HP-UX Directory Server 8.1 administrator guide
The sections that follow describe the procedures for configuring the password policy:
• “Configuring a global password policy using the console”
• “Configuring a subtree/user password policy using the console”
• “Configuring a global password policy using the command line”
• “Configuring subtree/user password policy using the command line”
NOTE:
After configuring the password policy, HP recommends configuring an account lockout policy.
For details, see “Configuring the account lockout policy”.
7.1.1.1 Configuring a global password policy using the console
To set up or modify the password policy for an entire directory:
1. In the Directory Server Console, select the Configuration tab, then the Data node.
2. In the right pane, select the Passwords tab.
This tab contains the password policy for the entire Directory Server.
3. Check the Enable fine-grained password policy checkbox. Enabling the password policy
makes the other sections on the screen active.
4. To require users to change their password the first time they log on, select the User must
change password after reset checkbox. If this checkbox is selected, only the Directory
Manager is authorized to reset the user's password. A regular administrative user cannot
force the users to update their password.
5. To allow users to change their own passwords, select the User may change password
checkbox.
6. To prevent users from changing their password for a specific duration, enter the number of
days in the Allow changes in X day(s) text box.
7. For the server to maintain a history list of passwords used by each user, select the Keep
password history checkbox. Enter the number of passwords for the server to keep for each
user in the Remember X passwords text box.
8. If user passwords should not expire, select the Password never expires radio button.
9. To require users to change their passwords periodically, select the Password expires after
X days radio button, then enter the number of days that a user password is valid.
The maximum value for the password age is the number of days between today's date and
January 18, 2038. Do not set the entered value to that maximum or too close to it. Setting
the value to the maximum can cause the Directory Server to fail to start, because the expiry
time in seconds would pass the epoch date. In that event, the errors log reports that the
password maximum age is invalid. To resolve the problem, correct the passwordMaxAge
attribute value in the dse.ldif file.
A common policy is to have passwords expire every 30 to 90 days. By default, the password
maximum age is set to 8640000 seconds (100 days).
10. If the Password expires after X days radio button is selected, specify how long before the
password expires to send a warning to the user. In the Send Warning X Days Before
Password Expires text box, enter the number of days before password expiration to send a
warning.
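The following Python helper is an added example, not part of the HP guide: it applies the January 18, 2038 ceiling from step 9 to a proposed password age and renders the console settings from steps 4 to 10 as an LDIF modify on cn=config. Only passwordMaxAge is named on this page; the other attribute names are assumed from the Red Hat/389 Directory Server schema that HP-UX Directory Server is built on, and the 30-day safety margin is a constructed choice.

```python
"""Validate and render an expiry policy for HP-UX Directory Server.

Constructed example. Only passwordMaxAge is quoted on this page; the other
attribute names are assumed from the Red Hat/389 Directory Server schema.
"""
import datetime as dt

SECONDS_PER_DAY = 86400
# Step 9 derives the ceiling from January 18, 2038 (32-bit time_t rollover).
EPOCH_LIMIT = dt.date(2038, 1, 18)


def max_password_age_days(today_iso):
    """Largest password maximum age, in days, accepted on the given date."""
    return (EPOCH_LIMIT - dt.date.fromisoformat(today_iso)).days


def check_password_max_age(days, today_iso, margin_days=30):
    """Reject a value at, or within margin_days of, the 2038 ceiling."""
    ceiling = max_password_age_days(today_iso)
    if days <= 0:
        return False, "password maximum age must be positive"
    if days > ceiling - margin_days:
        return False, (f"{days} days is within {margin_days} days of the "
                       f"{ceiling}-day ceiling; the server may fail to start")
    return True, "ok"


def password_policy_ldif(max_age_days, warning_days, min_age_days,
                         history_count, today_iso):
    """Render the console settings as an LDIF modify against cn=config."""
    ok, reason = check_password_max_age(max_age_days, today_iso)
    if not ok:
        raise ValueError(reason)
    attrs = [
        ("passwordExp", "on"),                                # Password expires after X days
        ("passwordMaxAge", max_age_days * SECONDS_PER_DAY),   # stored in seconds
        ("passwordWarning", warning_days * SECONDS_PER_DAY),  # Send Warning X Days Before
        ("passwordMinAge", min_age_days * SECONDS_PER_DAY),   # Allow changes in X day(s)
        ("passwordHistory", "on" if history_count else "off"),
        ("passwordInHistory", history_count),                 # Remember X passwords
        ("passwordChange", "on"),                             # User may change password
        ("passwordMustChange", "on"),                         # User must change after reset
    ]
    body = "\n-\n".join(f"replace: {name}\n{name}: {value}" for name, value in attrs)
    return f"dn: cn=config\nchangetype: modify\n{body}\n"

if __name__ == "__main__":
    print(password_policy_ldif(90, 7, 1, 5, dt.date.today().isoformat()))
```

Feed the printed LDIF to ldapmodify as the Directory Manager; a value rejected by check_password_max_age is exactly the case that would otherwise leave an invalid passwordMaxAge in dse.ldif.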
294 Managing user authentication