Hello,

 

Looking for some guidance with password policies.

 

About a year ago I migrated a very old instance of Red Hat Directory server to 389-ds version 1.3.5.10. I did this with a db export and import. I did not enable the password policy which was active on the old Red Hat Directory instance.

 

It has come time to (re)enable a password policy on the 389-ds instance and I am hoping for some guidance on how to proceed. The policy would be one of syntax and expiration requirements. All the applicable users appear to have the require attributes (passwordexpirationtime, passwordexpwarned, passwordgracetimeuser, passwordhistory, passwordretrycount, retrycoutresettime)

 

Questions:

 

1.       All the users on which the password policy should apply are under ou=People,dc=sub,dc=domain,dc=tld

o   It should therefore be safe to apply the password policy here for subtree?

2.       What is the best way to set individual users who should be exempt from the policy?

3.       Some of the users who should be exempt are within nsPwPolicyContainer under ou=People. Does this relate to question #2?

4.       Given that there has been a long time passed where the password policy has not been active, it probably makes sense to set applicable user’s passwordexpirationtime attribute to sometime in the future so there isn’t a flood of “password lockout” complaints?