Directory Server provides the following password policies.
The default password policy is defined in the configuration entry cn=PasswordPolicy,cn=config. The default password policy applies to all accounts in the directory except for the directory manager.
The parameters of the default policy can be modified to override the default settings. However, because the default password policy is part of the configuration for the instance, modifications to the default password policy cannot be replicated.
A password policy can be configured for an individual user or for set of users by using the CoS and roles features. However, specialized password policies can not be applied to static groups.
A specialized password policy is defined in a subentry in the directory tree. Like the default password policy, the specialized password policy uses the pwdPolicy object class. For example, the following entry defines a specialized password policy:
dn: cn=TempPolicy,dc=example,dc=com objectClass: top objectClass: pwdPolicy objectClass: LDAPsubentry cn: TempPolicy pwdCheckQuality: 2 pwdLockout: on pwdLockoutDuration: 300 pwdMaxFailure: 3 pwdMustChange: on |
A specialized password policy can be assigned to a single user account or can be assigned to a set of users by using roles. For example, in the following entry the password policy defined in cn=TempPolicy,dc=example,dc=com is assigned to the pwdPolicySubentry attribute of the user entry:
dn: uid=dmiller,ou=people,dc=example,dc=com objectClasaccess controls: person objectClass: top sn: miller cn: david userPassword: secret12 pwdPolicySubentry: cn=TempPolicy,dc=example,dc=com |
When referenced by a user entry, a specialized password policy overrides the default password policy.
Because specialized password policies are defined the directory data, they can be replicated.