Designing a Password Policy
144 Netscape Directory Server Deployment Guide • October 2004

How Password Policy Works

Directory Server supports fine-grained password policy, which enables you to define password policies at the subtree and user level. This allows the flexibility of defining a password policy for:

• The entire directory (similar to the previous releases of Directory Server).

  Such a policy is known as the global password policy. When configured and enabled, the policy will be applied to all users within the directory except for the Directory Manager entry and those user entries that have local password policies enabled.

  You can use this feature to define a common, single password policy for all directory users.

• A particular subtree of the directory.

  Such a policy is known as the subtree level or local password policy. When configured and enabled, the policy will be applied to all users under the specified subtree.

  You can use this feature in a hosting environment to support different password policies for each hosted company (rather than enforcing a single policy for all the hosted companies).

• A particular user of the directory.

  Such a policy is known as the user level or local password policy. When configured and enabled, the policy will be applied to the specified user only.

  You can use this feature to define different password policies for different directory users. For example, you can configure some users to change their passwords daily, some users to change it every month, and the rest of the users to change it every six months.

By default, Directory Server includes entries and attributes that are relevant to the global password policy. To set up a password policy for a subtree or user, you will need to add a few additional entries at the subtree or user level and enable the nsslapd-pwpolicy-local attribute of the cn=config entry. This attribute acts as a switch, giving you the flexibility to turn fine-grained password policy on and off.

For details about the attribute, check Netscape Directory Server Configuration, Command, and File Reference.
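The scoping rules above, modelled as an added example (not code from the guide or from Directory Server) that is useful when auditing which policy a given account actually falls under. Assumptions: the function names and sample DNs are constructed, user-level policy is taken to override subtree-level, the deepest matching subtree wins when subtrees nest, the Directory Manager DN is the default cn=Directory Manager, and passwordMaxAge (seconds) stands in for a full policy.

```python
# Added illustration: a model of password policy scoping, not Directory Server code.
DIRECTORY_MANAGER = "cn=Directory Manager"  # assumed default Directory Manager DN

def _rdns(dn):
    """Split a DN into lowercase RDNs (simplified: ignores escaped commas)."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]

def effective_policy(user_dn, global_policy, subtree_policies, user_policies,
                     local_enabled):
    """Return (scope, policy) for user_dn.

    local_enabled models nsslapd-pwpolicy-local on cn=config: when it is off,
    subtree and user policies are ignored and only the global policy applies.
    """
    user = _rdns(user_dn)
    if user == _rdns(DIRECTORY_MANAGER):
        return ("exempt", None)  # the global policy never applies to this entry
    if local_enabled:
        # Assumption: a user-level policy overrides any subtree-level policy.
        for dn, policy in user_policies.items():
            if _rdns(dn) == user:
                return ("user", policy)
        best = None
        for dn, policy in subtree_policies.items():
            base = _rdns(dn)
            # The user entry must sit strictly below the subtree base.
            if base and len(user) > len(base) and user[-len(base):] == base:
                # Assumption: the deepest (most specific) subtree wins.
                if best is None or len(base) > len(best[0]):
                    best = (base, policy)
        if best is not None:
            return ("subtree", best[1])
    return ("global", global_policy)

# Constructed sample data for a hosting deployment (not from the guide).
GLOBAL = {"passwordMaxAge": 15552000}    # about six months
SUBTREES = {"ou=people,o=companyA,dc=example,dc=com": {"passwordMaxAge": 2592000}}
USERS = {"uid=admin1,ou=people,o=companyA,dc=example,dc=com": {"passwordMaxAge": 86400}}

if __name__ == "__main__":
    for dn in ("uid=admin1,ou=People,o=companyA,dc=example,dc=com",
               "uid=bob,ou=people,o=companyA,dc=example,dc=com",
               "uid=carol,ou=people,o=companyB,dc=example,dc=com",
               "cn=Directory Manager"):
        print(dn, "->", effective_policy(dn, GLOBAL, SUBTREES, USERS, True))
```

Running the same lookups with local_enabled set to False shows the effect of turning the switch off: every account except Directory Manager resolves to the global policy, so locally stricter rules silently stop applying.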