LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

Table 19 Global security attributes supported for an HP directory server (continued)

Attribute: passwordMustChange
Description: This boolean attribute indicates whether users must change their passwords when they first bind to the directory server or when the password has been reset by the Directory Manager.

Attribute: nsslapd-pwpolicy-local
Description: Turns fine-grained (subtree and user level) password policy on or off. With fine-grained password policy turned on, all entries (except for cn=Directory Manager) in the directory are subjected to the global password policy; the server ignores any defined subtree and user level password policy. With fine-grained password policy turned off, the server detects password policies at the subtree and user level and enforces those policies.
For Windows Active Directory Server, PAM_AUTHZ is enhanced to support the global administrative security attributes listed in Table 20. These attributes define the policy rules and are all stored under the default domain Group Policy Object. Because the Group Policy Object is part of the security framework of Windows ADS, access to it is restricted to privileged users. If you plan to use the PAM_AUTHZ enhancement to provide account and password policy enforcement, you must therefore configure LDAP-UX with a proxy user and grant this proxy user sufficient read and search privileges to retrieve the required attributes in the base DN for the Windows domain.
For Windows ADS, administrators can configure account and password policies using the Microsoft
Management Console snap-in Active Directory Users and Computers.
Advanced administrators with intimate knowledge of Windows ADS and security policy can also
view and modify the attributes by using ADSI Edit.
Table 20 Global security attributes supported for a Windows Active Directory Server

Attribute: lockoutDuration
Description: This integer attribute defines the amount of time that an account is locked when the Lockout-Threshold is exceeded. This value is stored as a large integer[1] that represents the negative of the number of 100-nanosecond intervals that must elapse from the time the Lockout-Threshold is exceeded before the account is unlocked.

Attribute: maxPwdAge
Description: This integer attribute specifies the maximum amount of time a password is valid. This value is stored as a large integer[1] that represents the number of 100-nanosecond intervals from the time the password was set before the password expires.

[1] Large enough to contain the number of 100-nanosecond periods between now and the year 9999.
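The following is an added worked example, not code from the guide or from LDAP-UX: it converts the large-integer interval values of Table 20 to and from ordinary durations and computes the resulting unlock and password-expiry times. The sample policy values are constructed for the example; the conversion uses the magnitude of the stored count, so a negated count (as the table describes for lockoutDuration) and a plain count give the same duration.

```python
from datetime import datetime, timedelta

# One second is 10,000,000 intervals of 100 nanoseconds.
TICKS_PER_SECOND = 10_000_000

# Constructed sample values (not from the guide), following the convention in
# Table 20: the stored large integer is the negative of the 100-ns interval count.
SAMPLE_POLICY = {
    "lockoutDuration": "-18000000000",    # 30 minutes
    "maxPwdAge": "-36288000000000",       # 42 days
}

def ticks_to_timedelta(value):
    """Convert an AD large-integer interval (a string from an LDAP search, or an
    int) to a timedelta. The magnitude is used, so a negated count (as Table 20
    describes for lockoutDuration) and a plain count give the same result."""
    ticks = int(value)
    # Footnote 1: the field is a 64-bit large integer; reject anything outside it.
    if not -(1 << 63) <= ticks < (1 << 63):
        raise ValueError(f"{value!r} does not fit a 64-bit large integer")
    return timedelta(microseconds=abs(ticks) // 10)  # 10 ticks per microsecond

def timedelta_to_ticks(delta):
    """Inverse conversion: the negated 100-ns count, as the directory stores it."""
    whole_seconds = delta.days * 86400 + delta.seconds
    return -(whole_seconds * TICKS_PER_SECOND + delta.microseconds * 10)

def policy_in_seconds(policy):
    """Report the two interval attributes of Table 20 as plain seconds."""
    return {name: ticks_to_timedelta(policy[name]).total_seconds()
            for name in ("lockoutDuration", "maxPwdAge") if name in policy}

def unlock_time(threshold_exceeded_at, lockout_duration):
    """ISO-8601 time at which an account locked at `threshold_exceeded_at`
    (ISO-8601) is unlocked again, according to lockoutDuration."""
    start = datetime.fromisoformat(threshold_exceeded_at)
    return (start + ticks_to_timedelta(lockout_duration)).isoformat()

def password_expiry(password_set_at, max_pwd_age):
    """ISO-8601 time at which a password set at `password_set_at` expires, per maxPwdAge."""
    start = datetime.fromisoformat(password_set_at)
    return (start + ticks_to_timedelta(max_pwd_age)).isoformat()

if __name__ == "__main__":
    print(policy_in_seconds(SAMPLE_POLICY))
    print(unlock_time("2024-03-01T10:00:00", SAMPLE_POLICY["lockoutDuration"]))
    print(password_expiry("2024-03-01T10:00:00", SAMPLE_POLICY["maxPwdAge"]))
```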
Security policy status attributes
PAM_AUTHZ supports a list of attributes that store general security policy status information for a
particular user in the directory server. The attributes supported for HP directory servers are listed
in Table 21. If you plan to use the PAM_AUTHZ enhancement to provide account and password
policy enforcement, you must configure LDAP-UX with a proxy user. For HP-UX Directory Server,
grant this proxy user sufficient read and search privileges to retrieve the required attributes in
cn=config.
7.4 Configuring PAM_AUTHZ login authorization 215