Chapter 8 Designing a Secure Directory

NOTE: The proxy mechanism is very powerful and must be used sparingly. Proxy rights are granted within the scope of the ACL, and there is no way to restrict who can be impersonated by an entry that has the proxy right—that is, when you grant a user proxy rights, that user has the ability to proxy for any user under the target; there is no way to restrict the proxy rights to only certain users. For example, if an entity has proxy rights to the dc=example,dc=com tree, that entity can do anything. So make sure you set the proxy ACI at the lowest possible level of the DIT. For more information on this, see "Proxied Authorization ACI Example" in chapter 6, "Managing Access Control," in the Red Hat Directory Server Administrator's Guide.

Preventing Authentication by Account Inactivation

You can temporarily inactivate a user account or a set of accounts. Once inactivated, a user cannot bind to the directory, and the authentication operation fails.

Account inactivation is implemented through the operational attribute nsAccountLock. When an entry contains the nsAccountLock attribute with a value of true, the server rejects the bind.

You use the same procedures for inactivating users and roles. However, inactivating a role means that you inactivate all of the members of that role and not the role entry itself. For more information about roles, refer to "About Roles," on page 75.

Designing a Password Policy

A password policy is a set of rules that govern how passwords are used in a given system. The password policy mechanism provided by Directory Server allows you to dictate such things as how long a password must be and whether users can reuse passwords. The sections that follow explain:

• How Password Policy Works
• Password Policy Attributes
• Designing an Account Lockout Policy
• Designing a Password Policy in a Replicated Environment
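The following is an added example, not code from the Directory Server product or this guide. It models the account inactivation behaviour described above: it generates the LDIF an administrator would feed to ldapmodify to set or remove nsAccountLock on an entry, and it models the bind decision so that a bind is refused when the entry itself, or a role the entry belongs to through nsRoleDN, has been inactivated. The in-memory directory, the DNs, the passwords, and the plain string compare used for password checking are all constructed assumptions for illustration; a real server evaluates nsAccountLock on role members through its own role mechanism, which this model stands in for by treating the flag on the role entry as applying to its members.

```python
"""Added example: a small model of how nsAccountLock gates LDAP binds.

Not Directory Server code. The directory below is constructed sample data;
password checking is a plain string compare for illustration only.
"""
import copy
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed sample directory (DN -> attributes). alice is a member of the
# contractors role via nsRoleDN; bob has been inactivated directly.
DIRECTORY: Dict[str, Entry] = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "userPassword": ["alice-secret"],
        "nsRoleDN": ["cn=contractors,ou=roles,dc=example,dc=com"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "userPassword": ["bob-secret"],
        "nsAccountLock": ["true"],
    },
    "uid=carol,ou=people,dc=example,dc=com": {
        "userPassword": ["carol-secret"],
    },
    "cn=contractors,ou=roles,dc=example,dc=com": {
        "objectClass": ["top", "ldapsubentry", "nsRoleDefinition"],
    },
}

ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"
CAROL = "uid=carol,ou=people,dc=example,dc=com"
CONTRACTORS = "cn=contractors,ou=roles,dc=example,dc=com"


def inactivate_ldif(dn: str) -> str:
    """LDIF modify that sets nsAccountLock to true (replace creates it if absent)."""
    return "\n".join([f"dn: {dn}", "changetype: modify",
                      "replace: nsAccountLock", "nsAccountLock: true", "-", ""])


def activate_ldif(dn: str) -> str:
    """LDIF modify that removes nsAccountLock, re-enabling binds for the entry."""
    return "\n".join([f"dn: {dn}", "changetype: modify",
                      "delete: nsAccountLock", "-", ""])


def apply_ldif(directory: Dict[str, Entry], ldif: str) -> None:
    """Apply a one-entry, one-attribute modify LDIF (replace or delete) to the model."""
    lines = [l for l in ldif.splitlines() if l and l != "-"]
    dn = lines[0].split(": ", 1)[1]
    if lines[1] != "changetype: modify":
        raise ValueError("only changetype: modify is modelled")
    op, attr = lines[2].split(": ", 1)
    entry = directory[dn]
    if op == "replace":
        entry[attr] = [l.split(": ", 1)[1] for l in lines[3:] if l.startswith(attr + ":")]
    elif op == "delete":
        entry.pop(attr, None)
    else:
        raise ValueError(f"unsupported change: {op}")


def is_inactivated(directory: Dict[str, Entry], dn: str) -> bool:
    """True if the entry carries nsAccountLock: true, or belongs to a role that does.

    Modelling choice: the flag on the role entry marks its members as inactivated;
    the role entry itself does not bind, so it is never 'locked out' as such.
    """
    entry = directory[dn]
    if any(v.lower() == "true" for v in entry.get("nsAccountLock", [])):
        return True
    return any(is_inactivated(directory, role) for role in entry.get("nsRoleDN", []))


def simple_bind(directory: Dict[str, Entry], dn: str, password: str) -> str:
    """Model of the bind decision: credentials are checked, then the lock."""
    entry = directory.get(dn)
    if entry is None or password not in entry.get("userPassword", []):
        return "invalid credentials"
    if is_inactivated(directory, dn):
        return "bind rejected: account inactivated"
    return "bind succeeded"


def demo():
    """Inactivate the contractors role, observe alice locked out, then reactivate."""
    d = copy.deepcopy(DIRECTORY)
    before = simple_bind(d, ALICE, "alice-secret")
    apply_ldif(d, inactivate_ldif(CONTRACTORS))   # locks every member of the role
    during = simple_bind(d, ALICE, "alice-secret")
    apply_ldif(d, activate_ldif(CONTRACTORS))
    after = simple_bind(d, ALICE, "alice-secret")
    return before, during, after


if __name__ == "__main__":
    print(inactivate_ldif(BOB))
    print(demo())
```

The LDIF returned by inactivate_ldif and activate_ldif is what you would pipe to ldapmodify against a real server; the rest of the block exists only so the lock check and the role-membership case can be exercised offline.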