20111129 ds5 password compatibility - plembo/onemoretech GitHub Wiki

title: DS5 password compatibility
link: https://onemoretech.wordpress.com/2011/11/29/ds5-password-compatibility/
author: lembobro
description:
post_id: 1776
created: 2011/11/29 16:42:07
created_gmt: 2011/11/29 20:42:07
comment_status: closed
post_name: ds5-password-compatibility
status: publish
post_type: post

DS5 password compatibility

DS5-compatibility-mode is set by default in all DSEE 6+ (releases after DS 5.2) directory servers to ensure interoperability with earlier directory server versions. This can, and probably should, be changed in a purely DSEE 6+ environment.

First, a bit of background. Like all things, Sun's development of the LDAP password policy system it inherited from Netscape/iPlanet changed over time. At a certain point (with the release of DSEE 6) it was decided to implement new attributes to enable new features (and to refactor the implementation of old features). For example, "passwordMaxAge" became "pwdMaxAge" and string values like "on" got morphed into the Boolean "TRUE". A new "pwdGraceLoginLimit" became available, and simple syntax checking ("passwordCheckSyntax") became a more complex password "quality" evaluation (via "pwdCheckQuality").

To make the transition as painless as possible, Sun came up with several compatibility modes for password policies. In the latest DSEE versions these are:

* DS5-compatibility-mode (the default)
* DS6-migration-mode
* DS6-mode

The first, as noted, is the default. When this mode is set, password policies include both old and new policy attributes. This can be a pain to work with because value changes need to be made in parallel.

The second is for situations where you've migrated from a formerly DS5 server to a DS6 (DSEE 6+) server. When this mode is set, the old attributes and values are stripped out of policy and user entries.

The third is for a purely DS6 (DSEE 6+) environment once migration is complete and all the old attributes and values have been removed.

There are, as usual, two ways to manipulate these modes. One is by shutting down the directory server instance and changing the corresponding attributes and values in dse.ldif; the other is by using the dsconf utility on a running directory server. I'll illustrate using the latter, because it's easy enough to translate from that to the other method.

To find the current mode:

dsconf get-server-prop pwd-compat-mode

To change from DS5-compatibility to DS6-migration mode:

dsconf pwd-compat to-DS6-migration-mode

To change from DS6-migration to DS6-mode:

dsconf pwd-compat to-DS6-mode
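The three dsconf commands above form a one-way procedure (DS5-compatibility to DS6-migration to DS6). The following script is an added example, not part of the original post or of DSEE itself: it parses the value printed by `dsconf get-server-prop pwd-compat-mode`, flags a server still sitting in the default DS5-compatibility-mode, and names the single dsconf step that moves it forward. It assumes the property is printed as `pwd-compat-mode : <value>` (the parser only relies on the value being the last colon-separated field), and it runs against a constructed sample line so it works without a directory server present.

```shell
#!/bin/sh
# Added example (not from the original post or from DSEE): audit the
# password-policy compatibility mode reported by dsconf and work out the
# next forward step, if any. The output format assumed here is
#   pwd-compat-mode  :  DS5-compatibility-mode
# (an assumption; only the last colon-separated field is used).

# Constructed sample of `dsconf get-server-prop pwd-compat-mode` output.
SAMPLE_DS5='pwd-compat-mode  :  DS5-compatibility-mode'

# parse_mode: extract the mode value from a dsconf get-server-prop line.
parse_mode() {
    printf '%s\n' "$1" | awk -F':' 'NF >= 2 { gsub(/[ \t]/, "", $NF); print $NF; exit }'
}

# next_step: print the dsconf pwd-compat subcommand that moves one step
# forward (DS5 -> DS6-migration -> DS6). Prints nothing once in DS6-mode
# and fails on an unknown value, so a typo is not silently treated as "done".
# There is deliberately no backward step.
next_step() {
    case "$1" in
        DS5-compatibility-mode) echo "to-DS6-migration-mode" ;;
        DS6-migration-mode)     echo "to-DS6-mode" ;;
        DS6-mode)               echo "" ;;
        *) echo "unknown pwd-compat-mode: $1" >&2; return 1 ;;
    esac
}

# audit: given the raw dsconf output line, report whether the server is
# still in the default DS5 compatibility mode and which command advances it.
audit() {
    mode=$(parse_mode "$1") || return 1
    step=$(next_step "$mode") || return 1
    if [ "$mode" = "DS5-compatibility-mode" ]; then
        echo "WARN: still in default DS5-compatibility-mode (old and new attributes kept in parallel)"
    fi
    if [ -n "$step" ]; then
        echo "next: dsconf pwd-compat $step"
    else
        echo "ok: already in DS6-mode"
    fi
}

# Run against the constructed sample, and against the live server only when
# dsconf is installed (that call is the only thing here that touches a server).
audit "$SAMPLE_DS5"
if command -v dsconf >/dev/null 2>&1; then
    audit "$(dsconf get-server-prop pwd-compat-mode)"
fi
```

Running it on a fleet of instances (one `dsconf` call per host) gives a quick picture of which servers are still carrying the parallel old/new attribute sets, and the forward-only `next_step` keeps the "never go back to DS5 mode" rule in the tooling rather than in someone's memory.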

And to change back to DS5 mode: Don't even go there. "Never retreat, never surrender!"

References: Password Policy Compatibility, DSEE 11g Administration Guide.

Copyright 2004-2019 Phil Lembo