User manual REDHAT NETSCAPE DIRECTORY SERVER 6.01 ADMINISTRATOR

[. . . ] Administrator's Guide Netscape Directory Server Version 6. 01 January 2002 Netscape Communications Corporation ("Netscape") and its licensors retain all ownership rights to the software programs offered by Netscape (referred to herein as "Software") and related documentation. Use of the Software and related documentation is governed by the license agreement for the Software and applicable copyright law. Your right to copy this documentation is limited by copyright law. Making unauthorized copies, adaptations or compilation works is prohibited and constitutes a punishable violation of the law. [. . . ] The following table describes the attributes you can use to configure your account lockout policy: Table 7-2 Account Lockout Policy Attributes Definition Attribute Name passwordLockout This attribute indicates whether users are locked out of the directory after a given number of failed bind attempts. You set the number of failed bind attempts after which the user will be locked out using the passwordMaxFailure attribute. You can lock users out for a specific time or until an administrator resets the password. This attribute is set to off by default, meaning that users will not be locked out of the directory. passwordMaxFailure This attribute indicates the number of failed bind attempts after which a user will be locked out of the directory. This attribute takes affect only if the passwordLockout attribute is set to on. This attribute is set to 3 bind failures by default. passwordLockoutDuration This attribute indicates the time, in seconds, that users will be locked out of the directory. You can also specify that a user is lock out until their password is reset by an administrator using the passwordUnlock attribute. By default, the user is locked out for 3600 second. 264 Netscape Directory Server Administrator's Guide · January 2002 Managing the Password Policy Table 7-2 Account Lockout Policy Attributes (Continued) Definition Attribute Name passwordResetFailureCount This attribute specifies the time in seconds after which the password failure counter will be reset. Each time an invalid password is sent from the user's account, the password failure counter is incremented. If the passwordLockout attribute is set to on, users will be locked out of the directory when the counter reaches the number of failures specified by the passwordMaxFailure attribute. The account is locked out for the interval specified in the passwordLockoutDuration attribute, after which time the failure counter is reset to zero (0). Because the counter's purpose is to gauge when a hacker is trying to gain access to the system, the counter must continue for a period long enough to detect a hacker. However, if the counter was to increment indefinitely over days and weeks, valid users might be locked out inadvertently. The reset password failure count attribute is set 600 seconds by default. Managing the Password Policy in a Replicated Environment Password and account lockout policies are enforced in a replicated environment as follows: · · Password policies are enforced on the data master. Account lockout is enforced on all servers participating in replication. Some of the password policy information in your directory is replicated. The replicated attributes are: · · · passwordMinAge and passwordMaxAge passwordExp passwordWarning However, the configuration information is kept locally and is not replicated. This information includes the password syntax and the history of password modifications. Account lockout counters and tiers are not replicated either. When configuration a password policy in a replicated environment, consider the following points: Chapter 7 User Account Management 265 Inactivating Users and Roles · Warnings from the server of an impending password expiration will be issued by all replicas. This information is kept locally on each server, so if a user binds to several replicas in turn, they will be issued the same warning several times. In addition, if the user changes the password, it may take time for this information to filter to the replicas. If a user changes a password and then immediately rebind, they may find that the bind fails until the replica registers the changes. [. . . ] DES is an example of a symmetric encryption algorithm. Cannot be deleted or modified as it is essential to Directory Server target In the context of access control, the target identifies the directory information to which a particular ACI applies. target entry The entries within the scope of a CoS. TCP/IP Transmission Control Protocol/Internet Protocol. The main network protocol for the Internet and for enterprise (company) networks. [. . . ]