Passwordstoragescheme (password storage scheme), Note, Passwordunlock (unlock account) – Red Hat 8.1 User Manual

This is an operational attribute, meaning its value is managed by the server and the attribute is not
returned in default searches.

Parameter

Description

Entry DN

cn=config

Valid Range

0 to the maximum 32 bit integer value
(2147483647)

Default Value

0

Syntax

Integer

Example

passwordRetryCount: 3

2.3.1.14 2. passwordStorageScheme (Password Storage Scheme)

This attribute sets the type of encryption used to store Directory Server passwords.

The following encryption types are supported by the Directory Server:

CLEAR means the password is stored in cleartext, with no hashing or encryption. This scheme must
be used in order to use SASL DIGEST-MD5.
SSHA (Salted Secure Hash Algorithm), the default, is the recommended method because it is the
most secure. There are several bit sizes available: 140 bits (the default), 256, 384, and 512.
SHA (Secure Hash Algorithm) is included only for backward compatibility with 4.x Directory Servers;
do not use this algorithm.
MD5 (Message Digest algorithm 5) is a commonly used standard hashing algorithm.
CRYPT, the UNIX crypt algorithm, is provided for compatibility with UNIX passwords.

NOTE

Passwords cannot be encrypted using the NS-MTA-MD5 password storage scheme. The
storage scheme is still present but only for reasons of backward compatibility.

For more information on password policies, see the "Managing Users and Passwords" chapter in the
Directory Server Administrator's Guide.

2.3.1.14 3. passwordUnlock (Unlock Account)

Indicates whether users are locked out of the directory for a specified amount of time or until the
administrator resets the password after an account lockout. The account lockout feature protects
against hackers who try to break into the directory by repeatedly trying to guess a user's password. If
this passwordUnlock attribute is set to off and the operational attribute accountUnlockTime has a
value of 0, then the account is locked indefinitely.

For more information on password policies, see the "Managing Users and Passwords" chapter in the
Directory Server Administrator's Guide.

Parameter

Description

Entry DN

cn=config

Valid Values

on | off

Default Value

on

Syntax

DirectoryString

Example

passwordUnlock: off

2.3.1.14 4 . passwordWarning (Send Warning)

Indicates the number of seconds before a user's password is due to expire that the user receives a
password expiration warning control on their next LDAP operation. Depending on the LDAP client, the
user may also be prompted to change their password at the time the warning is sent.

This can be abbreviated to pwdExpireWarning.

For more information on password policies, see the "Managing Users and Passwords" chapter in the
Directory Server Administrator's Guide.

Parameter

Description

Entry DN

cn=config

Valid Range

1 to the maximum 32 bit integer value
(2147483647) in seconds

Default Value

86400 (1 day)

Syntax

Integer

56

Chapter 2. Core Server Configuration Reference