Preventing Authentication By Account Inactivation; Designing A Password Policy - Netscape DIRECTORY SERVER 7.0 - DEPLOYMENT Deployment Manual

Preventing Authentication by Account Inactivation

You can temporarily inactivate a user account or a set of accounts. Once
inactivated, a user cannot bind to the directory, and the authentication operation
fails.
Account inactivation is implemented through the operational attribute
nsAccountLock. When an entry contains the nsAccountLock attribute with a value
of true, the server rejects the bind.
You use the same procedures for inactivating users and roles. However,
inactivating a role means that you inactivate all of the members of that role and not
the role entry itself. For more information about roles, refer to "About Roles," on
page 71.
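
The following Python example is an addition to this page, not code from the Netscape manual. It audits an LDIF export for entries whose bind the server would reject, either through their own nsAccountLock value or through membership in an inactivated role, and shows that the role entry itself is not flagged. It assumes that the export came from a search that requested nsAccountLock by name, that managed-role membership appears as nsRoleDN values, and that the caller supplies the DNs of inactivated roles; the function names and sample entries are constructed.

```python
import base64

def parse_ldif(text):
    """Parse LDIF text into one {lowercased attribute: [values]} dict per entry."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold continuation lines
    entries, cur = [], {}
    for line in text.split("\n") + [""]:
        if not line.strip():                # blank line terminates an entry
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            attr, _, rest = line.partition(":")
            value = rest.lstrip(":").strip()
            if rest.startswith(":"):        # "attr:: value" is base64-encoded
                value = base64.b64decode(value).decode("utf-8")
            cur.setdefault(attr.strip().lower(), []).append(value)
    return entries

def inactive_accounts(ldif_text, inactivated_roles=()):
    """Map DN -> reason for rejected binds; DNs are compared as lowercased strings."""
    roles = {r.lower() for r in inactivated_roles}
    found = {}
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", [""])[0]
        if any(v.lower() == "true" for v in entry.get("nsaccountlock", [])):
            found[dn] = "nsAccountLock"
        elif any(r.lower() in roles for r in entry.get("nsroledn", [])):
            found[dn] = "member of inactivated role"
    return found

# Constructed sample export; the DNs and the Contractors role are made up.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
nsAccountLock: true

dn: uid=bob,ou=People,dc=example,dc=com
nsRoleDN: cn=Contractors,dc=example,dc=com

dn: uid=carol,ou=People,
 dc=example,dc=com
nsaccountlock:: dHJ1ZQ==

dn: uid=dave,ou=People,dc=example,dc=com
nsAccountLock: false

dn: cn=Contractors,dc=example,dc=com
objectClass: nsManagedRoleDefinition
"""
```

Calling `inactive_accounts(SAMPLE_LDIF, ["cn=Contractors,dc=example,dc=com"])` reports alice and carol through nsAccountLock and bob through the role, while dave and the role entry are left out.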

Designing a Password Policy

A password policy is a set of rules that govern how passwords are used in a given
system. The password policy mechanism provided by Directory Server allows you
to dictate such things as how long a password must be and whether users can reuse
passwords. The sections that follow explain:
How Password Policy Works
Password Policy Attributes
Designing a Password Policy in a Replicated Environment
Designing an Account Lockout Policy

NOTE

The proxy mechanism is very powerful and must be used sparingly.
Proxy rights are granted within the scope of the ACL, and there is no
way to restrict who can be impersonated by an entry that has the
proxy right—that is, when you grant a user proxy rights, that user
has the ability to proxy for any user under the target; there is no way
to restrict the proxy rights to only certain users. For example, if an
entity has proxy rights to the dc=example,dc=com tree, that entity
can do anything. So make sure you set the proxy ACI at the lowest
possible level of the DIT. For more information on this, see "Proxied
Authorization ACI Example" in "Managing Access Control," in the
Netscape Directory Server Administrator's Guide.

Chapter 7 Designing a Secure Directory 143
