Red Hat DIRECTORY SERVER 8.1 - DEPLOYMENT Deployment Manual page 129
• A particular user of the directory.
Such a policy is known as the user level or local password policy. When configured and enabled, the
policy is applied to the specified user only.
This makes it possible to define different password policies for different directory users. For
example, specify that some users change their passwords daily, some users change it monthly,
and all other users change it every six months.
By default, Directory Server includes entries and attributes that are relevant to the global password
policy, meaning the same policy is applied to all users. To set up a password policy for a subtree or
user, add additional entries at the subtree or user level and enable the nsslapd-pwpolicy-local
attribute of the cn=config entry. This attribute acts as a switch, turning fine-grained password policy
on and off.
The password policy changes can be made in the Directory Server Console or by using the
ns-newpwpolicy.pl script. The Configuration, Command, and File Reference lists the command-line
syntax for the script, and the Administrator's Guide includes procedures for setting password policies.
After password policy entries are added to the directory, they determine the type (global or local) of the
password policy the Directory Server should enforce.
When a user attempts to bind to the directory, Directory Server determines whether a local policy has
been defined and enabled for the user's entry.
• To determine whether the fine-grained password policy is enabled, the server checks the value (on
or off) assigned to the nsslapd-pwpolicy-local attribute of the cn=config entry. If the value
is off, the server ignores the policies defined at the subtree and user levels and enforces the global
password policy.
• To determine whether a local policy is defined for a subtree or user, the server checks for the
pwdPolicySubentry attribute in the corresponding user entry. If the attribute is present, the server
enforces the local password policy configured for the user. If the attribute is absent, the server logs
an error message and enforces the global password policy.
The server then compares the user-supplied password with the value specified in the user's directory
entry to make sure they match. The server also uses the rules defined by the password policy to
ensure that the password is valid before allowing the user to bind to the directory.
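To make the two bind-time checks concrete, the following is an added Python example (not code from the Red Hat manual) that reads a small constructed LDIF export and reports which policy each user would be subject to; the nsPwPolicyContainer policy DNs in the sample are hypothetical.

```python
from typing import Dict, List, Tuple

# Constructed sample export (cn=config plus three users); the policy DNs are
# hypothetical. Carol's attribute is deliberately lower-cased: LDAP attribute
# names are case-insensitive, so an audit must not miss that spelling.
SAMPLE_LDIF = """\
dn: cn=config
nsslapd-pwpolicy-local: on

dn: uid=alice,ou=people,dc=example,dc=com
pwdPolicySubentry: cn=daily-policy,cn=nsPwPolicyContainer,ou=people,dc=example,dc=com

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob

dn: uid=carol,ou=people,dc=example,dc=com
pwdpolicysubentry: cn=monthly-policy,cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
"""

Entry = Dict[str, List[str]]

def parse_ldif(text: str) -> Dict[str, Entry]:
    """Minimal LDIF reader: one entry per blank-line-separated block, no
    base64 values or folded lines. Attribute names are stored lower-cased."""
    entries: Dict[str, Entry] = {}
    for block in text.strip().split("\n\n"):
        attrs: Entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries

def effective_policy(entries: Dict[str, Entry], user_dn: str) -> Tuple[str, str]:
    """Apply the two bind-time checks from the manual and return
    (policy, reason), where policy is 'global' or 'local:<policy DN>'."""
    switch = entries["cn=config"].get("nsslapd-pwpolicy-local", ["off"])[0]
    if switch.lower() != "on":                      # check 1: the global switch
        return "global", "nsslapd-pwpolicy-local is off; local policies ignored"
    local = entries[user_dn].get("pwdpolicysubentry")  # check 2: per-user pointer
    if local:
        return "local:" + local[0], "pwdPolicySubentry present on the entry"
    return "global", "no pwdPolicySubentry; server logs an error, uses global"

def audit(text: str) -> Dict[str, str]:
    """Map every user DN in an export to the policy that would govern its bind."""
    entries = parse_ldif(text)
    return {dn: effective_policy(entries, dn)[0] for dn in entries if dn != "cn=config"}
```

Flipping nsslapd-pwpolicy-local to off in the sample shows every user falling back to the global policy, regardless of their pwdPolicySubentry value.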
NOTE
The global and local password policies are mutually exclusive. That is, if a local password
policy is defined and enabled for a subtree or user, Directory Server applies that policy
during the bind process. In the absence of a local password policy, the server subjects
the user to the global password policy. The password policy design requires sending the
password policy request control with the bind request. The LDAP command-line option -g
suppresses sending this request control with the bind request.
For details about the -g option, see the ldapsearch, ldapmodify, or ldapdelete
utilities in the Configuration, Command, and File Reference.
How Password Policy Works