Red Hat Directory Server 7.1 Administrator's Manual, page 284

Managing the Password Policy
Red Hat Directory Server Administrator's Guide • May 2005

Table 7-1 Password Policy Attributes (Continued)

Attribute Name: passwordMustChange
Definition:
When on, this attribute requires users to change their passwords when
they first log in to the directory or after the password is reset by the
Directory Manager. When on, the user is required to change their
password even if user-defined passwords are disabled.
If you choose to set this attribute to off, passwords assigned by the
Directory Manager should not follow any obvious convention and should
be difficult to discover.
This attribute is off by default.

Attribute Name: passwordChange
Definition:
When on, this attribute indicates that users may change their own
password. Allowing users to set their own passwords runs the risk of
users choosing passwords that are easy to remember.
However, setting good passwords for the user requires a significant
administrative effort. In addition, providing passwords to users that are
not meaningful to them runs the risk that users will write the password
down somewhere that can be discovered.
This attribute is on by default.

Attribute Name: passwordExp
Definition:
When on, this attribute indicates that the user's password will expire after
an interval given by the passwordMaxAge attribute. Making passwords
expire helps protect your directory data because the longer a password is in
use, the more likely it is to be discovered.
This attribute is off by default.

Attribute Name: passwordMaxAge
Definition:
This attribute indicates the number of seconds after which user passwords
expire. To use this attribute, you must enable password expiration using
the passwordExp attribute.
This attribute is a dynamic parameter in that its maximum value is derived
by subtracting today's date from January 18, 2038. The attribute value
must not be set to the maximum value or too close to the maximum value.
If you set the value to the maximum value, Directory Server may fail to
start because the number of seconds will go past the epoch date. In such an
event, the error log will indicate that the password maximum age is
invalid. To resolve this problem, you must correct the passwordMaxAge
attribute value in the dse.ldif file.
A common policy is to have passwords expire every 30 to 90 days. By
default, the password maximum age is set to 8640000 seconds (100 days).
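
The following is an added example, not part of the Red Hat guide: a pre-start check that reads passwordExp and passwordMaxAge from dse.ldif text and flags the conditions described for passwordMaxAge. It assumes the global policy attributes sit on the cn=config entry and treats one year as "too close"; the function names and the sample LDIF are hypothetical.

```python
from datetime import datetime, timezone

# Ceiling date as given in the manual; the margin is an assumption, because
# the manual says "too close" without giving a figure.
CEILING = datetime(2038, 1, 18, tzinfo=timezone.utc)
MARGIN_SECONDS = 365 * 86400

# Constructed sample of a dse.ldif fragment (not taken from a real server).
SAMPLE_DSE = """\
dn: cn=config
passwordExp: on
passwordMaxAge: 2147483647
"""

def read_entry(ldif_text, dn="cn=config"):
    """Return the attributes of one LDIF entry, keyed by lowercase name."""
    attrs, in_entry = {}, False
    for line in ldif_text.splitlines():
        if not line.strip():
            if in_entry:
                break                      # blank line closes the entry
            continue
        if line[0] in "# ":
            continue                       # comment or folded continuation
        name, _, value = line.partition(":")
        if name.strip().lower() == "dn":
            in_entry = value.strip().lower() == dn
        elif in_entry:
            attrs[name.strip().lower()] = value.strip()
    return attrs

def check_password_expiry(ldif_text, now=None):
    """List problems with passwordExp / passwordMaxAge in the config entry."""
    now = now or datetime.now(timezone.utc)
    attrs = read_entry(ldif_text)
    limit = int((CEILING - now).total_seconds())
    raw = attrs.get("passwordmaxage", "8640000")   # manual's default
    if not raw.isdigit():
        return [f"passwordMaxAge is not a number of seconds: {raw!r}"]
    age, findings = int(raw), []
    if age >= limit:
        findings.append(f"passwordMaxAge {age} is at or past the maximum {limit}")
    elif age > limit - MARGIN_SECONDS:
        findings.append(f"passwordMaxAge {age} is too close to the maximum {limit}")
    if attrs.get("passwordexp", "off").lower() != "on":
        findings.append("passwordExp is off: passwordMaxAge has no effect")
    elif not 30 * 86400 <= age <= 90 * 86400:
        findings.append(f"passwordMaxAge is {age // 86400} days, outside 30 to 90")
    return findings
```

Run it against a copy of dse.ldif before restarting the server; an empty list means neither the ceiling nor the expiration settings need attention.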
