[Fedora-directory-users] Some password policy enforcement information questions

Bliss, Aaron ABliss at preferredcare.org
Thu Jan 19 18:34:47 UTC 2006


Please forgive me if I'm asking silly newbie questions, however I'm
trying to understand exactly what I'm seeing thru fds; first the policy
I've configured on the directory using the fds console:
I've enabled fine-grain password policy for the data unit, including
password history enforcement, password expiration after 90 days,
password warning 14 days before password expires, check password syntax,
account lockout policy enabled after 3 login failures for 120 minutes
and reset failure count after 15 minutes.

Everything seems to be working except for send password warning; in the
client's ldap.conf file, I've enabled pam_lookup_policy yes.   

Looking at account information attributes for a user, passwordexpwarnd
value is 0; I've reset the user's password to try to initialize the password
policy, however this value never seems to change.  According to this
documentation
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1077081
I believe that this attribute is stored in seconds.  Is this true?
If so, what can I do to ensure this attribute is getting updated
(assuming that this is the attribute responsible for triggering password
expiration warning)?

Second issue/question:
I've looked at this wiki
http://directory.fedora.redhat.com/wiki/Howto:PAM and near the very
bottom it mentions adding the following

 dn: cn=config
 changetype: modify
 add: passwordExp
 passwordExp: on
 -
 add: passwordMaxAge
 passwordMaxAge: 8640000

(this I believe would give a password max age of 100 days)

Do I need to add these attributes even though I've configured the
password policy using fds console, or has the console done this for me?
Is this the case?  I don't see these attributes in the gui, however I do see
passwordexpirationtime as an attribute and it is set to 90 days from now
(I want to ensure that accounts are indeed locked after passwords have
expired).

Also, Jim Summers posted to this group that he saw an issue with
shadowpasswd / shadowexpire fields not being updated:
https://www.redhat.com/archives/fedora-directory-users/2005-December/msg00367.html

Can anyone tell me what these fields are used for, as I don't see any
mention of them in this documentation?
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1077081

Thanks again very much.

Aaron
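
Added example, not part of the original post and not code from the Fedora Directory Server project: a small Python check that parses an LDIF modify record like the one quoted from the wiki and compares it with the policy described in the message, converted to seconds. The sample LDIF is constructed, and storing passwordWarning, passwordLockoutDuration and passwordResetFailureCount in seconds, like passwordMaxAge, is an assumption of this example.

```python
# Added example: the LDIF below is constructed, not taken from the post or the wiki.
DAY, MINUTE = 86400, 60
INTENDED = {  # policy described in the post; units other than passwordMaxAge assumed
    "passwordmaxage": 90 * DAY,               # expire after 90 days
    "passwordwarning": 14 * DAY,              # warn 14 days before expiry
    "passwordmaxfailure": 3,                  # lock after 3 failed logins
    "passwordlockoutduration": 120 * MINUTE,  # stay locked for 120 minutes
    "passwordresetfailurecount": 15 * MINUTE, # reset failure count after 15 minutes
}
SWITCHES = ("passwordexp", "passwordlockout", "passwordhistory", "passwordchecksyntax")
DIRECTIVES = {"dn", "changetype", "add", "replace", "delete"}
SAMPLE_LDIF = """\
dn: cn=config
changetype: modify
replace: passwordExp
passwordExp: on
-
replace: passwordMaxAge
passwordMaxAge: 8640000
-
replace: passwordWarning
passwordWarning: 1209600
"""

def parse_modify(ldif):
    """Return {lowercased attr: value} for the value lines of one modify record."""
    values = {}
    for line in ldif.splitlines():
        line = line.strip()
        if not line or line == "-" or line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        if attr.lower() not in DIRECTIVES:
            values[attr.lower()] = value.strip()
    return values

def audit(ldif):
    """List where the LDIF differs from the intended policy."""
    got = parse_modify(ldif)
    findings = [f"{a}: not on" for a in SWITCHES if got.get(a, "").lower() != "on"]
    for attr, want in INTENDED.items():
        have = got.get(attr)
        if have is None:
            findings.append(f"{attr}: missing, want {want}")
        elif not have.isdigit() or int(have) != want:
            findings.append(f"{attr}: {have}, want {want}")
    return findings
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_LDIF)))
```

Run against the constructed sample, it reports the 100-day passwordMaxAge as differing from the intended 90 days and lists the lockout settings that the record never sets.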
 

  
