Configuring the Password Policy
Attribute Name
    Definition

    Manager should not follow any obvious convention and should be difficult to discover. This attribute is off by default.

passwordChange
    When on, this attribute indicates that users may change their own password. Allowing users to set their own passwords runs the risk of users choosing passwords that are easy to remember. However, setting good passwords for the user requires a significant administrative effort. In addition, providing passwords to users that are not meaningful to them runs the risk that users will write the password down somewhere that can be discovered. This attribute is on by default.

passwordExp
    When on, this attribute indicates that the user's password will expire after an interval given by the passwordMaxAge attribute. Making passwords expire helps protect the directory data because the longer a password is in use, the more likely it is to be discovered. This attribute is off by default.

passwordMaxAge
    This attribute indicates the number of seconds after which user passwords expire. To use this attribute, enable password expiration using the passwordExp attribute. This attribute is a dynamic parameter in that its maximum value is derived by subtracting January 18, 2038, from today's date. The attribute value must not be set to the maximum value or too close to the maximum value. If the value is set to the maximum value, Directory Server may fail to start because the number of seconds will go past the epoch date. In such an event, the error log will indicate that the password maximum age is invalid. To resolve this problem, correct the passwordMaxAge attribute value in the dse.ldif file. A common policy is to have passwords expire every 30 to 90 days. By default, the password maximum age is set to 8640000 seconds (100 days).

passwordWarning
    This attribute indicates the number of seconds before a warning message is sent to users whose password is about to expire. Depending on the LDAP client application, users may be prompted to change their password when the warning is sent. By default, the directory sends the warning 86400 seconds (1 day) before the password is about to expire. However, a password never expires until the warning message has been sent. Therefore, if users don't
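
A check for the expiration attributes described above, as an added example that is not part of the original manual: it reads passwordExp, passwordMaxAge and passwordWarning from dse.ldif-style text and reports the problems the table warns about. The function names, the sample entry, the 365-day safety margin and the modelling of the 2038 limit as 2**31 - 1 seconds are assumptions.

```python
from datetime import datetime, timezone

EPOCH_LIMIT = 2**31 - 1  # assumption: signed 32-bit time_t ceiling, reached in January 2038
DAY = 86400

# Constructed sample of the password policy attributes as they could appear in dse.ldif.
SAMPLE_LDIF = """\
dn: cn=config
passwordChange: on
passwordExp: on
passwordMaxAge: 8640000
passwordWarning: 86400
"""

def parse_policy(ldif_text):
    """Collect password* attributes from simple 'name: value' LDIF lines."""
    policy = {}
    for line in ldif_text.splitlines():
        name, sep, value = line.partition(":")
        key = name.strip().lower()  # LDAP attribute names are case-insensitive
        if sep and key.startswith("password"):
            policy[key] = value.strip()
    return policy

def check_policy(policy, now=None, margin_days=365):
    """Return findings for the expiration attributes; margin_days is a hypothetical buffer."""
    now = int(now if now is not None else datetime.now(timezone.utc).timestamp())
    findings = []
    exp_on = policy.get("passwordexp", "off").lower() == "on"
    max_age = int(policy.get("passwordmaxage", 8640000))  # page default: 100 days
    warning = int(policy.get("passwordwarning", 86400))   # page default: 1 day
    ceiling = EPOCH_LIMIT - now  # largest age that still ends before the limit
    if max_age >= ceiling:
        findings.append("passwordMaxAge exceeds the 2038 limit")
    elif max_age > ceiling - margin_days * DAY:
        findings.append("passwordMaxAge is too close to the 2038 limit")
    if not exp_on:
        findings.append("passwordExp is off, so passwordMaxAge is not enforced")
    if warning >= max_age:
        findings.append("passwordWarning is not shorter than passwordMaxAge")
    if exp_on and not 30 * DAY <= max_age <= 90 * DAY:
        findings.append("passwordMaxAge is outside the common 30 to 90 day range")
    return findings

if __name__ == "__main__":
    for finding in check_policy(parse_policy(SAMPLE_LDIF)):
        print(finding)
```

Run it against a copy of the password policy attributes before restarting the server; the default 100-day maximum age is itself reported as outside the 30 to 90 day range the table calls common.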