The Directory Server password policy provides a mechanism for controlling how passwords will be stored and maintained in the server, and how users will be allowed to authenticate.
Elements of the password policy include:
The attribute used to store user passwords. By default, this is the userPassword attribute.
The default set of password storage schemes that will be used to encode passwords stored in the server.
A set of deprecated password storage schemes that can be used to authenticate users but cause the password to be re-encoded using the default schemes upon a successful bind.
A flag that indicates whether users will be allowed to change their own passwords.
A number of settings related to password expiration, including the maximum age for passwords, warnings before expiration, and whether users will be allowed to change their passwords after they expire.
A number of settings related to account lockout, which can be used to prevent users from authenticating after too many failed attempts.
Flags that indicate whether users will be required to change their passwords the first time they authenticate and/or whether they will be required to change their passwords after they have been reset by an administrator.
A set of password validators that can be used to determine whether proposed new password values are acceptable for use.
A flag that indicates whether users will be required to provide their current passwords to be allowed to change their passwords.
A flag that indicates whether clients will be allowed to specify new passwords that have already been encoded using one of the password storage schemes defined in the server. Allowing pre-encoded passwords may be necessary for some applications, but may allow the user to bypass certain restrictions, like password validators, that might otherwise be enforced.
Settings related to maintaining the last login time, including the attribute to use to store its value, the format to use for the time stamp, and whether to lock an account after too much time has elapsed without authenticating.
Flags that control whether the user will be required to authenticate in a secure manner and/or whether they will be required to change their passwords in a secure manner.
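The following is an added illustration, not code from the Directory Server itself: a small Python model of how several of the elements above interact on a single bind (deprecated-scheme re-encoding, expiration and warning, failed-attempt lockout, idle lockout from the last login time, and forced change). The policy values, scheme names and the state fields are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class PasswordPolicy:
    """Constructed subset of the policy elements described above."""
    default_scheme: str = "SSHA"                          # scheme used when (re-)encoding
    deprecated_schemes: frozenset = frozenset({"CRYPT"})  # still accepted, then re-encoded
    max_password_age: timedelta = timedelta(days=90)
    expiration_warning: timedelta = timedelta(days=5)
    allow_expired_changes: bool = True                    # may an expired user still change it?
    lockout_failure_count: int = 3
    lockout_duration: timedelta = timedelta(minutes=15)
    idle_lockout_interval: timedelta = timedelta(days=180)  # measured from the last login time

@dataclass
class AccountState:
    password_scheme: str                 # scheme the stored password value is encoded with
    password_changed_at: datetime
    last_login_at: datetime | None = None
    failed_attempts: int = 0
    locked_until: datetime | None = None
    must_change: bool = False            # set by force-change-on-add / force-change-on-reset

def evaluate_bind(policy, acct, credentials_ok, now):
    """Apply the policy to one bind attempt; returns (allowed, reason, actions)."""
    actions = []
    if acct.locked_until and now < acct.locked_until:
        return False, "locked", actions
    if acct.last_login_at and now - acct.last_login_at > policy.idle_lockout_interval:
        return False, "idle-lockout", actions
    if not credentials_ok:
        acct.failed_attempts += 1
        if acct.failed_attempts >= policy.lockout_failure_count:
            acct.locked_until = now + policy.lockout_duration
            return False, "locked", actions
        return False, "invalid-credentials", actions
    acct.failed_attempts = 0
    age = now - acct.password_changed_at
    if age > policy.max_password_age:
        if not policy.allow_expired_changes:
            return False, "expired", actions
        actions.append("must-change")
    elif policy.max_password_age - age <= policy.expiration_warning:
        actions.append("expiring-warning")
    if acct.must_change and "must-change" not in actions:
        actions.append("must-change")
    if acct.password_scheme in policy.deprecated_schemes:
        acct.password_scheme = policy.default_scheme   # successful bind triggers re-encoding
        actions.append("re-encode")
    acct.last_login_at = now
    return True, "ok", actions
```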