Hello,
Looking for some guidance with password policies.
About a year ago I migrated a very old instance of Red Hat Directory server to 389-ds
version 1.3.5.10. I did this with a db export and import. I did not enable the password
policy which was active on the old Red Hat Directory instance.
It has come time to (re)enable a password policy on the 389-ds instance and I am hoping
for some guidance on how to proceed. The policy would be one of syntax and expiration
requirements. All the applicable users appear to have the require attributes
(passwordexpirationtime, passwordexpwarned, passwordgracetimeuser, passwordhistory,
passwordretrycount, retrycoutresettime)
Questions:
1. All the users on which the password policy should apply are under
ou=People,dc=sub,dc=domain,dc=tld
o It should therefore be safe to apply the password policy here for subtree?
2. What is the best way to set individual users who should be exempt from the
policy?
3. Some of the users who should be exempt are within nsPwPolicyContainer under
ou=People. Does this relate to question #2?
4. Given that there has been a long time passed where the password policy has not
been active, it probably makes sense to set applicable user’s passwordexpirationtime
attribute to sometime in the future so there isn’t a flood of “password lockout”
complaints?
[cid:EL-logo_7ba48a57-966c-4a07-b478-7857c99d9581.png] Kirk MacDonald | System Analyst
II
Eastlink | Internet
Kirk.MacDonald(a)corp.eastlink.ca T: 902.406.4969
Show replies by date