You can configure and store multiple password policies with different configuration options. When you set up a directory server instance, the instance uses the default password policy and applies it to all user entries, except root users (for example, the cn=Directory Manager account).
You can change the default password policy or you can create new password policies for specific groups in your directory. If a specific property is not present in a password policy, the server reads that property from the default password policy, in other words, all password policies inherit their default values from the default password policy.
The following command creates a new password policy and sets the default-password-storage-scheme, lockout-duration, lockout-failure-count, and password-change-requires-current-password properties. The remaining properties are inherited from the default Password Policy.
$ dsconfig -D "cn=directory manager" -w password -n create-password-policy \ --policy-name "Temp Password Policy" --set password-attribute:userPassword \ --set default-password-storage-scheme:"Salted SHA-1" \ --set lockout-duration:300s --set lockout-failure-count:3 \ --set password-change-requires-current-password:true