1.3 Supported Password Policy Syntax

Identity Manager supports three password policy syntax options for creating and administering password policies in iManager:

  • Use Microsoft complexity policy

  • Use Microsoft Server 2008 Password Policy

  • Use NetIQ syntax

NOTE: iManager allows you to create a policy using the Microsoft Server 2008 Password Policy type regardless of the version of NMAS installed on your server, but NMAS 3.3.4 or later is required for this option to work. With an earlier version of NMAS, the policy can still be created but does not function properly, so verify the NMAS version before assigning such a policy to users.

The following sections describe the default requirements for each password policy option.

For more information about password policy syntax and configuring password policies in iManager, see “Managing Passwords by Using Password Policies” in the NetIQ Password Management 3.3 Administration Guide.

Use Microsoft complexity policy

This setting allows you to use the Microsoft Complexity Policy requirements. If you select this option for a policy, all users to whom the policy is assigned must create passwords that meet the criteria of the Microsoft Complexity Policy as implemented in Universal Password. The criteria include:

  • Minimum password length is 6 characters.

  • Maximum password length is 128 characters.

  • The password must contain at least one character from three of the following four character types (uppercase, lowercase, numeric, and special):

    • Uppercase characters - all uppercase characters in the Basic Latin and the Latin-1 character sets.

    • Lowercase characters - all lowercase characters in the Basic Latin and the Latin-1 character sets.

    • Numeric characters - 0, 1, 2, 3, 4, 5, 6, 7, 8, and 9.

    • Special characters - all other characters, including letters outside the Basic Latin and Latin-1 character sets.

  • The values of the following user attributes cannot be contained in the password: CN, Given Name, Surname, Full Name, and displayName.

Use Microsoft Server 2008 Password Policy

This setting allows you to use the Microsoft Windows Server 2008 password policy complexity requirements. If you select this option for a policy, all users to whom the policy is assigned must create passwords that meet the criteria of the Microsoft Windows Server 2008 Complexity Policy as implemented in Universal Password. The criteria include:

  • Minimum password length is 6 characters, by default.

  • Maximum password length is 512 characters.

  • The password must contain at least one character from three of the following five character types (uppercase, lowercase, numeric, non-alphanumeric, and other):

    • Uppercase characters - all uppercase European-language characters, with diacritical marks, as well as Greek and Cyrillic characters.

    • Lowercase characters - all lowercase European-language characters, with diacritical marks, as well as Greek and Cyrillic characters.

    • Numeric characters - 0, 1, 2, 3, 4, 5, 6, 7, 8, and 9.

    • Non-alphanumeric characters - any of the following special characters: ( ) ` ~ ! @ # $ % ^ & * - + = | \ { } [ ] : ; " ' < > , . ? / _.

    • Other characters - any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.

  • The password cannot contain the full value of the CN user attribute for the eDirectory account. NMAS does not perform this check if the length of the attribute is less than three characters.

  • The password cannot contain any word from the list of excluded passwords. NMAS does not perform this check if the length of the excluded password is less than three characters.

  • The password cannot contain the full value of the Full Name attribute for the account if that value contains at least three characters and is a single word, nor any part of the value, where a part is three or more consecutive characters delimited on both ends by any of the following: commas, periods, dashes or hyphens, underscores, spaces, pound signs, or tabs.

  • The maximum number of complexity policy violations allowed in a password is 2 by default. You can configure the number of complexity violations allowed using the Maximum number of complexity policy violations in password (0-5) option.
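The following Python is an added example, not NMAS or Universal Password code, that implements the Microsoft complexity policy and the Microsoft Server 2008 Password Policy rules exactly as the two lists above state them, so the differences between the two syntaxes can be checked against real input. Function names, the `SAMPLE_ATTRS` account data and the excluded-password list are constructed for illustration. Several details the documentation leaves open are assumptions, marked as such in the code: containment checks are case-insensitive (as Windows performs them), the character classes are mapped onto Unicode general categories, each of the five classes a password lacks counts as one "complexity policy violation" (so the default of 2 yields the three-of-five rule), and the start and end of the Full Name value bound a part in the same way as the listed delimiters.

```python
"""Illustrative checker for the two Microsoft-style policy syntaxes described above.
Added example code, not NMAS or Universal Password code: it implements the rules as
the documentation lists them; open details are marked as assumptions in comments."""
import re
import unicodedata

LATIN1_MAX = 0xFF  # Basic Latin (U+0000-U+007F) plus Latin-1 Supplement (U+0080-U+00FF)
# Non-alphanumeric characters listed for the Server 2008 policy.
MS2008_NON_ALNUM = set("()`~!@#$%^&*-+=|\\{}[]:;\"'<>,.?/_")
# Delimiters that split the Full Name attribute into parts (Server 2008 policy).
FULLNAME_SPLIT = re.compile(r"[,.\-_ #\t]+")
# Attributes whose values may not appear in the password (Microsoft complexity policy).
MS_COMPLEXITY_ATTRS = ("CN", "Given Name", "Surname", "Full Name", "displayName")
# Constructed sample account for the checks below (not real data).
SAMPLE_ATTRS = {"CN": "jsmith", "Given Name": "John", "Surname": "Smith",
                "Full Name": "John Smith", "displayName": "John Smith"}


def _contains(password, value):
    # Assumption: containment checks are case-insensitive, as Windows performs them.
    return value.lower() in password.lower()


def ms_complexity_check(password, user_attrs):
    """Violations under 'Use Microsoft complexity policy'; an empty list means acceptable.
    user_attrs maps the names in MS_COMPLEXITY_ATTRS to the account's values."""
    failures = []
    if len(password) < 6:
        failures.append("shorter than 6 characters")
    if len(password) > 128:
        failures.append("longer than 128 characters")
    classes = set()
    for ch in password:
        cat = unicodedata.category(ch)
        if cat == "Lu" and ord(ch) <= LATIN1_MAX:
            classes.add("upper")
        elif cat == "Ll" and ord(ch) <= LATIN1_MAX:
            classes.add("lower")
        elif "0" <= ch <= "9":
            classes.add("numeric")
        else:
            # "All other characters": punctuation, symbols, spaces, and every letter
            # outside Latin-1 (Greek, Cyrillic, CJK, ...) all count as special.
            classes.add("special")
    if len(classes) < 3:
        failures.append("only %d of 4 character classes present" % len(classes))
    for name in MS_COMPLEXITY_ATTRS:
        value = user_attrs.get(name)
        if value and _contains(password, value):
            failures.append("contains %s value" % name)
    return failures


def ms2008_check(password, cn, full_name, excluded, max_violations=2, min_length=6):
    """Violations under 'Use Microsoft Server 2008 Password Policy'; empty list means acceptable.
    max_violations mirrors 'Maximum number of complexity policy violations in password
    (0-5)'. Assumption: each of the five classes the password lacks is one violation,
    so the default of 2 requires three of the five classes, matching the text."""
    failures = []
    if len(password) < min_length:
        failures.append("shorter than %d characters" % min_length)
    if len(password) > 512:
        failures.append("longer than 512 characters")
    classes = set()
    for ch in password:
        cat = unicodedata.category(ch)  # assumption: classes map to Unicode general categories
        if cat == "Lu":
            classes.add("upper")        # Latin with diacritics, Greek, Cyrillic, ...
        elif cat == "Ll":
            classes.add("lower")
        elif "0" <= ch <= "9":
            classes.add("numeric")
        elif ch in MS2008_NON_ALNUM:
            classes.add("non-alnum")
        elif cat.startswith("L"):
            classes.add("other")        # Lo/Lt/Lm: alphabetic, neither upper nor lower (e.g. CJK)
        # Anything else (a space, a symbol not in the list such as '€') matches no class.
    required = 5 - max_violations
    if len(classes) < required:
        failures.append("only %d of 5 character classes present, %d required"
                        % (len(classes), required))
    if cn and len(cn) >= 3 and _contains(password, cn):
        failures.append("contains CN value")
    for word in excluded:
        if len(word) >= 3 and _contains(password, word):
            failures.append("contains excluded password %r" % word)
    if full_name and len(full_name) >= 3:
        # Parts are runs of 3+ characters between delimiters; assumption: the start and end
        # of the value also bound a part. A single-word Full Name yields one part equal to
        # the whole value, which covers the "full value" case in the same loop.
        for part in FULLNAME_SPLIT.split(full_name):
            if len(part) >= 3 and _contains(password, part):
                failures.append("contains part of Full Name %r" % part)
    return failures
```

Both functions return every rule that fails rather than stopping at the first, which is what you want when comparing the two syntaxes side by side. Running them on the same input shows that the class definitions are not interchangeable: under the Microsoft complexity policy a euro sign or a Greek capital letter counts as a special character and can supply the third class, whereas under the Server 2008 rules the euro sign matches no class at all and the Greek capital is simply another uppercase letter, so a password such as `euros€1234` or `ΩMEGA2024` passes the first syntax and fails the second. Likewise the Server 2008 CN, excluded-password and Full Name checks are skipped for values shorter than three characters, so a two-letter CN never blocks a password even when it appears in it.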

Use NetIQ syntax

This setting allows you to use the NetIQ syntax for the password policy, and is selected by default. Standard settings for policies using NetIQ syntax include:

  • Minimum password length is 4 characters, by default. You can configure the minimum password length in your environment using the Minimum number of characters in password (1-512) option.

  • Maximum password length is 12 characters, by default. You can configure the maximum password length in your environment using the Maximum number of characters in password (1-512) option.