3.5 Assigning Password Policies to Users

You can assign a password policy to users in eDirectory by assigning the policy to the whole tree (by using the Login Policy object), specific partitions or containers, or specific users. We encourage you to set password policies as high up in the tree as you can, to simplify administration.

IMPORTANT: Assigning a password policy to an entire eDirectory tree or to a container in a tree that contains a very large number of users (tens of thousands) in subcontainers can cause the iManager plug-in (and iManager) to hang.

In this case, you might want to consider individually assigning password policies to lower-level containers in order to control the number of users for each password policy assignment.

A policy is not in effect until you assign it to one or more objects. You can assign a password policy to the following objects:

Only one policy is effective for a user at a time. Novell Modular Authentication Services (NMAS) determines which policy is effective for a user by looking for policies in the following order and applying the first one it finds.

  1. Specific user assignment: If a password policy has been assigned specifically to the user, that policy is applied.

  2. Container: If the user has no specific assignment, NMAS applies the policy that is assigned to the container that holds the user.

  3. Partition root container: If no policy is assigned to the user or to the container directly above the user, the policy assigned to the partition root container is applied.

  4. Login Policy object: If no policy is assigned to the user or other containers, the policy assigned to the Login Policy object is applied. It is the default policy for all users in the tree.
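
The lookup order above can be modeled for auditing which policy a given user actually receives. The following is an added example, not NMAS or Novell code; the dot-notation names, the sample tree, and the policy names are constructed, and the Login Policy object name is an assumption. It follows the four steps as listed, so a policy assigned to a container that is neither the user's own container nor the partition root is not applied.

```python
# Added illustration of the documented lookup order; not NMAS code.
# Names are leaf-first dot notation, e.g. "jdoe.sales.emea.acme" (constructed).

LOGIN_POLICY = "Login Policy.Security"  # assumed name of the tree-wide object


def parent(dn):
    """Return the container directly above dn, or None at the top of the tree."""
    _, _, rest = dn.partition(".")
    return rest or None


def partition_root(dn, partition_roots):
    """Walk upward from dn to the nearest container that is a partition root."""
    node = parent(dn)
    while node is not None:
        if node in partition_roots:
            return node
        node = parent(node)
    return None


def effective_policy(user_dn, assignments, partition_roots):
    """Return (policy, source) for the first match in the documented order."""
    candidates = [
        ("user", user_dn),                                           # step 1
        ("container", parent(user_dn)),                              # step 2
        ("partition root", partition_root(user_dn, partition_roots)),  # step 3
        ("login policy", LOGIN_POLICY),                              # step 4
    ]
    for source, obj in candidates:
        if obj is not None and obj in assignments:
            return assignments[obj], source
    return None, "none"  # no assignment found at any of the four levels


# Constructed sample: "acme" is a partition root; the other containers are not.
PARTITION_ROOTS = {"acme"}
ASSIGNMENTS = {
    "admin.sales.emea.acme": "AdminStrict",
    "emea.acme": "EmeaPolicy",   # intermediate container for users under sales
    "acme": "CorpBaseline",
    LOGIN_POLICY: "TreeDefault",
}

if __name__ == "__main__":
    for user in ("admin.sales.emea.acme", "jdoe.sales.emea.acme",
                 "kim.emea.acme", "guest.lab"):
        print(user, effective_policy(user, ASSIGNMENTS, PARTITION_ROOTS))
```

In the sample, jdoe.sales.emea.acme resolves to CorpBaseline rather than EmeaPolicy, which is the case worth checking when a stricter policy is assigned partway down a branch.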

The following figure shows an example of the property page where you specify the objects that a password policy is assigned to:

Figure 3-6 Assigning Password Policy to Objects