HP-UX Directory Server 8.1 administrator guide

7 Managing user authentication
When a user connects to the HP-UX Directory Server, the user is first authenticated (the bind
operation). The directory then grants access rights and applies resource limits according to the
identity established by that bind.
This chapter describes tasks for managing users, including configuring the password and account
lockout policy for the directory, denying groups of users access to the directory, and limiting
system resources available to users depending upon their bind DNs.
Topics include:
“Managing the password policy” (page 293)
“Inactivating users and roles” (page 304)
“Setting resource limits based on the bind DN” (page 306)
“Using the account policy plug-in for inactivity limits” (page 315)
7.1 Managing the password policy
A password policy minimizes the risks of using passwords by enforcing the following:
Users must change their passwords according to a schedule.
Users must provide nontrivial passwords.
The password syntax must meet certain complexity requirements.
After establishing a password policy, which can apply to the entire directory or to specific subtrees
or users, user passwords can be further protected by configuring an account lockout policy. Account
lockout defends against attackers who try to break into the directory by repeatedly guessing a user's
password. Because a lockout can be triggered by anyone who knows a bind DN, choose the failure
threshold and lockout duration so that a legitimate user is not denied service indefinitely.
For an overview on password policy, see "Designing a Password Policy" in the HP-UX Directory
Server deployment guide.
This section provides information about configuring password and account lockout policies:
“Configuring the password policy”
“Setting user passwords”
“Password change extended operation”
“Configuring the account lockout policy”
“Managing the password policy in a replicated environment”
“Synchronizing passwords”
7.1.1 Configuring the password policy
Directory Server supports fine-grained password policy, so password policies can be applied to
the entire directory (global password policy), a particular subtree (subtree level or local password
policy), or a particular user (user level or local password policy).
Essentially, the password policy comprises the following information:
The type or level of password policy checks
This information indicates whether the server enforces only the global password policy or
also local (subtree-level or user-level) password policies.
Password add and modify information
This information covers the checks applied when a password is set or changed: password
syntax and password history details.
Bind information
This information covers the checks applied when a user binds: the number of grace logins
permitted, password aging attributes, and bind failure tracking (the basis of account lockout).
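As an added example, not code from the guide, the following script maps the three parts just listed (policy level, add/modify checks, bind-time checks) and the account lockout settings from the previous subsection onto a global password policy expressed as an LDIF modify of cn=config, refuses combinations of values that contradict each other, and shows the ldapmodify call that applies it. The attribute names (nsslapd-pwpolicy-local, passwordCheckSyntax, passwordMaxAge, passwordLockout and the rest) are assumed from the Red Hat/389 Directory Server lineage on which HP-UX Directory Server 8.1 is based and should be checked against the guide's attribute reference; all numeric values are constructed samples, and the host, port and DS_HOST/DS_PORT variables are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the HP-UX Directory Server guide. Builds a global
# password policy as an LDIF modify of cn=config, grouped by policy level,
# add/modify checks and bind-time checks, sanity-checks the values, and shows
# the ldapmodify invocation. Attribute names are ASSUMED from the Red Hat/389
# Directory Server lineage; verify against the guide before applying.
# All numbers are constructed sample values (ages and durations in seconds).

PW_MIN_LEN=8
PW_IN_HISTORY=6            # passwords remembered per user
PW_MAX_AGE=7776000         # 90 days
PW_MIN_AGE=86400           # 1 day: stops the history being flushed by rapid changes
PW_WARNING=604800          # warn 7 days before expiry
PW_GRACE_LIMIT=3           # binds allowed after expiry before the account is shut
PW_MAX_FAILURE=5           # failed binds before lockout
PW_RESET_FAILURE_COUNT=600 # failure counter clears after 10 minutes
PW_LOCKOUT_DURATION=1800   # locked for 30 minutes, then the lock expires

# check_pwpolicy: return 1 (with a reason on stdout) when the tunables
# contradict each other; the server does not catch these cross-attribute mistakes.
check_pwpolicy() {
    [ "$PW_MIN_LEN" -ge 8 ] || { echo "passwordMinLength below 8 is weak"; return 1; }
    [ "$PW_MAX_AGE" -gt "$PW_MIN_AGE" ] || { echo "passwordMaxAge must exceed passwordMinAge"; return 1; }
    [ "$PW_WARNING" -lt "$PW_MAX_AGE" ] || { echo "passwordWarning must be shorter than passwordMaxAge"; return 1; }
    [ "$PW_MAX_FAILURE" -gt 0 ] || { echo "passwordMaxFailure must be positive when lockout is on"; return 1; }
    [ "$PW_LOCKOUT_DURATION" -gt 0 ] || { echo "passwordLockoutDuration must be positive so the lock expires"; return 1; }
    return 0
}

# global_pwpolicy_ldif: print the modify operation for the global policy.
# Lines starting with # are LDIF comments; the lone '-' separates modifications.
global_pwpolicy_ldif() {
    cat <<EOF
dn: cn=config
changetype: modify
# policy level: off = global policy only, on = also honour subtree/user policies
replace: nsslapd-pwpolicy-local
nsslapd-pwpolicy-local: off
-
# add/modify checks: syntax and history
replace: passwordCheckSyntax
passwordCheckSyntax: on
-
replace: passwordMinLength
passwordMinLength: $PW_MIN_LEN
-
replace: passwordHistory
passwordHistory: on
-
replace: passwordInHistory
passwordInHistory: $PW_IN_HISTORY
-
# bind-time checks: aging, grace logins, failure tracking (account lockout)
replace: passwordExp
passwordExp: on
-
replace: passwordMaxAge
passwordMaxAge: $PW_MAX_AGE
-
replace: passwordMinAge
passwordMinAge: $PW_MIN_AGE
-
replace: passwordWarning
passwordWarning: $PW_WARNING
-
replace: passwordGraceLimit
passwordGraceLimit: $PW_GRACE_LIMIT
-
replace: passwordLockout
passwordLockout: on
-
replace: passwordMaxFailure
passwordMaxFailure: $PW_MAX_FAILURE
-
replace: passwordResetFailureCount
passwordResetFailureCount: $PW_RESET_FAILURE_COUNT
-
replace: passwordLockoutDuration
passwordLockoutDuration: $PW_LOCKOUT_DURATION
EOF
}

# apply_pwpolicy HOST [PORT]: push the LDIF with the Directory Server ldapmodify.
# "-w -" prompts for the Directory Manager password instead of exposing it in
# the process list. Hypothetical host/port; nothing is sent unless called.
apply_pwpolicy() {
    check_pwpolicy || return 1
    global_pwpolicy_ldif | ldapmodify -h "$1" -p "${2:-389}" -D "cn=Directory Manager" -w -
}

# Stand-alone use: apply when DS_HOST is set, otherwise just print the LDIF.
if [ -n "$DS_HOST" ]; then
    apply_pwpolicy "$DS_HOST" "$DS_PORT"
else
    check_pwpolicy && global_pwpolicy_ldif
fi
```

Run it without DS_HOST to review the generated LDIF first; with DS_HOST set it applies the policy to that server after the consistency checks pass. Changes to cn=config take effect immediately, so review the warning, grace and lockout values together: a warning period longer than the maximum age never fires, and a zero or negative lockout duration leaves locked accounts waiting for an administrator.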
7.1 Managing the password policy 293