The easiest way to configure a password policy is to use the dsconfig command to set password policy properties. The following examples configure various properties of the default password policy.
For a complete list of password policy configuration properties and their values, see the Password Policy Configuration.
The following account lockout features can be configured:
Lockout failure count. Specifies the number of consecutive authentication failures required to lock a user account.
Lockout duration. Determines how long the account remains locked after the failure count is reached. When the duration elapses, the account is unlocked automatically. A value of zero indicates that the account is not unlocked automatically; an administrator must unlock it.
Lockout failure expiration interval. Determines the maximum length of time that a previously failed authentication attempt continues to count toward the lockout failure count. A value of zero indicates that failed attempts never expire automatically.
Idle lockout interval. Specifies the maximum length of time that a user account can go without authenticating to the directory before the server locks the account. This property is enforced only if a last-login-time-attribute is configured (so that the server records last login times) and idle-lockout-interval is set to a nonzero value.
The following command sets the account lockout properties for the default password policy. Passing the bind password with -w puts it on the command line, where other local users can read it from the process list; for scripted use, supply it from a file with -j (--bindPasswordFile) instead.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  set-password-policy-prop \
  --policy-name "Default Password Policy" \
  --set "lockout-failure-count:3" \
  --set "lockout-duration:15 minutes" \
  --set "idle-lockout-interval:90 days" \
  --set "lockout-failure-expiration-interval:10 minutes"
Last login time tracking is a basic security feature that records when each user last authenticated successfully, which lets administrators review login activity and is the value against which the idle lockout interval is measured. The directory server provides an operational attribute, ds-pwp-last-login-time, that holds the user's last login time. If you specify another attribute, it must either be defined in the server schema as an operational attribute or be allowed by at least one of the object classes in the user's entry.
The last-login-time-format property determines the format in which the time is written. If you change the format after last login tracking has been in use, list the format(s) used previously in the previous-last-login-time-format property so that the server can still parse the values already stored in user entries.
The following command sets the last login properties for the default password policy. The example uses day granularity (yyyyMMdd), which is sufficient for an idle lockout interval measured in days; choose a format no finer than the idle lockout interval requires.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  set-password-policy-prop \
  --policy-name "Default Password Policy" \
  --set "last-login-time-attribute:ds-pwp-last-login-time" \
  --set "last-login-time-format:yyyyMMdd" \
  --set "previous-last-login-time-format:yyyyMMdd"
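The way the lockout properties and the last login time interact (failures expiring out of the count, the lock clearing or not after lockout-duration, idle lockout measured against the stored last login string) is easier to see in a small model than in the property descriptions. The following is an added example written for this page, not the directory server's own code: the LockoutPolicy and Account classes, the bind() function and the bind timeline are all constructed here, with the property values taken from the two dsconfig commands above.

```python
"""Added example (not the directory server's own code): a small model of how
the lockout properties set above interact. Property names mirror the dsconfig
examples; the bind timeline below is constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

ZERO = timedelta(0)


@dataclass
class LockoutPolicy:
    lockout_failure_count: int                      # failures that trigger a lock
    lockout_duration: timedelta                     # 0 = no automatic unlock
    lockout_failure_expiration_interval: timedelta  # 0 = failures never expire
    idle_lockout_interval: timedelta                # 0 = no idle lockout
    last_login_time_format: str = "%Y%m%d"          # strftime form of yyyyMMdd


@dataclass
class Account:
    failure_times: List[datetime] = field(default_factory=list)
    locked_at: Optional[datetime] = None
    last_login: Optional[str] = None  # formatted string, as ds-pwp-last-login-time stores it


def live_failures(policy, account, now):
    """Failures still counted toward lockout: those inside the expiration interval."""
    if policy.lockout_failure_expiration_interval == ZERO:
        return list(account.failure_times)
    cutoff = now - policy.lockout_failure_expiration_interval
    return [t for t in account.failure_times if t > cutoff]


def is_locked(policy, account, now):
    """Lock set by too many failures; with lockout_duration 0 it never clears by itself."""
    if account.locked_at is None:
        return False
    if policy.lockout_duration == ZERO:
        return True
    return now < account.locked_at + policy.lockout_duration


def is_idle_locked(policy, account, now):
    """Idle lock needs both a recorded last login and a nonzero interval."""
    if policy.idle_lockout_interval == ZERO or account.last_login is None:
        return False
    last = datetime.strptime(account.last_login, policy.last_login_time_format)
    return now - last > policy.idle_lockout_interval


def bind(policy, account, now, password_ok):
    """Simulate one bind; returns 'success', 'failure' or 'locked'."""
    if is_locked(policy, account, now) or is_idle_locked(policy, account, now):
        return "locked"
    if password_ok:
        account.failure_times.clear()
        account.locked_at = None
        account.last_login = now.strftime(policy.last_login_time_format)
        return "success"
    account.failure_times = live_failures(policy, account, now) + [now]
    if policy.lockout_failure_count and len(account.failure_times) >= policy.lockout_failure_count:
        account.locked_at = now
        return "locked"
    return "failure"


def run_scenario():
    """Constructed timeline against the property values used in the examples above."""
    policy = LockoutPolicy(
        lockout_failure_count=3,
        lockout_duration=timedelta(minutes=15),
        lockout_failure_expiration_interval=timedelta(minutes=10),
        idle_lockout_interval=timedelta(days=90),
    )
    acct = Account()
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    events = [
        (timedelta(minutes=0), False),   # 09:00 wrong password, 1 live failure
        (timedelta(minutes=1), False),   # 09:01 wrong password, 2 live failures
        (timedelta(minutes=12), False),  # 09:12 both earlier failures >10 min old: back to 1
        (timedelta(minutes=13), False),  # 09:13 2 live failures
        (timedelta(minutes=14), False),  # 09:14 third live failure: account locks
        (timedelta(minutes=20), True),   # 09:20 right password, still inside 15-minute lock
        (timedelta(minutes=30), True),   # 09:30 lock expired: success, last login = 20240101
        (timedelta(days=121), True),     # 121 days later: idle for more than 90 days
    ]
    return [bind(policy, acct, t0 + delta, ok) for delta, ok in events]


def permanent_lockout():
    """With lockout-duration 0 the lock persists until an administrator clears it."""
    policy = LockoutPolicy(3, ZERO, ZERO, ZERO)
    acct = Account()
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    for m in range(3):
        bind(policy, acct, t0 + timedelta(minutes=m), False)
    return bind(policy, acct, t0 + timedelta(days=365), True)


if __name__ == "__main__":
    print(run_scenario())
    print(permanent_lockout())
```

Two points the timeline makes visible: a 10-minute lockout-failure-expiration-interval means a slow guessing attack that spaces attempts more than 10 minutes apart never reaches the failure count, so the interval should be set with the expected attack rate in mind; and because the last login is stored in the configured format (here yyyyMMdd), the idle check is made against midnight of the recorded day, not the exact bind time.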
The password-history-count property specifies the number of past passwords that should be maintained in the history. A value of zero indicates that the server does not maintain a password history.
The password-history-duration property specifies the maximum length of time that a previously used password should remain in the user's password history. A value of 0 seconds indicates that the server should not maintain a password history.
The following command configures password history count and duration for the default password policy. The 5-second duration is only to show the syntax: once an entry ages out of the history the old password can be reused, so in a real deployment the duration is set in months or years, or left at zero so that only the count applies.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  set-password-policy-prop \
  --policy-name "Default Password Policy" \
  --set "password-history-count:3" \
  --set "password-history-duration:5 seconds"
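How password-history-count and password-history-duration combine is shown below by an added example written for this page, not the directory server's own code. The PasswordHistory class, the digest() helper and the change sequences are constructed here; the model keeps a history whenever either property is nonzero and prunes by age before count, which is an assumption about how the two property descriptions above combine, so confirm it against your own server. The history stores a SHA-256 digest as a stand-in for the encoded password the server keeps in pwdHistory.

```python
"""Added example (not the directory server's own code): a model of a password
history maintained under password-history-count and password-history-duration.
Assumption: history is kept when either property is nonzero; entries are
pruned by age first, then trimmed to the count."""
import hashlib
from datetime import datetime, timedelta

ZERO = timedelta(0)


def digest(password):
    # The server stores the encoded password in pwdHistory; a plain SHA-256 stands in here.
    return hashlib.sha256(password.encode()).hexdigest()


class PasswordHistory:
    def __init__(self, history_count, history_duration):
        self.history_count = history_count        # 0 = no limit by count
        self.history_duration = history_duration  # 0 = no expiry by age
        self.current = None                       # digest of the current password
        self.entries = []                         # (changed_at, digest), oldest first

    def maintained(self):
        return self.history_count > 0 or self.history_duration > ZERO

    def prune(self, now):
        """Drop entries older than the duration, then keep only the newest `count`."""
        if self.history_duration > ZERO:
            cutoff = now - self.history_duration
            self.entries = [(t, d) for t, d in self.entries if t > cutoff]
        if self.history_count > 0:
            self.entries = self.entries[-self.history_count:]

    def change(self, now, new_password):
        """Apply a password change; False means it was rejected as a reused password."""
        new = digest(new_password)
        if self.maintained():
            self.prune(now)
            if new == self.current or any(d == new for _, d in self.entries):
                return False
            if self.current is not None:
                self.entries.append((now, self.current))
                self.prune(now)
        self.current = new
        return True


def count_scenario():
    """count=3, no duration: only the three most recent old passwords are blocked."""
    t0 = datetime(2024, 1, 1)
    hist = PasswordHistory(history_count=3, history_duration=ZERO)
    for i, pw in enumerate(["p1", "p2", "p3", "p4", "p5"]):
        hist.change(t0 + timedelta(seconds=i), pw)
    return [hist.change(t0 + timedelta(seconds=10), "p1"),  # p1 aged out of the 3-entry history
            hist.change(t0 + timedelta(seconds=11), "p4")]  # p4 still in the history


def duration_scenario(history_duration_seconds):
    """Same change sequence under a given duration; 5 seconds is the value from the example above."""
    t0 = datetime(2024, 1, 1)
    hist = PasswordHistory(history_count=3,
                           history_duration=timedelta(seconds=history_duration_seconds))
    steps = [(0, "p1"), (1, "p2"), (2, "p3"), (3, "p1"), (10, "p1")]
    return [hist.change(t0 + timedelta(seconds=s), pw) for s, pw in steps]


if __name__ == "__main__":
    print(count_scenario())       # [True, False]
    print(duration_scenario(0))   # [True, True, True, False, False]
    print(duration_scenario(5))   # [True, True, True, False, True]
```

With a duration of zero the third reuse of p1 is still rejected; with the 5-second duration from the command above it is accepted as soon as the old entries age out, which is why the duration, when set, should be longer than any password-rotation period you expect users to cycle through.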