HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

7.6.1 Configuring the account inactivity policy
The account policy plug-in and its policies must be configured using the command line. Configuring
the plug-in for the first time requires the following steps:
1. Using the ldapmodify command-line utility, enable the plug-in by setting the
nsslapd-pluginEnabled attribute to on. The plug-in performs inactivity enforcement and
last login time tracking only when it is enabled.
dn: cn=Account Policy Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
2. Restart the Directory Server instance.
/opt/dirsrv/slapd-instance_name/restart-slapd
3. Optionally, customize the plug-in configuration. For more information about the customizations
available, refer to the configuration, command, and file reference. In most cases, the default
plug-in configuration suffices.
4. Create an account policy entry that specifies an inactivity limit. This entry can reside anywhere
in the DIT. The following sample policy entry configures a 30-day inactivity limit.
dn: cn=Account Policy,ou=people,dc=example,dc=com
objectClass: top
objectClass: ldapsubentry
objectClass: accountpolicy
cn: Account Policy
accountInactivityLimit: 2592000
NOTE:
The inactivity limit value is in seconds. So, a 30-day limit is specified as 2592000 seconds
(30 days * 24 hours * 60 minutes * 60 seconds).
5. Insert the specifier attribute acctPolicySubentry into entries that should be covered by
the policy. The value of the attribute should be the DN of the account policy entry created in
the preceding step. Specify this attribute as a real attribute, inserted into each entry using a
modify operation or as part of the initial addition of the entry, or as a virtual attribute, supplied
by the Class of Service plug-in. (For more information about advanced Class of Service
configurations, see “Assigning class of service” (page 187).) The following is an example of
how an account policy can be applied to all users in the ou=people,dc=example,dc=com
subtree.
dn: cn=AP CoS Tmpl,ou=people,dc=example,dc=com
objectClass: top
objectClass: costemplate
cn: AP CoS Tmpl
cosPriority: 0
acctPolicySubentry: cn=Account Policy,ou=people,dc=example,dc=com

dn: cn=AP CoS Def,ou=people,dc=example,dc=com
objectClass: top
objectClass: ldapsubentry
objectClass: cossuperdefinition
objectClass: cosPointerDefinition
cn: AP CoS Def
cosAttribute: acctpolicysubentry operational
costemplatedn: cn=AP CoS Tmpl,ou=people,dc=example,dc=com
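
The following Python check is an added example, not part of the HP guide. It parses an LDIF file holding the policy and CoS entries from steps 4 and 5 and reports any acctPolicySubentry or costemplatedn value that does not name an entry in the same file, as well as an inactivity limit under one day (a heuristic for days entered where seconds are required). The function names, the simplified DN comparison and the sample LDIF are assumptions constructed for illustration.

```python
import re

# Constructed sample: steps 4 and 5 with a mistyped policy DN in the CoS template.
SAMPLE_LDIF = """\
dn: cn=Account Policy,ou=people,dc=example,dc=com
objectClass: accountpolicy
accountInactivityLimit: 2592000

dn: cn=AP CoS Tmpl,ou=people,dc=example,dc=com
objectClass: costemplate
acctPolicySubentry: cn=Account Policy,ou=people,example,dc=com

dn: cn=AP CoS Def,ou=people,dc=example,dc=com
costemplatedn: cn=AP CoS Tmpl,ou=people,dc=example,dc=com
"""

def norm_dn(dn):
    """Simplified DN comparison: case-fold, trim around commas (no escapes)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Return {normalized dn: {attr: [values]}}; no line folding or base64."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                name, value = line.split(":", 1)
                attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            entries[norm_dn(attrs["dn"][0])] = attrs
    return entries

def audit(text):
    """Return findings; empty means all references resolve and limits look sane."""
    entries, findings = parse_ldif(text), []
    for dn, attrs in entries.items():
        for limit in attrs.get("accountinactivitylimit", []):
            # Heuristic: a value under one day suggests days typed as seconds.
            if not limit.isdigit() or int(limit) < 86400:
                findings.append(f"{dn}: suspicious accountInactivityLimit {limit!r}")
        for attr, want in (("acctpolicysubentry", "accountpolicy"),
                           ("costemplatedn", "costemplate")):
            for ref in attrs.get(attr, []):
                target = entries.get(norm_dn(ref))
                if target is None:
                    findings.append(f"{dn}: {attr} names no entry in this LDIF: {ref}")
                elif want not in [c.lower() for c in target.get("objectclass", [])]:
                    findings.append(f"{dn}: {attr} target lacks objectClass {want}")
    return findings
```

Run audit() on the LDIF before loading it; the check assumes the policy, template and definition entries are all in the same file.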