Preparing your LDAP Directory for HP-UX Integration

Preserving HP-UX password policies
Password policies are the rules that govern valid password syntax, how frequently a user must change that
password, when a user may log in, and other restrictions. Default HP-UX password policies do not allow an
administrator to specify the time of day a user may log in. However, an HP-UX system administrator may
specify rules that define valid password syntax and how frequently the user must change his password. The
following excerpt comes from the HP-UX passwd(1) man page:
A password must have at least six characters. Only the first eight characters are significant in an
untrusted system.
Characters must be from the 7-bit USASCII character set; letters from the English alphabet.
A password must contain at least two uppercase and/or lowercase letters and at least one numeric or
special character.
A password must differ from the user's login name and any reverse or circular shift of that login
name. For comparison purposes, an uppercase letter and its corresponding lowercase equivalent are
treated as identical.
A new password must differ from the old one by at least three characters (one character in a trusted
system). For comparison purposes, an uppercase letter and its corresponding lowercase equivalent
are treated as identical.
Several additional rules may be specified, such as when the user must change his password. On a
trusted system, many additional syntax requirements can be imposed (see the passwd(1) man page for
additional details).
Once you migrate your users to an LDAP directory, the directory also becomes responsible for the password
policy.
NIS/LDAP Gateway & Password Policy
When using the NIS/LDAP Gateway product, both HP-UX and the LDAP directory could compete to
enforce dual, possibly conflicting, password policy rules. A Directory Administrator should ensure that the
policies enforced by the directory are adequate and do not contradict the HP-UX password policy rules. For
example, a rule on HP-UX could say passwords must be more than 6 characters, but less than 8. A rule on
the LDAP directory server could say passwords must be more than 8 characters, but less than 16. Since the
LDAP server will be the actual system changing the password, the LDAP server's policy will take
precedence.
Password expiration rules on an HP-UX system are enforced on a per-user basis. An LDAP directory server
may enforce expiration rules as a directory-wide policy. In addition, the LDAP server may not understand
HP-UX password policy syntax. As an example, to force a user to change his password every 90 days,
HP-UX places a special character sequence at the end of the encrypted password. If the LDAP directory
server does not understand this sequence, two side effects may result. First, the LDAP server may not allow
the user to log into the LDAP server directly (this should not affect a user logging into an HP-UX system,
since the userPassword attribute can still be retrieved by the proxy user and passed directly to the HP-UX
applications.) Second, the next time the user changes his password, the HP-UX password expiration syntax
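The following added example (not HP's code) shows how a migration audit could spot HP-UX entries whose password field carries the aging suffix described above, and check the paper's length-rule example for a conflict. It assumes the traditional System V aging layout of HP-UX passwd(4) (a comma, then max weeks, min weeks and the last-change week encoded in the a64l alphabet); the paper itself only calls this a "special character sequence".

```python
from typing import Optional

# Traditional System V / HP-UX aging alphabet in a64l(3) order: '.'=0, '/'=1,
# '0'-'9'=2..11, 'A'-'Z'=12..37, 'a'-'z'=38..63. The 'Mmww' layout handled below
# (max weeks, min weeks, last-change week with the low-order character first) is
# an assumption taken from the classic passwd(4) description, not from the paper.
A64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def split_hpux_password(field: str) -> tuple[str, Optional[str]]:
    """Separate the crypt(3) hash from the comma-introduced aging suffix, if any."""
    hashed, sep, aging = field.partition(",")
    return hashed, (aging if sep else None)


def decode_aging(suffix: str) -> dict:
    """Decode a four-character 'Mmww' aging suffix into week counts."""
    if len(suffix) != 4 or any(c not in A64 for c in suffix):
        raise ValueError(f"malformed aging suffix: {suffix!r}")
    return {
        "max_weeks": A64.index(suffix[0]),
        "min_weeks": A64.index(suffix[1]),
        "last_change_week": A64.index(suffix[2]) + 64 * A64.index(suffix[3]),
    }


def audit_passwd_entry(line: str) -> dict:
    """Report whether a passwd(4) line carries aging a directory may not understand."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("expected 7 colon-separated passwd fields")
    hashed, aging = split_hpux_password(fields[1])
    report = {"user": fields[0], "crypt_hash": hashed, "has_aging": aging is not None}
    if aging is not None:
        report.update(decode_aging(aging))
    return report


def length_rules_compatible(hpux: tuple[int, int], ldap: tuple[int, int]) -> bool:
    """True if at least one password length satisfies both inclusive (min, max) rules."""
    return max(hpux[0], ldap[0]) <= min(hpux[1], ldap[1])


# Constructed sample: a placeholder 13-character crypt hash followed by ',B.QL', i.e.
# max 13 weeks (the closest whole-week value to 90 days), min 0, last change in week 1500.
SAMPLE_LINE = "jsmith:ab1CDef2GhIj3,B.QL:1001:20:J. Smith:/home/jsmith:/usr/bin/sh"

if __name__ == "__main__":
    print(audit_passwd_entry(SAMPLE_LINE))
    # The paper's example: HP-UX "more than 6, less than 8" (only 7) versus
    # LDAP "more than 8, less than 16" (9..15) share no valid length.
    print(length_rules_compatible((7, 7), (9, 15)))
```

Entries flagged with `has_aging` are the ones whose userPassword value the directory may reject or mishandle, so they deserve attention before the directory takes over password changes.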