Designing A Password Policy In A Replicated Environment - Netscape DIRECTORY SERVER 7.0 - DEPLOYMENT Deployment Manual


Cleartext (no encryption).
Secure Hash Algorithm (SHA).
Salted Secure Hash Algorithm (SSHA). This is the default storage scheme.
UNIX crypt algorithm.

Although passwords stored in the directory can be protected through the use of access control information (ACI) instructions, it is still not a good idea to store cleartext passwords in the directory. The crypt algorithm provides compatibility with UNIX passwords. SSHA is the most secure of the choices.
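The following example is added here and is not code from the manual or from the Netscape Directory Server product. It shows, in Python, what the stored userPassword values look like under the SHA and SSHA schemes and how a verifier checks a candidate password against them: SSHA stores base64(SHA-1(password || salt) || salt), so the salt is recovered from the stored value at verification time and two users with the same password get different stored values. The 8-byte salt length and the treatment of an unprefixed value as cleartext are assumptions made for the example.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import os

SHA1_DIGEST_LEN = 20  # SHA-1 produces a 20-byte digest; the salt follows it


def ssha_hash(password: str, salt: bytes | None = None) -> str:
    """Return a userPassword value in {SSHA} form: base64(SHA1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)  # 8-byte random salt; the length is a constructed choice
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def sha_hash(password: str) -> str:
    """Return a userPassword value in unsalted {SHA} form: base64(SHA1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def split_scheme(stored: str) -> tuple[str, str]:
    """Split '{SCHEME}payload' into (SCHEME, payload); no prefix is treated as cleartext (assumption)."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    return "CLEAR", stored


def verify_password(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored userPassword value.

    Comparisons use hmac.compare_digest so the time taken does not depend on
    where the first differing byte is.
    """
    scheme, payload = split_scheme(stored)
    cand = candidate.encode("utf-8")
    if scheme == "SSHA":
        raw = base64.b64decode(payload)
        digest, salt = raw[:SHA1_DIGEST_LEN], raw[SHA1_DIGEST_LEN:]  # salt is stored after the digest
        return hmac.compare_digest(hashlib.sha1(cand + salt).digest(), digest)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(cand).digest(), base64.b64decode(payload))
    if scheme == "CLEAR":
        return hmac.compare_digest(payload.encode("utf-8"), cand)
    raise ValueError(f"unsupported storage scheme: {scheme}")


if __name__ == "__main__":
    # Constructed demonstration: the same password hashed twice under SSHA
    # yields two different stored values, both of which verify.
    first, second = ssha_hash("correct horse"), ssha_hash("correct horse")
    print(first, second, first != second)
    print(verify_password(first, "correct horse"), verify_password(second, "wrong"))
    print(sha_hash("correct horse"))  # unsalted: identical for every user with this password
```

Because the {SHA} value is unsalted, any two accounts sharing a password share the stored value, which is the weakness the salted scheme removes; the verifier never needs the cleartext stored anywhere, which is why the manual advises against the cleartext scheme even behind ACIs.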
Designing a Password Policy in a Replicated Environment
Password and account lockout policies are enforced in a replicated environment as follows:

Password policies are enforced on the data master.
Account lockout is enforced on the replicas.

The password policy information in your directory, such as password age, the account lockout counter, and the expiration warning counter, is all replicated. However, the configuration information is kept locally and is not replicated. This information includes the password syntax and the history of password modifications.

When configuring a password policy in a replicated environment, consider the following points:

All replicas issue warnings of an impending password expiration. This information is kept locally on each server, so if a user binds to several replicas in turn, the user receives the same warning several times. In addition, if the user changes the password, it may take time for this information to filter to the replicas. If a user changes a password and then immediately rebinds, the bind may fail until the replica registers the changes.

You want the same bind behavior to occur on all servers, including suppliers and replicas. Make sure you create the same password policy configuration information on each server.

Account lockout counters may not work as expected in a multi-master environment.
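Since the policy configuration is local to each server and is not replicated, a practical check is to dump the password-policy attributes from every supplier and replica and compare them. The script below is an added example, not part of the manual or the product: it parses a minimal LDIF dump of each server's configuration entry and reports any policy attribute whose value is not identical on every server. The attribute names are assumed from the Netscape/389 Directory Server cn=config password-policy attributes and are not listed on this page; the three server dumps are constructed sample input.

```python
from __future__ import annotations

# Password-policy attributes that live in each server's local configuration.
# Names are assumed from the Netscape/389 DS cn=config schema (not on the page).
LOCAL_POLICY_ATTRS = (
    "passwordStorageScheme", "passwordCheckSyntax", "passwordMinLength",
    "passwordHistory", "passwordInHistory",
    "passwordExp", "passwordMaxAge", "passwordWarning",
    "passwordLockout", "passwordMaxFailure", "passwordLockoutDuration",
)


def parse_ldif_config(text: str) -> dict[str, str]:
    """Parse a single-entry LDIF dump into {attribute: value} (first value wins)."""
    attrs: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.lower().startswith("dn:"):
            continue
        name, sep, value = line.partition(":")
        if sep and name.strip() not in attrs:
            attrs[name.strip()] = value.strip()
    return attrs


def policy_diff(configs: dict[str, dict[str, str]]) -> dict[str, dict[str, str | None]]:
    """Return {attribute: {server: value}} for every policy attribute that differs.

    A missing attribute is reported as None so that an attribute set on one
    server and left at its default on another is also flagged.
    """
    diffs: dict[str, dict[str, str | None]] = {}
    for attr in LOCAL_POLICY_ATTRS:
        values = {server: cfg.get(attr) for server, cfg in configs.items()}
        if len(set(values.values())) > 1:
            diffs[attr] = values
    return diffs


def report(diffs: dict[str, dict[str, str | None]]) -> list[str]:
    """Render the differences as one line per attribute, for an audit log or ticket."""
    lines = []
    for attr, values in sorted(diffs.items()):
        shown = ", ".join(f"{srv}={val if val is not None else '<unset>'}"
                          for srv, val in sorted(values.items()))
        lines.append(f"{attr}: {shown}")
    return lines


# Constructed sample dumps: two suppliers (multi-master) and one read-only replica.
SAMPLE_DUMPS = {
    "supplier1": """dn: cn=config
passwordStorageScheme: SSHA
passwordCheckSyntax: on
passwordMinLength: 8
passwordHistory: on
passwordInHistory: 6
passwordExp: on
passwordMaxAge: 7776000
passwordWarning: 864000
passwordLockout: on
passwordMaxFailure: 5
passwordLockoutDuration: 3600
""",
    "supplier2": """dn: cn=config
passwordStorageScheme: SSHA
passwordCheckSyntax: on
passwordMinLength: 8
passwordHistory: on
passwordExp: on
passwordMaxAge: 7776000
passwordWarning: 864000
passwordLockout: on
passwordMaxFailure: 5
passwordLockoutDuration: 3600
""",
    "replica1": """dn: cn=config
passwordStorageScheme: SSHA
passwordCheckSyntax: on
passwordMinLength: 6
passwordHistory: on
passwordInHistory: 6
passwordExp: on
passwordMaxAge: 7776000
passwordWarning: 864000
passwordLockout: on
passwordMaxFailure: 5
passwordLockoutDuration: 3600
""",
}


def audit_sample() -> dict[str, dict[str, str | None]]:
    """Run the comparison over the constructed dumps."""
    return policy_diff({srv: parse_ldif_config(txt) for srv, txt in SAMPLE_DUMPS.items()})


if __name__ == "__main__":
    for line in report(audit_sample()):
        print(line)
```

In the sample, supplier2 never set passwordInHistory and replica1 allows shorter passwords, so a user whose password is accepted by one supplier could be rejected by the other, and a bind against replica1 would be judged under a different syntax than the one enforced where the password was set. Running the comparison after every configuration change is the cheapest way to keep the "same bind behavior on all servers" property the manual asks for.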
Designing a Password Policy
Chapter 7
Designing a Secure Directory
153
