For migration purposes, the new password policy maintains compatibility with previous Directory Server versions by identifying a compatibility mode. The compatibility mode determines whether password policy attributes are handled as old attributes or new attributes, where old refers to Directory Server 5 password policy attributes.
The compatibility mode can be read using dsconf command as follows:
$ dsconf get-server-prop pwd-compat-mode
The pwd-compat-mode property can have one of the following values:
If you install a Directory Server instance as part of a replicated topology that includes a version 5 server, the compatibility state should be set to DS5-compatible-mode. In this state both old and new password policy attributes are recognized. Only version 5 password policy attributes are replicated, but both sets of attributes are stored in the database.
If you upgrade an existing standalone server to Directory Server 6.0, the compatibility state is set to DS5-compatible-mode. The server generates the new equivalent password policy attributes.
If you upgrade an existing server as part of a replicated topology that includes Directory Server 5 servers, the compatibility state should also set to DS5-compatible-mode. The server accepts both old and new password policy attributes. Both sets of attributes are stored in the database. Only version 5 attributes can be replicated (using fractional replication).
As part of your migration, you can set the compatibility state to DS6-migration-mode. In this mode, all servers in the topology are version 6 servers, but there may be some existing Directory Server 5 password policy attributes in the database.
If you install a standalone Directory Server instance, set compatibility mode to DS6-mode. In this case, only new password policy attributes are recognized.
A server in DS6-mode can never be a supplier to or consumer of a Directory Server 5 server. When all servers have been migrated to version 6.0, DS6-mode should be the only compatibility mode.
The compatibility mode is set using the dsconf command as follows:
$ dsconf pwd-compat new-mode
The new-mode action takes one of the following values:
Change to DS6-migration-mode from DS5-compatible-mode.
Once the change is made, only DS6-migration-mode and DS6-mode are available.
Change to DS6-mode from DS6-migration-mode.
Once the change is made, only DS6-mode is available.
The server state can move only towards stricter compliance with the new password policy specifications. Compatibility with the old password policy will not be supported indefinitely. You should therefore migrate to the new password policy as soon as is feasible for your deployment.
When you consider migrating to the new password policy, note that the pwdChangedTime attribute did not exist in Directory Server 5.2. This attribute is required by the new password policy. When the attribute is not present in the user entry, its value is calculated from the entry's passwordExpirationTime attribute. However, writing the calculated pwdChangedTime attribute to the user entry would have a large performance impact directly after migration, because the first bind for every entry would require a write to the directory.
The calculated pwdChangedTime is therefore not written to the user entry during the DS5-compatible mode. You should leave your topology in DS5-compatible-mode until you have been through an entire password expiration cycle (90 days, for example, depending on the value of passwordMaxAge). In this way, the pwdChangedTime is added gradually across the directory (at the password change of each user entry).