LDAP-UX Client Services B.05.00 Administrator's Guide
5.3.10.6 Directory server security policies
Global security attributes
In HP-UX Directory Server or Red Hat Directory Server, a number of attributes define the
server's security policies. To support account and password policy enforcement, PAM_AUTHZ
is enhanced to support the global administrative security attributes listed in Table 5-2.
These attributes define the policy rules and are all stored under cn=config. Only users
permitted by the server's access control can read them. If you use the PAM_AUTHZ enhancement
to support account and password policy enforcement, you must configure LDAP-UX with a proxy
user and grant this proxy user read and search rights on cn=config so that the policy
attributes can be retrieved.
Table 5-2 Global security attributes

passwordLockout
    This boolean attribute indicates whether users are locked out of the directory
    after a given number of failed bind attempts. By default, users are not locked
    out of the directory after a series of failed bind attempts.

passwordUnlock
    This boolean attribute indicates whether a locked-out account is unlocked after
    a specified amount of time or stays locked until the password is reset. If
    passwordUnlock is disabled and accountUnlockTime has a value of 0, the account
    is locked indefinitely.

passwordMaxFailure
    This integer attribute indicates the maximum number of password failures after
    which a user is locked out of the directory. By default, account lockout is
    disabled.

passwordExp
    This boolean attribute indicates whether user passwords expire after a given
    number of seconds. By default, user passwords do not expire. If this attribute
    is enabled, use the passwordMaxAge attribute to set the number of seconds after
    which a password expires.

passwordMustChange
    This boolean attribute indicates whether users must change their passwords when
    they first bind to the Directory Server or after the password has been reset by
    the Directory Manager.

nsslapd-pwpolicy-local
    Turns fine-grained (subtree- and user-level) password policy on and off. If this
    attribute is off, all entries in the directory (except cn=Directory Manager) are
    subject to the global password policy and the server ignores any subtree- or
    user-level password policy. If it is on, the server checks for password policies
    at the subtree and user level and enforces them.
Security policy status attributes
PAM_AUTHZ also supports a set of attributes that hold the security policy status of an
individual user entry in the directory server. These attributes are listed in Table 5-3.
Table 5-3 Security policy status attributes

nsAccountLock
    This boolean attribute indicates whether an account is locked. If the attribute
    does not exist, the account is considered unlocked.

passwordRetryCount
    This integer attribute records the number of consecutive failed attempts to
    enter the correct user password.
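The following Python script is added here as an illustration of how the global policy attributes of Table 5-2 and the per-user status attributes of Table 5-3 combine; it is not LDAP-UX or PAM_AUTHZ code, and PAM_AUTHZ's own decision logic is not documented by this page. It assumes the two entries were saved as LDIF from an ldapsearch bound as the proxy user. The proxy DN, suffix, user entry and all attribute values are constructed placeholders.

```python
# Added example (not LDAP-UX or PAM_AUTHZ code): evaluate the cn=config
# global policy (Table 5-2) against one user's status attributes (Table 5-3).
# The LDIF fragments are constructed sample data, as if saved from a search
# bound as the proxy user (DN and suffix are placeholders):
#
#   ldapsearch -x -D "cn=proxyuser,ou=people,dc=example,dc=com" -W \
#       -b cn=config -s base passwordLockout passwordMaxFailure passwordUnlock \
#       accountUnlockTime passwordExp passwordMaxAge passwordMustChange \
#       nsslapd-pwpolicy-local

CONFIG_LDIF = """\
dn: cn=config
passwordLockout: on
passwordMaxFailure: 3
passwordUnlock: on
accountUnlockTime: 3600
passwordExp: on
passwordMaxAge: 8640000
passwordMustChange: on
nsslapd-pwpolicy-local: off
"""

USER_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
nsAccountLock: false
passwordRetryCount: 3
"""

# Global attributes the check needs. A proxy user without read/search rights
# on cn=config gets these silently omitted rather than an error.
REQUIRED_CONFIG = ("passwordlockout", "passwordmaxfailure", "passwordunlock",
                   "passwordexp", "passwordmustchange", "nsslapd-pwpolicy-local")


def parse_ldif(text):
    """Parse one LDIF entry into {attribute-name: [values]}.

    LDAP attribute types are case-insensitive, so names are lower-cased.
    Base64 ("::") values and folded continuation lines are not handled.
    """
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def flag(entry, name, default=False):
    """Boolean attribute: policy attributes use on/off, nsAccountLock true/false."""
    values = entry.get(name.lower())
    return values[0].lower() in ("on", "true") if values else default


def number(entry, name, default=0):
    """Integer attribute, falling back to default when absent."""
    values = entry.get(name.lower())
    return int(values[0]) if values else default


def evaluate(config, user):
    """Return {'allow': bool, 'reasons': [...], 'warnings': [...]}."""
    result = {"allow": True, "reasons": [], "warnings": []}

    missing = [a for a in REQUIRED_CONFIG if a not in config]
    if missing:
        result["warnings"].append(
            "cn=config attributes not returned (check proxy user rights): "
            + ", ".join(missing))

    if flag(config, "nsslapd-pwpolicy-local"):
        result["warnings"].append(
            "fine-grained policy is on; a subtree or user policy may override cn=config")

    # Table 5-3: a missing nsAccountLock means the account is unlocked.
    if flag(user, "nsAccountLock"):
        result["allow"] = False
        result["reasons"].append("nsAccountLock is set")

    # Table 5-2: lockout applies only when passwordLockout is on and the
    # consecutive failure count has reached passwordMaxFailure.
    if flag(config, "passwordLockout"):
        limit = number(config, "passwordMaxFailure")
        tries = number(user, "passwordRetryCount")
        if limit > 0 and tries >= limit:
            result["allow"] = False
            unlock_time = number(config, "accountUnlockTime")
            if flag(config, "passwordUnlock"):
                how = "for accountUnlockTime=%d seconds" % unlock_time
            elif unlock_time == 0:
                how = "indefinitely (passwordUnlock off, accountUnlockTime 0)"
            else:
                how = "until the password is reset"
            result["reasons"].append(
                "%d consecutive failures >= passwordMaxFailure %d; locked %s"
                % (tries, limit, how))
    return result


def check(config_ldif=CONFIG_LDIF, user_ldif=USER_LDIF):
    """Parse both fragments and evaluate them."""
    return evaluate(parse_ldif(config_ldif), parse_ldif(user_ldif))


if __name__ == "__main__":
    for key, value in check().items():
        print("%-8s %s" % (key, value))
```

If the warnings list reports missing cn=config attributes, check the proxy user's rights before the policy itself: a search the server's access control does not permit returns the entry with the restricted attributes left out, not an error, so a misconfigured proxy user looks like a server with no lockout policy at all.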