Red Hat Directory Server 8.0 Administrator's Guide

1.1.3. Configuring a Global Password Policy Using the Command-Line
To set up the password policy for a subtree or user, add the required entries and attributes at the subtree or user level, set the appropriate values for the password policy attributes, and enable fine-grained password policy checking.

This section describes the attributes used to create a password policy for the entire server (globally), using ldapmodify to change these attributes in the cn=config entry.

Table 7.1, “Password Policy Attributes” describes the attributes available to configure the password policy.
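As an added example (not taken from the Red Hat guide), the shell function below builds the LDIF that ldapmodify reads to replace the four global policy attributes listed in Table 7.1 under cn=config, after checking that each value is in the form the attribute expects (a non-negative integer for passwordGraceLimit, on or off for the others). The host, port and Directory Manager bind shown in apply_global_pwpolicy are assumptions; the ldapmodify flags match the Mozilla-style client shipped with Directory Server 8 (an OpenLDAP client additionally needs -x for a simple bind).

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: emit the LDIF that ldapmodify
# needs to set global password policy attributes in cn=config.
# Host, port and bind DN below are assumptions; adjust for your deployment.

# Validate an on/off attribute value; prints an error and returns 1 otherwise.
check_on_off() {
    case "$2" in
        on|off) return 0 ;;
        *) echo "error: $1 must be 'on' or 'off', got '$2'" >&2; return 1 ;;
    esac
}

# Validate a non-negative integer (passwordGraceLimit counts grace logins; 0 disables them).
check_uint() {
    case "$2" in
        ''|*[!0-9]*) echo "error: $1 must be a non-negative integer, got '$2'" >&2; return 1 ;;
        *) return 0 ;;
    esac
}

# Print LDIF replacing the four attributes from Table 7.1 in one modify operation.
# Usage: global_pwpolicy_ldif GRACE_LIMIT MUST_CHANGE USER_MAY_CHANGE EXPIRE
global_pwpolicy_ldif() {
    check_uint passwordGraceLimit "$1" || return 1
    check_on_off passwordMustChange "$2" || return 1
    check_on_off passwordChange "$3" || return 1
    check_on_off passwordExp "$4" || return 1
    # Each "replace:" block is separated by a line containing only "-".
    cat <<EOF
dn: cn=config
changetype: modify
replace: passwordGraceLimit
passwordGraceLimit: $1
-
replace: passwordMustChange
passwordMustChange: $2
-
replace: passwordChange
passwordChange: $3
-
replace: passwordExp
passwordExp: $4
EOF
}

# Apply the policy as Directory Manager. Not run at load time; call it explicitly:
#   DM_PASSWORD=... apply_global_pwpolicy 0 on on on
# (assumed host/port; DM_PASSWORD is read from the environment so it never lands in the command line history)
apply_global_pwpolicy() {
    global_pwpolicy_ldif "$@" | ldapmodify -h localhost -p 389 -D "cn=Directory Manager" -w "${DM_PASSWORD:?set DM_PASSWORD}"
}
```

Piping the generated LDIF into ldapmodify rather than pasting it by hand means a rejected value (a typo such as passwordMustChange: yes) is caught before anything is sent to the server, and the same function can be reused to push an identical global policy to every replica.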
Table 7.1. Password Policy Attributes

Attribute Name: passwordGraceLimit
Definition: This attribute indicates the number of grace logins permitted when a user's password has expired. When set to a positive number, the user is allowed to bind with the expired password that many times. For the global password policy, the attribute is defined under cn=config. By default, this attribute is set to 0, which means grace logins are not permitted.

Attribute Name: passwordMustChange
Definition: When on, this attribute requires users to change their passwords when they first log in to the directory or after the password is reset by the Directory Manager. The user is required to change their password even if user-defined passwords are disabled. If this attribute is set to off, passwords assigned by the Directory Manager should not follow any obvious convention and should be difficult to discover. This attribute is off by default.

Attribute Name: passwordChange
Definition: When on, this attribute indicates that users may change their own password. Allowing users to set their own passwords runs the risk of users choosing passwords that are easy to remember. However, setting good passwords for the user requires a significant administrative effort. In addition, providing passwords to users that are not meaningful to them runs the risk that users will write the password down somewhere that can be discovered. This attribute is on by default.

Attribute Name: passwordExp
Definition: When on, this attribute indicates that the