HP-UX Directory Server 8.1 administrator guide

The account policy plug-in provides the following functionality:
- Fine-grained, per-user or per-subtree account inactivity policies that mimic fine-grained password policies
- Tracking the last login time, recorded in an attribute in each account after successful authentication
- An enforcement mechanism that compares the inactivity time elapsed since the last login to the maximum allowed inactivity period specified by the policy
7.6.1 Configuring the account inactivity policy
The account policy plug-in and its policies must be configured using the command line.
Configuring the plug-in for the first time requires the following steps:
1. Using the ldapmodify command-line utility, enable the plug-in by setting the
nsslapd-pluginEnabled attribute to on. The plug-in performs inactivity enforcement
and last login time tracking only when it is enabled.
dn: cn=Account Policy Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
2. Restart the Directory Server instance.
/opt/dirsrv/slapd-instance_name/restart-slapd
3. Optionally, customize the plug-in configuration. For more information about the
customizations available, refer to the configuration, command, and file reference. In most cases,
the default plug-in configuration suffices.
4. Create an account policy entry that specifies an inactivity limit. This entry can reside
anywhere in the DIT. The following sample policy entry configures a 30-day inactivity limit.
dn: cn=Account Policy,ou=people,dc=example,dc=com
objectClass: top
objectClass: ldapsubentry
objectClass: accountpolicy
cn: Account Policy
accountInactivityLimit: 2592000
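
Before applying a limit such as the one above, it helps to see which accounts would already exceed it. The following Python sketch is an added example, not part of the original guide or the product: it runs the comparison described earlier (time elapsed since last login against accountInactivityLimit) over exported entries. It assumes last login values are UTC GeneralizedTime strings and that an account is over the limit only when elapsed time is strictly greater than it; the function names and sample entries are constructed for illustration.

```python
from datetime import datetime, timezone

# Seconds, taken from the sample policy entry above (30 days).
ACCOUNT_INACTIVITY_LIMIT = 2592000


def parse_generalized_time(value):
    """Parse a UTC LDAP GeneralizedTime value such as 20240115093000Z."""
    if not value.endswith("Z"):
        raise ValueError("expected a UTC value ending in Z: %r" % value)
    core = value[:-1].split(".")[0]  # drop optional fractional seconds
    return datetime.strptime(core, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def audit_inactivity(entries, limit_seconds, now):
    """Sort (dn, last_login) pairs into over_limit, within_limit and unknown.

    Accounts with no recorded last login go to "unknown" for manual review
    rather than being guessed at. The strict ">" comparison is an assumption.
    """
    report = {"over_limit": [], "within_limit": [], "unknown": []}
    for dn, last_login in entries:
        if not last_login:
            report["unknown"].append(dn)
            continue
        elapsed = int((now - parse_generalized_time(last_login)).total_seconds())
        bucket = "over_limit" if elapsed > limit_seconds else "within_limit"
        report[bucket].append((dn, elapsed))
    return report


# Constructed sample data: not real accounts or real login times.
SAMPLE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    ("uid=alice,ou=people,dc=example,dc=com", "20240215120000Z"),
    ("uid=bob,ou=people,dc=example,dc=com", "20240101000000Z"),
    ("uid=carol,ou=people,dc=example,dc=com", None),
    ("uid=dave,ou=people,dc=example,dc=com", "20240131000000Z"),  # exactly 30 days
]

if __name__ == "__main__":
    result = audit_inactivity(SAMPLE_ENTRIES, ACCOUNT_INACTIVITY_LIMIT, SAMPLE_NOW)
    for bucket, items in result.items():
        print(bucket, items)
```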