The passwords remain in history even if you turn the history feature off. This
means that if you turn the password history option back on, users cannot reuse the
passwords that were in the history before you disabled password history.
The server does not maintain a password history by default.
Password Storage Scheme
The password storage scheme specifies the type of encryption used to store
Directory Server passwords within the directory. You can specify:
• Clear text (no encryption)
• Secure Hash Algorithm (SHA)
• Salted Secure Hash Algorithm (SSHA). This encryption method is the default.
• UNIX crypt algorithm
Although passwords stored in the directory can be protected through the use of
access control information (ACI) instructions, it is still not a good idea to store
cleartext passwords in the directory. The crypt algorithm provides compatibility
with UNIX passwords. SSHA is the most secure of the choices.
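The following added example (not code from the Deployment Guide or from Directory Server itself) shows why the guide ranks the schemes the way it does. It encodes one password under the clear-text, SHA and SSHA schemes using the common LDAP userPassword layout ({SHA} is base64 of the SHA-1 digest; {SSHA} is base64 of the SHA-1 digest of password plus salt, with the salt appended), verifies candidates against each stored form, and demonstrates that only the salted scheme gives two users with the same password different stored values. The 8-byte salt length is a choice made here, not a documented server value; the UNIX crypt scheme is omitted because Python's crypt module is deprecated.

```python
import base64
import hashlib
import hmac
import os
from typing import Callable, Optional


def encode_clear(password: str) -> str:
    # Clear text: the value is stored exactly as typed, with no scheme prefix.
    return password


def encode_sha(password: str) -> str:
    # {SHA}: unsalted SHA-1. Identical passwords always produce identical values,
    # so a table of precomputed digests breaks every matching account at once.
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def encode_ssha(password: str, salt: Optional[bytes] = None) -> str:
    # {SSHA}: SHA-1 over password || salt, with the salt appended to the digest
    # so that verification can recover it. Salt length (8 bytes) is an assumption.
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(stored: str, candidate: str) -> bool:
    # Dispatch on the scheme prefix, recompute, and compare in constant time.
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes
        expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(digest, expected)
    if stored.startswith("{SHA}"):
        raw = base64.b64decode(stored[len("{SHA}"):])
        expected = hashlib.sha1(candidate.encode("utf-8")).digest()
        return hmac.compare_digest(raw, expected)
    # No recognised prefix: the value is clear text.
    return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))


def same_password_same_value(scheme: Callable[[str], str], password: str) -> bool:
    # True when two users choosing the same password get the same stored value,
    # i.e. when the scheme leaks password equality across entries.
    return scheme(password) == scheme(password)


if __name__ == "__main__":
    pw = "secret"  # constructed sample password
    for name, scheme in (("clear", encode_clear), ("SHA", encode_sha), ("SSHA", encode_ssha)):
        stored = scheme(pw)
        print(f"{name:5} stored={stored!r} verify={verify(stored, pw)} "
              f"equal-across-users={same_password_same_value(scheme, pw)}")
```

Only SSHA reports `equal-across-users=False`; clear text and unsalted SHA let anyone who can read the attribute spot shared passwords without cracking anything, which is the practical reason the guide calls SSHA the most secure of the four and warns against clear text even behind ACIs.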
Designing a Password Policy in a Replicated Environment
Password and account lockout policies are enforced in a replicated environment as
follows:
• Password policies are enforced on the data master.
• Account lockout is enforced on the replicas.
The password policy information in your directory, such as the password age, the account lockout counter, and the expiration warning counter, is all replicated. However, the configuration information is kept locally and is not replicated. This information includes the password syntax and the history of password modifications.
Designing a Password Policy | Chapter 7: Designing a Secure Directory | 153