Use-case 1 - Login

If configured, Airlock IAM checks the user's current password against the password policy set in the AD on each login. To retrieve the current policy, Airlock IAM binds to the AD with a service user and requests the policy using the user's DN. The service user can be configured in Airlock IAM. If the password no longer meets the requirements, e.g. because it has expired, the user is redirected to a password change page and forced to set a new password. Password changes correspond to the use case described below. The new password is only accepted if it meets all requirements of the password policy. After a password has been successfully set, the user is authorized and logged in to the application.

This diagram shows the simplified workflow between a user, Airlock IAM, and the AD:

Login
The following password policy attributes are checked on login against the current password:

  • msDS-MinimumPasswordLength
  • msDS-PasswordComplexityEnabled
  • msDS-MaximumPasswordAge

Attributes are described in detail in this table.
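
The following is an added example, not Airlock IAM's own code: a sketch of how the three attributes above can be evaluated against a current password once the policy has been read from the AD. The function names, the sample policy values and the use of the AD attribute pwdLastSet as the time the password was last set are assumptions, and the complexity rule is simplified.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = -(2**63)  # AD sentinel for "password never expires"

def to_filetime(dt):
    """datetime -> 100-ns ticks since 1601-01-01 UTC (format of pwdLastSet)."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def from_filetime(ticks):
    """100-ns ticks since 1601-01-01 UTC -> timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def violated_attributes(password, policy, pwd_last_set, now):
    """Return the policy attributes the current password no longer satisfies."""
    violated = []
    if len(password) < int(policy["msDS-MinimumPasswordLength"]):
        violated.append("msDS-MinimumPasswordLength")
    if policy["msDS-PasswordComplexityEnabled"].upper() == "TRUE":
        # Simplification: 3 of 4 character classes; AD applies further rules
        classes = [any(c.isupper() for c in password),
                   any(c.islower() for c in password),
                   any(c.isdigit() for c in password),
                   any(not c.isalnum() for c in password)]
        if sum(classes) < 3:
            violated.append("msDS-PasswordComplexityEnabled")
    # msDS-MaximumPasswordAge is a negative interval in 100-ns ticks
    max_age = int(policy["msDS-MaximumPasswordAge"])
    if pwd_last_set == 0:  # 0 = user must change password at next logon
        violated.append("msDS-MaximumPasswordAge")
    elif max_age != NEVER_EXPIRES:
        age = now - from_filetime(pwd_last_set)
        if age > timedelta(microseconds=abs(max_age) // 10):
            violated.append("msDS-MaximumPasswordAge")
    return violated

# Constructed sample values, as strings the way LDAP returns them
SAMPLE_POLICY = {
    "msDS-MinimumPasswordLength": "12",
    "msDS-PasswordComplexityEnabled": "TRUE",
    "msDS-MaximumPasswordAge": "-77760000000000",  # 90 days
}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    stale = to_filetime(NOW - timedelta(days=120))
    print(violated_attributes("short", SAMPLE_POLICY, stale, NOW))
```

A non-empty result corresponds to the case in which the user is redirected to the password change page.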