Netscape DIRECTORY SERVER 7.0 - DEPLOYMENT Deployment Manual page 147

Designing a Password Policy (Chapter 7, Designing a Secure Directory)

To determine whether a local policy is defined for a subtree or user, the server checks for the pwdPolicysubentry attribute in the corresponding user entry. If the attribute is present, the server enforces the local password policy configured for the user. If the attribute is absent, the server logs an error message and enforces the global password policy.

The server then compares the user-supplied password with the value specified in the user's directory entry to make sure they match. The server also uses the rules defined by the password policy to ensure that the password is valid before allowing the user to bind to the directory.

NOTE
The global and local password policies are mutually exclusive. That is, if you define and enable a local password policy for a subtree or user, Directory Server applies that policy during the bind process. In the absence of a local password policy (for example, if you don't define or if you disable a local password policy), the server subjects the user to the global password policy.
The password policy design requires sending the password policy request control with the bind request. The -g option of the LDAP command-line utilities suppresses sending this request control with the bind request. For details about the -g option, check the ldapsearch, ldapmodify, or ldapdelete utilities in Netscape Directory Server Configuration, Command, and File Reference.

Figure 7-1 illustrates how password-policy checks are enforced when a BIND request is processed.
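The policy selection described above can be audited offline from an LDIF export. The following is an added example, not code from the Netscape manual: it reports, for each entry, whether a local policy (pwdPolicysubentry present) or the global policy would apply. It assumes the export includes that attribute; the sample LDIF, DNs and function names are constructed for illustration.

```python
import base64

POLICY_ATTR = "pwdpolicysubentry"  # LDAP attribute names are case-insensitive
# Constructed sample export; the DNs and policy entry names are made up.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
pwdPolicysubentry: cn=nsPwPolicyEntry,uid=alice,ou=People,
 dc=example,dc=com

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob

dn: uid=carol,ou=People,dc=example,dc=com
PWDPOLICYSUBENTRY:: Y249cG9saWN5LG91PVBlb3BsZSxkYz1leGFtcGxlLGRjPWNvbQ==
"""

def parse_ldif(text):
    """Yield (dn, {attr_lower: [values]}) per entry, unfolding continuation lines."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]       # folded line: continues the previous one
        elif not line.startswith("#"):     # skip LDIF comments
            unfolded.append(line)
    entry = {}
    for line in unfolded + [""]:           # trailing "" flushes the last entry
        if not line:                       # blank line ends an entry
            if "dn" in entry:
                yield entry["dn"][0], entry
            entry = {}
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):           # "attr:: <base64>" form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        entry.setdefault(name.strip().lower(), []).append(value)

def effective_policy(text):
    """Map each DN to ('local', policy_dn) or ('global', None)."""
    result = {}
    for dn, attrs in parse_ldif(text):
        values = attrs.get(POLICY_ATTR)
        result[dn] = ("local", values[0]) if values else ("global", None)
    return result

if __name__ == "__main__":
    for dn, (kind, policy) in effective_policy(SAMPLE_LDIF).items():
        print(f"{dn}: {kind} policy {policy or ''}")
```

Entries reported as global here are the ones for which, per the text above, the server logs an error message and falls back to the global password policy.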
