Chapter 8. Designing a Secure Directory

For more information on this topic, check out the "Proxied Authorization ACI Example" section in the "Managing Access Control" chapter of the Administrator's Guide.

8.5. Preventing Authentication by Account Deactivation

A user account or a set of accounts can be temporarily deactivated. After an account has been deactivated, that user cannot bind to the directory, and the authentication operation fails.

Account deactivation is implemented through the operational attribute nsAccountLock. When an entry contains the nsAccountLock attribute with a value of true, the server rejects the bind.

The procedures for deactivating users and roles are the same. However, deactivating a role deactivates all of the members of that role and not the role entry itself. For more information about roles, see Section 4.3.1, "About Roles".

8.6. Designing a Password Policy

A password policy is a set of rules that govern how passwords are used in a given system. The Directory Server's password policy specifies the criteria that a password must satisfy to be considered valid, such as its age, its length, and whether users can reuse passwords.

The following sections provide more information on designing a sound password policy:

• Section 8.6.1, "How Password Policy Works"
• Section 8.6.2, "Password Policy Attributes"
• Section 8.6.3, "Designing an Account Lockout Policy"
• Section 8.6.4, "Designing a Password Policy in a Replicated Environment"

8.6.1. How Password Policy Works

Directory Server supports fine-grained password policy, which means password policies can be defined at the subtree and user level. This allows the flexibility of defining a password policy at any point in the directory tree:

• The entire directory.
Such a policy is known as the global password policy. When configured and enabled, the policy is applied to all users within the directory except for the Directory Manager entry and those user entries that have local password policies enabled.
This can define a common, single password policy for all directory users.

• A particular subtree of the directory.
Such a policy is known as the subtree level or local password policy. When configured and enabled, the policy is applied to all users under the specified subtree.
This is good in a hosting environment to support different password policies for each hosted company rather than enforcing a single policy for all the hosted companies.
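The following script is an added example, not code from the Directory Server project or from this guide. It models the two rules stated above in plain Python so their interaction can be checked offline: a bind is rejected when nsAccountLock is true (Section 8.5), deactivating a role locks its members rather than the role entry, and a bind DN falls under a local (subtree) policy, the global policy, or no policy at all, with the Directory Manager exempt from the global policy (Section 8.6.1). The entries, DNs and policy names are constructed sample data; role membership is modelled through nsRoleDN values and DN normalisation is deliberately simplified, both of which are assumptions of this toy model rather than a description of how the server computes them.

```python
"""Toy model of account deactivation and password-policy selection.

Added example (not Directory Server code). Entries, DNs and policy names
below are constructed sample data.
"""
from typing import Dict, List, Optional, Set

# Assumed root DN; the guide only says the Directory Manager is exempt.
DIRECTORY_MANAGER_DN = "cn=directory manager"


def _norm_dn(dn: str) -> str:
    """Simplified DN normalisation: lowercase, drop whitespace around RDNs."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def is_locked(entry: Dict[str, List[str]], deactivated_roles: Set[str]) -> bool:
    """True when the server should reject a bind for this entry.

    Rule 1 (8.5): nsAccountLock with value true locks the account.
    Rule 2 (8.5): deactivating a role locks every member of that role.
    Membership is modelled here via the entry's nsRoleDN values, which is a
    simplification of the server's own role mechanism (assumption).
    """
    for value in entry.get("nsAccountLock", []):
        if value.strip().lower() == "true":
            return True
    member_of = {_norm_dn(r) for r in entry.get("nsRoleDN", [])}
    disabled = {_norm_dn(r) for r in deactivated_roles}
    return bool(member_of & disabled)


def deactivation_ldif(dn: str) -> str:
    """LDIF change record that deactivates a single user entry."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: nsAccountLock\n"
        "nsAccountLock: true\n"
    )


def _is_under(dn: str, subtree: str) -> bool:
    """True when dn equals subtree or sits anywhere beneath it."""
    d, s = _norm_dn(dn), _norm_dn(subtree)
    return d == s or d.endswith("," + s)


def effective_policy(dn: str, subtree_policies: Dict[str, str],
                     global_enabled: bool) -> Optional[str]:
    """Which password policy applies to a bind DN (8.6.1).

    - Directory Manager is exempt from the global policy (and, not being a
      regular entry in the tree, is not covered by subtree policies either).
    - An entry under a subtree with a local policy gets that local policy;
      when several subtrees match, the most specific (longest) one wins.
    - Otherwise the global policy applies, if one is enabled.
    """
    if _norm_dn(dn) == _norm_dn(DIRECTORY_MANAGER_DN):
        return None
    matches = [s for s in subtree_policies if _is_under(dn, s)]
    if matches:
        best = max(matches, key=lambda s: len(_norm_dn(s)))
        return subtree_policies[best]
    return "global" if global_enabled else None


# Constructed sample directory: one locked user, one member of a
# deactivated role, one user in a hosted company's subtree.
SAMPLE_ENTRIES: Dict[str, Dict[str, List[str]]] = {
    "uid=alice,ou=people,dc=example,dc=com": {"nsAccountLock": ["true"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "nsRoleDN": ["cn=contractors,ou=people,dc=example,dc=com"]},
    "uid=carol,ou=hosted,o=acme,dc=example,dc=com": {},
}
DEACTIVATED_ROLES = {"cn=contractors,ou=people,dc=example,dc=com"}
SUBTREE_POLICIES = {"o=acme,dc=example,dc=com": "acme-local"}


def bind_decisions() -> Dict[str, str]:
    """Outcome of a bind attempt for every sample entry."""
    out: Dict[str, str] = {}
    for dn, entry in SAMPLE_ENTRIES.items():
        if is_locked(entry, DEACTIVATED_ROLES):
            out[dn] = "rejected: account locked"
        else:
            out[dn] = f"policy={effective_policy(dn, SUBTREE_POLICIES, True)}"
    return out


if __name__ == "__main__":
    for dn, decision in bind_decisions().items():
        print(dn, "->", decision)
    print(deactivation_ldif("uid=dave,ou=people,dc=example,dc=com"))
```

Running the script shows alice rejected by her own nsAccountLock, bob rejected because the contractors role he belongs to is deactivated (the role entry itself is untouched), and carol bound under the acme local policy rather than the global one. The LDIF record printed last is the shape of change an administrator would apply with ldapmodify to deactivate one entry.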