<?xml version="1.0" encoding="UTF-8"?>
|
<adm:managed-object name="password-policy"
|
plural-name="password-policies" package="org.opends.server.admin.std"
|
xmlns:adm="http://www.opends.org/admin"
|
xmlns:ldap="http://www.opends.org/admin-ldap">
|
<adm:synopsis>
|
Define a number of password management rules, as well as
|
requirements for authentication processing.
|
</adm:synopsis>
|
<adm:profile name="ldap">
|
<ldap:object-class>
|
<ldap:oid>1.3.6.1.4.1.26027.1.2.62</ldap:oid>
|
<ldap:name>ds-cfg-password-policy</ldap:name>
|
<ldap:superior>top</ldap:superior>
|
</ldap:object-class>
|
</adm:profile>
|
|
<adm:property name="password-attribute" mandatory="true"
|
multi-valued="false">
|
<adm:synopsis>
|
Specifies the attribute type used to hold user passwords.
|
</adm:synopsis>
|
<adm:description>
|
Specifies the attribute type used to hold user passwords. This
|
attribute type must be defined in the server schema. Changes to
|
this configuration attribute will take effect immediately.
|
</adm:description>
|
<adm:syntax>
|
<adm:oid />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.192</ldap:oid>
|
<ldap:name>ds-cfg-password-attribute</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="default-password-storage-scheme" mandatory="true"
|
multi-valued="true">
|
<adm:synopsis>
|
Specifies the password storage scheme (or set of schemes) that
|
will be used to encode clear-text passwords.
|
</adm:synopsis>
|
<adm:description>
|
Specifies the password storage scheme (or set of schemes) that
|
will be used to encode clear-text passwords. If multiple default
|
storage schemes are defined for a password policy, then the same
|
password will be encoded using all of those schemes. Changes to
|
this configuration attribute will take effect immediately.
|
</adm:description>
|
<adm:syntax>
|
<adm:string />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.178</ldap:oid>
|
<ldap:name>ds-cfg-default-password-storage-scheme</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="deprecated-password-storage-scheme"
|
mandatory="false" multi-valued="true">
|
<adm:synopsis>
|
Specifies the password storage scheme (or set of schemes) that
|
should be considered deprecated.
|
</adm:synopsis>
|
<adm:description>
|
Specifies the password storage scheme (or set of schemes) that
|
should be considered deprecated. If an authenticating user has a
|
password encoded with one of these schemes, those passwords will
|
be removed and replaced with passwords encoded using the default
|
schemes. Changes to this configuration attribute will take effect
|
immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:string />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.179</ldap:oid>
|
<ldap:name>ds-cfg-deprecated-password-storage-scheme</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="password-validator-dn" mandatory="false"
|
multi-valued="true">
|
<adm:synopsis>
|
Specifies the DN(s) of the password validator(s) that should be
|
used with the associated password storage scheme.
|
</adm:synopsis>
|
<adm:description>
|
Specifies the DN(s) of the password validator(s) that should be
|
used with the associated password storage scheme. Changes to this
|
configuration attribute will take effect immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:dn />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.195</ldap:oid>
|
<ldap:name>ds-cfg-password-validator-dn</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="account-status-notification-handler-dn"
|
mandatory="false" multi-valued="true">
|
<adm:synopsis>
|
Specifies the DN(s) of the account status notification handler(s)
|
that should be used with the associated password storage scheme.
|
</adm:synopsis>
|
<adm:description>
|
Specifies the DN(s) of the account status notification handler(s)
|
that should be used with the associated password storage scheme.
|
Changes to this configuration attribute will take effect
|
immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:dn />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.174</ldap:oid>
|
<ldap:name>
|
ds-cfg-account-status-notification-handler-dn
|
</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="allow-user-password-changes" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Indicates whether users will be allowed to change their own
|
passwords.
|
</adm:synopsis>
|
<adm:description>
|
Indicates whether users will be allowed to change their own
|
passwords. This check is made in addition to access control
|
evaluation, and therefore both must allow the password change for
|
it to occur. Changes to this configuration attribute will take
|
effect immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>true</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.177</ldap:oid>
|
<ldap:name>ds-cfg-allow-user-password-changes</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="password-change-requires-current-password"
|
mandatory="false" multi-valued="false">
|
<adm:synopsis>
|
Indicates whether user password changes will be required to use
|
the password modify extended operation and include the user's
|
current password before the change will be allowed.
|
</adm:synopsis>
|
<adm:description>
|
Indicates whether user password changes will be required to use
|
the password modify extended operation and include the user's
|
current password before the change will be allowed. Changes to
|
this configuration attribute will take effect immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.198</ldap:oid>
|
<ldap:name>
|
ds-cfg-password-change-requires-current-password
|
</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
|
</adm:property>
|
<adm:property name="force-change-on-add" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Indicates whether users will be forced to change their passwords
|
upon first authenticating to the Directory Server after their
|
account has been created.
|
</adm:synopsis>
|
<adm:description>
|
Indicates whether users will be forced to change their passwords
|
upon first authenticating to the Directory Server after their
|
account has been created. Changes to this configuration attribute
|
will take effect immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.208</ldap:oid>
|
<ldap:name>ds-cfg-force-change-on-add</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
|
|
<adm:property name="force-change-on-reset" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Indicates whether users will be forced to change their passwords
|
if they are reset by an administrator.
|
</adm:synopsis>
|
<adm:description>
|
Indicates whether users will be forced to change their passwords
|
if they are reset by an administrator. For this purpose, anyone
|
with permission to change a given user's password other than that
|
user will be considered an administrator. Changes to this
|
configuration attribute will take effect immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.181</ldap:oid>
|
<ldap:name>ds-cfg-force-change-on-reset</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
|
|
</adm:property>
|
<adm:property name="skip-validation-for-administrators"
|
mandatory="false" multi-valued="false">
|
<adm:synopsis>
|
Indicates whether passwords set by administrators will be allowed
|
to bypass the password validation process that will be required
|
for user password changes.
|
</adm:synopsis>
|
<adm:description>
|
Indicates whether passwords set by administrators (in add, modify,
|
or password modify operations) will be allowed to bypass the
|
password validation process that will be required for user
|
password changes. Changes to this configuration attribute will
|
take effect immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.201</ldap:oid>
|
<ldap:name>ds-cfg-skip-validation-for-administrators</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
|
<adm:property name="password-generator-dn" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Specifies the DN of the configuration entry that references the
|
password generator for use with the associated password policy.
|
</adm:synopsis>
|
<adm:description>
|
Specifies the DN of the configuration entry that references the
|
password generator for use with the associated password policy.
|
This will be used in conjunction with the password modify extended
|
operation to generate a new password for a user when none was
|
provided in the request. Changes to this configuration attribute
|
will take effect immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:dn />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.194</ldap:oid>
|
<ldap:name>ds-cfg-password-generator-dn</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
|
<adm:property name="require-secure-authentication" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Indicates whether users with the associated password policy will
|
be required to authenticate in a secure manner.
|
</adm:synopsis>
|
<adm:description>
|
Indicates whether users with the associated password policy will
|
be required to authenticate in a secure manner. This could mean
|
either using a secure communication channel between the client and
|
the server, or using a SASL mechanism that does not expose the
|
credentials. Changes to this configuration attribute will take
|
effect immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.199</ldap:oid>
|
<ldap:name>ds-cfg-require-secure-authentication</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
|
<adm:property name="require-secure-password-changes" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Indicates whether users with the associated password policy will
|
be required to change their password in a secure manner that does
|
not expose the credentials.
|
</adm:synopsis>
|
<adm:description>
|
Indicates whether users with the associated password policy will
|
be required to change their password in a secure manner that does
|
not expose the credentials. Changes to this configuration
|
attribute will take effect immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.200</ldap:oid>
|
<ldap:name>ds-cfg-require-secure-password-changes</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
|
<adm:property name="allow-multiple-password-values" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Indicates whether user entries will be allowed to have multiple
|
distinct values for the password attribute.
|
</adm:synopsis>
|
<adm:description>
|
Indicates whether user entries will be allowed to have multiple
|
distinct values for the password attribute. This is potentially
|
dangerous because many mechanisms used to change the password do
|
not work well with such a configuration. If multiple password
|
values are allowed, then any of them may be used to authenticate,
|
and they will all be subject to the same policy constraints.
|
Changes to this configuration attribute will take effect
|
immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.209</ldap:oid>
|
<ldap:name>ds-cfg-allow-multiple-password-values</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="allow-pre-encoded-passwords" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
_Indicates whether users will be allowed to change their passwords
|
by providing a pre-encoded value.
|
</adm:synopsis>
|
<adm:description>
|
Indicates whether users will be allowed to change their passwords
|
by providing a pre-encoded value. This can cause a security risk
|
because the clear-text version of the password is not known and
|
therefore validation checks cannot be applied to it. Changes to
|
this configuration attribute will take effect immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.176</ldap:oid>
|
<ldap:name>ds-cfg-allow-pre-encoded-passwords</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="minimum-password-age" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Specifies the minimum length of time that must pass after a
|
password change before the user will be allowed to change the
|
password again.
|
</adm:synopsis>
|
<adm:description>
|
Specifies the minimum length of time that must pass after a
|
password change before the user will be allowed to change the
|
password again. The value of this attribute should be an integer
|
followed by a unit of seconds, minutes, hours, days, or weeks.
|
This setting can be used to prevent users from changing their
|
passwords repeatedly over a short period of time to flush and old
|
password from the history so that it may be re-used. Changes to
|
this configuration attribute will take effect immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0 seconds</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:duration />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.191</ldap:oid>
|
<ldap:name>ds-cfg-minimum-password-age</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="maximum-password-age" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Specifies the maximum length of time that a user may continue
|
using the same password before it must be changed.
|
</adm:synopsis>
|
<adm:description>
|
Specifies the maximum length of time that a user may continue
|
using the same password before it must be changed (i.e., the
|
password expiration interval). The value of this attribute should
|
be an integer followed by a unit of seconds, minutes, hours, days,
|
or weeks. A value of 0 seconds will disable password expiration.
|
Changes to this configuration attribute will take effect
|
immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0 seconds</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:duration />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.189</ldap:oid>
|
<ldap:name>ds-cfg-maximum-password-age</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
|
<adm:property name="maximum-password-reset-age" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Specifies the maximum length of time that users have to change
|
passwords after they have been reset by an administrator before
|
they become locked.
|
</adm:synopsis>
|
<adm:description>
|
Specifies the maximum length of time that users have to change
|
passwords after they have been reset by an administrator before
|
they become locked. The value of this attribute should be an
|
integer followed by a unit of seconds, minutes, hours, days, or
|
weeks. A value of 0 seconds will disable this feature. Changes to
|
this configuration attribute will take effect immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0 seconds</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:duration />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.190</ldap:oid>
|
<ldap:name>ds-cfg-maximum-password-reset-age</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="password-expiration-warning-interval"
|
mandatory="false" multi-valued="false">
|
<adm:synopsis>
|
Specifies the maximum length of time before a user's password
|
actually expires that the server will begin to include warning
|
notifications in bind responses for that user.
|
</adm:synopsis>
|
<adm:description>
|
Specifies the maximum length of time before a user's password
|
actually expires that the server will begin to include warning
|
notifications in bind responses for that user. The value of this
|
attribute should be an integer followed by a unit of seconds,
|
minutes, hours, days, or weeks. A value of 0 seconds will disable
|
the warning interval. Changes to this configuration attribute will
|
take effect immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>5 days</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:duration />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.193</ldap:oid>
|
<ldap:name>
|
ds-cfg-password-expiration-warning-interval
|
</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="expire-passwords-without-warning"
|
mandatory="false" multi-valued="false">
|
<adm:synopsis>
|
Indicates whether the Directory Server should allow a user's
|
password to expire even if that user has never seen an expiration
|
warning notification.
|
</adm:synopsis>
|
<adm:description>
|
Indicates whether the Directory Server should allow a user's
|
password to expire even if that user has never seen an expiration
|
warning notification. If this setting is enabled, then accounts
|
will always be expired when the expiration time arrives. If it is
|
disabled, then the user will always receive at least one warning
|
notification, and the password expiration will be set to the
|
warning time plus the warning interval. Changes to this
|
configuration attribute will take effect immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.180</ldap:oid>
|
<ldap:name>ds-cfg-expire-passwords-without-warning</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="allow-expired-password-changes" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Indicates whether a user whose password is expired will still be
|
allowed to change that password using the password modify extended
|
operation.
|
</adm:synopsis>
|
<adm:description>
|
Indicates whether a user whose password is expired will still be
|
allowed to change that password using the password modify extended
|
operation. Changes to this configuration attribute will take
|
effect immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.175</ldap:oid>
|
<ldap:name>ds-cfg-allow-expired-password-changes</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="grace-login-count" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Specifies the number of grace logins that a user will be allowed
|
after the account has expired to allow that user to choose a new
|
password.
|
</adm:synopsis>
|
<adm:description>
|
Specifies the number of grace logins that a user will be allowed
|
after the account has expired to allow that user to choose a new
|
password. A value of 0 indicates that no grace logins will be
|
allowed. Changes to this configuration attribute will take effect
|
immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:integer lower-limit="0" upper-limit="2147483647" />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.182</ldap:oid>
|
<ldap:name>ds-cfg-grace-login-count</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="lockout-failure-count" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Specifies the maximum number of authentication failures that a
|
user should be allowed before the account is locked out.
|
</adm:synopsis>
|
<adm:description>
|
Specifies the maximum number of authentication failures that a
|
user should be allowed before the account is locked out. A value
|
of 0 indicates that accounts should never be locked out due to
|
failed attempts. changes to this configuration attribute will take
|
effect immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:integer lower-limit="0" upper-limit="2147483647" />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.187</ldap:oid>
|
<ldap:name>ds-cfg-lockout-failure-count</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="lockout-duration" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Specifies the length of time that an account should be locked
|
after too many authentication failures.
|
</adm:synopsis>
|
<adm:description>
|
Specifies the length of time that an account should be locked
|
after too many authentication failures. The value of this
|
attribute should be an integer followed by a unit of seconds,
|
minutes, hours, days, or weeks. A value of 0 seconds indicates
|
that the account should remain locked until an administrator
|
resets the password. Changes to this configuration attribute will
|
take effect immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0 seconds</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:duration />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.186</ldap:oid>
|
<ldap:name>ds-cfg-lockout-duration</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="lockout-failure-expiration-interval"
|
mandatory="false" multi-valued="false">
|
<adm:synopsis>
|
pecifies the length of time that should pass before an
|
authentication failure is no longer counted against a user for the
|
purposes of account lockout.
|
</adm:synopsis>
|
<adm:description>
|
Specifies the length of time that should pass before an
|
authentication failure is no longer counted against a user for the
|
purposes of account lockout. The value of this attribute should be
|
an integer followed by a unit of seconds, minutes, hours, days, or
|
weeks. A value of 0 seconds indicates that the authentication
|
failures should never expire. The failure count will always be
|
cleared upon a successful authentication. Changes to this
|
configuration attribute will take effect immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0 seconds</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:duration />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.188</ldap:oid>
|
<ldap:name>
|
ds-cfg-lockout-failure-expiration-interval
|
</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="require-change-by-time" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Specifies the time by which all users with the associated password
|
policy must change their passwords.
|
</adm:synopsis>
|
<adm:description>
|
Specifies the time by which all users with the associated password
|
policy must change their passwords. The value should be expressed
|
in a generalized time format. If this time is equal to the current
|
time or is in the past, then all users will be required to change
|
their passwords immediately. The behavior of the server in this
|
mode will be identical to the behavior observed when users are
|
forced to change their passwords after an administrative reset.
|
Changes to this configuration attribute will take effect
|
immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:string />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.197</ldap:oid>
|
<ldap:name>ds-cfg-require-change-by-time</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="last-login-time-attribute" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Specifies the name or OID of the attribute type that should be
|
used to hold the last login time for users with the associated
|
password policy.
|
</adm:synopsis>
|
<adm:description>
|
Specifies the name or OID of the attribute type that should be
|
used to hold the last login time for users with the associated
|
password policy. This attribute type must be defined in the
|
Directory Server schema and must either be defined as an
|
operational attribute or must be allowed by the set of
|
objectClasses for all users with the associated password policy.
|
Changes to this configuration attribute will take effect
|
immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:oid />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.184</ldap:oid>
|
<ldap:name>ds-cfg-last-login-time-attribute</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="last-login-time-format" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Specifies the format string that should be used to generate the
|
last login time value for users with the associated password
|
policy.
|
</adm:synopsis>
|
<adm:description>
|
Specifies the format string that should be used to generate the
|
last login time value for users with the associated password
|
policy. This format string should conform to the syntax described
|
in the API documentation for the java.text.SimpleDateFormat class.
|
Changes to this configuration attribute will take effect
|
immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:string />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.185</ldap:oid>
|
<ldap:name>ds-cfg-last-login-time-format</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="previous-last-login-time-format" mandatory="false"
|
multi-valued="true">
|
<adm:synopsis>
|
Specifies the format string(s) that may have been used with the
|
last login time at any point in the past for users associated with
|
the password policy.
|
</adm:synopsis>
|
<adm:description>
|
Specifies the format string(s) that may have been used with the
|
last login time at any point in the past for users associated with
|
the password policy. These values are used to make it possible to
|
parse previous values, but will not be used to set new values.
|
These format strings should conform to the syntax described in the
|
API documentation for the java.text.SimpleDateFormat class.
|
Changes to this configuration attribute will take effect
|
immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:string />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.196</ldap:oid>
|
<ldap:name>ds-cfg-previous-last-login-time-format</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="idle-lockout-interval" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Specifies the maximum length of time that an account may remain
|
idle (i.e., the associated user does notauthenticate to the
|
server) before that user is locked out.
|
</adm:synopsis>
|
<adm:description>
|
Specifies the maximum length of time that an account may remain
|
idle (i.e., the associated user does notauthenticate to the
|
server) before that user is locked out. The value of this
|
attribute should be an integer followed by a unit of seconds,
|
minutes, hours, days, or weeks. A value of 0 seconds indicates
|
that idle accounts should not automatically be locked out. This
|
feature will only be available if the last login time is
|
maintained. Changes to this configuration attribute will take
|
effect immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0 seconds</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:duration />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.183</ldap:oid>
|
<ldap:name>ds-cfg-idle-lockout-interval</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
</adm:managed-object>
|
