Password Minimum Age; Password History; Password Storage Schemes; Designing An Account Lockout Policy - Red Hat DIRECTORY SERVER 8.1 - DEPLOYMENT Deployment Manual


Chapter 8. Designing a Secure Directory

8.6.2.8. Password Minimum Age

The password policy can prevent users from changing their passwords for a specified time. When used in conjunction with the passwordHistory attribute, this discourages users from reusing old passwords.

For example, if the password minimum age (passwordMinAge) attribute is two days, users cannot repeatedly change their passwords during a single session. This prevents them from cycling through the password history in order to get back to an old password and reuse it.

The valid range of values for this attribute is from zero to 24,855 days. A value of zero (0) indicates that the user can change the password immediately.

8.6.2.9. Password History

The Directory Server can store from two to 24 passwords in the password history; if a password is in the history, a user cannot reset their password to that old password. This prevents users from reusing a couple of passwords that are easy to remember. Alternatively, the password history can be disabled, thus allowing users to reuse passwords.

The passwords remain in the history even if the password history is turned off, so that if the password history is turned back on, users cannot reuse the passwords that were in the history before it was disabled.

The server does not maintain a password history by default.

8.6.2.10. Password Storage Schemes

The password storage scheme specifies the type of encryption (in practice, the hashing scheme) used to store Directory Server passwords within the directory. The Directory Server supports several different password storage schemes:

• Salted Secure Hash Algorithm (SSHA, SSHA-256, SSHA-384, and SSHA-512). This is the most secure password storage scheme and is the default. The recommended SSHA scheme is SSHA-256 or stronger.
• CLEAR, meaning no encryption. This is the only option which can be used with SASL Digest-MD5, so using SASL Digest-MD5 requires the CLEAR password storage scheme. Although passwords stored in the directory can be protected through the use of access control information (ACI) instructions, it is still not a good idea to store plain text passwords in the directory.
• Secure Hash Algorithm (SHA, SHA-256, SHA-384, and SHA-512). This is less secure than SSHA because no salt is used.
• UNIX CRYPT algorithm. This algorithm provides compatibility with UNIX passwords.
• MD5. This storage scheme is less secure than SSHA, but it is included for legacy applications which require MD5.
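As an added illustration (not code from Directory Server or from this manual), the following Python models how the minimum-age, password-history and salted-storage controls described in the preceding sections fit together. It assumes the {SSHA256} value layout base64(SHA-256(password || salt) || salt) with an 8-byte salt, uses passwordInHistory as the name of the history-depth setting, and all sample passwords and dates are constructed.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta

SCHEME = "{SSHA256}"   # prefix tagging the salted SHA-256 storage scheme
SALT_LEN = 8           # assumed salt length in bytes

def ssha256_hash(password, salt=None):
    """Store a password the way a salted scheme does:
    base64(SHA-256(password || salt) || salt), tagged with the scheme name."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")

def ssha256_verify(password, stored):
    """Recompute the hash using the salt recovered from the stored value."""
    if not stored.startswith(SCHEME):
        return False
    raw = base64.b64decode(stored[len(SCHEME):])
    digest, salt = raw[:32], raw[32:]          # SHA-256 digest is 32 bytes
    candidate = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def check_password_change(new_password, history, last_changed, now,
                          min_age_days=2, in_history=6):
    """Apply the minimum-age and history controls to a proposed change.
    history: the user's previous stored values, oldest first.
    Returns (allowed, reason)."""
    # passwordMinAge: a value of 0 lets the user change the password at once
    if now - last_changed < timedelta(days=min_age_days):
        return False, "passwordMinAge: too soon since the last change"
    # Salted hashes cannot be compared as strings: every stored value was
    # made with its own salt, so the candidate is verified against each one.
    for old in history[-in_history:]:
        if ssha256_verify(new_password, old):
            return False, "passwordInHistory: password was used recently"
    return True, "ok"

if __name__ == "__main__":
    # constructed sample data: two previous passwords, last change on 1 June
    history = [ssha256_hash("Winter2008"), ssha256_hash("Spring2009")]
    changed = datetime(2009, 6, 1)
    print(check_password_change("Spring2009", history, changed, changed + timedelta(days=3)))
    print(check_password_change("Summer2009", history, changed, changed + timedelta(hours=6)))
    print(check_password_change("Summer2009", history, changed, changed + timedelta(days=3)))
```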

8.6.3. Designing an Account Lockout Policy

After establishing a password policy for the directory service, protect user passwords from potential threats by configuring an account lockout policy.
124
