directory-commits mailing list archives

From build...@apache.org
Subject svn commit: r858456 - in /websites/staging/directory/trunk/content: ./ apacheds/advanced-ug/4.3-password-policy.html
Date Sun, 14 Apr 2013 19:20:20 GMT
Author: buildbot
Date: Sun Apr 14 19:20:20 2013
New Revision: 858456

Log:
Staging update by buildbot for directory

Modified:
    websites/staging/directory/trunk/content/   (props changed)
    websites/staging/directory/trunk/content/apacheds/advanced-ug/4.3-password-policy.html

Propchange: websites/staging/directory/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Sun Apr 14 19:20:20 2013
@@ -1 +1 @@
-1467709
+1467815

Modified: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.3-password-policy.html
==============================================================================
--- websites/staging/directory/trunk/content/apacheds/advanced-ug/4.3-password-policy.html
(original)
+++ websites/staging/directory/trunk/content/apacheds/advanced-ug/4.3-password-policy.html
Sun Apr 14 19:20:20 2013
@@ -310,6 +310,9 @@ ads-pwdSafeModify: FALSE
 </pre></div>
 
 
+<p><DIV class="warning" markdown="1">
+All the configured delays are stored in seconds. As a rule of thumb, a day is 86400 seconds,
a week is 604800 seconds and a month can be 2419200 seconds or 2505600 seconds (february normal
and leap years), 2592000 seconds (april, june, september, november) and 2678400 (january,
march, may, july, august, october and december)
+</DIV></p>
 <h4 id="enablingdisabling-the-passwordpolicy">Enabling/Disabling the PasswordPolicy</h4>
 <p>The <em>PasswordPolicy</em> is enabled by default. It's possible to
disable it by setting the <em>ads-enabled</em> value to FALSE, with a server restart.</p>
 <h2 id="password-protection">Password protection</h2>
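
Review bot: In the added warning block, the month figures tie a fixed-length setting to calendar months. The four values given (2419200, 2505600, 2592000, 2678400) are 28, 29, 30 and 31 days, but a delay stored as a number of seconds cannot follow the calendar, so the administrator has to pick one of them and the text does not say which. Suggest giving the rule of thumb in days (N times 86400) and naming the attributes it applies to. In the same block, the last value is missing its unit ("2678400" without "seconds"), the month names should be capitalised, and the block-level <DIV> is wrapped in <p>, which is not valid nesting and leaves the markdown="1" attribute in the generated page; that last point needs fixing in the CMS source rather than in this staging output.
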
@@ -415,8 +418,10 @@ Default value : 1
 </DIV></p>
 <p>The system can be enabled or disabled, and when enabled, two different level of
checks con be done : relaxed or strict. We use a parameter to specify the kind of check we
do on the password : <em>ads-pwdCheckQuality</em>, which can take three values
:</p>
 <div class="codehilite"><pre><span class="o">*</span> <span class="mi">0</span>
<span class="p">:</span> <span class="n">The</span> <span class="n">password</span>
<span class="n">is</span> <span class="ow">not</span> <span class="n">checked</span>
-<span class="o">*</span> <span class="mi">1</span> <span class="p">:</span>
<span class="n">We</span> <span class="n">check</span> <span class="n">the</span>
<span class="n">password</span> <span class="n">when</span> <span
class="n">we</span> <span class="n">can</span><span class="p">,</span>
<span class="n">ie</span> <span class="n">when</span> <span class="n">it</span><span
class="s">&#39;s not hashed. When the password is hashed, or in a form that does not
allow us to apply the checks, then we ignore the errors</span>
-<span class="s">* 2 : The password is checked, and if it&#39;</span><span
class="n">s</span> <span class="n">hashed</span> <span class="ow">or</span>
<span class="n">in</span> <span class="n">a</span> <span class="n">form</span>
<span class="n">that</span> <span class="n">does</span> <span class="ow">not</span>
<span class="n">allow</span> <span class="n">the</span> <span class="n">checks</span>
<span class="n">to</span> <span class="n">be</span> <span class="n">done</span><span
class="p">,</span> <span class="k">then</span> <span class="n">the</span>
<span class="n">changes</span> <span class="n">are</span> <span
class="n">rejected</span><span class="o">.</span>
+<span class="o">*</span> <span class="mi">1</span> <span class="p">:</span>
<span class="n">We</span> <span class="n">check</span> <span class="n">the</span>
<span class="n">password</span> <span class="n">when</span> <span
class="n">we</span> <span class="n">can</span><span class="p">,</span>
<span class="n">ie</span> <span class="n">when</span> <span class="n">it</span><span
class="s">&#39;s not hashed. When the password is hashed, or in a form </span>
+<span class="s">that does not allow us to apply the checks, then we ignore the errors</span>
+<span class="s">* 2 : The password is checked, and if it&#39;</span><span
class="n">s</span> <span class="n">hashed</span> <span class="ow">or</span>
<span class="n">in</span> <span class="n">a</span> <span class="n">form</span>
<span class="n">that</span> <span class="n">does</span> <span class="ow">not</span>
<span class="n">allow</span> <span class="n">the</span> <span class="n">checks</span>
<span class="n">to</span> <span class="n">be</span> <span class="n">done</span><span
class="p">,</span> 
+<span class="k">then</span> <span class="n">the</span> <span class="n">changes</span>
<span class="n">are</span> <span class="n">rejected</span><span
class="o">.</span>
 </pre></div>
 
 
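
Review bot: The three ads-pwdCheckQuality values in this <pre> block are still being run through the code highlighter, and the change only re-wraps the lines instead of fixing that. The apostrophe in "it's" on the value 1 line opens a string token (class="s") that runs on into "* 2 : The password is checked, and if it'", and words such as "not", "or" and "then" are tagged as operators and keywords. Suggest turning the block into an ordinary bulleted list in the source so the three values render as text. The context sentence introducing the block also still reads "two different level of checks con be done", which could be corrected in the same pass.
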
@@ -442,6 +447,23 @@ Setting a password max length is most ce
 </DIV></p>
 <h3 id="password-lifecycle-management">Password lifecycle management</h3>
 <p>We now have to expose the rules that apply to the password during it's life.</p>
+<h4 id="password-max-age">Password max age</h4>
+<p><DIV class="info" markdown="1">
+Impacted Attribute : ads-pwdMaxAge
+</DIV></p>
+<p>A password may have a limited life expectation, and when this age is reached, the
password will be invalidated. This is configured through the <em>ads-pwdMaxAge</em>
parameter, which contains the number of second a password will last.</p>
+<p>This password invalidation can be overruled by the two next parameters</p>
+<h4 id="password-grace-auth-n-limit">Password grace auth N limit</h4>
+<p><DIV class="info" markdown="1">
+Impacted Attribute : ads-pwdGraceAuthNLimit
+</DIV></p>
+<p>When the password has expired, this parameter (<em>ads-pwdGraceAuthNLimit</em>)
tells how many times a user will still be allowed to bind before the password is definitively
locked. Each attempt will decrement the associated counter.</p>
+<h4 id="paswword-grace-expire">Paswword grace Expire</h4>
+<p><DIV class="info" markdown="1">
+Impacted Attribute : ads-pwdGraceExpire
+</DIV></p>
+<p>Another option when the password has expired is to give the user the possibility
to log in during a certain period of time. This is mainly useful when the <em>ads-pwdGraceAuthNLimit</em>
is set : not only there is a limited number of attempts, but those attempts must be done in
a limited period of time, ortherwise the password will be locked.</p>
+<p>If the configuration of the <em>ads-pwdGraceAuthNLimit</em> is 0, the
<em>ads-pwdGraceExpire</em> value is simply added to the <em>ads-pwdMaxAge</em>
value.</p>
 
 
     <div class="nav">
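
Review bot: The new heading "Paswword grace Expire" and its id="paswword-grace-expire" are misspelled, and the id becomes a link anchor once published, so correct both to "Password grace expire" / id="password-grace-expire" in the source before this goes live. Also in the added text, "number of second" and "ortherwise" need fixing, and the context line above has "it's life" for "its life". On content, the last paragraph covers the case where ads-pwdGraceAuthNLimit is 0, but nothing here says what 0 means for ads-pwdMaxAge or ads-pwdGraceExpire, and none of the three new sections has the "Default value" line that the earlier section carries (visible in the previous hunk header), so a reader cannot tell whether expiry and grace logins are active out of the box. The ads-pwdGraceAuthNLimit paragraph should also state whether "each attempt" means every bind attempt or only successful binds, since that decides how quickly the grace counter runs out.
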


