4 Replies Latest reply: Aug 20, 2012 2:57 AM by NGauthier

    Allow Password Policy Violation with simple user

    NGauthier
      Hi,

      I'm trying to allow a service account (simple user) to bypass the default user password policy.
      Is there an option similar to passwordRootdnMayBypassModsChecks, which exists for the Directory Manager account?

      In my case, I'm trying to reset a user password with this service account when the 'passwordMinAge' attribute is not outdated.
      I'm using DS 5.2.

      Thanks in advance,

      ... and sorry for my bad English :)

      Edited by: user1657029 on 16 Aug 2012 14:16
        • 1. Re: Allow Password Policy Violation with simple user
          802907
          The simple way to do this is to make a non-default password policy and assign it to your service account.

          http://docs.oracle.com/cd/E19850-01/816-6698-10/useracct.html#15780
          • 2. Re: Allow Password Policy Violation with simple user
            NGauthier
            Oh sorry, but my message wasn't specific enough.

            The service account (which has its own pwd policy, no expiration, no lock, ...) is used for resetting the passwords of all users in my directory (not its own password). So it must bypass the policy (specific or not) of all those users.

            For example, the global password policy sets the 'pwdMinAge' value to 2 days.
            When the service account attempts to reset the password of 'Mr. X' (before the pwdMinAge delay) I get the "within password minimum age" error.

            Any ideas?

            Thanks for your answer, Chris,

            Edited by: user1657029 on 17 Aug 2012 14:38

            I think it's possible to reset the passwordAllowChangeTime user attribute just before and just after resetting a user password.
            But it's not very satisfying... :/

            Edited by: user1657029 on 17 Aug 2012 14:57
            • 3. Re: Allow Password Policy Violation with simple user
              802907
              Ah ok, I understand now.

              If I recall correctly, in 5.2 the only user that can do an "administrative reset" on the password is Directory Manager. That changed later, though. I'm pretty sure in 6.x or later, any reset of the password by a user other than self is considered administrative. But I'd test that out to make sure.

              Directly manipulating password policy attributes becomes much more difficult after 5.x, so I wouldn't implement any process that does that now. I'd say do your administrative resets as Directory Manager for now, and test out using the admin account in a later version. Maybe it's one more reason to upgrade.
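
An added example, not code from any poster in this thread: a pre-check that a reset tool could run before choosing which identity to bind as, so that it never has to rewrite passwordAllowChangeTime. It assumes the 5.2 behaviour described above and that passwordAllowChangeTime is a GeneralizedTime value (YYYYMMDDHHMMSSZ); the function names, DNs and sample entries are constructed for illustration.

```python
from datetime import datetime, timezone

def parse_generalized_time(value):
    """Parse a GeneralizedTime such as 20120819120000Z into an aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_ldif_attrs(ldif_text):
    """Minimal reader for one LDIF entry ('attr: value' lines, no folding or base64)."""
    attrs = {}
    for line in ldif_text.strip().splitlines():
        if line.startswith("#") or ": " not in line:
            continue
        name, value = line.split(": ", 1)
        attrs.setdefault(name.lower(), []).append(value.strip())
    return attrs

def choose_bind_identity(entry_ldif, now):
    """Return (identity, reason) for a password reset on this entry.

    Assumption taken from the thread: on DS 5.2 a reset by a non-Directory
    Manager account is subject to the target user's minimum-age check.
    """
    values = parse_ldif_attrs(entry_ldif).get("passwordallowchangetime")
    if not values:
        return "service-account", "no passwordAllowChangeTime on entry"
    allowed_at = parse_generalized_time(values[0])
    if now >= allowed_at:
        return "service-account", "minimum age already elapsed"
    # The service account would get "within password minimum age" here.
    return "directory-manager", f"minimum age not elapsed for another {allowed_at - now}"

# Constructed sample data (not from a real directory).
SAMPLE_NOW = datetime(2012, 8, 17, 14, 0, tzinfo=timezone.utc)
SAMPLE_BLOCKED = """
dn: uid=mrx,ou=people,dc=example,dc=com
uid: mrx
passwordAllowChangeTime: 20120819120000Z
"""
SAMPLE_ELAPSED = """
dn: uid=mry,ou=people,dc=example,dc=com
uid: mry
passwordAllowChangeTime: 20120815120000Z
"""
SAMPLE_NO_ATTR = "dn: uid=mrz,ou=people,dc=example,dc=com\nuid: mrz\n"

if __name__ == "__main__":
    for entry in (SAMPLE_BLOCKED, SAMPLE_ELAPSED, SAMPLE_NO_ATTR):
        print(choose_bind_identity(entry, SAMPLE_NOW))
```

The entry would be read with the operational attribute requested explicitly, and the Directory Manager path should be logged separately so each privileged reset stays auditable.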
              • 4. Re: Allow Password Policy Violation with simple user
                NGauthier
                OK, I'll do that.

                Thanks for your advice, Chris