Administration
Manual Administration Using kadmin
Normally, you would select the Set As Password Change Service attribute for only the service principal defined as a change password service. You can add other Change Password service principals to the principal database if you have created custom applications that require different password service principals.
To set the Set As Password Change Service attribute on the principal admin, modify its attr parameter type as follows:
Command: mod
Name of Principal to Modify: admin
Parameter Type to be Modified (attr,fcnt,vno or quit) :attr
Attribute (or quit): {cpwsrv|nocpwsrv}
Principal modified.
Password Expiration Attribute
A principal password can have either a finite or an infinite lifetime. Expiration time is controlled by several factors, including the principal type:
• Service Principals - The secret key stored in the service key table file on the service's host does not expire. However, we recommend extracting new random keys periodically for best security practices. Refer to "Maintaining Secret Keys In The Key Table File" on page 210, for more information.
• User principals - The expiration time for a user's password depends on the settings designated for the principal account.
Activating the Password Expiration attribute subjects a principal to the password expiration policy. The user is prompted to change their password before the expiration date. If the Password Expiration attribute is not enabled, the principal's current password never expires.
NOTE: The password expiration date is stored in the security server with each principal. It is changed to the current date plus the Expiration value in the password policy file when a user changes the password. Before the password expires, the user is given advance notice that their password is about to expire. The advance notice timing is controlled by the NotifyTime parameter in the password policy file.
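The expiration and advance-notice rules in the note above, worked through as an added example (not code from this manual or from the kadmin tool). It assumes the policy file's Expiration and NotifyTime values are expressed in days and models the per-principal expiration date stored in the security server as a Python date:

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumption: both policy values are whole days (the manual names the
# parameters but this example does not take their units from it).
@dataclass(frozen=True)
class PasswordPolicy:
    expiration_days: int   # "Expiration" value in the password policy file
    notify_days: int       # "NotifyTime" value in the password policy file

@dataclass
class Principal:
    name: str
    pw_expiration_enabled: bool           # the Password Expiration attribute
    pw_expires_on: Optional[date] = None  # expiration date stored with the principal

def record_password_change(p: Principal, policy: PasswordPolicy, changed_on: date) -> Principal:
    """On a password change the stored expiration date becomes the change date
    plus the policy's Expiration value, as the note describes."""
    p.pw_expires_on = changed_on + timedelta(days=policy.expiration_days)
    return p

def password_status(p: Principal, policy: PasswordPolicy, today: date) -> str:
    """Classify a principal's password as never-expires, ok, notify or expired."""
    if not p.pw_expiration_enabled or p.pw_expires_on is None:
        return "never-expires"  # attribute not enabled: the password never expires
    if today >= p.pw_expires_on:
        return "expired"
    # Advance notice starts NotifyTime days before the stored expiration date.
    if today >= p.pw_expires_on - timedelta(days=policy.notify_days):
        return "notify"
    return "ok"

def audit(principals: list, policy: PasswordPolicy, today: date) -> dict:
    """Administrator's view: which principals are inside the notice window
    and which have already let their password expire."""
    report = {"notify": [], "expired": []}
    for p in principals:
        status = password_status(p, policy, today)
        if status in report:
            report[status].append(p.name)
    return report

if __name__ == "__main__":
    policy = PasswordPolicy(expiration_days=90, notify_days=14)
    alice = record_password_change(Principal("alice", True), policy, date(2024, 1, 1))
    svc = Principal("host/kdc.example.com", False)  # constructed service principal
    print(audit([alice, svc], policy, date(2024, 3, 20)))
```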
186 | Chapter 6 |