|
|
|---|
account-status-notification-handler |
The account
status notification handler is used to send messages when events occur during the
course of password policy processing. This property specifies the DNs of the account
status notification handlers that should be used for this password policy. |
allow-expired-password-changes |
Not Recommended.
Indicates whether users are allowed to change their passwords after the passwords have
expired. The user needs to issue the request anonymously and include the current
password in the request. If this property is enabled, this feature uses the
Password Modify Extended Operation, which is enabled by default at initial configuration. |
allow-user-password-changes |
Indicates
whether users are allowed to change their own passwords if they have access
control rights to do so. |
default-password-storage-scheme |
Specifies the DNs for the password storage
schemes that are used to encode clear-text passwords for this password policy. |
deprecated-password-storage-scheme |
Specifies
the DNs for password storage schemes that are considered deprecated for this password
policy. If a user with this password policy authenticates to the server and
his password is encoded with any deprecated schemes, those values are removed and
replaced with values encoded using the default password storage scheme. |
expire-password-without-warning |
Indicates whether user passwords
are allowed to expire even if the user has not yet seen a
password expiration warning. If this is set to false, the user is always
guaranteed to see at least one warning message even if the password expiration
time has passed. The expiration time will be reset to the current time
plus the warning interval (ds-cfg-password-expiration-warning-interval). |
force-change-on-add |
Indicates whether users are required to change
their passwords the first time they use their accounts and before they are
allowed to perform any other operation. |
force-change-on-reset |
Indicates whether users are required to change
their passwords after an administrative password reset and before they are allowed to
perform any other operation. |
grace-login-count |
Specifies the maximum number of grace logins that a
user should be given. A grace login makes it possible for a user
to authenticate to the server even after the password has expired, but the
user is not allowed to do anything else until he has changed his
password. |
idle-lockout-interval |
Specifies the maximum length of time that a user account can
remain idle (that is, that the user may go without authenticating to the
directory) before the server locks the account. This action is enforced if last login time
tracking is enabled and if the idle lockout interval is set to a nonzero
value. |
last-login-time-attribute |
Specifies the name of the attribute in the user's entry that
is used to hold the last login time for the user. If this
is provided, the specified attribute must either be defined as an operational attribute
in the server schema, or it must be allowed by at least one
of the object classes in the user's entry. The ds-pwp-last-login operational attribute has been
defined for this purpose. Last login time tracking is only enabled if the
ds-cfg-last-login-time-attribute and ds-cfg-last-login-time-format attributes have been configured for the password policy. |
last-login-time-format |
Specifies
the format string that should be used to generate the last login time
values. This can be any valid format string that can be used
in conjunction with the java.text.SimpleDateFormat class. Note that for performance reasons, it might be
desirable to configure this attribute so that it only stores the date (format:
yyyyMMdd) and not the time of the last login. Then, it only needs
to be updated once per day, rather than each time the user may
authenticate. Last login time tracking is only enabled if the ds-cfg-last-login-time-attribute and ds-cfg-last-login-time-format
attributes have been configured for the password policy. |
lockout-duration |
Specifies the length of
time that a user account should remain locked due to failed authentication attempts
before it is automatically unlocked. A value of "0 seconds" indicates that any locked
accounts are not automatically unlocked and must be reset by an administrator. |
lockout-failure-count |
Specifies
the number of authentication failures required to lock a user account, either temporarily
or permanently. A value of zero indicates that automatic lockout is not enabled.
|
lockout-failure-expiration-interval |
Specifies the maximum length of time that a previously failed authentication attempt should
be counted toward a lockout failure. Note that the record of all previous
failed attempts is always cleared upon a successful authentication. A value of "0 seconds"
indicates that failed attempts are never automatically expired. |
max-password-age |
Specifies the maximum length of
time that a user is allowed to keep the same password before choosing
a new one. This is often known as the password expiration interval. A value
of "0 seconds" indicates that passwords never expire. If the ds-cfg-expire-passwords-without-warning attribute is set
to false, the effective password expiration time is recalculated to be the time
at which the first warning is received, plus the warning interval (ds-cfg-password-expiration-warning-interval). This
behavior ensures that a user always has the full configured warning interval to
change his password. |
max-password-reset-age |
Specifies the maximum length of time that users are
allowed to change their passwords after they have been administratively reset and before
they are locked out. This is only applicable if the ds-cfg-force-change-on-reset attribute is
set to true. A value of "0 seconds" indicates that there are no
limits on the length of time that users have to change their passwords
after administrative resets. |
min-password-age |
Specifies the minimum length of time that a user
is required to have a password value before it can be changed again.
Providing a nonzero value ensures that users are not allowed to repeatedly
change their passwords in order to flush their previous password from the history
so it can be reused. |
password-attribute |
Specifies the attribute in the user's entry
that holds the encoded passwords for the user. The specified attribute must
be defined in the server schema, and it must have either the user
password syntax or the authentication password syntax. Typically, you enter "userPassword" for the
User Password syntax (OID: 1.3.6.1.4.1.26027.1.3.1), which has been in use for Netscape,
iPlanet, Sun ONE, or Sun Java Directory server. You can also specify, if
your server supports it, the value authPassword for the authenticated password syntax (OID: 1.3.6.1.4.1.4203.1.1.2).
|
password-change-requires-current-password |
Indicates whether users are required to provide their current password when setting a
new password. If this is set to true, then users are required
to provide their current password when changing their existing password. This may be
done using the password modify extended operation, or using a standard LDAP modify
operation by deleting the existing password value and adding the new password value
in the same modify operation. |
password-expiration-warning-interval |
Specifies the length of time before the
password expires that the users should start to receive notification that it is
about to expire. This must be given a nonzero value if the ds-cfg-expire-passwords-without-warning
attribute is set to false. |
password-generator |
Specifies the DN for the password generator that
should be used in conjunction with this password policy. The password generator
is used in conjunction with the password modify extended operation to provide a
new password for cases in which the client did not include one in
the request. If no password generator DN is specified, then the password modify
extended operation does not automatically generate passwords for users. |
password-history-count |
Specifies the maximum number
of password values that should be maintained in the password history. Whenever
a user's password is changed, the server checks the proposed new password against
the current password and all passwords stored in the history. If a
match is found, then the user is not allowed to use that new
password. A value of zero indicates either that the server should not maintain
a password history (that is, the password history duration has a value of
"0 seconds") or that the password history list should be based entirely on duration
and no maximum count should be enforced (that is, the password history duration
has a value other than "0 seconds"). Note that if an administrator reduces
the configured password history count to a smaller (but still nonzero) value, each
user entry containing password history state information is not impacted until a password change
is processed for that user. At that time, any excess history
state values is purged from the entry. If the history count is
reduced to zero and the password history duration is also set to "0
seconds," any state information in the user's entry is retained in case the
feature is re-enabled. |
password-history-duration |
Specifies the maximum length of time that a formerly
used password should remain in effect in the user's password history. Whenever
a user's password is changed, the server checks the proposed new password against
the current password and all passwords stored in the history. If a
match is found, the user is not allowed to use that new password.
A value of "0 seconds" indicates either that the server should not maintain a
password history (that is, the password history count has a value of "0")
or that the password history list should be based entirely on count and
no maximum duration should be enforced (that is, the password history count has
a value other than "0"). |
password-validator |
Specifies the DNs for password validators that should
be used in conjunction with this password policy. The password validators are
invoked whenever a user attempts to provide a new password in order to
determine whether that new password is acceptable. |
previous-last-login-time-format |
Specifies the format string that was
used in the past for older last login time values. This value
is not necessary unless the last login time feature is enabled and the
format in which the values are stored has been changed. |
require-change-by-time |
Specifies a time
by which all users with this password policy are required to change their
passwords. This option works independently of password expiration (that is, force all users
to change their passwords at some point even if password expiration is disabled).
|
require-secure-authentication |
Indicates whether users with this password policy are required to authenticate in a
secure manner using a secure communication mechanism like SSL, or a secure SASL
mechanism like DIGEST-MD5, EXTERNAL, or GSSAPI that does not expose the password in
the clear. |
require-secure-password-changes |
Indicates whether users with this password policy are required to
make password changes in a secure manner, such as over a secure communication
channel like SSL. |
