IBM Security Verify


Enhanced password management in ISAM

  • 1.  Enhanced password management in ISAM

    Posted Wed July 28, 2021 10:12 AM
    I have done everything I am aware of that is required for enabling this feature, which is:

    1. Updating ivmgrd.conf, specifically these options in the LDAP stanza:
    enhanced-pwd-policy = yes
    auth-using-compare = no

    2. Updated ldap.conf, specifically these options in the ldap-generic-general stanza:
    auth-using-compare-supported = no

    This did not seem necessary, but I did it anyway

    3. Updated the ACL under the DIT where my users are stored ou=users, dc=<company> as instructed in a guide I came across


    It looked like this was everything, however I noticed a few things:
    1. Parameters updated in the global password policy in ISDS, which had their equivalent in ISAM, did not have the values updated in ISAM to match ISDS. Things like max failed logins or min alpha characters or max repeated characters

    2. If I locked an account in ISDS directly there was no sign of the account being locked in ISAM, although ISAM did throw an error message saying too many failed logins, and when I unlocked the account in ISDS then login via ISAM worked again. So, the LDAP state is being read; it is just not indicating, when I do a user show <username>, whether or not an account is locked in ISDS, because it shows account and password as being valid.

    So, my questions

    1. Are the experiences described above correct and expected?

    2. Does ISAM even pay attention to max alpha characters, max repeated characters when updating passwords?

    3. Why does ISAM need the permissions update? Are there modifications to an account in LDAP that are performed via ISAM besides changing password when this enhanced password management feature is enabled?

    I find it confusing that ISAM will utilize ISDS password policy options but does not show them via its own user management tools! If I was help desk staff for example I literally couldn't trust account values like account valid and password valid when this "enhanced password management" was enabled. It looks like the info via pdadmin is only partially trustworthy, that I have to look at that info directly in LDAP and decipher the actual state.

    I'm struggling to see the point of this feature! My feeling is it should delegate everything password policy state related or nothing, not this mish-mash .. unless of course my configuration is incomplete and I missed something about it :(

    Dennis English
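    Deciphering the directory-side state that pdadmin's user show does not surface, as an added example (not code from the post, from IBM or from any ISAM/ISDS tool): a small Python helper that decodes the standard password-policy operational attributes (pwdAccountLockedTime, pwdFailureTime, pwdChangedTime) from an ldapsearch LDIF export. The sample entry and the policy values passed in (pwdMaxAge and pwdLockoutDuration in seconds, as they appear in the policy entry) are constructed; the helper assumes the server follows the draft-behera password-policy attribute semantics.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: what "ldapsearch ... uid=dennis +" (operational attrs) might return.
SAMPLE_LDIF = """\
dn: uid=dennis,ou=users,dc=example,dc=com
uid: dennis
pwdChangedTime: 20210101090000Z
pwdFailureTime: 20210728100500Z
pwdFailureTime: 20210728100630Z
pwdFailureTime: 20210728100702Z
pwdAccountLockedTime: 20210728100702Z
"""


def parse_ldif(text):
    """Minimal LDIF parser: attribute -> list of values (no base64, no continuation lines)."""
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(": ")
        attrs.setdefault(name, []).append(value)
    return attrs


def gen_time(value):
    """Parse an LDAP GeneralizedTime such as 20210728100702Z (second precision, UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_state(attrs, now, pwd_max_age, pwd_lockout_duration):
    """Effective lock/expiry state from the policy attributes (seconds; 0 = disabled/permanent)."""
    state = {"locked": False, "expired": False,
             "failures": len(attrs.get("pwdFailureTime", []))}
    locked_at = attrs.get("pwdAccountLockedTime")
    if locked_at:
        # pwdLockoutDuration 0 means locked until an administrator resets the account
        t = gen_time(locked_at[0])
        state["locked"] = (pwd_lockout_duration == 0
                           or now < t + timedelta(seconds=pwd_lockout_duration))
    changed = attrs.get("pwdChangedTime")
    if changed and pwd_max_age > 0:
        state["expired"] = now >= gen_time(changed[0]) + timedelta(seconds=pwd_max_age)
    return state


if __name__ == "__main__":
    now = datetime(2021, 7, 28, 10, 12, tzinfo=timezone.utc)
    print(password_state(parse_ldif(SAMPLE_LDIF), now, 90 * 86400, 1800))
```

    Feed it the real export of the user entry (request the operational attributes explicitly with "+") and the pwdMaxAge / pwdLockoutDuration values from your global policy entry to see the state ISDS is actually enforcing.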

  • 2.  RE: Enhanced password management in ISAM

    Posted Thu July 29, 2021 06:25 AM
    Hi Dennis,

    1. Yes, I think what you are seeing is expected behaviour.

    2. I would expect all of the password policies set in ISAM to be enforced when a password is updated.  If they are not, that sounds like something for a support case.

    3. I think that LDAP permission update (aclEntry:access-id:cn=this:at.userPassword:rwsc) allows a user to update their own password.  This is required because it's a user changing their own password (vs it being "reset" by an admin) that causes the LDAP password policies to be enforced.

    If you are relying on the directory to enforce password policies it would probably be best to unset the equivalent password policy settings in ISAM - otherwise you have 2 policies being enforced for the same thing which can be confusing (as you say).  Might even be best to unset all password policy in ISAM and have everything enforced at the LDAP level.

    I can see how it would be desirable for ISAM to be able to expose LDAP password policy in its management pages - and allow control of it from there - but that isn't how it works today.  The password policy must be managed directly using the LDAP tools. 


    Jon Harry
    Consulting IT Security Specialist

  • 3.  RE: Enhanced password management in ISAM

    Posted Thu July 29, 2021 07:05 AM
    Sorry, when I asked "Does ISAM even pay attention to max alpha characters, max repeated characters when updating passwords?" I was referring to those password policy settings in the LDAP server rather than ISAM. So, for example, if those policies were set in LDAP and not set in ISAM, would they be enforced?

    I'm guessing they would be based on your indication that enhanced password policy involves the user themselves updating their own password directly with LDAP. Does that mean the flow is like this? I'm assuming in the flow that a user has provided a password compliant with both ISAM and LDAP policy

    User chooses new password -> validated against ISAM password policy -> validated against LDAP policy -> Password updated

    Is it a case of looking at LDAP trace logging to determine why LDAP has rejected a password? If so, what is the least verbose level I can get away with using to troubleshoot password policy? I tend to whack it to the highest level and then get grumpy how much detail there is to go through, I don't need to do it often so not familiar with the different levels of verbosity  :-(

    Dennis English