User manual REDHAT NETSCAPE DIRECTORY SERVER 6.02 ADMINISTRATOR

[. . . ] Administrator's Guide Netscape Directory Server Version 6. 02 May 2002 Netscape Communications Corporation ("Netscape") and its licensors retain all ownership rights to the software programs offered by Netscape (referred to herein as "Software") and related documentation. Use of the Software and related documentation is governed by the license agreement for the Software and applicable copyright law. Your right to copy this documentation is limited by copyright law. Making unauthorized copies, adaptations or compilation works is prohibited and constitutes a punishable violation of the law. [. . . ] You can also use the Users and Groups area of the Netscape Administration Server or the Directory Server Gateway to set or reset user passwords. For information on how to use the Users and Groups area, see the online help that is available in the Netscape Administration Server. For information on how to use the Gateway to create or modify directory entries, see the online help that is available in the Gateway. Configuring the Account Lockout Policy The lockout policy works in conjunction with the password policy to provide further security. The account lockout feature protects against hackers who try to break into the directory by repeatedly trying to guess a user's password. You can set up your password policy so that a specific user is locked out of the directory after a given number of failed attempts to bind. Configuring the account lockout policy is described in the following sections: · · Configuring the Account Lockout Policy Using the Console Configuring the Account Lockout Policy Using the Command Line Configuring the Account Lockout Policy Using the Console To set up or modify the account lockout policy for your Directory Server: 1. On the Directory Server Console, select the Configuration tab and then the Data node. Select the Account Lockout tab in the right pane. To enable account lockout, select the "Accounts may be locked out" checkbox. Enter the maximum number of allowed bind failures in the "Lockout account after X login failures" text box. The server locks out users who exceed the limit you specify here. Enter the number of minutes you want the server to wait before resetting the bind failure counter to 0 in the "Reset failure counter after X minutes" text box. 2. 4. 5. Chapter 7 User Account Management 265 Managing the Password Policy 6. Set the interval you want users to be locked out of the directory. Select the Lockout Forever radio button to lock users out until their passwords have been reset by the administrator. Set a specific lockout period by selecting the Lockout duration radio button and entering the time (in minutes) in the text box. 7. When you have finished making changes to the account lockout policy, click Save. Configuring the Account Lockout Policy Using the Command Line This section describes the attributes you set to create an account lockout policy to protect the passwords stored in your server. Use ldapmodify to change these attributes in the cn=config entry. Table 7-2 describes the attributes you can use to configure your account lockout policy. Table 7-2 Account Lockout Policy Attributes Definition Attribute Name passwordLockout This attribute indicates whether users are locked out of the directory after a given number of failed bind attempts. You set the number of failed bind attempts after which the user will be locked out using the passwordMaxFailure attribute. You can lock users out for a specific time or until an administrator resets the password. This attribute is set to off by default, meaning that users will not be locked out of the directory. passwordMaxFailure This attribute indicates the number of failed bind attempts after which a user will be locked out of the directory. This attribute takes affect only if the passwordLockout attribute is set to on. This attribute is set to 3 bind failures by default. passwordLockoutDuration This attribute indicates the time, in seconds, that users will be locked out of the directory. You can also specify that a user is lock out until their password is reset by an administrator using the passwordUnlock attribute. [. . . ] DES is an example of a symmetric encryption algorithm. Cannot be deleted or modified as it is essential to Directory Server target In the context of access control, the target identifies the directory information to which a particular ACI applies. target entry The entries within the scope of a CoS. TCP/IP Transmission Control Protocol/Internet Protocol. The main network protocol for the Internet and for enterprise (company) networks. [. . . ]