HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

7.6.2 Provisioning account inactivity policies
The account policy plug-in records the last login time in the lastLoginTime attribute. However,
by default, an account that has never been logged into does not have a lastLoginTime attribute.
For newly created accounts, you have two options for providing this attribute:
• Provision a lastLoginTime attribute when you add the account entry.
• Rely on the plug-in's alternate timestamp mechanism, using the createTimestamp attribute,
  which is present in all entries. The plug-in uses this attribute automatically if the entry lacks the
  lastLoginTime attribute.
7.6.3 Managing users covered by an account inactivity policy
To determine which accounts are in violation of their account policy, perform a subtree search
with a less-than-or-equal (<=) filter. For example, if the current time is noon on August 20, 2009,
and you want to list accounts that have not logged in for 10 days, use the following filter:
"(&(createtimestamp<=20090810120000Z)(acctPolicySubentry=cn=Account Policy,ou=people,dc=example,dc=com))"
NOTE:
The timestamp is in generalized time format: year, month, day, hour, minute, second, and a "Z"
indicating that the time is expressed in UTC (Greenwich Mean Time, GMT).
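The search described above, extended to follow the plug-in's fallback rule from section 7.6.2 (lastLoginTime first, createTimestamp only when lastLoginTime is absent). This is an added example, not code from the HP guide; the function names and sample entries are constructed, and it assumes the server accepts an ordering (<=) match on lastLoginTime as it does on createTimestamp.

```python
from datetime import datetime, timedelta, timezone

GT_FORMAT = "%Y%m%d%H%M%SZ"  # generalized time: YYYYMMDDHHMMSS followed by "Z" (UTC)

def to_generalized_time(moment):
    """Render a timezone-aware datetime as a UTC generalized-time string."""
    return moment.astimezone(timezone.utc).strftime(GT_FORMAT)

def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside a filter assertion value."""
    out = value.replace("\\", "\\5c")
    for ch, esc in (("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\0", "\\00")):
        out = out.replace(ch, esc)
    return out

def inactivity_filter(now, inactive_days, policy_dn):
    """Filter for entries under policy_dn whose effective last login is too old."""
    cutoff = to_generalized_time(now - timedelta(days=inactive_days))
    return ("(&(acctPolicySubentry=%s)"
            "(|(lastLoginTime<=%s)"
            "(&(!(lastLoginTime=*))(createTimestamp<=%s))))"
            % (escape_filter_value(policy_dn), cutoff, cutoff))

def inactive_accounts(entries, now, inactive_days):
    """Apply the same rule client-side to entries that were already fetched."""
    cutoff = now - timedelta(days=inactive_days)
    flagged = []
    for entry in entries:
        # Fallback from section 7.6.2: use createTimestamp if never logged in.
        stamp = entry.get("lastLoginTime") or entry["createTimestamp"]
        seen = datetime.strptime(stamp, GT_FORMAT).replace(tzinfo=timezone.utc)
        if seen <= cutoff:
            flagged.append(entry["dn"])
    return flagged

# Constructed sample data (not from the guide): noon on August 20, 2009, UTC.
NOW = datetime(2009, 8, 20, 12, 0, 0, tzinfo=timezone.utc)
POLICY_DN = "cn=Account Policy,ou=people,dc=example,dc=com"
SAMPLE_ENTRIES = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com", "createTimestamp": "20090101090000Z", "lastLoginTime": "20090819080000Z"},
    {"dn": "uid=bob,ou=people,dc=example,dc=com", "createTimestamp": "20090101090000Z", "lastLoginTime": "20090805170000Z"},
    {"dn": "uid=carol,ou=people,dc=example,dc=com", "createTimestamp": "20090801100000Z"},
    {"dn": "uid=dave,ou=people,dc=example,dc=com", "createTimestamp": "20090815100000Z"},
]

if __name__ == "__main__":
    print(inactivity_filter(NOW, 10, POLICY_DN))
    print(inactive_accounts(SAMPLE_ENTRIES, NOW, 10))
```

In the sample data, alice has an old createTimestamp but a recent login, so she is not flagged; carol has never logged in and is flagged through the createTimestamp fallback.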
To enable an account that is disabled due to inactivity, manually update the lastLoginTime
attribute value. The following example updates the attribute to August 20, 2009.
# Placeholder DN: substitute the entry of the account to re-enable
dn: uid=example_user,ou=people,dc=example,dc=com
changetype: modify
replace: lastLoginTime
lastLoginTime: 20090820120000Z
7.7 Enabling Different Types of Binds
7.7.1 Secure Binds
The new configuration attribute nsslapd-require-secure-binds controls simple
binds over insecure transports.
When it is enabled, a simple bind is allowed only over a secure transport (SSL/TLS or a SASL
privacy layer). An attempt to perform a simple bind over an insecure transport returns
LDAP_CONFIDENTIALITY_REQUIRED. This setting does not affect anonymous or
unauthenticated binds.
This option is disabled by default.
To enable secure binds:
1. Using ldapmodify, add the nsslapd-require-secure-binds attribute to the cn=config
   entry:
   ldapmodify -D "cn=directory manager" -w secret -h server.example.com -p 389
   dn: cn=config
   changetype: modify
   replace: nsslapd-require-secure-binds
   nsslapd-require-secure-binds: on
2. Restart the server.
7.7.2 Ability to shut off anonymous access
By default, anonymous binds are allowed for search and read operations. Allowing anonymous
binds carries security risks, such as users gaining unauthorized access to the server or
denial-of-service attacks.