Red Hat Directory Server 8.0 Administrator's Guide

Some of the password policy information in the directory is replicated:
passwordMinAge and passwordMaxAge
passwordExp
passwordWarning
However, the configuration information is kept locally and is not replicated. This information
includes the password syntax and the history of password modifications. Account lockout
counters and tiers are not replicated, either.
When configuring a password policy in a replicated environment, consider the following points:

Warnings from the server of an impending password expiration will be issued by all replicas. This information is kept locally on each server, so if a user binds to several replicas in turn, they will be issued the same warning several times. In addition, if the user changes the password, it may take time for this information to filter to the replicas. If a user changes a password and then immediately rebinds, they may find that the bind fails until the replica registers the changes.

The same bind behavior should occur on all servers, including suppliers and replicas. Make sure to create the same password policy configuration information on each server.

Account lockout counters may not work as expected in a multi-mastered environment.

Entries that are created for replication (for example, the server identities) need to have passwords that never expire. To make sure that these special users have passwords that do not expire, add the passwordExpirationTime attribute to the entry, and give it a value of 20380119031407Z (the top of the valid range).
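As an added example (not from the guide or the Directory Server code), the following Python builds the LDIF change that pins passwordExpirationTime to 20380119031407Z, shows why that value is the top of the range (it is 2^31-1 seconds since the epoch, the largest 32-bit time_t), and audits a constructed set of entries for replication identities whose expiration is missing or already past. The replication manager DN and the sample entries are assumptions.

```python
import datetime as dt

# Hypothetical DN of a replication identity; adjust to the entry used by your agreements.
REPL_MANAGER_DN = "cn=replication manager,cn=config"
# Top of the valid passwordExpirationTime range, as given in the guide.
NEVER_EXPIRE = "20380119031407Z"


def parse_generalized_time(value: str) -> dt.datetime:
    """Parse an LDAP GeneralizedTime of the form YYYYMMDDHHMMSSZ (UTC only)."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    naive = dt.datetime.strptime(value[:-1], "%Y%m%d%H%M%S")
    return naive.replace(tzinfo=dt.timezone.utc)


def seconds_since_epoch(value: str) -> int:
    """Epoch seconds of a GeneralizedTime; NEVER_EXPIRE maps to 2**31 - 1."""
    return int(parse_generalized_time(value).timestamp())


def never_expire_ldif(dn: str) -> str:
    """LDIF modify record that sets passwordExpirationTime to the top of the range.
    Apply with, for example: ldapmodify -x -D "cn=Directory Manager" -W -f never-expire.ldif
    """
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: passwordExpirationTime",
        f"passwordExpirationTime: {NEVER_EXPIRE}",
        "",
    ])


def audit_expiration(entries: dict, now: str) -> list:
    """Return (dn, reason) for entries whose passwordExpirationTime is missing
    or not later than `now` (a GeneralizedTime string)."""
    now_dt = parse_generalized_time(now)
    findings = []
    for dn, attrs in entries.items():
        exp = attrs.get("passwordExpirationTime")
        if exp is None:
            findings.append((dn, "missing"))
        elif parse_generalized_time(exp) <= now_dt:
            findings.append((dn, "expired"))
    return findings


# Constructed sample entries: one identity without the attribute, one expired, one pinned.
SAMPLE_ENTRIES = {
    REPL_MANAGER_DN: {},
    "uid=alice,ou=People,dc=example,dc=com": {"passwordExpirationTime": "20230601120000Z"},
    "uid=bob,ou=People,dc=example,dc=com": {"passwordExpirationTime": NEVER_EXPIRE},
}
```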
1.6. Synchronizing Passwords
Password changes in a Directory Server entry can be synchronized to password attributes in
Active Directory entries by using the Password Sync utility.
When passwords are synchronized, password policies are enforced on each sync peer locally.
The syntax or minimum length requirements on the Directory Server apply when the password
is changed in the Directory Server. When the changed password is synched over to the
Windows server, the Windows password policy is enforced. The password policies themselves
are not synchronized.
Configuration information is kept locally and cannot be synchronized, including the password
change history and the account lockout counters.
When configuring a password policy for synchronization, consider the following points:
Chapter 7. Managing User Accounts and Passwords