HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

NOTE:
The nsslapd-pwpolicy-local attribute of the cn=config entry controls the type of
password policy the server enforces. By default, this attribute is disabled (off). When the
attribute is disabled, the server only checks for and enforces the global password policy; the
subtree and user level password policies are ignored. When the ns-newpwpolicy.pl script
runs, it first checks for the specified subtree and user entries and, if they exist, modifies them.
After updating the entries successfully, the script sets the nsslapd-pwpolicy-local
configuration parameter to on. If the subtree and user level password policy should not be
enabled, be sure to set nsslapd-pwpolicy-local to off after running the script.
To turn off user and subtree level password policy checks, use ldapmodify to set the
nsslapd-pwpolicy-local attribute to off by modifying the cn=config entry. For example:
ldapmodify -D "cn=directory manager" -w secret -p 389 -h server.example.com
dn: cn=config
changetype: modify
replace: nsslapd-pwpolicy-local
nsslapd-pwpolicy-local: off
This attribute can also be disabled by modifying it directly in the configuration file (dse.ldif).
1. Stop the server.
/opt/dirsrv/slapd-instance_name/stop-slapd
For more information about the commands to stop and start the Directory Server on the HP-UX
platform, see “Starting and Stopping Servers” (page 19).
2. Open the dse.ldif file in a text editor.
3. Set the value of nsslapd-pwpolicy-local to off, and save.
nsslapd-pwpolicy-local: off
4. Start the server.
/opt/dirsrv/slapd-instance_name/start-slapd
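Both ways of changing nsslapd-pwpolicy-local, the ldapmodify operation and the offline edit of dse.ldif, come down to finding the attribute in the cn=config entry and rewriting its value. The following added example (it is not code from the guide or from the Directory Server product) builds the LDIF that ldapmodify expects, reads the current value from a copy of dse.ldif, reports whether subtree and user level policies are actually being enforced, and rewrites the value in place. The dse.ldif excerpt is constructed for the example and the function names are the example's own.

```python
# Added example, not from the HP-UX Directory Server guide: inspect and change
# nsslapd-pwpolicy-local either by generating the LDIF for ldapmodify or by
# editing an offline copy of dse.ldif. SAMPLE_DSE_LDIF is a constructed,
# trimmed cn=config entry; the function names are this example's own.

ATTR = "nsslapd-pwpolicy-local"

SAMPLE_DSE_LDIF = """\
dn: cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsslapdConfig
cn: config
nsslapd-pwpolicy-local: on
nsslapd-passwordlockout: off

dn: cn=plugins,cn=config
objectClass: top
objectClass: nsContainer
cn: plugins
"""


def modify_ldif(state):
    """LDIF for ldapmodify that sets the attribute to 'on' or 'off'.

    In LDIF the 'replace:' line names only the attribute; the new value
    follows on its own line.
    """
    if state not in ("on", "off"):
        raise ValueError("state must be 'on' or 'off'")
    return (
        "dn: cn=config\n"
        "changetype: modify\n"
        f"replace: {ATTR}\n"
        f"{ATTR}: {state}\n"
    )


def _entries(text):
    """Split LDIF into entries (lists of lines). Folded continuation lines,
    which start with a single space, are joined onto the line before them."""
    entries, entry = [], []
    for raw in text.splitlines():
        if raw.startswith(" ") and entry:
            entry[-1] += raw[1:]
        elif raw.strip() == "":
            if entry:
                entries.append(entry)
                entry = []
        else:
            entry.append(raw)
    if entry:
        entries.append(entry)
    return entries


def read_pwpolicy_local(dse_text):
    """Value of nsslapd-pwpolicy-local in cn=config, lower-cased.

    The server default is off, so a missing attribute reads as 'off'.
    """
    for entry in _entries(dse_text):
        if entry[0].strip().lower() == "dn: cn=config":
            for line in entry[1:]:
                name, _, value = line.partition(":")
                if name.strip().lower() == ATTR:
                    return value.strip().lower()
    return "off"


def local_policies_enforced(dse_text):
    """True when subtree and user level policies are honoured; False means
    only the global policy applies, whatever ns-newpwpolicy.pl created."""
    return read_pwpolicy_local(dse_text) == "on"


def set_pwpolicy_local(dse_text, state):
    """Return dse.ldif text with the attribute set in cn=config and every
    other line untouched. Do this only on a stopped server, as in the
    guide's procedure; a running server can rewrite dse.ldif itself."""
    if state not in ("on", "off"):
        raise ValueError("state must be 'on' or 'off'")
    out, in_config, done = [], False, False
    for line in dse_text.splitlines():
        if line.lower().startswith("dn:"):
            in_config = line.strip().lower() == "dn: cn=config"
        if in_config and not done:
            if line.partition(":")[0].strip().lower() == ATTR:
                line = f"{ATTR}: {state}"
                done = True
            elif line.strip() == "":
                out.append(f"{ATTR}: {state}")  # attribute absent: add it
                done = True
        out.append(line)
    if in_config and not done:  # cn=config was the last entry in the file
        out.append(f"{ATTR}: {state}")
    return "\n".join(out) + "\n"
```

A useful check after running ns-newpwpolicy.pl, or after any hand edit, is `local_policies_enforced()` on the live dse.ldif: when it returns False the subtree and user level entries still exist but are ignored, and only the global policy is applied.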
7.1.2 Setting user passwords
An entry can be used to bind to the directory only if it has a userpassword attribute and if it
has not been inactivated. Because user passwords are stored in the directory, the user passwords
can be set or reset with any LDAP operation, like ldapmodify.
For information on creating and modifying directory entries, see “Creating Directory Entries” (page
96). For information on inactivating user accounts, see “Inactivating users and roles” (page 301).
Passwords can also be set and reset in the Users and Groups area of the Administration Server.
For information on how to use the Users and Groups area, see the online help that is available in
the Administration Server.
7.1.3 Password change extended operation
While most passwords can be changed through the Console and other Directory Server features
or through the ldapmodify operation, there are some passwords that cannot be changed through
regular LDAP operations. These passwords may be stored outside the Directory Server, such as
passwords stored in a SASL application. These passwords can be modified through the password
change extended operation.
Directory Server supports the password change extended operation as defined in RFC 3062, so
users can change their passwords, using a suitable client, in a standards-compliant way. Directory
Server does not include a client application for the password change extended operation. However,
the ldappasswd utility can be used as follows:
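The ldappasswd invocation the guide goes on to show is outside this excerpt. What any such client sends is the request value defined in RFC 3062: a BER SEQUENCE carrying the optional userIdentity, oldPasswd and newPasswd fields under the extended-operation OID 1.3.6.1.4.1.4203.1.11.1. The following added example (not code from the guide, from ldappasswd or from Directory Server) encodes that request value and decodes both it and the response value, so the exchange can be inspected in a packet capture or a test harness. The DN and passwords are constructed sample values; nothing is sent to a server.

```python
# Added example, not from the HP-UX Directory Server guide: build and parse
# the RFC 3062 password-modify extended operation values. Sample DN and
# passwords are constructed; the function names are this example's own.

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # requestName from RFC 3062

# Context-specific tags of PasswdModifyRequestValue. LDAP uses IMPLICIT
# tagging, so each OCTET STRING field is sent with its context tag only.
_REQUEST_FIELDS = ((0x80, "userIdentity"), (0x81, "oldPasswd"), (0x82, "newPasswd"))


def _ber_len(n):
    """BER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _ber_len(len(value)) + value


def _read_tlv(buf, pos):
    """Return (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("BER element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def encode_passwd_modify_request(user_identity=None, old_passwd=None, new_passwd=None):
    """PasswdModifyRequestValue ::= SEQUENCE {
         userIdentity [0] OCTET STRING OPTIONAL,
         oldPasswd    [1] OCTET STRING OPTIONAL,
         newPasswd    [2] OCTET STRING OPTIONAL }
    Omitting userIdentity means the bound entry; omitting newPasswd asks the
    server to generate one and return it in the response."""
    values = (user_identity, old_passwd, new_passwd)
    body = b""
    for (tag, _), field in zip(_REQUEST_FIELDS, values):
        if field is not None:
            body += _tlv(tag, field.encode("utf-8"))
    return _tlv(0x30, body)


def decode_passwd_modify_request(value):
    """Parse a request value into a dict keyed by field name, enforcing the
    SEQUENCE's field order and rejecting unknown or repeated tags."""
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("not a single PasswdModifyRequestValue SEQUENCE")
    names = dict(_REQUEST_FIELDS)
    fields, pos, last_tag = {}, 0, 0
    while pos < len(body):
        tag, data, pos = _read_tlv(body, pos)
        if tag not in names or tag <= last_tag:
            raise ValueError(f"unexpected tag 0x{tag:02x} at this position")
        fields[names[tag]] = data.decode("utf-8")
        last_tag = tag
    return fields


def decode_passwd_modify_response(value):
    """PasswdModifyResponseValue ::= SEQUENCE { genPasswd [0] OCTET STRING OPTIONAL }
    Returns the generated password, or None when the SEQUENCE is empty."""
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("not a single PasswdModifyResponseValue SEQUENCE")
    if not body:
        return None
    tag, data, end = _read_tlv(body, 0)
    if tag != 0x80 or end != len(body):
        raise ValueError("genPasswd must be the only field")
    return data.decode("utf-8")
```

Both passwords travel as plain OCTET STRINGs inside the value, so the operation protects them only to the extent the session does; in practice it is issued over TLS or another security layer negotiated before the bind.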
7.1 Managing the password policy 297