LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
Table 21 Security policy status attributes supported for an HP directory server
Attribute
    Description

nsAccountLock
    This boolean attribute indicates whether an account is locked. If this attribute does not exist, the account is considered unlocked.

passwordRetryCount
    This integer attribute specifies the number of consecutive failed attempts at entering the correct user password.

passwordExpirationTime
    This string attribute defines a date and time when a password is considered expired. The date and time are specified using the "Generalized Time" syntax as referenced in RFC 2252 and specified by the ISO X.208 standard. It uses the format YYYYMMDDHHMMSSTZ, where:
        YYYY signifies the 4-digit year
        MM signifies the 2-digit month
        DD signifies the 2-digit day of the month
        HH signifies the 2-digit hour
        MM signifies the 2-digit minute
        SS signifies the 2-digit second
        TZ signifies the time zone
    HP directory servers use the GMT time zone, which is represented with the letter Z for Zone time. For example, 20060215165535Z represents February 15, 2006 at 16:55 and 35 seconds GMT.

accountUnlockTime
    This string attribute defines a date and time when an account will be unlocked. The value is represented in the Generalized Time syntax described in the passwordExpirationTime attribute. If the attribute does not exist, the account is considered unlocked (this assumes nsAccountLock does not also exist).

pwdpolicysubentry
    This variable defines the location of the new password policy. The location is expressed in the DN format.

For the Windows Active Directory Server, PAM_AUTHZ supports the attributes listed in
Table 22. If you plan to use the PAM_AUTHZ enhancement to provide account and password
policy enforcement, you must configure LDAP-UX with a proxy user. Grant this proxy user sufficient
read and search privileges to retrieve the required attributes in the base DN for the Windows
domain.
For Windows ADS, administrators can configure account and password policies using the Microsoft
Management Console snap-in Active Directory Users and Computers.
Advanced administrators with intimate knowledge of Windows ADS and security policy can also
view and modify the attributes by using ADSI Edit.
Table 22 Security policy status attributes supported for a Windows Active Directory Server
Attribute
    Description

userAccountControl
    This attribute controls the behavior of the user account.

userWorkStations
    This single-valued string attribute contains the NetBIOS names of the workstations from which the user can log on. Each NetBIOS name is separated by a comma.

pwdLastSet
    This integer attribute defines the date and time that the password for this account was last changed. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). If this value is set to 0 and the userAccountControl attribute does not contain the UF_DONT_EXPIRE_PASSWD flag, then the user must set the password at the next logon.
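
The following Python is an added example, not code from this guide, LDAP-UX or PAM_AUTHZ. It shows how the status attributes in Table 21 and Table 22 can be interpreted once a proxy user has retrieved them. Assumptions: the function names are hypothetical, the entries are constructed samples, a future accountUnlockTime is treated as a lock, and 0x10000 is the standard Windows value of UF_DONT_EXPIRE_PASSWD.

```python
from datetime import datetime, timedelta, timezone

UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl flag named in Table 22
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_generalized_time(value):
    """Parse the YYYYMMDDHHMMSSZ form used by HP directory servers (GMT only)."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError("expected YYYYMMDDHHMMSSZ, got %r" % value)
    return datetime.strptime(value[:-1], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def filetime_to_datetime(intervals):
    """Convert 100-nanosecond intervals since 1601-01-01 UTC to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=intervals // 10)


def hp_account_status(entry, now):
    """Classify an HP directory server entry from the Table 21 attributes."""
    findings = []
    if entry.get("nsAccountLock", "").lower() == "true":
        findings.append("locked")
    # Assumption: an accountUnlockTime still in the future means a temporary lock.
    unlock = entry.get("accountUnlockTime")
    if unlock and parse_generalized_time(unlock) > now:
        findings.append("locked-until " + unlock)
    expires = entry.get("passwordExpirationTime")
    if expires and parse_generalized_time(expires) <= now:
        findings.append("password-expired")
    return findings or ["ok"]


def ads_must_change_password(entry):
    """Table 22 rule: pwdLastSet of 0 without UF_DONT_EXPIRE_PASSWD."""
    uac = int(entry.get("userAccountControl", "0"))
    return int(entry["pwdLastSet"]) == 0 and not uac & UF_DONT_EXPIRE_PASSWD


# Constructed sample entries (not from a real directory).
NOW = datetime(2006, 2, 16, tzinfo=timezone.utc)
HP_ENTRY = {"passwordExpirationTime": "20060215165535Z",
            "accountUnlockTime": "20060216003000Z"}
ADS_ENTRY = {"userAccountControl": "512", "pwdLastSet": "0"}

if __name__ == "__main__":
    print(hp_account_status(HP_ENTRY, NOW))
    print(ads_must_change_password(ADS_ENTRY))
    print(filetime_to_datetime(116444736000000000))
```

Values with a numeric offset instead of Z are rejected rather than guessed at, since the guide states that HP directory servers store these times in GMT.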