HP-UX Directory Server 8.1 administrator guide
This section describes the attributes used to create a password policy for the entire server (a global
policy) and how to change those attributes in the cn=config entry with ldapmodify.
Table 7-1 “Password policy attributes” describes the attributes available to configure the password
policy.
Table 7-1 Password policy attributes
Attribute name / Definition
passwordGraceLimit
    The number of grace logins permitted after a user's password has expired. When set to a
    positive number, the user may still bind with the expired password that many times. For the
    global password policy, the attribute is defined under cn=config. The default is 0, which
    means grace logins are not permitted; every grace login extends the life of an expired
    password, so keep the value small.
passwordMustChange
    When on, users must change their password the first time they log in to the directory and
    after the password has been reset by the Directory Manager. The change is required even if
    user-defined passwords (passwordChange) are disabled. If this attribute is off, users are
    never forced to replace an assigned password, so passwords assigned by the Directory Manager
    must not follow any obvious convention and must be difficult to guess. This attribute is off
    by default.
passwordChange
    When on, users may change their own passwords. Allowing users to set their own passwords runs
    the risk that they choose passwords that are easy to remember and therefore easy to guess.
    However, assigning good passwords to users requires significant administrative effort, and a
    password that is not meaningful to the user is more likely to be written down somewhere it can
    be discovered. This attribute is on by default.
passwordExp
    When on, user passwords expire after the interval given by the passwordMaxAge attribute.
    Expiring passwords helps protect the directory data because the longer a password is in use,
    the more likely it is to have been discovered. This attribute is off by default.
passwordMaxAge
    The number of seconds after which user passwords expire. The attribute takes effect only when
    password expiration is enabled with passwordExp. Its maximum value is dynamic: it is the
    number of seconds from today's date until January 18, 2038, the last full day before a signed
    32-bit time value overflows. Do not set the attribute to that maximum or close to it. If the
    value is set to the maximum, the Directory Server may fail to start because the computed
    expiration time falls past the 32-bit time limit; the errors log then reports that the password
    maximum age is invalid. To recover, correct the passwordMaxAge value in the dse.ldif file
    while the server is stopped. A common policy is to expire passwords every 30 to 90 days. The
    default is 8640000 seconds (100 days).
passwordWarning
    The number of seconds before expiration at which a warning is sent to users whose password
    is about to expire. Depending on the LDAP client application, users may be prompted to change
    their password when the warning is received; HP-UX Directory Express provides this
    functionality. By default, the directory sends the warning 86400 seconds (1 day) before the
    password expires. Note that a password never expires until the warning has been sent.
    Therefore, even a user who does not bind to the Directory Server for longer than
    passwordMaxAge still receives the warning at the next bind and has time to change the
    password; the effective lifetime of a rarely used password can thus exceed passwordMaxAge.
passwordMinAge
    The number of seconds that must pass before a user can change their password again. Use it
    together with the passwordInHistory attribute to discourage reuse of old passwords: for
    example, a minimum age of 2 days prevents a user from changing the password repeatedly in a
    single session to cycle old entries out of the history list and then reuse one of them. The
    value can range from 0 to 2147472000 seconds (24,855 days). A value of 0 means the user can
    change the password immediately. The default is 0.
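As an added example (this is not code from the HP-UX Directory Server guide or from the product), the following POSIX shell script generates the cn=config modification this section describes and checks the chosen values against the constraints the table states: passwordMaxAge must stay well below the January 18, 2038 ceiling, and the minimum age and warning window must fit inside the maximum age. The host name, bind DN, the 60/7/2-day values, the 30-day safety margin and the availability of `date +%s` are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not taken from the HP-UX Directory Server guide: build the LDIF that
# sets the global password policy under cn=config, and sanity-check the numbers first.
# Assumptions (not from the page): host name, port, bind DN and day counts are
# illustrative; the 30-day margin below the 2038 ceiling is our own choice; and
# `date +%s` is available (GNU/BSD date; older HP-UX date lacks %s).

SECONDS_PER_DAY=86400

# 2147385600 = 2038-01-18T00:00:00Z in Unix epoch seconds; the guide names January 18,
# 2038 as the date from which the dynamic maximum of passwordMaxAge is computed.
JAN18_2038=2147385600

days_to_seconds() {
    echo $(( $1 * SECONDS_PER_DAY ))
}

# Largest passwordMaxAge the guide allows: seconds from now until January 18, 2038.
max_age_ceiling() {
    echo $(( JAN18_2038 - $(date +%s) ))
}

# Return 0 when a candidate passwordMaxAge is positive and stays a comfortable margin
# (30 days, our assumption) below the ceiling, so the server never computes an
# expiration time past the 32-bit limit and refuses to start.
check_max_age() {
    age=$1
    margin=$(days_to_seconds 30)
    [ "$age" -gt 0 ] && [ "$age" -le $(( $(max_age_ceiling) - margin )) ]
}

# Return 0 when min age, max age and warning window are mutually consistent: the
# password must become changeable before it expires, and the warning must fall
# inside the password's lifetime.
check_policy() {
    min_age=$1; max_age=$2; warning=$3
    [ "$min_age" -lt "$max_age" ] && [ "$warning" -lt "$max_age" ]
}

# Emit an LDIF modify for cn=config. Arguments: max-age days, warning days,
# min-age days, grace logins. Fails (returns 1) instead of emitting an unsafe policy.
password_policy_ldif() {
    max_age=$(days_to_seconds "$1")
    warning=$(days_to_seconds "$2")
    min_age=$(days_to_seconds "$3")
    grace=$4
    check_max_age "$max_age" || { echo "passwordMaxAge $max_age is too close to the 2038 ceiling" >&2; return 1; }
    check_policy "$min_age" "$max_age" "$warning" || { echo "inconsistent min age / max age / warning" >&2; return 1; }
    cat <<EOF
dn: cn=config
changetype: modify
replace: passwordExp
passwordExp: on
-
replace: passwordMaxAge
passwordMaxAge: $max_age
-
replace: passwordWarning
passwordWarning: $warning
-
replace: passwordMinAge
passwordMinAge: $min_age
-
replace: passwordGraceLimit
passwordGraceLimit: $grace
-
replace: passwordMustChange
passwordMustChange: on
-
replace: passwordChange
passwordChange: on
EOF
}

# Usage (flags of the Directory Server's bundled ldapmodify are assumed; "-w -" prompts
# for the Directory Manager password instead of exposing it on the command line):
#   password_policy_ldif 60 7 2 0 > policy.ldif
#   ldapmodify -h ldap.example.com -p 389 -D "cn=Directory Manager" -w - -f policy.ldif
```

The script refuses to emit a policy whose passwordMaxAge would run past the 2038 ceiling, which is the failure the table warns about, rather than leaving the server unable to start and forcing a manual edit of dse.ldif. It replaces every attribute in one modify operation so the policy is applied atomically; attributes you do not want to change can simply be dropped from the heredoc.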
296 Managing user authentication