
policies

The policies KVGroup supplies the values the LDAP connector uses both to interpret user attribute values (to determine whether a password has expired or an account is intruder locked) and to set them (to apply expiry and lockout).

Policy items may be defined by mapping a meta-attribute to a real attribute on the LDAP server, or by supplying a literal value.

The contents of the policies KVGroup can include:

  • The base, scope, and filter key-value pairs

    These key-value pairs tell the LDAP connector how to search for policy attributes. They are required if any of the meta-attributes map to actual attributes.

  • Nested KVGroups for meta-attributes that map to actual attributes

  • Nested KVGroups for meta-attributes that map to literal values

Write the policies KVGroup in the format:

  "policies" "" = {
    "base" = "<search base>"
    "scope" = "<search scope>"
    "filter" = "<search filter>"
    "attribute" "<meta-attribute>" = {
      "attribute" = "<attribute>"  # value obtained from the server
      "type" = "<type>"
    }
    ...
    "attribute" "<meta-attribute>" = {
      "value" = "<literal value>"  # literal value
      "type" = "<type>"
    }
    ...
  }

Where:

  • base is the DN for the starting point of the search

  • scope is the scope of the search

    The scope is one of:

    • base – search only the entry specified by the base key

    • onelevel – search only the immediate children of the entry specified by the base key

    • subtree – search the base and all of its descendants

  • filter is the search filter to use

  • attribute (key-value pair) is the name of an actual attribute on the LDAP server

    You can only specify one of attribute or value.

  • value is the literal value for the meta-attribute

    You can only specify one of attribute or value.

  • type is a string representing the attribute's "type". See attribute types.

The policies that you can define are:

  • passwordMaxAge is the amount of time before a password automatically expires

  • passwordMaxFailure is the number of failed login attempts before intruder lockout occurs

    For example, if the value is 3, intruder lockout happens on the 3rd failed attempt.

  • accountUnlockTime is the time interval after which an intruder-locked account is automatically unlocked
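The following is an added example, not part of this page or of the connector's own code: a small parser for the KVGroup syntax shown above plus a validator that enforces the rules stated on this page (base, scope and filter are required once any meta-attribute maps to a server attribute; scope must be base, onelevel or subtree; each meta-attribute sets exactly one of attribute or value and carries a type; only the three documented policy names are recognised). The two embedded configurations are constructed for the example, and the attribute names (pwdMaxAge, pwdMaxFailure, pwdLockoutDuration) and the type string "integer" are assumptions, since the page does not list attribute types. Running the file prints the problems found in the deliberately broken configuration.

```python
import re

# Token pattern for the KVGroup syntax on this page: double-quoted strings,
# '=', '{' and '}'. Whitespace and '#' comments are skipped.
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|([={}])|#[^\n]*|\s+')

VALID_SCOPES = {"base", "onelevel", "subtree"}
KNOWN_POLICIES = {"passwordMaxAge", "passwordMaxFailure", "accountUnlockTime"}


def _tokenize(text):
    pos = 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected character at offset {pos}: {text[pos]!r}")
        pos = m.end()
        if m.group(1) is not None:
            yield ("str", m.group(1).replace('\\"', '"'))
        elif m.group(2) is not None:
            yield (m.group(2), None)
    yield ("eof", None)


def _parse_entries(tokens, group, nested):
    """Fill group = {"pairs": {key: value}, "groups": {(key, name): group}}."""
    kind, val = next(tokens)
    while True:
        if kind == "}" and nested:
            return
        if kind == "eof":
            if nested:
                raise ValueError("unterminated KVGroup: missing '}'")
            return
        if kind != "str":
            raise ValueError(f"expected a quoted key, got {kind!r}")
        key, name = val, None
        kind, val = next(tokens)
        if kind == "str":  # optional second string names a nested group
            name = val
            kind, val = next(tokens)
        if kind != "=":
            raise ValueError(f"expected '=' after key {key!r}")
        kind, val = next(tokens)
        if kind == "str":
            group["pairs"][key] = val
        elif kind == "{":
            child = {"pairs": {}, "groups": {}}
            _parse_entries(tokens, child, nested=True)
            group["groups"][(key, name or "")] = child
        else:
            raise ValueError(f"expected a value or '{{' after {key!r} =")
        kind, val = next(tokens)


def parse_kvgroups(text):
    top = {"pairs": {}, "groups": {}}
    _parse_entries(_tokenize(text), top, nested=False)
    return top


def validate_policies(top):
    """Return the list of rule violations in the "policies" KVGroup (empty if valid)."""
    problems = []
    policies = top["groups"].get(("policies", ""))
    if policies is None:
        return ['no "policies" "" KVGroup found']
    maps_to_attribute = False
    for (key, name), item in policies["groups"].items():
        if key != "attribute":
            problems.append(f"unexpected nested group {key!r} in policies")
            continue
        if name not in KNOWN_POLICIES:
            problems.append(f"unknown meta-attribute {name!r}")
        has_attr, has_value = "attribute" in item["pairs"], "value" in item["pairs"]
        if has_attr == has_value:  # both present or both missing
            problems.append(f'{name!r}: specify exactly one of "attribute" or "value"')
        if "type" not in item["pairs"]:
            problems.append(f'{name!r}: missing "type"')
        maps_to_attribute = maps_to_attribute or has_attr
    if maps_to_attribute:  # base/scope/filter are only required for server lookups
        for req in ("base", "scope", "filter"):
            if req not in policies["pairs"]:
                problems.append(f'"{req}" is required when a meta-attribute maps to a server attribute')
    scope = policies["pairs"].get("scope")
    if scope is not None and scope not in VALID_SCOPES:
        problems.append(f"invalid scope {scope!r}; expected one of {sorted(VALID_SCOPES)}")
    return problems


# Constructed sample: attribute names and the "integer" type are assumptions.
GOOD_CONFIG = '''
"policies" "" = {
  "base" = "ou=People,dc=example,dc=com"
  "scope" = "subtree"
  "filter" = "(objectClass=inetOrgPerson)"
  "attribute" "passwordMaxAge" = { "attribute" = "pwdMaxAge" "type" = "integer" }
  "attribute" "passwordMaxFailure" = { "value" = "3" "type" = "integer" }  # lockout on 3rd failure
  "attribute" "accountUnlockTime" = { "attribute" = "pwdLockoutDuration" "type" = "integer" }
}
'''

# Constructed sample with four deliberate mistakes: no base, bad scope,
# attribute and value both set, and an undocumented meta-attribute name.
BAD_CONFIG = '''
"policies" "" = {
  "scope" = "sub"
  "filter" = "(objectClass=inetOrgPerson)"
  "attribute" "passwordMaxAge" = { "attribute" = "pwdMaxAge" "value" = "7776000" "type" = "integer" }
  "attribute" "lockoutDuration" = { "value" = "600" "type" = "integer" }
}
'''

if __name__ == "__main__":
    for problem in validate_policies(parse_kvgroups(BAD_CONFIG)):
        print("policies:", problem)
```

The parser deliberately accepts entries in any order and on one or several lines, as the template above does; the validator is where the page's constraints live, so it is the place to add a check for whatever the attribute types page allows in "type".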