The passwords remain in history even if you turn the history feature off. This
means that if you turn the password history option back on, users cannot reuse the
passwords that were in the history before you disabled password history.
The server does not maintain a password history by default.
Password Storage Scheme
The password storage scheme specifies the type of encryption used to store
Directory Server passwords within the directory. You can specify:
• Cleartext (no encryption).
• Secure Hash Algorithm (SHA).
• Salted Secure Hash Algorithm (SSHA). This encryption method is the default.
• UNIX crypt algorithm.
Although passwords stored in the directory can be protected through the use of
access control information (ACI) instructions, it is still not a good idea to store
cleartext passwords in the directory. The crypt algorithm provides compatibility
with UNIX passwords. SSHA is the most secure of the choices.
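The following added example (written for this page, not the product's own implementation) shows why SSHA is preferred over SHA: it builds userPassword values in the {SHA} form, base64(SHA-1(password)), and the {SSHA} form, base64(SHA-1(password + salt) + salt), and verifies a candidate password against either. The sample passwords and the 8-byte salt are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed example: {SHA} and {SSHA} userPassword encodings as stored by
# Netscape-derived Directory Servers. Not the server's own code.

def encode_sha(password: str) -> str:
    """{SHA}: base64(SHA-1(password)). Unsalted, so equal passwords
    always produce the identical stored value."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def encode_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA}: base64(SHA-1(password || salt) || salt). The salt is appended
    so a verifier can recover it; a fresh random salt per password means
    two users with the same password get different stored values."""
    if salt is None:
        salt = os.urandom(8)   # 8-byte salt, chosen for this example
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored userPassword value.
    A value with no scheme prefix is treated as cleartext, the weak
    option the text advises against."""
    pw = password.encode("utf-8")
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]      # SHA-1 digests are 20 bytes
        candidate = hashlib.sha1(pw + salt).digest()
        return hmac.compare_digest(candidate, digest)
    if stored.startswith("{SHA}"):
        raw = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    return hmac.compare_digest(pw, stored.encode("utf-8"))  # cleartext

if __name__ == "__main__":
    # Same password twice: {SHA} repeats, {SSHA} does not.
    print(encode_sha("abc"), encode_sha("abc"))
    print(encode_ssha("abc"), encode_ssha("abc"))
```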
Designing an Account Lockout Policy
Once you have established a password policy for your directory, you can protect
your user passwords from potential threats by configuring an account lockout
policy.
The lockout policy works in conjunction with the password policy to provide
further security. The account lockout feature protects against hackers who try to
break into the directory by repeatedly trying to guess a user's password. You can
set up your password policy so that a specific user is locked out of the directory
after a given number of failed attempts to bind.
Designing a Password Policy in a Replicated Environment
Password and account lockout policies are enforced in a replicated environment as
follows:
• Password policies are enforced on the data master.
Designing a Password Policy
Chapter 8 Designing a Secure Directory 173