Password Expiration; Expiration Warning; Grace Login Limit - Red Hat DIRECTORY SERVER 7.1 - DEPLOYMENT Deployment Manual

Designing a Password Policy

Password Expiration

You can set your password policy so that users can use the same passwords
indefinitely. Or you can set your policy so that passwords expire after a given time.
In general, the longer a password is in use, the more likely it is to be discovered. On
the other hand, if passwords expire too often, users may have trouble remembering
them and resort to writing their passwords down. A common policy is to have
passwords expire every 30 to 90 days.

The server remembers the password expiration even if you turn the password
expiration feature off. This means that if you turn the password expiration option
back on, passwords are valid only for the duration you set before you last disabled
the feature. For example, suppose you set up passwords to expire every 90 days
and then decided to disable password expiration. When you decide to re-enable
password expiration, the default password expiration duration is 90 days because
that is what you had it set to before you disabled the feature.

By default, user passwords never expire.

Expiration Warning

If you choose to set your password policy so that user passwords expire after a
given number of days, it is a good idea to send users a warning before their
passwords expire. You can set your policy so that users are sent a warning 1 to
24,855 days before their passwords expire. The Directory Server displays the
warning when the user binds to the server. If password expiration is turned on, by
default, a warning is sent (via an LDAP message) to the user one day before the
user's password expires, provided the user's client application supports this
feature.

Grace Login Limit

If you want to allow some users to log in using their expired passwords, you should
specify the number of grace login attempts that are allowed to a user after the
password has expired.

By default, grace logins are not permitted.
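
The three settings above can be written out explicitly in one change, so that re-enabling expiration does not silently reuse a duration the server remembered. The following is an added example, not taken from the manual: it builds an LDIF modification for the global policy and rejects values outside the ranges this page gives. The attribute names (passwordExp, passwordMaxAge, passwordWarning, passwordGraceLimit on cn=config, with the two durations in seconds) are assumed from Directory Server's configuration schema and do not appear on this page; the function name and sample values are constructed.

```python
"""Build an LDIF change for the global password policy entry (cn=config)."""

SECONDS_PER_DAY = 86400
MAX_WARNING_DAYS = 24855  # upper bound for the warning period stated in the text above


def build_policy_ldif(max_age_days, warning_days=1, grace_logins=0):
    """Return LDIF that enables expiration with explicit settings.

    Assumption: attribute names come from Directory Server's cn=config
    schema, where passwordMaxAge and passwordWarning are held in seconds.
    Defaults mirror the page: one-day warning, no grace logins.
    """
    if max_age_days < 1:
        raise ValueError("max_age_days must be at least 1")
    if not 1 <= warning_days <= MAX_WARNING_DAYS:
        raise ValueError("warning_days must be between 1 and 24855")
    if warning_days >= max_age_days:
        # Sanity rule of this example, not a server constraint: a warning
        # window as long as the password lifetime is never useful.
        raise ValueError("warning_days must be shorter than max_age_days")
    if grace_logins < 0:
        raise ValueError("grace_logins cannot be negative")

    changes = [
        ("passwordExp", "on"),
        ("passwordMaxAge", str(max_age_days * SECONDS_PER_DAY)),
        ("passwordWarning", str(warning_days * SECONDS_PER_DAY)),
        ("passwordGraceLimit", str(grace_logins)),
    ]
    lines = ["dn: cn=config", "changetype: modify"]
    for index, (attr, value) in enumerate(changes):
        if index:
            lines.append("-")  # LDIF separator between modifications
        lines += [f"replace: {attr}", f"{attr}: {value}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: 90-day lifetime, 14-day warning, 3 grace logins
    print(build_policy_ldif(90, warning_days=14, grace_logins=3))
```

The printed LDIF is meant to be reviewed and then applied with an LDAP modify tool while bound as an administrator.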

Chapter 8: Designing a Secure Directory
