|
Handling Conflicting Policies
Different standard and authentication policies can be in effect for the registry as a whole and for individual organizations (for standard policy) and accounts (for authentication
policy). If the policy that is set for the registry as a whole differs from the policy that is set for an individual organization or account, the stricter policy applies. For example, suppose
registry policy specifies a minimum password length of six characters and policy for the organization named classic specifies eight characters. If you create the account bach
cantata classic, the stricter policy (in this case, the organization policy) applies, and the account password must be at least eight characters long. The following table lists the stricter policy
for each policy type.
Stricter Standard Policies
For This Type of Policy... |
This Is the Stricter Policy... |
Password expiration date |
The shorter expiration period |
Password lifespan |
The shorter lifespan |
Account lifespan |
The shorter lifespan |
Password length |
The greater length |
Password consisting of all spaces |
The password cannot consist of all spaces; it must include some characters |
Password consisting of all alphanumerics |
The password cannot consist of all alphanumerics; it must include some nonalphanumeric characters |
Maximum ticket renewable |
The shorter time (note: this feature is not currently used by DCE, and any use of this option is unsupported at the present time) |
Maximum ticket lifetime |
The shorter time |
When the registry is created, standard policies are by default at their most permissive state; that is, the password expiration date is none, password and account lifespans are
unlimited, the minimum password length is 0, and passwords can consist of all spaces and all alphanumerics. The maximum ticket lifetime is set to 10 hours. (Maximum ticket
renewable is not currently used.) To implement stricter policies, you must use the registry modify command.
|