Define CA Directory password policy for a specific organizational unit

Article ID: 194513

Updated On:

Products

CA Directory

Issue/Introduction

In CA Directory, customers can define comprehensive password policies, as described in:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/directory/14-1/administrating/manage-user-accounts-and-passwords/how-to-set-up-a-password-policy.html

As of 14.1/sp4, enhancements have been added to the product, as described in:

Create Multiple Password Policies for Each DSA

to address customers' need to have different password policies applied to different organizational units within a given DSA.

With 14.1/sp3 or older releases, this can only be achieved by splitting a DSA into multiple DSAs.

Environment

Release : 12.x, 14.x

Component : CA Directory

Resolution

For release-specific features, please see the release comparison at the following link:

Release Comparison

As of 14.1/sp4, when multiple password policies are configured within a DSA, the first thing to keep in mind is that the following order of preference is observed:

  • dxPWDPolicy attribute
  • Static groups (in the configured order of precedence, if any)
  • Subtrees (organization unit)
  • Default policy

For how to create a password policy, please see the following link:

Example Password Policies

To find out the particular settings of the defined password policies and how they are applied to the subtrees, you can telnet to the console port and list them using:

get user; 

Please also note that as of 14.1/sp5, the password storage type is global; it cannot be set at the password policy level. You can find the current type from the console port using the following command:

get oper;