HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

Some of the password policy information in the directory is replicated:
• passwordMinAge and passwordMaxAge
• passwordExp
• passwordWarning
However, the configuration information is kept locally and is not replicated. This information includes the password syntax and the history of password modifications. Account lockout counters and tiers are not replicated, either.
When configuring a password policy in a replicated environment, consider the following points:
• Warnings from the server of an impending password expiration will be issued by all replicas. This information is kept locally on each server, so if a user binds to several replicas in turn, they will be issued the same warning several times. In addition, if the user changes the password, it may take time for this information to filter to the replicas. If a user changes a password, then immediately rebinds, they may find that the bind fails until the replica registers the change.
• The same bind behavior should occur on all servers, including suppliers and replicas. Make sure to create the same password policy configuration information on each server.
• Account lockout counters may not work as expected in a multi-mastered environment.
• Entries that are created for replication (for example, the server identities) need to have passwords that never expire. To make sure that these special users have passwords that do not expire, add the passwordExpirationTime attribute to the entry, and give it a value of 20380119031407Z (the top of the valid range).
7.1.6 Synchronizing passwords
Password changes in a Directory Server entry can be synchronized to password attributes in Active Directory entries by using the Password Sync utility.
When passwords are synchronized, password policies are enforced on each synchronized peer locally. The syntax or minimum length requirements on the Directory Server apply when the password is changed in the Directory Server. When the changed password is synchronized over to the Windows server, the Windows password policy is enforced. The password policies themselves are not synchronized.
Configuration information is kept locally and cannot be synchronized, including the password change history and the account lockout counters.
When configuring a password policy for synchronization, consider the following points:
• The Password Sync utility must be installed locally on the Windows machine that will be synchronized with a Directory Server.
• Password Sync can only link the Windows machine to a single Directory Server; to synchronize changes with multiple Directory Server instances, configure the Directory Server for multi-master replication.
• Password expiration warnings and times, failed bind attempts, and other password-related information are enforced locally per server and are not synchronized between synchronized peer servers.
• The same bind behavior should occur on all servers. Make sure to create the same or similar password policies on both Directory Server and Active Directory servers.
• Entries that are created for synchronization (for example, the server identities) need to have passwords that never expire. To make sure that these special users have passwords that do not expire, add the passwordExpirationTime attribute to the Directory Server entry, and give it a value of 20380119031407Z (the top of the valid range).
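Both the replication and the synchronization lists above end with the same requirement: the replication and Password Sync identity entries must carry passwordExpirationTime set to 20380119031407Z. The following Python is an added example, not code from the guide or the product, that audits an LDIF export for that setting and emits the LDIF change record to apply where it is missing; the entry DNs and the LDIF sample are constructed for illustration, and the list of identity DNs is assumed to have been collected by the administrator from the replication agreements and the Password Sync configuration.

```python
from datetime import datetime, timezone

# Constructed sample LDIF export (not from the guide): one replication identity
# with an expiring password, one ordinary user, one sync identity already exempt.
SAMPLE_LDIF = """\
dn: cn=replication manager,cn=config
objectClass: person
cn: replication manager
passwordExpirationTime: 20140101000000Z

dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: person
uid: jdoe

dn: uid=pass-sync,ou=People,dc=example,dc=com
objectClass: person
uid: pass-sync
passwordExpirationTime: 20380119031407Z
"""

NO_EXPIRY = "20380119031407Z"  # value the guide prescribes: top of the valid range

def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value' lines."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs.setdefault(name.lower(), []).append(value)
        entries[attrs["dn"][0]] = attrs
    return entries

def generalized_time_to_epoch(value):
    """Convert an LDAP GeneralizedTime such as 20380119031407Z to Unix seconds.
    The guide's value is the largest 32-bit time_t, which is why it is the top
    of the valid range."""
    dt = datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())

def needs_exemption(entries, identity_dns):
    """Return the identity DNs whose passwordExpirationTime is absent or not NO_EXPIRY."""
    return [dn for dn in identity_dns
            if entries.get(dn, {}).get("passwordexpirationtime", []) != [NO_EXPIRY]]

def exemption_ldif(dn):
    """LDIF change record (for ldapmodify) that sets the never-expire value on one entry."""
    return (f"dn: {dn}\nchangetype: modify\nreplace: passwordExpirationTime\n"
            f"passwordExpirationTime: {NO_EXPIRY}\n-\n")
```

Feed the output of exemption_ldif for each DN returned by needs_exemption to ldapmodify against every supplier, since this attribute must be present on each server's copy of the identity entry.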
300 Managing User Authentication