Description

Sometimes you may want to query the dxPwdLoginTime (Last login time for a particular user) operational attribute. At the same time you may not want to enforce any default password-policy rules e.g. (number of retries, password minimum length, etc). The following procedure explains how you can achieve this.

Solution

Scenario:

• You do not have password-policy enabled on your DSA.
• You want to query the last login time (dxPwdLoginTime) of a particular user.
• But not enforce any password-policy rules.

Scenario Solution:

You can add the following settings in your DSA's settings file.

set password-policy = true;
set password-last-use = 1000000;
set password-min-length = 0;
set password-retries = 0;

Following is the explanation of the above settings:

1. set password-policy = true;
• Enables password policy on the DSA
2. set password-last-use = 1000000; 
• An account requires a successful bind/password compare in 'password-last-use' number of days. If this does not occur the account will become suspended.
• To avoid the account to become suspended we set this value to a very high number. (Approximately 2739 years before account is suspended).
• This is needed for the DSA to store the value for the "dxPwdLoginTime" operational attribute.
3. set password-min-length = 0;
• A new password must be at least 'password-min-length' characters long.
• The default value is "6" therefore we need to set it to "0" so that this check is disabled.
4. set password-retries = 0;
• If the number of user binds and password compares with an invalid password equals the 'password-retries', then the account will become suspended.
• The default value is "3" therefore we need to set it to "0" so that this check is disabled.