This topic has 3 replies, 2 voices, and was last updated 5 years, 8 months ago by 
-
Posts
-
Hello,
I have gone through the password policy documentation and found this
https://backstage.forgerock.com/docs/opendj/2.6/admin-guide#pwp-replicatedThe Subentry Based Password Policies are inherited by default. My question here is that when we create password policy at organization level (one password policy per organization) the following attributes
idle-lockout-interval
last-login-time-attribute
last-login-time-format
are inherited to the policy we create. I don’t want to modify default password policy but set these attributes in the password policy created for a particular organization. We use rest API to create password policy.Attached is the screenshot of OpenDJ control panel. As seen in the screenshot the Object class for Subentry Based Password Policies is inherited but not overridden. How do I override instead of inheriting
If you are unable to view the image click on https://postimg.org/image/ysyj4ukzh/
Hi,
This is a community forum.
If you are a ForgeRock customer, please raise a ticket in Backstage.forgerock.com.
I think you are confusing the terms inherited and overriden…
To create a Subentry Password Policy, you must create an entry with the appropriate objectClass, i.e. subEntry, pwdPolicy and possibly pwdPolicyValidator if you want to specify alternate password validation.
Any attribute in the subEntry (allowed from the pwdPolicy definition) will override its equivalent in the default password policy. And the remaining aspects of the policy with inherit from the default policy, when applying the policy to a user, not physically in the entry.I hope this clarifies.
Hello Ludo,
Thanks for taking out your time to reply. I have already created a support ticket in Backstage.forgerock.com.
Here is the link:
https://backstage.forgerock.com/support/tickets?id=19786If you can go through the above link, you will know the scenario we are dealing with. As we couldn’t get a feasible solution which fits our case I am trying to find out if there is any possible solution or workaround. We would be glad to hear from you if there’s any way to get this done.
This is a high priority issue and we are unable to move.
For others to summarize:
– Default password policy resides under <cn=config>
– We have a Base DN
– A realm named callidus under Base DN
– All organizations are placed under callidus—–>organizations and password policies for respective organizations under Base DN.
– The Object class within the password policy created for an organization is inherited.
– we need the following attributes defined within organization specific password policy
– idle-lockout-interval : 100 seconds
– last-login-time-format : yyyyMMdd
– previous-last-login-time-format : yyyyMMdd
– last-login-time-attribute : ds-pwp-last-login-time
– If defined under default password policy it applies to all users across all organizations which is undesirable.Thanks,
Sai
You must be logged in to reply to this topic.
