Upgrade And Downgrade Considerations; Setting The Account Lockout Policy - HP A7533A - Brocade 4Gb SAN Switch Base Administrator's Manual
Hp storageworks fabric os 6.1.x administrator guide (5697-0234, november 2009)
Hide thumbs
Also See for A7533A - Brocade 4Gb SAN Switch Base:
- Administrator's manual (576 pages) ,
- Hardware reference manual (256 pages) ,
- User manual (248 pages)
Table of Contents
Advertisement
Upgrade and downgrade considerations
If you are upgrading from a 5.3.x environment to 6.x, the existing password databases do not contain the
state information that implements password expiration. So, when the password expiration policy is first set
after an upgrade to 6.x, any user who has not changed their password will have their password expiration
period set to the maximum password expiration period. You must explicitly define the password expiration
for users who have not performed a password change subsequent to the upgrade.
TIP:
You cannot upgrade your switch from Fabric OS 5.3.0 directly to 6.1.x. You first have to
upgrade to Fabric OS 6.x and then to 6.1.x.
For example:
•
March 1st—Using a 5.3.x Fabric OS release. User A changes their password.
•
April 1—Upgrade to 6.x
•
May 1—User B changes his password.
•
June 1—The password configuration parameter MaxPasswordAge is set to 90 days.
User A's password will expire on September 1. User B's password will expire on August 1.
Setting the account lockout policy
The account lockout policy disables a user account when that user exceeds a specified number of failed
login attempts, and is enforced across all user accounts. You can configure this policy to keep the account
locked until explicit administrative action is taken to unlock it, or the locked account can be automatically
unlocked after a specified period. Administrators can unlock a locked account at any time.
A failed login attempt counter is maintained for each user on each switch instance. The counters for all user
accounts are reset to zero when the account lockout policy is enabled. The counter for an individual
account is reset to zero when the account is unlocked after a LockoutDuration period expires.
The admin account can also have the lockout policy enabled on it. The admin account lockout policy is
disabled by default and uses the same lockout threshold as the other roles. It can be automatically
unlocked after the lockout duration passes or when it is manually unlocked by either a user account that
has a securityAdmin or other Admin role.
•
userConfig —change <account name> -u
•
passwdCfg —disableadminlockout
Note that the account-locked state is distinct from the account-disabled state.
Use the following attributes to set the account lockout policy:
•
LockoutThreshold
Specifies the number of times a user can attempt to log in using an incorrect password before the
account is locked. The number of failed login attempts is counted from the last successful login.
LockoutThreshold values range from 0 to 999, and the default value is 0. Setting the value to 0 disables
the lockout mechanism.
•
LockoutDuration
Specifies the time, in minutes, after which a previously locked account is automatically unlocked.
LockoutDuration values range from 0 to 99999, and the default value is 30. Setting the value to 0
disables lockout duration, and would require a user to seek administrative action to unlock the account.
The lockout duration begins with the first login attempt after the LockoutThreshold has been
reached. Subsequent failed login attempts do not extend the lockout period.
To enable the admin lockout policy:
1.
Log in to the switch using an admin or securityAdmin account.
2.
Type passwdCfg
The policy is now enabled.
To unlock an account:
66
Managing user accounts
enableadminlockout.
--
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
