HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

7.1.1.3 Configuring a global password policy using the command line
To set up the password policy for a subtree or user, add the required entries and attributes at the
subtree or user level, set the appropriate values to the password policy attributes, and enable
fine-grained password policy checking.
This section describes the attributes used to create a password policy for the entire server (globally),
changing them in the cn=config entry with ldapmodify.
Table 32 (page 293) describes the attributes available to configure the password policy.
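As an added example that is not part of the guide, the following Python script assembles the ldapmodify input for a global policy on cn=config and checks the values against the limits Table 32 documents before anything is written: the on/off attributes, the 0 to 2147472000 second range of passwordMinAge, the non-negative passwordGraceLimit, and the passwordMaxAge ceiling derived from January 18, 2038. The 30-day safety margin, the helper names and the sample policy values are assumptions made for this illustration.

```python
# Added example (not from the HP-UX Directory Server guide): render a global password
# policy as an LDIF modify operation on cn=config and sanity-check it first.
from datetime import datetime, timezone

# The guide: the maximum passwordMaxAge is the number of seconds between today and
# January 18, 2038, and a value at or near it can stop the server from starting.
# The 30-day margin below is an assumption, not a documented limit.
EPOCH_LIMIT = datetime(2038, 1, 18, tzinfo=timezone.utc)
SAFETY_MARGIN = 30 * 86400
MIN_AGE_CEILING = 2147472000        # documented maximum for passwordMinAge (24,855 days)
DEFAULT_MAX_AGE = 8640000           # documented default for passwordMaxAge (100 days)
ON_OFF_ATTRS = ("passwordExp", "passwordMustChange", "passwordChange", "passwordHistory")


def max_age_ceiling(now=None):
    """Largest passwordMaxAge the server accepts today: seconds until 2038-01-18."""
    now = now or datetime.now(timezone.utc)
    return int((EPOCH_LIMIT - now).total_seconds())


def check_policy(policy, now=None):
    """Return a list of problems found in the policy dict; an empty list means it is safe."""
    problems = []
    for attr in ON_OFF_ATTRS:
        if attr in policy and policy[attr] not in ("on", "off"):
            problems.append(f"{attr} must be 'on' or 'off', got {policy[attr]!r}")
    max_age = int(policy.get("passwordMaxAge", DEFAULT_MAX_AGE))
    ceiling = max_age_ceiling(now)
    if max_age > ceiling - SAFETY_MARGIN:
        problems.append(f"passwordMaxAge {max_age} is within {SAFETY_MARGIN}s of the "
                        f"2038 ceiling ({ceiling}); the server may refuse to start")
    min_age = int(policy.get("passwordMinAge", 0))
    if not 0 <= min_age <= MIN_AGE_CEILING:
        problems.append(f"passwordMinAge {min_age} is outside 0..{MIN_AGE_CEILING}")
    if int(policy.get("passwordGraceLimit", 0)) < 0:
        problems.append("passwordGraceLimit cannot be negative")
    return problems


def to_ldif(policy):
    """Render the policy as one modify operation on cn=config, one replace per attribute."""
    lines = ["dn: cn=config", "changetype: modify"]
    for i, (attr, value) in enumerate(policy.items()):
        if i:
            lines.append("-")           # LDIF separator between modifications
        lines.append(f"replace: {attr}")
        lines.append(f"{attr}: {value}")
    return "\n".join(lines) + "\n"


# Constructed sample policy: 60-day expiry, 1-day minimum age, warn 7 days ahead.
SAMPLE_POLICY = {
    "passwordExp": "on",
    "passwordMaxAge": "5184000",
    "passwordMinAge": "86400",
    "passwordWarning": "604800",
    "passwordHistory": "on",
    "passwordMustChange": "on",
    "passwordGraceLimit": "0",
}

if __name__ == "__main__":
    issues = check_policy(SAMPLE_POLICY)
    if issues:
        raise SystemExit("\n".join(issues))
    # Feed this output to ldapmodify, binding as the Directory Manager.
    print(to_ldif(SAMPLE_POLICY), end="")
```

Running the script prints the LDIF only when every check passes, so a value that would leave the server unable to start (or a misspelled on/off value) is caught before ldapmodify touches cn=config.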
Table 32 Password policy attributes

Attribute name / Definition

passwordGraceLimit
    This attribute indicates the number of grace logins permitted when a user's password is
    expired. When set to a positive number, the user will be allowed to bind with the expired
    password that many times. For the global password policy, the attribute is defined under
    cn=config. By default, this attribute is set to 0, which means grace logins are not permitted.

passwordMustChange
    When on, this attribute requires users to change their passwords when they first log in to the
    directory or after the password is reset by the Directory Manager. The user is required to
    change their password even if user-defined passwords are disabled. If this attribute is set to
    off, passwords assigned by the Directory Manager should not follow any obvious convention
    and should be difficult to discover. This attribute is off by default.

passwordChange
    When on, this attribute indicates that users may change their own password. Allowing users
    to set their own passwords runs the risk of users choosing passwords that are easy to
    remember. However, setting good passwords for the user requires a significant administrative
    effort. In addition, providing passwords to users that are not meaningful to them runs the
    risk that users will write the password down somewhere that can be discovered. This attribute
    is on by default.

passwordExp
    When on, this attribute indicates that the user's password will expire after an interval given
    by the passwordMaxAge attribute. Making passwords expire helps protect the directory
    data because the longer a password is in use, the more likely it is to be discovered. This
    attribute is off by default.

passwordMaxAge
    This attribute indicates the number of seconds after which user passwords expire. To use
    this attribute, enable password expiration using the passwordExp attribute. This attribute
    is a dynamic parameter in that its maximum value is derived by subtracting January 18,
    2038, from today's date. The attribute value must not be set to the maximum value or too
    close to the maximum value. If the value is set to the maximum value, Directory Server may
    fail to start because the number of seconds will go past the epoch date. In such an event,
    the errors log will indicate that the password maximum age is invalid. To resolve this problem,
    correct the passwordMaxAge attribute value in the dse.ldif file. A common policy is to
    have passwords expire every 30 to 90 days. By default, the password maximum age is set
    to 8640000 seconds (100 days).

passwordWarning
    This attribute indicates the number of seconds before a warning message is sent to users
    whose password is about to expire. Depending on the LDAP client application, users may
    be prompted to change their password when the warning is sent. HP-UX Directory Express
    provides this functionality. By default, the directory sends the warning 86400 seconds (1
    day) before the password is about to expire. However, a password never expires until the
    warning message has been sent. Therefore, if users do not bind to the Directory Server for
    longer than the passwordMaxAge, they will still get the warning message in time to change
    their password.

passwordMinAge
    This attribute indicates the number of seconds that must pass before a user can change their
    password. Use this attribute in conjunction with the passwordInHistory attribute to
    discourage users from reusing old passwords. For example, setting the minimum password
    age to 2 days prevents users from repeatedly changing their passwords during a single
    session to cycle through the password history and reuse an old password after it has been
    removed from the history list. The minimum age can be from 0 to 2147472000 seconds
    (24,855 days). A value of zero indicates that the user can change the password immediately.
    The default value of this attribute is 0.

passwordHistory
    This attribute indicates whether the directory stores a password history. When set to on, the
    directory stores the number of passwords specified in the passwordInHistory attribute
7.1 Managing the password policy 293