HP-UX Directory Server 8.1 deployment guide

NOTE:
The proxy mechanism is very powerful and must be used sparingly. Proxy rights are granted
within the scope of the ACL, and there is no way to restrict who can be impersonated by an entry
that has the proxy right. That is, when a user is granted proxy rights, that user has the ability to
proxy for any user under the target; there is no way to restrict the proxy rights to only certain
users.
For example, if an entity has proxy rights to the dc=example,dc=com tree, that entity can do
anything. Therefore, ensure that the proxy ACI is set at the lowest possible level of the DIT.
For more information on this topic, check out the "Proxied Authorization ACI Example" section
in the "Managing Access Control" chapter of the Administrator's Guide.
8.5 Preventing authentication by account deactivation
A user account or a set of accounts can be temporarily deactivated. After an account has been
deactivated, that user cannot bind to the directory, and the authentication operation fails.
Account deactivation is implemented through the operational attribute nsAccountLock. When
an entry contains the nsAccountLock attribute with a value of true, the server rejects the bind.
The procedures for deactivating users and roles are the same. However, deactivating a role
deactivates all the members of that role, not the role entry itself. For more information about
roles, see “About roles”.
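The deactivation rule above, as an added example that is not part of the deployment guide or the server's own code: a small model in which a bind is rejected when the entry's nsAccountLock is true or when the entry belongs to a deactivated role, while the role entry itself stays bindable. It assumes managed-role membership is recorded in the member's nsRoleDN attribute and that deactivated roles are tracked as a set of DNs; the sample entries are constructed.

```python
from typing import Dict, List, Set

Entry = Dict[str, List[str]]  # attribute name -> values, as returned by an LDAP search

def norm_dn(dn: str) -> str:
    """Normalise a DN for comparison: case-insensitive, spaces after commas ignored."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def is_locked_directly(entry: Entry) -> bool:
    """True when the operational attribute nsAccountLock is set to true (any case)."""
    for name, values in entry.items():
        if name.lower() == "nsaccountlock":
            return any(v.strip().lower() == "true" for v in values)
    return False

def member_roles(entry: Entry) -> Set[str]:
    """Roles the entry belongs to; assumed to be listed in the member's nsRoleDN."""
    roles: Set[str] = set()
    for name, values in entry.items():
        if name.lower() == "nsroledn":
            roles.update(norm_dn(v) for v in values)
    return roles

def bind_allowed(dn: str, entries: Dict[str, Entry], deactivated_roles: Set[str]) -> bool:
    """Would a simple bind as `dn` be accepted under the account-deactivation rule?"""
    entry = entries.get(norm_dn(dn))
    if entry is None or is_locked_directly(entry):
        return False  # unknown DN, or the user entry itself is locked
    # Deactivating a role locks its members; the role entry is judged only by its own attribute.
    locked_roles = {norm_dn(r) for r in deactivated_roles}
    return not (member_roles(entry) & locked_roles)

def locked_accounts(entries: Dict[str, Entry], deactivated_roles: Set[str]) -> List[str]:
    """Audit helper: every DN that currently cannot bind, directly or via a role."""
    return sorted(dn for dn in entries if not bind_allowed(dn, entries, deactivated_roles))

def deactivate_ldif(dn: str) -> str:
    """LDIF change record that sets nsAccountLock on one user entry (for ldapmodify)."""
    return f"dn: {dn}\nchangetype: modify\nreplace: nsAccountLock\nnsAccountLock: true\n"

# Constructed sample directory: bob is locked directly, carol through a deactivated role.
ENTRIES: Dict[str, Entry] = {norm_dn(dn): attrs for dn, attrs in {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": ["alice"]},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": ["bob"], "nsAccountLock": ["true"]},
    "uid=carol,ou=people,dc=example,dc=com": {"uid": ["carol"],
                                              "nsRoleDN": ["cn=contractors,dc=example,dc=com"]},
    "cn=contractors,dc=example,dc=com": {"cn": ["contractors"]},
}.items()}
DEACTIVATED_ROLES: Set[str] = {"cn=contractors,dc=example,dc=com"}
```

Running `locked_accounts(ENTRIES, DEACTIVATED_ROLES)` lists bob and carol but not the contractors role entry, which matches the text's statement that the role entry itself is not deactivated.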
8.6 Designing a password policy
A password policy is a set of rules that govern how passwords are used in a given system. The
Directory Server's password policy specifies the criteria that a password must satisfy to be
considered valid, such as its age and length and whether users can reuse passwords.
The following sections provide more information on designing a sound password policy:
“How password policy works”
“Password policy attributes”
“Designing an account lockout policy”
“Designing a password policy in a replicated environment”
8.6.1 How password policy works
Directory Server supports fine-grained password policy, which means password policies can be
defined at the subtree and user level. This allows the flexibility of defining a password policy at
any point in the directory tree:
The entire directory.
Such a policy is known as the global password policy. When configured and enabled, the
policy is applied to all users within the directory except for the Directory Manager entry
and those user entries that have local password policies enabled.
This can define a common, single password policy for all directory users.
A particular subtree of the directory.
Such a policy is known as the subtree level or local password policy. When configured and
enabled, the policy is applied to all users under the specified subtree.
This is good in a hosting environment to support different password policies for each hosted
company rather than enforcing a single policy for all the hosted companies.
A particular user of the directory.