Chapter 8. Designing a Secure Directory
For more information on this topic, check out the "Proxied Authorization ACI Example"
section in the "Managing Access Control" chapter of the Administrator's Guide.
8.5. Preventing Authentication by Account Deactivation
A user account or a set of accounts can be temporarily deactivated. After an account has been
deactivated, that user cannot bind to the directory, and the authentication operation fails.
Account deactivation is implemented through the operational attribute nsAccountLock. When an
entry contains the nsAccountLock attribute with a value of true, the server rejects the bind.
The procedures for deactivating users and roles are the same. However, deactivating a role deactivates
all of the members of that role and not the role entry itself. For more information about roles, see
Section 4.3.1, "About Roles".
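As an added audit example (not code from the guide), the following Python script scans a constructed LDIF export and reports the entries whose nsAccountLock value would cause the server to reject a bind; the DNs and values are made up, and the case-insensitive comparison is an assumption of this example.

```python
import base64
import re

# Constructed sample LDIF export (not from the guide); a real audit would use an ldapsearch or db2ldif export.
SAMPLE_LDIF = """\
dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
nsAccountLock: true

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
nsAccountLock:: dHJ1ZQ==

dn: uid=dave,ou=People,dc=example,dc=com
uid: dave
nsAccountLock: false
"""

def parse_ldif(text):
    """Parse LDIF into [(dn, {attr_lower: [values]})], handling folded
    continuation lines and base64-encoded ('::') values."""
    entries = []
    unfolded = re.sub(r"\n ", "", text)  # a leading space continues a line
    for block in unfolded.split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries

def is_deactivated(attrs):
    """nsAccountLock with value true means the server rejects the bind
    (attribute name and value are compared case-insensitively here)."""
    return any(v.lower() == "true" for v in attrs.get("nsaccountlock", []))

def deactivated_dns(text):
    """DNs in the export whose bind attempts would be rejected."""
    return [dn for dn, attrs in parse_ldif(text) if is_deactivated(attrs)]
```

Entries with no nsAccountLock attribute, or with a value other than true, are reported as still able to bind.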
8.6. Designing a Password Policy
A password policy is a set of rules that govern how passwords are used in a given system. The
Directory Server's password policy specifies the criteria that a password must satisfy to be considered
valid, such as its age and length, and whether users can reuse passwords.
The following sections provide more information on designing a sound password policy:
• Section 8.6.1, "How Password Policy Works"
• Section 8.6.2, "Password Policy Attributes"
• Section 8.6.3, "Designing an Account Lockout Policy"
• Section 8.6.4, "Designing a Password Policy in a Replicated Environment"
8.6.1. How Password Policy Works
Directory Server supports fine-grained password policy, which means password policies can be
defined at the subtree and user level. This allows the flexibility of defining a password policy at any
point in the directory tree:
• The entire directory.
Such a policy is known as the global password policy. When configured and enabled, the policy
is applied to all users within the directory except for the Directory Manager entry and those user
entries that have local password policies enabled.
This can define a common, single password policy for all directory users.
• A particular subtree of the directory.
Such a policy is known as the subtree level or local password policy. When configured and enabled,
the policy is applied to all users under the specified subtree.
This is good in a hosting environment to support different password policies for each hosted
company rather than enforcing a single policy for all the hosted companies.