Red Hat Directory Server 8.0 Configuration, Command, and File Reference

time an invalid password is sent from the user's account, the password failure counter is
incremented. If the passwordLockout attribute is set to on, users are locked out of the directory
when the counter reaches the number of failures specified by the passwordMaxFailure
attribute (within 600 seconds by default). After the amount of time specified by the
passwordLockoutDuration attribute, the failure counter is reset to zero (0).
For more information on password policies, see the "Managing Users and Passwords" chapter
in the Directory Server Administrator's Guide.
Parameter       Description
Entry DN        cn=config
Valid Range     1 to the maximum 32-bit integer value (2147483647) in seconds
Default Value   600
Syntax          Integer
Example         passwordResetFailureCount: 600
3.1.123. passwordStorageScheme (Password Storage Scheme)
This attribute sets the type of encryption used to store Directory Server passwords. The following encryption types are supported by the Directory Server:

CLEAR means the password is stored in cleartext, with no hashing or encryption. This scheme must be used in order to use SASL DIGEST-MD5.

SSHA (Salted Secure Hash Algorithm), the default, is the recommended method because it is the most secure. There are several bit sizes available: 140 bits (the default), 256, 384, and 512.

SHA (Secure Hash Algorithm) is included only for backward compatibility with 4.x Directory Servers; do not use this algorithm.

MD5 (Message Digest algorithm 5) is a commonly used standard hashing algorithm.

CRYPT, the UNIX crypt algorithm, is provided for compatibility with UNIX passwords.
NOTE
Passwords cannot be encrypted using the NS-MTA-MD5 password storage scheme. The storage scheme is still present but only for reasons of backward compatibility.
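The schemes listed above differ in how a stored userPassword value is laid out and in which ones an administrator should still expect to find in an export. The Python below is an added example, not code from this reference or from Directory Server itself: it encodes and verifies SSHA-family values (assuming the usual {SCHEME} prefix and base64(digest || salt) layout, with {SSHA256}-style prefixes for the larger sizes) and scans a constructed LDIF export for entries still stored with CLEAR, SHA, MD5, CRYPT or NS-MTA-MD5.

```python
import base64, hashlib, hmac, os

WEAK_SCHEMES = {"CLEAR", "SHA", "MD5", "CRYPT", "NS-MTA-MD5"}  # named in the text; flagged in an audit
# The SSHA bit sizes the text lists, mapped to hashlib names (the prefix spellings are assumed).
SSHA_DIGESTS = {"SSHA": "sha1", "SSHA256": "sha256", "SSHA384": "sha384", "SSHA512": "sha512"}

def parse_scheme(stored):
    """Split '{SCHEME}payload' into (scheme, payload); a value with no prefix is cleartext."""
    if stored.startswith("{") and "}" in stored:
        return stored[1:stored.index("}")].upper(), stored[stored.index("}") + 1:]
    return "CLEAR", stored

def make_ssha(password, scheme="SSHA", salt=None):
    """Encode as {SSHA*}base64(digest(password || salt) || salt); 8-byte random salt by default."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.new(SSHA_DIGESTS[scheme], password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())

def verify_ssha(password, stored):
    """Constant-time check against a stored SSHA-family value (digest bytes first, then the salt)."""
    scheme, payload = parse_scheme(stored)
    if scheme not in SSHA_DIGESTS:
        raise ValueError("not an SSHA-family value: " + scheme)
    name = SSHA_DIGESTS[scheme]
    raw, size = base64.b64decode(payload), hashlib.new(name).digest_size
    return hmac.compare_digest(hashlib.new(name, password.encode() + raw[size:]).digest(), raw[:size])

def audit_ldif(ldif_text):
    """Return {dn: scheme} for every entry whose userPassword uses a weak scheme."""
    findings, dn = {}, None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userPassword:"):
            value = line.split(":", 1)[1]
            if value.startswith(":"):           # '::' marks an LDIF base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode()
            scheme, _ = parse_scheme(value.strip())
            if scheme in WEAK_SCHEMES:
                findings[dn] = scheme
    return findings

SAMPLE_LDIF = "\n".join([  # constructed export, not from a real server: SSHA, CLEAR and legacy SHA entries
    "dn: uid=alice,ou=People,dc=example,dc=com",
    "userPassword: " + make_ssha("correct horse", salt=bytes(range(8))),
    "dn: uid=bob,ou=People,dc=example,dc=com",
    "userPassword:: " + base64.b64encode(b"{CLEAR}hunter2").decode(),
    "dn: uid=carol,ou=People,dc=example,dc=com",
    "userPassword: {SHA}" + base64.b64encode(hashlib.sha1(b"password").digest()).decode(),
])
```

Running audit_ldif over SAMPLE_LDIF reports bob (CLEAR) and carol (SHA) and leaves alice's SSHA entry alone; the same scan over a real db2ldif export shows which accounts must change their password before a scheme switch takes effect, since existing hashes are not re-encoded.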