Password Expiration; Expiration Warning - Red Hat DIRECTORY SERVER 8.1 - DEPLOYMENT Deployment Manual


Chapter 8. Designing a Secure Directory
8.6.2.2. User-Defined Passwords
The password policy can be set either to allow or not to allow users to change their own passwords.
A good password is the key to a strong password policy. Good passwords do not use trivial words;
any word that can be found in a dictionary, names of pets or children, birthdays, user IDs, or any other
information about the user that can be easily discovered (or stored in the directory itself), is a poor
choice for a password.
A good password should contain a combination of letters, numbers, and special characters. For the
sake of convenience, however, users often use passwords that are easy to remember. Consequently,
some enterprises choose to set passwords for users that meet the criteria of a strong password, and
do not allow users to change their passwords.
There are two disadvantages to having administrators set passwords for users:
• It requires a substantial amount of an administrator's time.
• Because administrator-specified passwords are typically more difficult to remember, users are more
likely to write their password down, increasing the risk of discovery.
By default, user-defined passwords are allowed.

8.6.2.3. Password Expiration

The password policy can allow users to use the same passwords indefinitely or specify that
passwords expire after a given time. In general, the longer a password is in use, the more likely it is
to be discovered. If passwords expire too often, however, users may have trouble remembering them
and resort to writing their passwords down. A common policy is to have passwords expire every 30 to
90 days.
The server remembers the password expiration specification even if password expiration is disabled. If
the password expiration is re-enabled, passwords are valid only for the duration set before it was last
disabled.
For example, if the password policy is set for passwords to expire every 90 days, and then password
expiration is disabled and re-enabled, the default password expiration duration is 90 days.
By default, user passwords never expire.

8.6.2.4. Expiration Warning

If a password expiration period is set, it is a good idea to send users a warning before their passwords
expire.
The Directory Server displays the warning when the user binds to the server. If password expiration is
enabled, by default, a warning is sent (via an LDAP message) to the user one day before the user's
password expires, provided the user's client application supports this feature.
The valid range for a password expiration warning to be sent is from one to 24,855 days.
NOTE
The password never expires until the expiration warning has been sent.
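
The bind-time behaviour described in 8.6.2.3 and 8.6.2.4, modelled in Python as an added example (not Directory Server code and not part of the original manual). The names Policy, Account and evaluate_bind are hypothetical, and the one warning period of grace given to an account that first binds after its nominal expiry is an assumption of this model; the manual states only that a password never expires before the warning has been sent.

```python
from dataclasses import dataclass
from typing import Optional

DAY = 86400
MAX_WARNING_DAYS = 24855  # upper bound of the valid range given in the text

@dataclass
class Policy:  # hypothetical model of the policy settings, not a server API
    expiration_enabled: bool = False  # default: passwords never expire
    max_age_days: int = 90            # kept while expiration is disabled
    warning_days: int = 1             # default: warn one day before expiry

    def __post_init__(self):
        if not 1 <= self.warning_days <= MAX_WARNING_DAYS:
            raise ValueError("warning period must be 1 to 24,855 days")

@dataclass
class Account:  # hypothetical per-user state
    password_set_at: int              # epoch seconds of last password change
    expires_at: Optional[int] = None  # computed on first evaluated bind
    warned: bool = False

def evaluate_bind(policy: Policy, acct: Account, now: int):
    """Return (state, seconds_left) for a bind at epoch time `now`."""
    if not policy.expiration_enabled:
        return ("ok", None)
    if acct.expires_at is None:
        acct.expires_at = acct.password_set_at + policy.max_age_days * DAY
    left = acct.expires_at - now
    if left > policy.warning_days * DAY:
        return ("ok", left)
    if not acct.warned:
        # Rule from the NOTE: no expiry before the warning has been sent.
        acct.warned = True
        if left <= 0:
            # Assumption of this model: one warning period of grace from now.
            acct.expires_at = now + policy.warning_days * DAY
            left = policy.warning_days * DAY
        return ("warn", left)
    return ("warn", left) if left > 0 else ("expired", 0)

if __name__ == "__main__":
    # Constructed timeline: password set at t=0, 90-day expiry, 1-day warning.
    policy = Policy(expiration_enabled=True)
    dormant = Account(password_set_at=0)
    print(evaluate_bind(policy, dormant, 200 * DAY))      # first bind, day 200
    print(evaluate_bind(policy, dormant, 201 * DAY + 1))  # after the grace
```

The dormant-account case shows the operational consequence of the NOTE: because the warning is delivered at bind time, an account that never binds is never warned, so its password remains usable past the configured maximum age until its first bind.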
