OSF DCE Administration Guide--Core Components

35.1.1 Standard Policy
Standard policy regulates such things as account and password lifetimes and password
format. It can be set for the registry and for specific organizations. The standard
policies you can set are described in the following subsections.
Note: In addition to defining the password policies described in this section, you
can exert additional control in such areas as password formats, password
generation, invalid login handling, and expired password handling by
attaching extended registry attributes (ERAs) to principals. See Chapter 30 for more information.
35.1.1.1 Account Lifespan
The account lifespan that you set determines the period during which the accounts for a
specific organization or the registry as a whole are valid. After the period of time passes,
the accounts become invalid and must be recreated.
You define the account lifespan as the dcecp acctlife attribute in the following form:
acctlife {time | unlimited}
where time is a number that indicates the number of days the account is valid, and
unlimited specifies an unlimited lifespan.
An account’s lifespan is also controlled by the account expiration date (expdate
attribute) that you set when you use the dcecp account create or account modify
command to create or change an account. If you set an account expiration date that is in
conflict with the account lifespan policy, the stricter setting applies. For example, if you
set the standard policy account lifespan to 40 days, and then you set an account
expiration date to the next day, the account expires on the next day because that is the
stricter setting.
Note: You can control the validity of accounts at a more immediate level by
using the dcecp account modify command to mark the accounts as invalid
(acctvalid attribute).
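The following added example (not part of the guide and not DCE code) works through the rule above for auditing purposes: the effective end of an account's validity is the earlier of the acctlife policy limit and the account's expdate, and an account marked invalid through acctvalid is invalid regardless. It assumes the lifespan is counted from the account's creation date and that an account is no longer valid on its expiration date; the record layout and function names are hypothetical.

```python
from datetime import date, timedelta

UNLIMITED = "unlimited"  # keyword accepted by the acctlife attribute

def effective_expiry(created, acctlife, expdate=None):
    """Date on which the account stops being valid, or None for never.

    created  -- account creation date (assumed start of the lifespan)
    acctlife -- policy value: number of days, or "unlimited"
    expdate  -- per-account expiration date, or None if not set
    """
    limits = []
    if acctlife != UNLIMITED:
        days = int(acctlife)
        if days < 0:
            raise ValueError("acctlife must be a non-negative number of days")
        limits.append(created + timedelta(days=days))
    if expdate is not None:
        limits.append(expdate)
    # When policy and expdate disagree, the stricter (earlier) one applies.
    return min(limits) if limits else None

def account_status(acct, acctlife, today):
    """Classify one account record as of `today`."""
    if not acct.get("acctvalid", True):
        return "invalid"  # administrator marked the account invalid
    expiry = effective_expiry(acct["created"], acctlife, acct.get("expdate"))
    if expiry is not None and today >= expiry:
        return "expired"
    return "valid"

def audit(accounts, acctlife, today):
    """Map each account name to its status under the given policy."""
    return {a["name"]: account_status(a, acctlife, today) for a in accounts}

# Constructed sample records (not real registry output).
ACCOUNTS = [
    {"name": "alice", "created": date(2024, 1, 1)},
    {"name": "bob", "created": date(2024, 1, 1), "expdate": date(2024, 1, 2)},
    {"name": "carol", "created": date(2023, 11, 1)},
    {"name": "dave", "created": date(2024, 1, 10), "acctvalid": False},
]

if __name__ == "__main__":
    for name, status in audit(ACCOUNTS, 40, date(2024, 1, 15)).items():
        print(f"{name:6} {status}")
```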
35.1.1.2 Password Lifespan
The password lifespan specifies the period of time before account passwords for a
specific organization or the registry as a whole expire.
Generally, DCE security disables login for users whose passwords have expired. It is
possible, however, to override this policy for a user such as cell_admin, in order to
prevent the cell administrator from being locked out of the system by an expired
password. You do this by attaching an instance of the passwd_override ERA to the
principal. See Chapter 30 for information on how to do this.
35 2 Tandem Computers Incorporated 124243