HP-UX Directory Server 8.1 administrator guide
7.1.5 Managing the password policy in a replicated environment
Password and account lockout policies are enforced in a replicated environment as follows:
• Password policies are enforced on the data master.
• Account lockout is enforced on all servers participating in replication.
Some of the password policy information in the directory is replicated:
• passwordMinAge and passwordMaxAge
• passwordExp
• passwordWarning
However, the configuration information is kept locally and is not replicated. This information
includes the password syntax and the history of password modifications. Account lockout
counters and tiers are not replicated, either.
When configuring a password policy in a replicated environment, consider the following points:
• Warnings from the server of an impending password expiration will be issued by all replicas.
This information is kept locally on each server, so if a user binds to several replicas in turn,
the user will be issued the same warning several times. In addition, if the user changes the
password, it may take time for this change to propagate to the replicas. If a user changes a
password, then immediately rebinds, the bind may fail until the replica registers
the change.
• The same bind behavior should occur on all servers, including suppliers and replicas. Make
sure to create the same password policy configuration information on each server.
• Account lockout counters may not work as expected in a multi-mastered environment.
• Entries that are created for replication (for example, the server identities) need to have
passwords that never expire. To make sure that these special users have passwords that do
not expire, add the passwordExpirationTime attribute to the entry, and give it a value
of 20380119031407Z (the top of the valid range).
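As an added example (not from the HP-UX guide), the following Python script turns the two points above into a check: it diffs the locally kept password-policy settings exported from the cn=config entry of two replicas, and lists replication identities whose passwordExpirationTime is not the top-of-range value the guide recommends. The attribute names in LOCAL_POLICY_ATTRS are the usual cn=config names and are assumed rather than quoted from this page; the sample LDIF exports and entry DNs are constructed.

```python
import re

NEVER_EXPIRES = "20380119031407Z"   # top of the valid range, as the guide states
# Local-only settings per the guide; cn=config attribute names are assumed, not from this page.
LOCAL_POLICY_ATTRS = ("passwordHistory", "passwordCheckSyntax", "passwordMinLength",
                      "passwordLockout", "passwordMaxFailure", "passwordLockoutDuration")

def parse_ldif(text):
    """Minimal LDIF reader (no base64 '::' values): {dn: {attr: [values]}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]           # fold LDIF continuation lines
            elif line and not line.startswith("#"):
                lines.append(line)
        attrs = {}
        for line in lines:
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip(), []).append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries

def policy_drift(cfg_a, cfg_b, dn="cn=config"):
    """Local policy attributes whose first value differs between two exports."""
    a, b = parse_ldif(cfg_a)[dn], parse_ldif(cfg_b)[dn]
    return {attr: (a.get(attr, [None])[0], b.get(attr, [None])[0])
            for attr in LOCAL_POLICY_ATTRS
            if a.get(attr, [None])[0] != b.get(attr, [None])[0]}

def expiring_identities(ldif):
    """DNs whose passwordExpirationTime is absent or not the top-of-range value."""
    return sorted(dn for dn, e in parse_ldif(ldif).items()
                  if e.get("passwordExpirationTime", [None])[0] != NEVER_EXPIRES)

# Constructed sample exports (not real server output).
SERVER_A = """dn: cn=config
passwordLockout: on
passwordMaxFailure: 3
passwordHistory: on
"""
SERVER_B = SERVER_A.replace("passwordMaxFailure: 3", "passwordMaxFailure: 5")
REPL_IDS = """dn: cn=replication manager,cn=config
passwordExpirationTime: 20380119031407Z

dn: uid=syncuser,ou=People,dc=example,dc=com
passwordExpirationTime: 20240101000000Z
"""
```

Run policy_drift(SERVER_A, SERVER_B) and expiring_identities(REPL_IDS) against real ldapsearch exports to spot a replica whose lockout settings drifted or a service identity whose password will expire.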
7.1.6 Synchronizing passwords
Password changes in a Directory Server entry can be synchronized to password attributes in
Active Directory entries by using the Password Sync utility.
When passwords are synchronized, password policies are enforced on each synchronized peer
locally. The syntax or minimum length requirements on the Directory Server apply when the
password is changed in the Directory Server. When the changed password is synchronized over
to the Windows server, the Windows password policy is enforced. The password policies
themselves are not synchronized.
Configuration information is kept locally and cannot be synchronized, including the password
change history and the account lockout counters.
When configuring a password policy for synchronization, consider the following points:
• The Password Sync utility must be installed locally on the Windows machine that will be
synchronized with a Directory Server.
• Password Sync can only link the Windows machine to a single Directory Server; to
synchronize changes with multiple Directory Server instances, configure the Directory Server
for multi-master replication.
• Password expiration warnings and times, failed bind attempts, and other password-related
information are enforced locally on each server and are not synchronized between
synchronized peer servers.
• The same bind behavior should occur on all servers. Make sure to create the same or similar
password policies on both Directory Server and Active Directory servers.
• Entries that are created for synchronization (for example, the server identities) need to have
passwords that never expire. To make sure that these special users have passwords that do
7.1 Managing the password policy 303