
Administering the PAM Password Manager

About this task

The PAM Password Manager allows you to define:

Procedure

  1. From the AE Services Management Console main menu, select Security > PAM > PAM Password Manager.
  2. In the New global password configuration (etc/login.defs) section, perform the following steps:
    1. In the Maximum number of days a password may be used (PASS_MAX_DAYS) field, accept or change the default (60).
    2. In the Minimum number of days allowed between password changes (PASS_MIN_DAYS) field, accept or change the default (1).
    3. In the Number of days warning given before a password expires (PASS_WARN_AGE) field, accept or change the default (10).
  3. In the Optional Additional Authentication Protocols section, perform one of the following steps:
    • If you authenticate users to an external LDAP server, select the External LDAP check box.

    • If you do not authenticate users to an external LDAP server, accept the default. By default, this option is disabled (that is, a check mark does not appear in the External LDAP check box). When this option is disabled, AE Services authenticates OAM administrative users to the local Linux password store on the AE Services server.

    • If you want to allow the Avaya Logins access to the server (Recommended), select the Enable EASG user access checkbox. This option also lets you specify which of the Avaya Logins may or may not be granted access.

      Note

      By enabling Avaya Logins you are granting Avaya access to your system. This is necessary to maximize the performance and value of your Avaya support entitlements, allowing Avaya to resolve product issues in a timely manner. In addition to enabling the Avaya Logins, this product should be registered with Avaya and technically onboarded for remote connectivity and alarming. Please see the Avaya support site (support.avaya.com/registration) for additional information for registering products and establishing remote access and alarming.

    • If you want to block the Avaya Logins access to the server, select the Enable EASG user access checkbox.

      Note

      By disabling Avaya Logins you are preventing Avaya access to your system. This is not recommended, as it impacts Avaya’s ability to provide support for the product. Unless the customer is well versed in managing the product themselves, Avaya Logins should not be disabled.

  4. In the Password Limits section, accept or change the default settings. These settings are described as follows:
    • Enforce Password Limits check box indicates whether password limits are in effect for the user. This setting is enabled by default (the check box is selected), which, in turn, enables the following settings.

    • Number of times user is prompted for a new password (retry). The default is 3.

    • Number of characters in new password that must be different from old password (difok). The default is 2.

    • Minimum length of a new password (minlen). The default is 8.

    • Minimum credit in meeting required password length for digits in a password (dcredit). The default is 1.

    • Minimum credit in meeting required password length for upper case characters in a password (ucredit). The default is 1.

    • Minimum credit in meeting required password length for lower case characters in a password (lcredit). The default is 1.

    • Minimum credit in meeting required password length for other characters in a password (ocredit). The default is 1.

    • Number of previous passwords that cannot be reused. The default is 5.

    • Maximum number of same consecutive characters in a password. The default is 3.

    • The algorithm used to encrypt the Linux password. The choices are sha256 and sha512.

  5. In the Failed Login Response section, accept or change the default settings. These settings are described as follows:
    • Enable account lockout with the following parameters check box. This check box is enabled by default, which, in turn, enables the following settings.

    • Lock out login after unsuccessful attempts to login (deny). The default is 3 attempts.

    • Lock account for seconds (lock_time). The default is 60 seconds.

  6. Click Apply Changes.
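
To confirm on the server that the applied values still match the defaults listed in this procedure, a read-only check can parse the login.defs settings and the PAM options and report any drift. This is an added example, not Avaya's code: the defaults come from the steps above, while the PAM module names (pam_cracklib.so, pam_tally2.so) and the sample file contents are assumptions constructed for illustration.

```python
import re

# Defaults as stated on this page, keyed by the parameter names it gives.
LOGIN_DEFS_DEFAULTS = {"PASS_MAX_DAYS": 60, "PASS_MIN_DAYS": 1, "PASS_WARN_AGE": 10}
PAM_DEFAULTS = {"retry": 3, "difok": 2, "minlen": 8, "dcredit": 1, "ucredit": 1,
                "lcredit": 1, "ocredit": 1, "deny": 3, "lock_time": 60}

def parse_login_defs(text):
    """Return {KEY: int} from login.defs-style 'KEY value' lines."""
    values = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        m = re.fullmatch(r"([A-Z_]+)\s+(-?\d+)", line)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values

def parse_pam_options(text):
    """Return {option: int} for key=value arguments on active PAM lines."""
    values = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]              # drop comments
        for key, val in re.findall(r"\b([a-z_]+)=(-?\d+)\b", line):
            values[key] = int(val)
    return values

def audit(login_defs_text, pam_text):
    """List (name, page_default, actual) for each missing or differing value."""
    findings = []
    for expected, actual in ((LOGIN_DEFS_DEFAULTS, parse_login_defs(login_defs_text)),
                             (PAM_DEFAULTS, parse_pam_options(pam_text))):
        for name, want in expected.items():
            got = actual.get(name)                # None means the setting is absent
            if got != want:
                findings.append((name, want, got))
    return findings

# Constructed sample input (module names are assumptions, not from this page).
SAMPLE_LOGIN_DEFS = """\
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
# PASS_WARN_AGE 10
"""
SAMPLE_PAM = """\
password requisite pam_cracklib.so retry=3 difok=2 minlen=6 dcredit=1 ucredit=1 lcredit=1 ocredit=1
auth     required  pam_tally2.so deny=3 lock_time=60
"""

if __name__ == "__main__":
    for name, want, got in audit(SAMPLE_LOGIN_DEFS, SAMPLE_PAM):
        print(f"{name}: page default {want}, found {got}")
```

A value that was changed deliberately in the console shows up here as drift, so compare the findings against your own approved baseline before treating them as errors.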