| Property | Description |
|---|---|
| account-status-notification-handler | The account status notification handler is used to send messages when events occur during password policy processing. This property specifies the DNs of the account status notification handlers that should be used for this password policy. |
| allow-expired-password-changes | Not recommended. Indicates whether users are allowed to change their passwords after the passwords have expired. The user needs to issue the request anonymously and include the current password in the request. If this property is enabled, this feature uses the Password Modify Extended Operation, which is enabled by default at initial configuration. |
| allow-user-password-changes | Indicates whether users are allowed to change their own passwords if they have access control rights to do so. |
| default-password-storage-scheme | Specifies the DNs of the password storage schemes that are used to encode clear-text passwords for this password policy. |
| deprecated-password-storage-scheme | Specifies the DNs of password storage schemes that are considered deprecated for this password policy. If a user with this password policy authenticates to the server and the password is encoded with any deprecated scheme, those values are removed and replaced with values encoded using the default password storage scheme. |
| expire-password-without-warning | Indicates whether user passwords are allowed to expire even if the user has not yet seen a password expiration warning. If this is set to false, the user is always guaranteed to see at least one warning message even if the password expiration time has passed; the expiration time is then reset to the current time plus the warning interval (ds-cfg-password-expiration-warning-interval). |
| force-change-on-add | Indicates whether users are required to change their passwords the first time they use their accounts, before they are allowed to perform any other operation. |
| force-change-on-reset | Indicates whether users are required to change their passwords after an administrative password reset, before they are allowed to perform any other operation. |
| grace-login-count | Specifies the maximum number of grace logins that a user should be given. A grace login makes it possible for a user to authenticate to the server even after the password has expired, but the user is not allowed to do anything else until the password has been changed. |
| idle-lockout-interval | Specifies the maximum length of time that a user account can remain idle (that is, that the user may go without authenticating to the directory) before the server locks the account. This is enforced only if last login time tracking is enabled and the idle lockout interval is set to a nonzero value. |
| last-login-time-attribute | Specifies the name of the attribute in the user's entry that is used to hold the last login time for the user. If this is provided, the specified attribute must either be defined as an operational attribute in the server schema, or be allowed by at least one of the object classes in the user's entry. The ds-pwp-last-login operational attribute has been defined for this purpose. Last login time tracking is enabled only if both the ds-cfg-last-login-time-attribute and ds-cfg-last-login-time-format attributes have been configured for the password policy. |
| last-login-time-format | Specifies the format string that should be used to generate the last login time values. This can be any valid format string accepted by the java.text.SimpleDateFormat class. Note that for performance reasons, it might be desirable to configure this attribute so that it stores only the date (format: yyyyMMdd) and not the time of the last login; the attribute then needs to be updated only once per day rather than on every authentication. Last login time tracking is enabled only if both the ds-cfg-last-login-time-attribute and ds-cfg-last-login-time-format attributes have been configured for the password policy. |
| lockout-duration | Specifies the length of time that a user account should remain locked due to failed authentication attempts before it is automatically unlocked. A value of "0 seconds" indicates that locked accounts are not automatically unlocked and must be reset by an administrator. |
| lockout-failure-count | Specifies the number of authentication failures required to lock a user account, either temporarily or permanently. A value of zero indicates that automatic lockout is not enabled. |
| lockout-failure-expiration-interval | Specifies the maximum length of time that a previously failed authentication attempt should be counted toward a lockout. Note that the record of all previous failed attempts is always cleared upon a successful authentication. A value of "0 seconds" indicates that failed attempts never expire automatically. |
| max-password-age | Specifies the maximum length of time that a user is allowed to keep the same password before choosing a new one. This is often known as the password expiration interval. A value of "0 seconds" indicates that passwords never expire. If the ds-cfg-expire-passwords-without-warning attribute is set to false, the effective password expiration time is recalculated to be the time at which the first warning is received plus the warning interval (ds-cfg-password-expiration-warning-interval). This ensures that a user always has the full configured warning interval in which to change the password. |
| max-password-reset-age | Specifies the maximum length of time that users are allowed to change their passwords after an administrative reset before they are locked out. This applies only if the ds-cfg-force-change-on-reset attribute is set to true. A value of "0 seconds" indicates that there is no limit on the time users have to change their passwords after an administrative reset. |
| min-password-age | Specifies the minimum length of time that a user must keep a password value before it can be changed again. A nonzero value ensures that users cannot repeatedly change their passwords in order to flush a previous password from the history so that it can be reused. |
| password-attribute | Specifies the attribute in the user's entry that holds the encoded passwords for the user. The specified attribute must be defined in the server schema, and it must have either the user password syntax or the authentication password syntax. Typically, you enter "userPassword" for the user password syntax (OID: 1.3.6.1.4.1.26027.1.3.1). If your server supports it, you can also specify "authPassword" for the authentication password syntax (OID: 1.3.6.1.4.1.4203.1.1.2). |
| password-change-requires-current-password | Indicates whether users are required to provide their current password when setting a new password. If this is set to true, users must supply their current password when changing their existing password. This may be done using the password modify extended operation, or using a standard LDAP modify operation that deletes the existing password value and adds the new password value in the same modify operation. |
| password-expiration-warning-interval | Specifies the length of time before the password expires at which users should start to receive notification that it is about to expire. This must be given a nonzero value if the ds-cfg-expire-passwords-without-warning attribute is set to false. |
| password-generator | Specifies the DN of the password generator that should be used in conjunction with this password policy. The password generator is used with the password modify extended operation to provide a new password when the client did not include one in the request. If no password generator DN is specified, the password modify extended operation does not automatically generate passwords for users. |
| password-history-count | Specifies the maximum number of password values that should be maintained in the password history. Whenever a user's password is changed, the server checks the proposed new password against the current password and all passwords stored in the history. If a match is found, the user is not allowed to use that new password. A value of zero indicates either that the server should not maintain a password history (when the password history duration is also "0 seconds") or that the password history list should be based entirely on duration and no maximum count should be enforced (when the password history duration has a value other than "0 seconds"). Note that if an administrator reduces the configured password history count to a smaller (but still nonzero) value, a user entry containing password history state information is not affected until a password change is processed for that user; at that time, any excess history state values are purged from the entry. If the history count is reduced to zero and the password history duration is also set to "0 seconds", any state information in the user's entry is retained in case the feature is re-enabled. |
| password-history-duration | Specifies the maximum length of time that a formerly used password should remain in the user's password history. Whenever a user's password is changed, the server checks the proposed new password against the current password and all passwords stored in the history. If a match is found, the user is not allowed to use that new password. A value of "0 seconds" indicates either that the server should not maintain a password history (when the password history count is also "0") or that the password history list should be based entirely on count and no maximum duration should be enforced (when the password history count has a value other than "0"). |
| password-validator | Specifies the DNs of the password validators that should be used in conjunction with this password policy. The password validators are invoked whenever a user attempts to provide a new password, to determine whether that new password is acceptable. |
| previous-last-login-time-format | Specifies the format string that was used in the past for older last login time values. This value is needed only if the last login time feature is enabled and the format in which the values are stored has been changed. |
| require-change-by-time | Specifies a time by which all users with this password policy are required to change their passwords. This option works independently of password expiration (that is, it forces all users to change their passwords at some point even if password expiration is disabled). |
| require-secure-authentication | Indicates whether users with this password policy are required to authenticate in a secure manner, using a secure communication mechanism like SSL, or a secure SASL mechanism like DIGEST-MD5, EXTERNAL, or GSSAPI that does not expose the password in the clear. |
| require-secure-password-changes | Indicates whether users with this password policy are required to make password changes in a secure manner, such as over a secure communication channel like SSL. |
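Worked example for lockout-failure-count, lockout-failure-expiration-interval and lockout-duration: a small Python model (added here; not OpenDJ or DSEE code) that replays timestamped bind attempts against one account and shows old failures ageing out, the lock engaging, lapsing after the duration, or staying permanent when the duration is 0. That a lapsed temporary lock clears the old failure record is a modelling assumption, not something the table states.

```python
# Added example (not OpenDJ/DSEE code): one account's lockout state under
# lockout-failure-count, lockout-failure-expiration-interval and lockout-duration.
# Times are integer seconds; a value of 0 keeps the meaning given in the property table.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class LockoutPolicy:
    failure_count: int        # lockout-failure-count: 0 disables automatic lockout
    failure_expiration: int   # lockout-failure-expiration-interval: 0 = failures never expire
    lockout_duration: int     # lockout-duration: 0 = locked until an administrator resets

@dataclass
class AccountState:
    failures: List[int] = field(default_factory=list)  # times of failed binds still counted
    locked_at: Optional[int] = None                    # time the lock was set, if any

def is_locked(policy: LockoutPolicy, state: AccountState, now: int) -> bool:
    """Permanent when lockout-duration is 0, otherwise lapses once the duration has passed."""
    if state.locked_at is None:
        return False
    return policy.lockout_duration == 0 or now < state.locked_at + policy.lockout_duration

def bind(policy: LockoutPolicy, state: AccountState, now: int, password_ok: bool) -> str:
    """Process one bind attempt; returns 'ok', 'invalid' or 'locked'."""
    if is_locked(policy, state, now):
        return "locked"
    if state.locked_at is not None:
        state.locked_at, state.failures = None, []  # assumption: a lapsed lock clears old failures
    if password_ok:
        state.failures.clear()  # a successful bind always clears the failure record
        return "ok"
    if policy.failure_expiration:
        # Only failures younger than lockout-failure-expiration-interval still count.
        state.failures = [t for t in state.failures if now - t < policy.failure_expiration]
    state.failures.append(now)
    if policy.failure_count and len(state.failures) >= policy.failure_count:
        state.locked_at = now
    return "invalid"

def run(policy: LockoutPolicy, attempts: List[Tuple[int, bool]]) -> List[str]:
    """Replay (time, password_ok) attempts against a fresh account and return each outcome."""
    state = AccountState()
    return [bind(policy, state, t, ok) for t, ok in attempts]

if __name__ == "__main__":
    policy = LockoutPolicy(failure_count=3, failure_expiration=300, lockout_duration=600)
    print(run(policy, [(0, False), (100, False), (200, False), (300, True), (800, True)]))
    print(run(policy, [(0, False), (100, False), (450, False), (460, False), (470, False), (480, True)]))
```

The first replay locks the account at t=200 and lets it lapse at t=800; the second shows the failure at t=0 expiring before the third failure arrives, so the lock only engages once three failures fall within 300 seconds.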
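Worked example for max-password-age, password-expiration-warning-interval, expire-password-without-warning and grace-login-count: an added Python model (not the server's code) showing how the effective expiration moves to the first warning time plus the warning interval when expire-password-without-warning is false, and how grace logins are consumed once the password has expired. Times are in days, and the assumption that a warning is delivered on a bind is the model's, not the table's.

```python
# Added example (not OpenDJ/DSEE code): one account under max-password-age,
# password-expiration-warning-interval, expire-password-without-warning and
# grace-login-count. Times are integer days; 0 keeps the meaning given in the table.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class ExpirationPolicy:
    max_password_age: int         # 0 = passwords never expire
    warning_interval: int         # warnings begin this long before expiration
    expire_without_warning: bool  # False = the user always gets a full warning interval
    grace_login_count: int        # binds still allowed after expiration (change-password only)

@dataclass
class PasswordState:
    changed_at: int                         # when the current password was set
    first_warning_at: Optional[int] = None  # when the first warning was delivered
    grace_logins_used: int = 0

def expiration_time(policy: ExpirationPolicy, state: PasswordState) -> Optional[int]:
    """Nominal expiry, or first warning + warning interval under the table's recalculation rule."""
    if policy.max_password_age == 0:
        return None
    if not policy.expire_without_warning and state.first_warning_at is not None:
        return state.first_warning_at + policy.warning_interval
    return state.changed_at + policy.max_password_age

def bind(policy: ExpirationPolicy, state: PasswordState, now: int) -> Tuple[str, Optional[int]]:
    """Returns (outcome, effective expiration); outcome is ok, warning, grace or expired."""
    exp = expiration_time(policy, state)
    if exp is None:
        return "ok", None
    if state.first_warning_at is None and now >= exp - policy.warning_interval:
        state.first_warning_at = now          # assumption: warnings are delivered on a bind
        exp = expiration_time(policy, state)  # moves out if the first warning came late
    if now < exp:
        return ("warning" if now >= exp - policy.warning_interval else "ok"), exp
    if state.grace_logins_used < policy.grace_login_count:
        state.grace_logins_used += 1          # bind succeeds, but only a password change is allowed
        return "grace", exp
    return "expired", exp

def run(policy: ExpirationPolicy, changed_at: int, bind_days: List[int]) -> List[Tuple[str, Optional[int]]]:
    """Replay binds on the given days for a password set at changed_at."""
    state = PasswordState(changed_at)
    return [bind(policy, state, day) for day in bind_days]

if __name__ == "__main__":
    print(run(ExpirationPolicy(30, 5, False, 2), 0, [10, 40, 44, 45, 46, 47]))
    print(run(ExpirationPolicy(30, 5, True, 2), 0, [10, 40, 41, 42]))
```

With a 30-day age and 5-day warning, a user who first binds on day 40 gets a warning and a new expiry of day 45 when expire-password-without-warning is false, but is already on grace logins when it is true.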
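Worked example for password-history-count, password-history-duration and min-password-age: an added Python model (not the server's code) of how the two history limits combine (either may be 0 to defer to the other, both 0 disables the history), why min-password-age stops a user flushing the history, and that excess values are purged only when a change is processed. SHA-256 stands in for the configured storage scheme and is an assumption of the model.

```python
# Added example (not OpenDJ/DSEE code): one user's password history under
# password-history-count, password-history-duration and min-password-age (times in days).
import hashlib
from dataclasses import dataclass, field
from typing import List, Tuple

def encode(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()  # stand-in for the storage scheme

@dataclass
class HistoryPolicy:
    history_count: int     # 0 = no count limit (duration only), or no history if duration is 0 too
    history_duration: int  # 0 = no age limit (count only), or no history if count is 0 too
    min_password_age: int  # 0 = the password may be changed again immediately

@dataclass
class UserPassword:
    current: str                                                  # encoded current password
    changed_at: int
    history: List[Tuple[int, str]] = field(default_factory=list)  # (time added, encoded value)

def prune(policy: HistoryPolicy, state: UserPassword, now: int) -> None:
    """Apply the nonzero limits; runs only on a change, so a reduced count purges nothing until then."""
    if policy.history_duration:
        state.history = [(t, h) for t, h in state.history if now - t < policy.history_duration]
    if policy.history_count:
        state.history = state.history[-policy.history_count:]

def change_password(policy: HistoryPolicy, state: UserPassword, now: int, new: str) -> str:
    """Returns 'changed', 'too-soon' or 'in-history'."""
    if now - state.changed_at < policy.min_password_age:
        return "too-soon"  # min-password-age blocks rapid changes meant to flush the history
    if policy.history_count or policy.history_duration:
        prune(policy, state, now)  # values past the duration no longer block reuse
        if encode(new) == state.current or encode(new) in {h for _, h in state.history}:
            return "in-history"
        state.history.append((now, state.current))
        prune(policy, state, now)  # enforce the count now that the old value has joined
    state.current, state.changed_at = encode(new), now  # both limits 0: no check, state kept
    return "changed"

def run(policy: HistoryPolicy, first: str, attempts: List[Tuple[int, str]]) -> List[str]:
    """Start with `first` set on day 0 and replay (day, new_password) change attempts."""
    state = UserPassword(encode(first), 0)
    return [change_password(policy, state, day, pw) for day, pw in attempts]

if __name__ == "__main__":
    print(run(HistoryPolicy(2, 0, 1), "p1", [(0, "p2"), (1, "p2"), (2, "p3"), (3, "p1"), (3, "p4"), (4, "p1")]))
    print(run(HistoryPolicy(0, 10, 0), "p1", [(0, "p2"), (5, "p1"), (12, "p1")]))
```

In the count-only replay, "p1" is refused on day 3 but accepted on day 4 once two newer values have pushed it out of a two-entry history; in the duration-only replay it is refused on day 5 and accepted on day 12 after ageing past the 10-day limit.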