Managing the Password Policy

266 Netscape Directory Server Administrator’s Guide • August 2002

12. When you have finished making changes to the password policy, click Save.

Configuring the Password Policy Using the Command-Line

This section describes the attributes you set to create a password policy for your server. Use ldapmodify to change these attributes in the cn=config entry.

Table 7-1 describes the attributes you can use to configure your password policy:

Table 7-1 Password Policy Attributes

Attribute Name    Definition

passwordMustChange
When on, this attribute requires users to change their passwords when they first log in to the directory or after the password is reset by the Directory Manager. When on, the user is required to change their password even if user-defined passwords are disabled.
If you choose to set this attribute to off, passwords assigned by the Directory Manager should not follow any obvious convention and should be difficult to discover.
This attribute is off by default.

passwordChange
When on, this attribute indicates that users may change their own password. Choosing for users to set their own passwords runs the risk of users choosing passwords that are easy to remember.
However, setting good passwords for the user requires a significant administrative effort. In addition, providing passwords to users that are not meaningful to them runs the risk that users will write the password down somewhere that can be discovered.
This attribute is on by default.

passwordExp
When on, this attribute indicates that the user’s password will expire after an interval given by the passwordMaxAge attribute. Making passwords expire helps protect your directory data because the longer a password is in use, the more likely it is to be discovered.
This attribute is off by default.

passwordMaxAge
This attribute indicates the number of seconds after which user passwords expire. To use this attribute, you must enable password expiration using the passwordExp attribute.
A common policy is to have passwords expire every 30 to 90 days. By default, the password maximum age is set to 8640000 seconds (100 days).
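
The following is an added example, not taken from the guide: a shell helper that builds the ldapmodify input to enable passwordExp, set passwordMaxAge from a number of days, and turn on passwordMustChange in cn=config in a single modify. The helper name pwpolicy_ldif, the host ldap.example.com and the bind options in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: generate LDIF for the expiration attributes in Table 7-1.
# pwpolicy_ldif is a hypothetical helper name, not part of Directory Server.

pwpolicy_ldif() {
    days=$1
    # Accept only a positive whole number of days (no sign, no leading zero,
    # so the shell never reads the value as octal).
    case $days in
        ''|*[!0-9]*|0*)
            echo "usage: pwpolicy_ldif DAYS (positive integer)" >&2
            return 2 ;;
    esac
    # passwordMaxAge is expressed in seconds; one day is 86400 seconds.
    max_age=$((days * 86400))
    # The guide cites 30 to 90 days as a common policy; flag other values.
    if [ "$days" -lt 30 ] || [ "$days" -gt 90 ]; then
        echo "note: $days days is outside the common 30-90 day range" >&2
    fi
    # passwordMaxAge has no effect unless passwordExp is on, so both are
    # set together. passwordMustChange is off by default and is enabled here.
    cat <<EOF
dn: cn=config
changetype: modify
replace: passwordExp
passwordExp: on
-
replace: passwordMaxAge
passwordMaxAge: $max_age
-
replace: passwordMustChange
passwordMustChange: on
EOF
}

# Usage (host and bind DN are placeholders; adjust to your deployment):
#   pwpolicy_ldif 90 | ldapmodify -h ldap.example.com -p 389 \
#       -D "cn=Directory Manager" -w -
```

Review the generated LDIF before piping it to ldapmodify; the change applies server-wide because it is written to cn=config.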