HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)
Table 32 Password policy attributes (continued)

Attribute name: passwordMin8bit
Definition: This attribute sets the minimum number of 8-bit characters used in the password. The default number is 0, meaning none are required.

Attribute name: passwordStorageScheme
Definition: This attribute specifies the type of encryption used to store Directory Server passwords. HP-UX Directory Server supports the following encryption types:
• SSHA (Salted Secure Hash Algorithm)
  This method is recommended as it is the most secure. The Directory Server supports SSHA, SSHA-256, SSHA-384, and SSHA-512. SSHA is the default method.
• SHA (Secure Hash Algorithm)
  A one-way hash algorithm; it is supported only for backwards compatibility with Directory Server 4.x and should not be used otherwise. This includes support for the SHA, SHA-256, SHA-384, and SHA-512 algorithms, which protects against some weaknesses in the SHA-1 algorithm.
• MD5
  MD5 is not as secure as SSHA but is available for legacy applications that might require it.
• crypt
  The UNIX crypt algorithm, provided for compatibility with UNIX passwords.
• clear
  This storage scheme stores the password in plain text.
The only password storage scheme that can be used with SASL DIGEST-MD5 is CLEAR. Passwords stored using the crypt, SHA, or SSHA formats cannot be used for secure login through SASL DIGEST-MD5.
To provide a customized storage scheme, consult HP professional services.
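The following added example (not code from the HP-UX Directory Server guide or product) shows what the passwordStorageScheme choice means in practice: it builds and verifies a salted SHA value, and audits an LDIF export for entries still stored with a non-salted scheme (SHA, MD5, crypt, or clear). It assumes the Netscape-style value format "{SCHEME}base64(digest || salt)" with the salt appended after the digest, that the salted tags are SSHA, SSHA256, SSHA384 and SSHA512 (hyphenated spellings are normalised), and that an unprefixed userPassword is cleartext; the LDIF sample and all hash values are constructed for the example.

```python
"""Audit and verify LDAP userPassword storage schemes (added example, not HP's code).

Assumptions (not stated on the page): stored values have the Netscape/389-style
form "{SCHEME}base64(digest || salt)", the salted schemes are SSHA (SHA-1),
SSHA256, SSHA384 and SSHA512, and an unprefixed value is cleartext.
"""
import base64
import hashlib
import hmac
import os
import re

# Salted schemes the guide recommends, mapped to the hashlib digest they use.
SALTED_SCHEMES = {"SSHA": "sha1", "SSHA256": "sha256",
                  "SSHA384": "sha384", "SSHA512": "sha512"}
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)


def normalise_scheme(name):
    """Map tag spellings such as 'ssha-256' and 'SSHA256' to one key."""
    return name.upper().replace("-", "")


def make_salted_hash(password, scheme="SSHA", salt=None):
    """Build a {SSHA*} value: base64(H(password || salt) || salt), 8-byte random salt by default."""
    scheme = normalise_scheme(scheme)
    algo = SALTED_SCHEMES[scheme]
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def verify_salted_hash(password, stored):
    """Check a candidate password against a stored {SSHA*} value (constant-time compare)."""
    m = SCHEME_RE.match(stored)
    if not m:
        raise ValueError("value carries no {SCHEME} prefix")
    scheme = normalise_scheme(m.group(1))
    if scheme not in SALTED_SCHEMES:
        raise ValueError("not a salted scheme: " + scheme)
    algo = SALTED_SCHEMES[scheme]
    raw = base64.b64decode(m.group(2))
    dlen = hashlib.new(algo).digest_size
    digest, salt = raw[:dlen], raw[dlen:]          # digest first, salt appended
    candidate = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def storage_scheme(value):
    """Return the scheme tag of a userPassword value; no prefix means cleartext."""
    m = SCHEME_RE.match(value)
    return normalise_scheme(m.group(1)) if m else "CLEAR"


def audit_ldif(ldif_text):
    """Return (dn, scheme) for every entry whose userPassword is not a salted SHA scheme.

    Minimal LDIF reader: entries are blank-line separated, 'attr:: value' is
    base64-encoded, and line folding is not handled.
    """
    findings = []
    for block in re.split(r"\n\s*\n", ldif_text.strip()):
        dn, pw = None, None
        for line in block.splitlines():
            low = line.lower()
            if low.startswith("dn: "):
                dn = line[4:].strip()
            elif low.startswith("userpassword:: "):
                pw = base64.b64decode(line[15:].strip()).decode("utf-8")
            elif low.startswith("userpassword: "):
                pw = line[14:].strip()
        if dn is None or pw is None:
            continue
        scheme = storage_scheme(pw)
        if scheme not in SALTED_SCHEMES:
            findings.append((dn, scheme))
    return findings


# Constructed sample export: the DNs and hash values are illustrative only.
SAMPLE_LDIF = """dn: uid=alice,ou=people,dc=example,dc=com
userPassword: %s

dn: uid=bob,ou=people,dc=example,dc=com
userPassword: {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==

dn: uid=carol,ou=people,dc=example,dc=com
userPassword: {crypt}abJnggxhB/yWI

dn: uid=dave,ou=people,dc=example,dc=com
userPassword:: %s

dn: uid=erin,ou=people,dc=example,dc=com
userPassword: secret
""" % (
    make_salted_hash("correct horse", "SSHA256", salt=b"fixed8by"),
    base64.b64encode(b"{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=").decode("ascii"),
)

if __name__ == "__main__":
    for dn, scheme in audit_ldif(SAMPLE_LDIF):
        print("%-45s stored with %s, re-hash under SSHA" % (dn, scheme))
```

Run against a real export the same way; entries reported by audit_ldif keep their weak hash until the user next changes the password (the server re-hashes on write, not on read), so the finding list is the backlog of accounts to force through a password change once passwordStorageScheme is set to an SSHA variant.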
7.1.1.4 Configuring subtree/user password policy using the command line
To configure a subtree or user level password policy:
1. Add the required attributes to the subtree or user entries by running the ns-newpwpolicy.pl
script.
The command syntax for the script is as follows:
    ns-newpwpolicy.pl [-D rootDN] { -w password | -w - | -j filename } [-p port] [-h host] -U userDN -S suffixDN
For updating a subtree entry, use the -S option. For updating a user entry, use the -U option.
The ns-newpwpolicy.pl script accepts only one user or subtree entry at a time. It can,
however, accept both user and suffix entries at the same time. For details about the script, see
the HP-UX Directory Server configuration, command, and file reference.
2. The script adds the required attributes depending on whether the target entry is a subtree or
user entry.
For a subtree (for example, ou=people, dc=example, dc=com), the following entries
are added:
• A container entry (nsPwPolicyContainer) at the subtree level for holding the various
password policy-related entries for the subtree and all its children. For example:
dn: cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: nsPwPolicyContainer
• The actual password policy specification entry (nsPwPolicyEntry) for holding all the
password policy attributes that are specific to the subtree. For example:
7.1 Managing the password policy 295