Define CA Directory password policy for a specific organizational unit

Article ID: 194513

Products

CA Directory

Issue/Introduction

In CA Directory, customers can define comprehensive password policies, as described in:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/directory/14-1/administrating/manage-user-accounts-and-passwords/how-to-set-up-a-password-policy.html

A password policy can be assigned to a particular user by setting the password policy name in the dxPwdPolicy operational attribute on that user object (of the person object class, or another class derived from person).

Some customers ask whether it is possible to define a password policy for a specific organizational unit, so that the policy applies to all users in the corresponding sub-tree.

Environment

Release : 12.x, 14.x

Component : CA Directory

Resolution

It is not possible to define a password policy for a particular organizational unit.

However, there is a workaround.

It is possible to have a separate DSA that contains only the particular organizational unit.
If the default password policy is enabled in that DSA's configuration, it applies only to users stored in that DSA.
For this to work, all the DSAs must share their knowledge, so that requests for entries in the sub-tree are routed to the DSA that holds them.

Example:

DSA ONE serves the o=CA,c=AU tree.
DSA TWO is created to serve ou=Administrators,ou=Support,o=CA,c=AU, and the default password policy is enabled in its configuration.
DSAs ONE and TWO share their knowledge settings.

Now the user cn=admin,ou=Administrators,ou=Support,o=CA,c=AU must have a password that complies with the default password policy of DSA TWO.
However, that policy does not apply to the user cn=user01,ou=Users,ou=Support,o=CA,c=AU, because that entry is stored in DSA ONE, where no default password policy is enabled.
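The following configuration fragments illustrate the workaround above. They are an added example, not taken from the article or from the CA Directory documentation: the DSA names, host names, ports, file names, passwords and policy values are assumptions, and the parameter names should be checked against the documented password policy settings before use.

```text
# knowledge/one.dxc  (assumed file name) - DSA ONE holds the whole o=CA,c=AU tree
set dsa "one" =
{
    prefix        = <c AU><o CA>
    dsa-name      = <c AU><o CA><cn one>
    dsa-password  = "CHANGE-ME"                            # assumed placeholder
    address       = tcp "dsa-one.example.com" port 19389    # assumed host/port
    auth-levels   = clear-password
    trust-flags   = allow-check-password, trust-dsa-links
    link-flags    = dsp-ldap
};

# knowledge/two.dxc  (assumed file name) - DSA TWO holds ONLY the Administrators sub-tree
set dsa "two" =
{
    prefix        = <c AU><o CA><ou Support><ou Administrators>
    dsa-name      = <c AU><o CA><ou Support><ou Administrators><cn two>
    dsa-password  = "CHANGE-ME"                            # assumed placeholder
    address       = tcp "dsa-two.example.com" port 19390    # assumed host/port
    auth-levels   = clear-password
    trust-flags   = allow-check-password, trust-dsa-links
    link-flags    = dsp-ldap
};

# Both DSAs must load BOTH knowledge files ("share their knowledge"), so that
# DSA ONE can route operations on the Administrators sub-tree to DSA TWO and
# DSA TWO can resolve its superior. For example, in each DSA's .dxi file:
#   source "../knowledge/one.dxc";
#   source "../knowledge/two.dxc";

# settings for DSA TWO only (assumed file: config/settings/two.dxc)
# The default password policy is enabled here and therefore applies only to
# entries stored in DSA TWO, i.e. the Administrators sub-tree.
set password-policy     = true;
set password-min-length = 12;   # assumed value
set password-alpha      = 1;    # assumed value
set password-numeric    = 1;    # assumed value
set password-max-age    = 90;   # assumed value (days)
set password-history    = 10;   # assumed value
set password-retries    = 5;    # assumed value

# settings for DSA ONE: no "set password-policy = true;" line, so users stored
# there (e.g. cn=user01,ou=Users,ou=Support,o=CA,c=AU) are not subject to it.
```

After loading the configuration, verify the split by binding as each example user and attempting a password change that violates the policy: the change should be rejected only for the entry held by DSA TWO.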