# Lightwave Directory Password Policy

From the vmware-archive/lightwave GitHub Wiki.

## Default Password Policy
- Every tenant (domain) in the Lightwave Directory includes a password policy object.
- The password policy object is located at the distinguished name "CN=password and lockout policy" relative to the tenant domain object.
- The password policy object comprises the following attributes.
| Password Strength Attribute | Default Value | Applicable to | Notes |
|---|---|---|---|
| vmwPasswordMinLength | 5 | Users, Administrators | Minimum length of password |
| vmwPasswordMaxLength | 20 | Users, Administrators | Maximum length of password |
| vmwPasswordMinAlphabeticCount | 2 | Users, Administrators | Minimum number of alphabetic characters |
| vmwPasswordMinUpperCaseCount | 1 | Users, Administrators | Minimum number of upper case characters |
| vmwPasswordMinLowerCaseCount | 1 | Users, Administrators | Minimum number of lower case characters |
| vmwPasswordMinNumericCount | 1 | Users, Administrators | Minimum number of numeric characters |
| vmwPasswordMinSpecialCharCount | 1 | Users, Administrators | Minimum number of special characters (see the special character set below) |
| vmwPasswordMaxIdenticalAdjacentChars | 3 | Users, Administrators | Maximum number of identical adjacent characters |
| vmwPasswordProhibitedPreviousCount | 5 | Users, Administrators | Number of entries in the password history (previous passwords that cannot be reused) |
### Password special character set

| # | Character |
|---|---|
| 1 | '~' |
| 2 | '!' |
| 3 | '@' |
| 4 | '#' |
| 5 | '$' |
| 6 | '%' |
| 7 | '^' |
| 8 | '&' |
| 9 | '*' |
| 10 | '_' |
| 11 | '-' |
| 12 | '+' |
| 13 | '=' |
| 14 | '`' |
| 15 | '\|' |
| 16 | '\' |
| 17 | '(' |
| 18 | ')' |
| 19 | '{' |
| 20 | '}' |
| 21 | '[' |
| 22 | ']' |
| 23 | ':' |
| 24 | ';' |
| 25 | '"' |
| 26 | ''' |
| 27 | '<' |
| 28 | '>' |
| 29 | ',' |
| 30 | '.' |
| 31 | '?' |
| 32 | '/' |
## Default Account Lockout Policy

| Lockout policy attribute | Default value | Applicable to | Notes |
|---|---|---|---|
| vmwPasswordLifetimeDays | 90 | User | Value of 0 implies password never expires |
| vmwPasswordChangeMaxFailedAttempts | 5 | User | Number of failed login attempts within vmwPasswordChangeFailedAttemptIntervalSec that will cause an account lockout |
| vmwPasswordChangeFailedAttemptIntervalSec | 180 | User | Interval in seconds between consecutive failed login attempts |
| vmwPasswordChangeAutoUnlockIntervalSec | 300 | User | Time in seconds to wait for the account to unlock itself after getting locked out |
## How to query the password policy stored in the Lightwave Directory

Password policy objects can be searched for in the Lightwave Directory (on a Lightwave Domain Controller) as follows:

```
$> ldapsearch -h localhost -p 389 -x -D "cn=Administrator,cn=Users,dc=photon,dc=local" -W -b "" -s subtree "objectclass=vmwPasswordPolicy"
dn: cn=password and lockout policy,dc=photon,dc=local
vmwPasswordProhibitedPreviousCount: 5
vmwPasswordLifetimeDays: 90
vmwPasswordMaxLength: 20
vmwPasswordMinLength: 5
vmwPasswordMinAlphabeticCount: 2
vmwPasswordMinUpperCaseCount: 1
vmwPasswordMinLowerCaseCount: 1
vmwPasswordMinNumericCount: 1
vmwPasswordMinSpecialCharCount: 1
vmwPasswordMaxIdenticalAdjacentChars: 3
vmwPasswordChangeMaxFailedAttempts: 5
vmwPasswordChangeFailedAttemptIntervalSec: 180
vmwPasswordChangeAutoUnlockIntervalSec: 300
```
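As an added example (not code from the Lightwave project), the following Python parses the strength attributes out of ldapsearch output like the above and reports which attributes a candidate password would violate, using the special character set from the table. Reading vmwPasswordMaxIdenticalAdjacentChars as the longest permitted run of one repeated character, and counting character classes over ASCII only, are assumptions.

```python
import re
import string

# Special character set from the table above (the 32 ASCII punctuation characters).
SPECIAL_CHARS = frozenset("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")

# Constructed sample input: the strength attributes from the ldapsearch output on this page.
SAMPLE_LDIF = """\
dn: cn=password and lockout policy,dc=photon,dc=local
vmwPasswordMaxLength: 20
vmwPasswordMinLength: 5
vmwPasswordMinAlphabeticCount: 2
vmwPasswordMinUpperCaseCount: 1
vmwPasswordMinLowerCaseCount: 1
vmwPasswordMinNumericCount: 1
vmwPasswordMinSpecialCharCount: 1
vmwPasswordMaxIdenticalAdjacentChars: 3
"""

def parse_policy(ldif):
    """Collect the integer-valued vmwPassword* attributes from ldapsearch output."""
    pairs = re.findall(r"^(vmwPassword\w+):\s*(\d+)$", ldif, flags=re.M)
    return {name: int(value) for name, value in pairs}

def longest_identical_run(pw):
    """Length of the longest run of identical adjacent characters."""
    longest = run = 1 if pw else 0
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        longest = max(longest, run)
    return longest

def check_password(pw, policy):
    """Return the strength attributes a password violates ([] means accepted).
    Assumption: MaxIdenticalAdjacentChars is the longest allowed run of one character."""
    counts = {
        "vmwPasswordMinLength": len(pw),
        "vmwPasswordMinAlphabeticCount": sum(c in string.ascii_letters for c in pw),
        "vmwPasswordMinUpperCaseCount": sum(c in string.ascii_uppercase for c in pw),
        "vmwPasswordMinLowerCaseCount": sum(c in string.ascii_lowercase for c in pw),
        "vmwPasswordMinNumericCount": sum(c in string.digits for c in pw),
        "vmwPasswordMinSpecialCharCount": sum(c in SPECIAL_CHARS for c in pw),
    }
    failed = [name for name, n in counts.items() if n < policy[name]]
    if len(pw) > policy["vmwPasswordMaxLength"]:
        failed.append("vmwPasswordMaxLength")
    if longest_identical_run(pw) > policy["vmwPasswordMaxIdenticalAdjacentChars"]:
        failed.append("vmwPasswordMaxIdenticalAdjacentChars")
    return failed
```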