the global cn=pwdpolicy,cn=ibmpolicies contributed, whereas a group or individual policy would appear as an additional entry that overrides the global values it sets. Second, attributes that are not listed are not set in any contributing entry, so the server default applies; in this example pwdLockout, pwdMinLength and pwdMaxAge are absent, so confirm that lockout is actually enabled before relying on pwdMaxFailure=10. Of the values shown, pwdLockoutDuration=0 means a locked account stays locked until an administrator unlocks it, pwdFailureCountInterval=0 means the failure counter is only cleared by a successful bind, and pwdCheckSyntax=2 is the strictest of its three settings (syntax rules are enforced and a password that cannot be checked is rejected).
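Since TDS only answers per user, the practical way to check a group is to run the extended operation for each member and compare every answer against a baseline. The following script is an added example, not code from the original post or from IBM: it builds the idsldapexop command shown above, parses the text output and reports attributes that miss or fall short of an assumed baseline (RULES), including attributes that are absent and therefore at the server default. The baseline values, the sample DNs, the fake runner used for offline demonstration and the constructed copy of the output above are all this example's own assumptions.

```python
"""Audit the effective TDS password policy for a list of user DNs.

Added example (not the post's or IBM's code): wraps the idsldapexop
'effectpwdpolicy' operation, parses its output and checks it against an
assumed baseline.  RULES, the DNs and the fake runner are assumptions.
"""
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: a copy of the output shown in the post, for offline use.
SAMPLE_OUTPUT = """\
The effective password policy is calculated based on the following entries:
cn=pwdpolicy,cn=ibmpolicies
The effective password policy is:
ibm-pwdPolicyStartTime=20120214180114Z
pwdInHistory=5
pwdCheckSyntax=2
pwdGraceLoginLimit=0
pwdLockoutDuration=0
pwdMaxFailure=10
pwdFailureCountInterval=0
passwordMaxRepeatedChars=0
passwordMaxConsecutiveRepeatedChars=0
"""

# Assumed baseline: attribute, acceptance test, requirement text.  An attribute
# absent from the output is a finding: absent means "server default", not the
# value the baseline demands.
RULES = [
    ("pwdInHistory", lambda v: v >= 5, "remember at least 5 previous passwords"),
    ("pwdCheckSyntax", lambda v: v == 2, "enforce syntax checking (2)"),
    ("pwdMaxFailure", lambda v: 0 < v <= 10, "lock out after at most 10 failures (0 = never)"),
    ("pwdMinLength", lambda v: v >= 8, "minimum length 8"),
    ("pwdMaxAge", lambda v: 0 < v <= 90 * 86400, "expire within 90 days (0 = never)"),
]


def parse_effective_policy(text: str) -> Tuple[List[str], Dict[str, str]]:
    """Split idsldapexop output into contributing entry DNs and attribute values."""
    sources: List[str] = []
    attrs: Dict[str, str] = {}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Test the longer header first: both headers begin identically.
        if line.startswith("The effective password policy is calculated"):
            section = "sources"
        elif line.startswith("The effective password policy is:"):
            section = "attrs"
        elif section == "sources":
            sources.append(line)
        elif section == "attrs" and "=" in line:
            name, _, value = line.partition("=")
            attrs[name.strip()] = value.strip()
    return sources, attrs


def check_policy(attrs: Dict[str, str]) -> List[str]:
    """Return one finding per RULES entry that the effective policy fails."""
    findings: List[str] = []
    for attr, accept, requirement in RULES:
        raw = attrs.get(attr)
        if raw is None:
            findings.append(f"{attr}: not set, server default applies; required: {requirement}")
            continue
        try:
            value = int(raw)
        except ValueError:
            findings.append(f"{attr}={raw!r}: non-numeric value")
            continue
        if not accept(value):
            findings.append(f"{attr}={value}: required: {requirement}")
    return findings


def build_command(admin_dn: str, admin_pw: str, user_dn: str,
                  host: Optional[str] = None, keydb: Optional[str] = None) -> List[str]:
    """Assemble the idsldapexop argv from the post; host and keydb select the SSL form.

    The password lands in process listings and shell history; for interactive
    use pass "?" as admin_pw so idsldapexop prompts for it instead.
    """
    cmd = ["idsldapexop", "-D", admin_dn, "-w", admin_pw]
    if host and keydb:
        cmd += ["-h", host, "-Z", "-K", keydb]
    return cmd + ["-op", "effectpwdpolicy", "-d", user_dn]


def run_command(cmd: List[str]) -> str:
    """Default runner: execute the command and return its stdout."""
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def audit_users(user_dns: List[str], admin_dn: str, admin_pw: str,
                runner: Callable[[List[str]], str] = run_command,
                host: Optional[str] = None, keydb: Optional[str] = None) -> Dict[str, dict]:
    """Query each DN (e.g. the members of a group) and collect sources and findings.

    More than one DN under 'sources' means a group or individual policy is
    overriding the global cn=pwdpolicy,cn=ibmpolicies for that user.
    """
    report: Dict[str, dict] = {}
    for dn in user_dns:
        sources, attrs = parse_effective_policy(runner(build_command(admin_dn, admin_pw, dn, host, keydb)))
        report[dn] = {"sources": sources, "findings": check_policy(attrs)}
    return report


if __name__ == "__main__":
    # Offline demonstration against the constructed sample; drop the runner
    # argument to query a live server with the default run_command.
    for dn, result in audit_users(["uid=alice,o=example"], "cn=root", "?",
                                  runner=lambda cmd: SAMPLE_OUTPUT).items():
        print(dn, "policy from:", ", ".join(result["sources"]))
        for finding in result["findings"]:
            print("  -", finding)
```

Run against the sample above, the script reports no problem with the values that are present and two findings for pwdMinLength and pwdMaxAge, which are missing and therefore at the server default; that is the case the per-user check exists to catch. Feed it the member DNs of a group (for example from an idsldapsearch on the group entry) to get the group-level view that TDS does not offer directly.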
