Hello,

Looking for some guidance with password policies.

About a year ago I migrated a very old instance of Red Hat Directory server to 
389-ds version 1.3.5.10. I did this with a db export and import. I did not 
enable the password policy which was active on the old Red Hat Directory 
instance.

It has come time to (re)enable a password policy on the 389-ds instance and I 
am hoping for some guidance on how to proceed. The policy would be one of 
syntax and expiration requirements. All the applicable users appear to have the 
require attributes (passwordexpirationtime, passwordexpwarned, 
passwordgracetimeuser, passwordhistory, passwordretrycount, retrycoutresettime)

Questions:


1.       All the users on which the password policy should apply are under 
ou=People,dc=sub,dc=domain,dc=tld

o   It should therefore be safe to apply the password policy here for subtree?

2.       What is the best way to set individual users who should be exempt from 
the policy?

3.       Some of the users who should be exempt are within nsPwPolicyContainer 
under ou=People. Does this relate to question #2?

4.       Given that there has been a long time passed where the password policy 
has not been active, it probably makes sense to set applicable user’s 
passwordexpirationtime attribute to sometime in the future so there isn’t a 
flood of “password lockout” complaints?


[cid:EL-logo_7ba48a57-966c-4a07-b478-7857c99d9581.png]  Kirk MacDonald | System 
Analyst II
Eastlink | Internet
kirk.macdon...@corp.eastlink.ca    T: 902.406.4969


_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org

Reply via email to