Posted to commits@directory.apache.org by el...@apache.org on 2013/04/14 21:20:13 UTC

svn commit: r1467815 - /directory/site/trunk/content/apacheds/advanced-ug/4.3-password-policy.mdtext

Author: elecharny
Date: Sun Apr 14 19:20:12 2013
New Revision: 1467815

URL: http://svn.apache.org/r1467815
Log:
Added more doc on PP

Modified:
    directory/site/trunk/content/apacheds/advanced-ug/4.3-password-policy.mdtext

Modified: directory/site/trunk/content/apacheds/advanced-ug/4.3-password-policy.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/apacheds/advanced-ug/4.3-password-policy.mdtext?rev=1467815&r1=1467814&r2=1467815&view=diff
==============================================================================
--- directory/site/trunk/content/apacheds/advanced-ug/4.3-password-policy.mdtext (original)
+++ directory/site/trunk/content/apacheds/advanced-ug/4.3-password-policy.mdtext Sun Apr 14 19:20:12 2013
@@ -123,6 +123,9 @@ Here is the entry :
 	ads-pwdMustChange: FALSE
 	ads-pwdSafeModify: FALSE
 
+<DIV class="warning" markdown="1">
+All the configured delays are stored in seconds. As a rule of thumb, a day is 86400 seconds, a week is 604800 seconds and a month can be 2419200 seconds or 2505600 seconds (february normal and leap years), 2592000 seconds (april, june, september, november) and 2678400 (january, march, may, july, august, october and december)
+</DIV>
 
 #### Enabling/Disabling the PasswordPolicy
 
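Review bot: in the added warning sentence the last value ("2678400") has no "seconds" unit, the month names are lowercase and the sentence has no final period. Since the four month figures are just 28, 29, 30 and 31 days, giving the day count next to each value would make the rule of thumb easier to check. Also confirm that class="warning" is intended here, as the other boxes added in this commit use class="info".
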
@@ -200,8 +203,10 @@ Default value : 1
 The system can be enabled or disabled, and when enabled, two different level of checks con be done : relaxed or strict. We use a parameter to specify the kind of check we do on the password : _ads-pwdCheckQuality_, which can take three values :
 
 	* 0 : The password is not checked
-	* 1 : We check the password when we can, ie when it's not hashed. When the password is hashed, or in a form that does not allow us to apply the checks, then we ignore the errors
-	* 2 : The password is checked, and if it's hashed or in a form that does not allow the checks to be done, then the changes are rejected.
+	* 1 : We check the password when we can, ie when it's not hashed. When the password is hashed, or in a form 
+	that does not allow us to apply the checks, then we ignore the errors
+	* 2 : The password is checked, and if it's hashed or in a form that does not allow the checks to be done, 
+	then the changes are rejected.
 
 #### Password History
 
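Review bot: the two rewrapped bullets now carry trailing whitespace on the lines ending "in a form " and "to be done, ", and their continuation lines start at the same tab indent as the "*" marker rather than under the item text, so check that the rendered page still shows each bullet as a single item. While this paragraph is being touched, the context line above reads "two different level of checks con be done", which should be "two different levels of checks can be done".
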
@@ -238,4 +243,33 @@ Setting a password max length is most ce
 
 ### Password lifecycle management
 
-We now have to expose the rules that apply to the password during it's life.
\ No newline at end of file
+We now have to expose the rules that apply to the password during it's life.
+
+
+#### Password max age
+
+<DIV class="info" markdown="1">
+Impacted Attribute : ads-pwdMaxAge
+</DIV>
+
+A password may have a limited life expectation, and when this age is reached, the password will be invalidated. This is configured through the _ads-pwdMaxAge_ parameter, which contains the number of second a password will last.
+
+This password invalidation can be overruled by the two next parameters
+
+#### Password grace auth N limit
+
+<DIV class="info" markdown="1">
+Impacted Attribute : ads-pwdGraceAuthNLimit
+</DIV>
+
+When the password has expired, this parameter (_ads-pwdGraceAuthNLimit_) tells how many times a user will still be allowed to bind before the password is definitively locked. Each attempt will decrement the associated counter.
+
+#### Paswword grace Expire
+
+<DIV class="info" markdown="1">
+Impacted Attribute : ads-pwdGraceExpire
+</DIV>
+
+Another option when the password has expired is to give the user the possibility to log in during a certain period of time. This is mainly useful when the _ads-pwdGraceAuthNLimit_ is set : not only there is a limited number of attempts, but those attempts must be done in a limited period of time, ortherwise the password will be locked.
+
+If the configuration of the _ads-pwdGraceAuthNLimit_ is 0, the _ads-pwdGraceExpire_ value is simply added to the _ads-pwdMaxAge_ value.
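
Review bot: the three new sections give no default value for ads-pwdMaxAge, ads-pwdGraceAuthNLimit or ads-pwdGraceExpire, although the file does so elsewhere (an earlier hunk header in this diff shows "Default value : 1"), and "Each attempt will decrement the associated counter" does not say whether failed binds count as well as successful ones. Both are worth stating, since they decide when an account ends up locked. Spelling in the added lines: "Paswword grace Expire" in the heading, "ortherwise", "number of second", and "it's life" on the re-added line should be "its life".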