
Set password properties

The Directory Server provides many password options to ensure that only authorized users are allowed to access the directory. These options are grouped under password policy, password lockout, and password validation.

Password policy

To set the password policy, take these steps:

  1. Expand the Manage security properties category in the navigation area of the Web Administration Tool, and select the Password policy tab. This panel displays a noneditable Password attribute field that contains the name of the attribute that password policy is using.
  2. Select the type of password encryption from the drop-down list:
    None
    No encryption. Passwords are stored in clear text.
    crypt
    Passwords are encoded by the UNIX crypt encoding algorithm before they are stored in the directory.
    SHA-1
    Passwords are encoded by the SHA-1 encoding algorithm before they are stored in the directory.
  3. Select the Password policy enabled check box to enable password policy.
    Note:
    If Password policy is not enabled, none of the other functions on this or the other password panels are available until the check box is enabled. By default, password policy is disabled.
  4. Select the User can change password check box to specify whether the user can change the password.
  5. Select the User must change password after reset check box to specify whether the user must change the password after logging on with a reset password.
  6. Select the User must send password when changing check box to specify whether the user, after the initial logon, needs to specify the password again before being able to change the password.
  7. Set the password expiration limit. Click the Password Never Expires radio button to specify that the password does not have to be changed at a specific time interval, or click the Days radio button and specify the time interval, in days, when the password needs to be reset.
  8. Specify whether the system issues a password expiration warning before the password expires.

    If you click the Never warn radio button, the user is not warned before the previous password expires. The user cannot access the directory until the administrator has created a new password.

    If you click the Days before expiration radio button and specify a number of days (n), the user receives a warning prompt to change the password each time the user logs on, starting n days before the password expires. The user can still access the directory until the password expires.

  9. Specify the number of times, if any, that the user can log in after the password has expired. This selection enables the user to access the directory with an expired password.
  10. Click OK.
Note:
You can also use the ldapmodify utility (see ldapmodify and ldapadd) to set password policy.

For more information about password policy, see Password policy.

Password lockout

  1. Expand the Manage security properties category in the navigation area of the Web Administration Tool, then select the Password lockout tab.
    Note:
    If password policy is not enabled on the server, the functions on this panel do not take effect.
  2. Specify the number of seconds, minutes, hours or days that must elapse before a password can be changed.
  3. Specify whether incorrect logins lock out the password.
  4. Specify the duration of the lockout. Select the Lockouts never expire radio button to specify that the system administrator must reset the password, or select the Seconds radio button and specify the number of seconds before the lockout expires and login attempts can resume.
  5. Specify the expiration time for an incorrect login. Click the Incorrect logins only cleared with correct password radio button to specify that incorrect logins are cleared only by a successful login, or click the Seconds radio button and specify the number of seconds before an unsuccessful login attempt is cleared from memory.
    Note:
    This option works only if the password is not locked out.
  6. When you are finished, click Apply to save your changes without exiting, or click OK to apply your changes and exit, or click Cancel to exit this panel without making any changes.

Password validation

  1. Expand the Manage security properties category in the navigation area of the Web Administration Tool, then select the Password validation tab.
    Note:
    If password policy is not enabled on the server, the functions on this panel do not take effect.
  2. Set the number of passwords that must be used before a password can be reused. Enter a number from 0 to 30. If you enter zero, a password can be reused without restriction.
  3. From the drop-down menu, select whether the password is checked for the syntax defined in the following entry fields. You can select:
    Do not check syntax
    No syntax checking is performed.
    Check syntax (except encrypted)
    The syntax checking is performed on all unencrypted passwords.
    Check syntax
    The syntax checking is performed on all passwords.
  4. Specify a number value to set the minimum length of the password. If the value is set to zero, no syntax checking is performed.
  5. Specify the maximum number of characters that can be repeated in the password. This option limits the number of times a specific character can appear in the password. If the value is set to zero, the number of repeated characters is not checked.
  6. Specify the minimum number of characters that must be different from the previous password and the number of previous passwords specified in the Minimum number of passwords before reuse field. If the value is set to zero, the number of different characters is not checked.
  7. When you are finished, click Apply to save your changes without exiting, or click OK to apply your changes and exit, or click Cancel to exit this panel without making any changes.
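
The following is an added example, not part of the product documentation or the server's code: a small Python model of how the Password validation settings from steps 2 through 6 combine when a new password is submitted. The field names are hypothetical and are not server attribute names. The model assumes that each zero value disables only its own check, and that "different characters" means characters of the new password with no counterpart in a remembered password.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class ValidationPolicy:
    # Hypothetical field names mirroring the panel fields, not server attributes.
    history_size: int = 0       # passwords before reuse, 0-30; 0 = reuse unrestricted
    check_syntax: str = "none"  # "none" | "except_encrypted" | "all"
    min_length: int = 0         # 0 = length not checked
    max_repeated: int = 0       # most times one character may appear; 0 = not checked
    min_different: int = 0      # characters that must differ from each remembered password

def validate(policy, new_pw, history, encrypted=False):
    """Return the violated rules. history is most-recent-first; clear-text
    values are kept here only because this is a model of the settings."""
    if not 0 <= policy.history_size <= 30:
        raise ValueError("history_size must be between 0 and 30")
    remembered = history[:policy.history_size]
    errors = ["reuse"] if new_pw in remembered else []
    if policy.check_syntax == "none":
        return errors
    if policy.check_syntax == "except_encrypted" and encrypted:
        return errors  # pre-encoded values are exempt from syntax checks in this mode
    if policy.min_length and len(new_pw) < policy.min_length:
        errors.append("too_short")
    counts = Counter(new_pw)
    if policy.max_repeated and max(counts.values(), default=0) > policy.max_repeated:
        errors.append("too_many_repeats")
    if policy.min_different:
        for old in remembered:
            # Assumed reading: multiset difference between new and old password.
            if sum((counts - Counter(old)).values()) < policy.min_different:
                errors.append("too_similar")
                break
    return errors

if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    policy = ValidationPolicy(history_size=2, check_syntax="all",
                              min_length=8, max_repeated=2, min_different=3)
    history = ["Winter2023x", "Autumn2022y", "Summer2021"]
    for candidate in ("Winter2023x", "Summer2021", "aaa"):
        print(candidate, validate(policy, candidate, history))
```

With a history size of 2, the third-oldest password in the sample is accepted again, which is the behaviour step 2 describes for passwords that fall outside the reuse window.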