JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Directory Server Enterprise Edition Administration Guide 11g Release 1 (
search filter icon
search icon

Document Information


Part I Directory Server Administration

1.  Directory Server Tools

2.  Directory Server Instances and Suffixes

3.  Directory Server Configuration

4.  Directory Server Entries

5.  Directory Server Security

6.  Directory Server Access Control

7.  Directory Server Password Policy

Password Policies and Worksheet

Password Policy Settings

Policy for Account Lockout

Policy for Password Changes

Policy for Password Content

Policy for Password Expiration

Policy for Tracking Last Authentication Time

Worksheet for Defining Password Policy

Managing the Default Password Policy

Correlation Between Password Policy Attributes and dsconf Server Properties

To View Default Password Policy Settings

To Change Default Password Policy Settings

Preventing Binds With No Password

Managing Specialized Password Policies

Which Password Policy Applies

To Create a Password Policy

To Assign a Password Policy to an Individual Account

To Assign a Password Policy Using Roles and CoS

To Set Up a First Login Password Policy

Modifying Passwords From the Command Line When pwdSafeModify Is TRUE

Resetting Expired Passwords

To Reset a Password With the Password Modify Extended Operation

To Allow Grace Authentications When Passwords Expire

Setting Account Properties

To Set the Look-Through Limit for an Account

To Set the Size Limit for an Account

To Set the Time Limit for an Account

To Set the Idle Timeout for an Account

Manually Locking Accounts

To Check Account Status

To Render Accounts Inactive

To Reactivate Accounts

Password Policy Compatibility

Setting the Compatibility Mode

Guidelines for Choosing a Compatibility Mode

New Directory Server 11g Release 1 ( Deployment

Migrating a Deployment to Directory Server 11g Release 1 (

Administrative Password Reset Classification

8.  Directory Server Backup and Restore

9.  Directory Server Groups, Roles, and CoS

10.  Directory Server Replication

11.  Directory Server Schema

12.  Directory Server Indexing

13.  Directory Server Attribute Value Uniqueness

14.  Directory Server Logging

15.  Directory Server Monitoring

Part II Directory Proxy Server Administration

16.  Directory Proxy Server Tools

17.  Directory Proxy Server Instances

18.  LDAP Data Views

19.  Directory Proxy Server Certificates

20.  Directory Proxy Server Load Balancing and Client Affinity

21.  Directory Proxy Server Distribution

22.  Directory Proxy Server Virtualization

23.  Virtual Data Transformations

24.  Connections Between Directory Proxy Server and Back-End LDAP Servers

25.  Connections Between Clients and Directory Proxy Server

26.  Directory Proxy Server Client Authentication

27.  Directory Proxy Server Logging

28.  Directory Proxy Server Monitoring and Alerts

Part III Directory Service Control Center Administration

29.  Directory Service Control Center Configuration


Chapter 7

Directory Server Password Policy

When a user connects to Directory Server, the user is authenticated. The directory can grant access rights and resource limits to the user depending on the identity established during authentication. An account in this chapter refers loosely to a user entry. The account also reflects the permissions for the user to perform operations on the directory. In this discussion of password policy, every account is associated with a user entry, and a password.

This chapter also addresses account activation, an aspect of password policy. The Directory Administrator can directly lock and unlock accounts, independently of password policy.

This chapter does not cover authentication methods. Some authentication methods, such as SASL GSSAPI and client SSL certificate-based authentication, do not involve the use of passwords. The information about password policy in this chapter does not apply to such authentication methods. See Chapter 5, Directory Server Security for instructions on configuring authentication mechanisms.

This chapter also does not cover the compatibility of password policies between Directory Server 11g Release 1 ( and previous Directory Server versions. When you create a Directory Server 11g Release 1 ( instance, the password policy implementation defaults to a Directory Server 5 compatible mode to facilitate upgrading from earlier versions. To take full advantage of the password policy features described in this chapter, you will need to change the password policy compatibility mode.


Caution - The DS5–compatibility-mode password policy is deprecated. You must switch to DS6–mode password policy in this version.

For more information about setting the password compatibility mode, see Password Policy Compatibility.

This chapter covers the following topics: