

Restricting Words from the User's Profile

These settings, along with the password dictionary (see Dictionary keyword), control what sequences are not allowed in a password.

Attribute Match Maximum

Range: 0-32 characters

Default: 0

Recommended: 4

Complexity Level: Intermediate

Probably the worst passwords are those based in whole or in part on personal information about the user, such as a phone number or zip code. This setting controls the shortest run of consecutive characters that APS compares against the values of attributes in the user's Directory entry: if a run of that many characters taken from any attribute value appears anywhere in the proposed password, the password is rejected.

If this value were set to four, the user could not include, for example, the last four digits of their phone number in a password.

You can turn this checking off by setting it to zero or commenting it out.

Values below 4 can be troublesome to your users, because runs of two or three characters are easily shared by coincidence and many legitimate passwords will be rejected.

For LDAP directories, organizational units and other containers above the user are not checked. However, the user's DN *is* checked. For LDAP users, the objectClass attribute is automatically ignored.

This setting is used for both LDAP and ODBC directories. It is not supported for Windows NT User Directories.

Prior to Version 4.0, this setting was called "LDAP Attribute Match Maximum". At Version 4.0, it was changed to reflect support for ODBC directories. If the older name is found by APS, its value will be used, but a warning will be issued to the APS log.

Attribute Match Maximum=4

Parse Attributes

Range: n/a

Default: none

Recommended: cn (for LDAP), FullName (or equivalent for ODBC)

Complexity Level: Intermediate

When APS checks passwords against user attributes, this keyword names the attributes whose values should additionally be parsed into words. Each "word" in the attribute value that is longer than two characters is matched in full against the requested password, regardless of the Attribute Match Maximum above (a three-letter word is still caught even when the match maximum is four).

No attributes will be checked at all if the match maximum is zero.

Parsing is the process of breaking up the value into words (or tokens). Words are considered any sequence of consecutive letters or numbers.

All attributes for a given setting must be placed on the same line, separated by commas.

Prior to Version 4.0, this setting was called "Parse LDAP Attributes". At Version 4.0, it was changed to reflect support for ODBC directories. If the older name is found by APS, its value will be used, but a warning will be issued to the APS log.

Parse Attributes=cn,title
Parse Attributes={IsLDAP()} cn
Parse Attributes={IsODBC()} FullName

Exclude Attributes

Range: n/a

Default: none

Recommended: none

Complexity Level: Intermediate

This keyword specifies the names of attributes that are to be excluded from all matching (both substring matching and parsed-word matching). Regardless of this setting, the LDAP attribute objectClass is always excluded.

All attributes for a given setting must be placed on the same line, separated by commas.

If an attribute is specified as both excluded and parsed, it will be excluded.

Prior to Version 4.0, this setting was called "Exclude LDAP Attributes". At Version 4.0, it was changed to reflect support for ODBC directories. If the older name is found by APS, its value will be used, but a warning will be issued to the APS log.

Exclude Attributes=uid,description
Exclude Attributes={IsLDAP()} uid
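The three settings above combine into one check, and it helps to see them applied together. The following is an added illustration, not APS code: it models a user entry as a dictionary of attribute values and applies Attribute Match Maximum, Parse Attributes and Exclude Attributes as this page describes them. Assumptions not stated on the page are marked in the code: comparison is case-insensitive, the user's DN is treated as just another attribute value (the key "dn" is the example's own), and the {IsLDAP()} / {IsODBC()} conditional prefixes are not modelled. The user entry and passwords are constructed sample data.

```python
import re
from dataclasses import dataclass, field

# objectClass is always excluded for LDAP users, regardless of Exclude Attributes.
ALWAYS_EXCLUDED = {"objectclass"}

# "Words" are runs of consecutive letters or digits; only words longer than
# two characters are used for parsed-attribute matching.
WORD_RE = re.compile(r"[A-Za-z0-9]+")


@dataclass
class AttributePolicy:
    """Hypothetical container for the three keywords on this page."""
    match_maximum: int = 0                                  # Attribute Match Maximum (0 = off)
    parse_attributes: set = field(default_factory=set)      # Parse Attributes
    exclude_attributes: set = field(default_factory=set)    # Exclude Attributes


def words(value: str) -> list:
    """Split an attribute value into words longer than two characters."""
    return [w for w in WORD_RE.findall(value) if len(w) > 2]


def check_password(password: str, attributes: dict, policy: AttributePolicy) -> list:
    """Return (attribute, fragment) pairs that reject the password; empty means it passes.

    attributes maps attribute name -> value or list of values. Matching is done
    case-insensitively (an assumption; the page does not say).
    """
    # A match maximum of zero disables every attribute check, parsed ones included.
    if policy.match_maximum <= 0:
        return []
    n = policy.match_maximum
    pw = password.lower()
    excluded = {a.lower() for a in policy.exclude_attributes} | ALWAYS_EXCLUDED
    parsed = {a.lower() for a in policy.parse_attributes}
    violations = []
    for name, values in attributes.items():
        key = name.lower()
        if key in excluded:          # excluded wins even if the attribute is also parsed
            continue
        for value in ([values] if isinstance(values, str) else values):
            v = value.lower()
            # Substring check: any run of n consecutive characters of the attribute
            # value that appears in the password rejects it (report the first one).
            for i in range(len(v) - n + 1):
                window = v[i:i + n]
                if window in pw:
                    violations.append((name, window))
                    break
            # Parsed-word check: whole words (> 2 chars) are matched regardless of n.
            if key in parsed:
                for word in words(v):
                    if word in pw:
                        violations.append((name, word))
    return violations


# Constructed sample entry; "dn" is this example's own key for the user's DN.
SAMPLE_USER = {
    "dn": "uid=jsmith,ou=People,dc=example,dc=com",
    "cn": "John Smith",
    "uid": "jsmith",
    "telephoneNumber": "555-0123-7890",
    "title": "Sr. Analyst",
    "objectClass": ["inetOrgPerson", "person"],
}

# Mirrors: Attribute Match Maximum=4 / Parse Attributes=cn / Exclude Attributes=uid,description
SAMPLE_POLICY = AttributePolicy(
    match_maximum=4,
    parse_attributes={"cn"},
    exclude_attributes={"uid", "description"},
)


def demo() -> dict:
    """Run a few constructed passwords through the sample policy."""
    return {
        "Correct-Horse-Battery": check_password("Correct-Horse-Battery", SAMPLE_USER, SAMPLE_POLICY),
        "Smith7890!": check_password("Smith7890!", SAMPLE_USER, SAMPLE_POLICY),
    }


if __name__ == "__main__":
    for pw, result in demo().items():
        print(pw, "->", "OK" if not result else result)
```

Note that parsing catches what the substring check alone misses: with a match maximum of 4, the three-letter surname in a cn of "Ann Lee" is only caught because cn is listed under Parse Attributes.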