Posted to commits@directory.apache.org by bu...@apache.org on 2013/04/14 21:20:20 UTC

svn commit: r858456 - in /websites/staging/directory/trunk/content: ./ apacheds/advanced-ug/4.3-password-policy.html

Author: buildbot
Date: Sun Apr 14 19:20:20 2013
New Revision: 858456

Log:
Staging update by buildbot for directory

Modified:
    websites/staging/directory/trunk/content/   (props changed)
    websites/staging/directory/trunk/content/apacheds/advanced-ug/4.3-password-policy.html

Propchange: websites/staging/directory/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Sun Apr 14 19:20:20 2013
@@ -1 +1 @@
-1467709
+1467815

Modified: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.3-password-policy.html
==============================================================================
--- websites/staging/directory/trunk/content/apacheds/advanced-ug/4.3-password-policy.html (original)
+++ websites/staging/directory/trunk/content/apacheds/advanced-ug/4.3-password-policy.html Sun Apr 14 19:20:20 2013
@@ -310,6 +310,9 @@ ads-pwdSafeModify: FALSE
 </pre></div>
 
 
+<p><DIV class="warning" markdown="1">
+All the configured delays are stored in seconds. As a rule of thumb, a day is 86400 seconds, a week is 604800 seconds and a month can be 2419200 seconds or 2505600 seconds (february normal and leap years), 2592000 seconds (april, june, september, november) and 2678400 (january, march, may, july, august, october and december)
+</DIV></p>
 <h4 id="enablingdisabling-the-passwordpolicy">Enabling/Disabling the PasswordPolicy</h4>
 <p>The <em>PasswordPolicy</em> is enabled by default. It's possible to disable it by setting the <em>ads-enabled</em> value to FALSE, with a server restart.</p>
 <h2 id="password-protection">Password protection</h2>
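Review bot: In the added warning block, the month values are hard to pair with their lengths, and the last one (2678400) has lost its "seconds" unit. Suggest writing them as 28 days = 2419200 seconds, 29 days = 2505600 seconds, 30 days = 2592000 seconds and 31 days = 2678400 seconds, capitalising the month names, and ending the sentence with a period. Since the warning applies to every delay attribute on the page, it would also help to state that the value is a plain count of seconds, so "a month" is only ever an approximation chosen by the administrator.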
@@ -415,8 +418,10 @@ Default value : 1
 </DIV></p>
 <p>The system can be enabled or disabled, and when enabled, two different level of checks con be done : relaxed or strict. We use a parameter to specify the kind of check we do on the password : <em>ads-pwdCheckQuality</em>, which can take three values :</p>
 <div class="codehilite"><pre><span class="o">*</span> <span class="mi">0</span> <span class="p">:</span> <span class="n">The</span> <span class="n">password</span> <span class="n">is</span> <span class="ow">not</span> <span class="n">checked</span>
-<span class="o">*</span> <span class="mi">1</span> <span class="p">:</span> <span class="n">We</span> <span class="n">check</span> <span class="n">the</span> <span class="n">password</span> <span class="n">when</span> <span class="n">we</span> <span class="n">can</span><span class="p">,</span> <span class="n">ie</span> <span class="n">when</span> <span class="n">it</span><span class="s">&#39;s not hashed. When the password is hashed, or in a form that does not allow us to apply the checks, then we ignore the errors</span>
-<span class="s">* 2 : The password is checked, and if it&#39;</span><span class="n">s</span> <span class="n">hashed</span> <span class="ow">or</span> <span class="n">in</span> <span class="n">a</span> <span class="n">form</span> <span class="n">that</span> <span class="n">does</span> <span class="ow">not</span> <span class="n">allow</span> <span class="n">the</span> <span class="n">checks</span> <span class="n">to</span> <span class="n">be</span> <span class="n">done</span><span class="p">,</span> <span class="k">then</span> <span class="n">the</span> <span class="n">changes</span> <span class="n">are</span> <span class="n">rejected</span><span class="o">.</span>
+<span class="o">*</span> <span class="mi">1</span> <span class="p">:</span> <span class="n">We</span> <span class="n">check</span> <span class="n">the</span> <span class="n">password</span> <span class="n">when</span> <span class="n">we</span> <span class="n">can</span><span class="p">,</span> <span class="n">ie</span> <span class="n">when</span> <span class="n">it</span><span class="s">&#39;s not hashed. When the password is hashed, or in a form </span>
+<span class="s">that does not allow us to apply the checks, then we ignore the errors</span>
+<span class="s">* 2 : The password is checked, and if it&#39;</span><span class="n">s</span> <span class="n">hashed</span> <span class="ow">or</span> <span class="n">in</span> <span class="n">a</span> <span class="n">form</span> <span class="n">that</span> <span class="n">does</span> <span class="ow">not</span> <span class="n">allow</span> <span class="n">the</span> <span class="n">checks</span> <span class="n">to</span> <span class="n">be</span> <span class="n">done</span><span class="p">,</span> 
+<span class="k">then</span> <span class="n">the</span> <span class="n">changes</span> <span class="n">are</span> <span class="n">rejected</span><span class="o">.</span>
 </pre></div>
 
 
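Review bot: The re-wrapped entries for values 1 and 2 are still rendered inside a codehilite pre block, so the prose is tokenised as code: the apostrophe in "it's" opens a string span that runs to the next "it's", and "not", "or" and "then" are highlighted as operators and keywords. Hard-wrapping the lines only hides the overflow. Formatting the three values as an ordinary bullet list in the source would drop the highlighting and let the text wrap on its own. While these lines are being touched, "ie" could become "i.e.".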
@@ -442,6 +447,23 @@ Setting a password max length is most ce
 </DIV></p>
 <h3 id="password-lifecycle-management">Password lifecycle management</h3>
 <p>We now have to expose the rules that apply to the password during it's life.</p>
+<h4 id="password-max-age">Password max age</h4>
+<p><DIV class="info" markdown="1">
+Impacted Attribute : ads-pwdMaxAge
+</DIV></p>
+<p>A password may have a limited life expectation, and when this age is reached, the password will be invalidated. This is configured through the <em>ads-pwdMaxAge</em> parameter, which contains the number of second a password will last.</p>
+<p>This password invalidation can be overruled by the two next parameters</p>
+<h4 id="password-grace-auth-n-limit">Password grace auth N limit</h4>
+<p><DIV class="info" markdown="1">
+Impacted Attribute : ads-pwdGraceAuthNLimit
+</DIV></p>
+<p>When the password has expired, this parameter (<em>ads-pwdGraceAuthNLimit</em>) tells how many times a user will still be allowed to bind before the password is definitively locked. Each attempt will decrement the associated counter.</p>
+<h4 id="paswword-grace-expire">Paswword grace Expire</h4>
+<p><DIV class="info" markdown="1">
+Impacted Attribute : ads-pwdGraceExpire
+</DIV></p>
+<p>Another option when the password has expired is to give the user the possibility to log in during a certain period of time. This is mainly useful when the <em>ads-pwdGraceAuthNLimit</em> is set : not only there is a limited number of attempts, but those attempts must be done in a limited period of time, ortherwise the password will be locked.</p>
+<p>If the configuration of the <em>ads-pwdGraceAuthNLimit</em> is 0, the <em>ads-pwdGraceExpire</em> value is simply added to the <em>ads-pwdMaxAge</em> value.</p>
 
 
     <div class="nav">
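Review bot: The two added grace sections leave out details an administrator needs before setting these values. The ads-pwdGraceAuthNLimit paragraph says "Each attempt will decrement the associated counter" without saying whether failed binds count or only successful ones. The ads-pwdGraceExpire paragraphs give no unit and no default, although other sections of the page carry a "Default value" line. Please add those. There are also typos to fix before the page is published: the heading "Paswword grace Expire" and its generated id "paswword-grace-expire" (the id becomes a link target, so it is cheaper to correct now), "ortherwise", "number of second", and "it's life" in the unchanged line just above the additions.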