HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

Essentially, the password policy comprises the following information:
The type or level of password policy checks: whether the server should check for and enforce a global password policy or local (subtree/user level) password policies.
Password add and modify information: password syntax and password history details.
Bind information: the number of grace logins permitted, password aging attributes, and tracking of bind failures.
The sections that follow describe the procedures for configuring the password policy:
“Configuring a global password policy using the console” (page 291)
“Configuring a subtree/user password policy using the console” (page 292)
“Configuring a global password policy using the command line” (page 293)
“Configuring subtree/user password policy using the command line” (page 295)
NOTE:
After configuring the password policy, HP recommends configuring an account lockout policy. For
details, see “Configuring the account lockout policy” (page 298).
7.1.1.1 Configuring a global password policy using the console
To set up or modify the password policy for an entire directory:
1. In the Directory Server Console, select the Configuration tab, then the Data node.
2. In the right pane, select the Passwords tab.
This tab contains the password policy for the entire Directory Server.
3. Check the Enable fine-grained password policy checkbox. Enabling the password policy
makes the other sections on the screen active.
4. To require users to change their password the first time they log on, select the User must change
password after reset checkbox. If this checkbox is selected, only the Directory Manager is
authorized to reset the user's password. A regular administrative user cannot force the users
to update their password.
5. To allow users to change their own passwords, select the User may change password checkbox.
6. To prevent users from changing their password for a specific duration, enter the number of
days in the Allow changes in X day(s) text box.
7. For the server to maintain a history list of passwords used by each user, select the Keep
password history checkbox. Enter the number of passwords for the server to keep for each
user in the Remember X passwords text box.
8. If user passwords should not expire, select the Password never expires radio button.
9. To require users to change their passwords periodically, select the Password expires after X
days radio button, then enter the number of days that a user password is valid.
The maximum value for the password age is the difference between today's date and January 18, 2038. Do not set the value to this maximum or close to it: doing so can cause the Directory Server to fail to start, because the computed expiration time in seconds would fall past the end of the epoch. In that event, the errors log reports that the password maximum age is invalid. To recover, correct the passwordMaxAge attribute value in the dse.ldif file.
A common policy is to have passwords expire every 30 to 90 days. By default, the password maximum age is set to 8640000 seconds (100 days).
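As an added example (not from the guide or the product), the following Python check reads passwordMaxAge from a dse.ldif fragment and compares it against the January 18, 2038 ceiling described in step 9, flagging values at or too close to that limit before the server is restarted. The LDIF fragment, the 30-day safety margin and the helper names are constructed for illustration.

```python
import datetime as dt
import re

# Upper bound for password age computations, as stated in the guide.
PASSWORD_AGE_CEILING = dt.datetime(2038, 1, 18)
SECONDS_PER_DAY = 86400

# Constructed dse.ldif fragment (not taken from a real server) carrying the
# global password policy attributes that step 9 refers to.
SAMPLE_DSE_LDIF = """\
dn: cn=config
cn: config
passwordExp: on
passwordMaxAge: 8640000
passwordHistory: on
passwordInHistory: 6
"""

def parse_ldif_attr(ldif_text, attr):
    """Return the first value of `attr` in an LDIF fragment (attribute names are case-insensitive)."""
    pattern = re.compile(r"^" + re.escape(attr) + r":\s*(\S+)\s*$", re.IGNORECASE | re.MULTILINE)
    match = pattern.search(ldif_text)
    return match.group(1) if match else None

def max_password_age_seconds(today_iso):
    """Largest passwordMaxAge the guide allows: whole seconds from `today_iso` (YYYY-MM-DD) to 18 Jan 2038."""
    today = dt.datetime.strptime(today_iso, "%Y-%m-%d")
    return int((PASSWORD_AGE_CEILING - today).total_seconds())

def check_password_max_age(max_age_seconds, today_iso, safety_margin_days=30):
    """Classify a passwordMaxAge value as 'ok', 'too-close' (within the margin) or 'exceeds-limit'."""
    ceiling = max_password_age_seconds(today_iso)
    margin = safety_margin_days * SECONDS_PER_DAY
    if max_age_seconds >= ceiling:
        return "exceeds-limit"
    if max_age_seconds > ceiling - margin:
        return "too-close"
    return "ok"

def audit_dse_ldif(ldif_text, today_iso):
    """Extract passwordMaxAge from the fragment and report its value in days plus its status."""
    value = parse_ldif_attr(ldif_text, "passwordMaxAge")
    if value is None:
        return {"passwordMaxAge": None, "status": "missing"}
    seconds = int(value)
    return {"passwordMaxAge": seconds, "days": seconds // SECONDS_PER_DAY,
            "status": check_password_max_age(seconds, today_iso)}

if __name__ == "__main__":
    # Constructed reference date: the guide's publication month.
    print(audit_dse_ldif(SAMPLE_DSE_LDIF, "2013-05-01"))
```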
7.1 Managing the password policy 291