HP-UX Directory Server 8.1 deployment guide
Such a policy is known as the user level or local password policy. When configured and
enabled, the policy is applied to the specified user only.
This makes it possible to define different password policies for different directory users. For
example, some users can be required to change their passwords daily, others monthly, and all
remaining users every six months.
By default, Directory Server includes entries and attributes that are relevant to the global password
policy, meaning the same policy is applied to all users. To set up a password policy for a subtree
or user, add additional entries at the subtree or user level and enable the
nsslapd-pwpolicy-local attribute of the cn=config entry. This attribute acts as a switch,
turning fine-grained password policy on and off.
The password policy changes can be made in the Directory Server Console or by using the
ns-newpwpolicy.pl script. The Configuration, Command, and File Reference lists the command-line
syntax for the script, and the Administrator's Guide includes procedures for setting password
policies.
After password policy entries are added to the directory, they determine the type (global or local)
of the password policy the Directory Server should enforce.
When a user attempts to bind to the directory, Directory Server determines whether a local policy
has been defined and enabled for the user's entry.
• To determine whether the fine-grained password policy is enabled, the server checks the
value (on or off) assigned to the nsslapd-pwpolicy-local attribute of the cn=config
entry. If the value is off, the server ignores the policies defined at the subtree and user
levels and enforces the global password policy.
• To determine whether a local policy is defined for a subtree or user, the server checks for
the pwdPolicysubentry attribute in the corresponding user entry. If the attribute is
present, the server enforces the local password policy configured for the user. If the attribute
is absent, the server logs an error message and enforces the global password policy.
The server then compares the user-supplied password with the value specified in the user's
directory entry to make sure they match. The server also uses the rules defined by the password
policy to ensure that the password is valid before allowing the user to bind to the directory.
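The bind-time decision described above, as an added example that is not part of the deployment guide: a small model that reads constructed sample entries and applies the two checks (the nsslapd-pwpolicy-local switch on cn=config, then the presence of pwdPolicysubentry on the user entry). Only the attribute names come from the guide; the DNs and policy names are made up.

```python
# Added example (not HP-UX Directory Server code): how the server chooses between the
# global and a local password policy when a user binds. Sample data is constructed.
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]

# Constructed entries in minimal LDIF: one "attr: value" per line, no folding or base64.
SAMPLE_LDIF = """\
dn: cn=config
nsslapd-pwpolicy-local: on

dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
pwdPolicysubentry: cn=daily-change-policy,ou=people,dc=example,dc=com

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
"""

def parse_ldif(text: str) -> Dict[str, Entry]:
    """Return {dn: {attr_lower: [values]}}; LDAP attribute names are case-insensitive."""
    entries: Dict[str, Entry] = {}
    for block in text.strip().split("\n\n"):
        attrs: Entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs.pop("dn")[0]] = attrs
    return entries

def resolve_policy(entries: Dict[str, Entry], user_dn: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (policy_kind, local_policy_dn, error_log) for a bind by user_dn.

    1. nsslapd-pwpolicy-local on cn=config is the switch: "off" (or absent) means
       subtree/user policies are ignored and the global policy applies.
    2. With the switch on, pwdPolicysubentry on the user entry selects the local policy;
       if it is absent the server logs an error and falls back to the global policy.
    """
    switch = entries.get("cn=config", {}).get("nsslapd-pwpolicy-local", ["off"])[0].lower()
    if switch != "on":
        return ("global", None, None)
    subentry = entries[user_dn].get("pwdpolicysubentry")
    if subentry:
        return ("local", subentry[0], None)
    return ("global", None, f"no pwdPolicysubentry on {user_dn}; enforcing global policy")

if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for dn in ("uid=alice,ou=people,dc=example,dc=com", "uid=bob,ou=people,dc=example,dc=com"):
        print(dn, "->", resolve_policy(directory, dn))
```

Flipping the switch to off in the sample config shows why the attribute matters: alice's pwdPolicysubentry is then ignored and she falls under the global policy without any error being logged.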
110 Designing a secure directory