Managing the Password Policy282 Red Hat Directory Server Administrator’s Guide • May 20058. If you want users to change their passwords periodically, select the“Password expires after X days” radio button, and then enter the number ofdays that a user password is valid.The maximum value for the password age is derived by subtracting January18, 2038, from today’s date. The value you enter must not be set to themaximum value or too close to the maximum value. If you set the value to themaximum value, Directory Server may fail to start because the number ofseconds will go past the epoch date. In such an event, the error log willindicate that the password maximum age is invalid. To resolve this problem,you must correct the passwordMaxAge attribute value in the dse.ldif file.A common policy is to have passwords expire every 30 to 90 days. By default,the password maximum age is set to 8640000 seconds (100 days).9. If you have selected the “Password expire after X days” radio button, youneed to specify how long before the password expires to send a warning tothe user. In the “Send Warning X Days Before Password Expires” text enterthe number of days before password expiration to send a warning.10. If you want the server to check the syntax of a user password to make sure itmeets the minimum requirements set by the password policy, select the“Check Password Syntax” checkbox. Then, specify the minimum acceptablepassword length in the “Password Minimum Length” text box.11. From the “Password Encryption” pull-down menu, select the encryptionmethod you want the server to use when storing passwords.For detailed information about the encryption methods, refer to thepasswordStorageScheme attribute in Table 7-1, on page 283.The Password Encryption menu might contain other encryption methods, asthe directory dynamically creates the menu depending upon the existingencryption methods it finds in your directory.12. When you have finished making changes to the password policy, click Save.Configuring a Subtree/User Password Policy Using the ConsoleTo set up the password policy for a subtree or user, you need to add the requiredentries and attributes at the subtree or user level, set the appropriate values to thepassword policy attributes, and enable fine-grained password policy checking.1. Enable fine-grained password policy.a. In the Directory Server Console, select the Configuration tab.b. In the navigation tree, select the Data node.
