<?xml version="1.0" encoding="UTF-8"?>
|
<!--
|
! CDDL HEADER START
|
!
|
! The contents of this file are subject to the terms of the
|
! Common Development and Distribution License, Version 1.0 only
|
! (the "License"). You may not use this file except in compliance
|
! with the License.
|
!
|
! You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
|
! or http://forgerock.org/license/CDDLv1.0.html.
|
! See the License for the specific language governing permissions
|
! and limitations under the License.
|
!
|
! When distributing Covered Code, include this CDDL HEADER in each
|
! file and include the License file at legal-notices/CDDLv1_0.txt.
|
! If applicable, add the following below this CDDL HEADER, with the
|
! fields enclosed by brackets "[]" replaced with your own identifying
|
! information:
|
! Portions Copyright [yyyy] [name of copyright owner]
|
!
|
! CDDL HEADER END
|
!
|
!
|
! Copyright 2007-2009 Sun Microsystems, Inc.
|
! Portions Copyright 2011 ForgeRock AS
|
! -->
|
<adm:managed-object name="password-policy"
|
plural-name="password-policies"
|
extends="authentication-policy"
|
package="org.opends.server.admin.std"
|
xmlns:adm="http://www.opends.org/admin"
|
xmlns:ldap="http://www.opends.org/admin-ldap">
|
<adm:synopsis>
|
<adm:user-friendly-plural-name />
|
define a number of password management rules, as well as
|
requirements for authentication processing.
|
</adm:synopsis>
|
<adm:profile name="ldap">
|
<ldap:object-class>
|
<ldap:name>ds-cfg-password-policy</ldap:name>
|
<ldap:superior>ds-cfg-authentication-policy</ldap:superior>
|
</ldap:object-class>
|
</adm:profile>
|
<adm:property-override name="java-class" advanced="true">
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>
|
org.opends.server.core.PasswordPolicyFactory
|
</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
</adm:property-override>
|
<adm:property name="password-attribute" mandatory="true">
|
<adm:synopsis>
|
Specifies the attribute type used to hold user passwords.
|
</adm:synopsis>
|
<adm:description>
|
This attribute type must be defined in the server schema, and it
|
must have either the user password or auth password syntax.
|
</adm:description>
|
<adm:syntax>
|
<adm:attribute-type />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-password-attribute</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="default-password-storage-scheme" mandatory="true"
|
multi-valued="true">
|
<adm:synopsis>
|
Specifies the names of the password storage schemes that are used
|
to encode clear-text passwords for this password policy.
|
</adm:synopsis>
|
<adm:syntax>
|
<adm:aggregation relation-name="password-storage-scheme"
|
parent-path="/">
|
<adm:constraint>
|
<adm:synopsis>
|
The referenced password storage schemes must be enabled.
|
</adm:synopsis>
|
<adm:target-is-enabled-condition>
|
<adm:contains property="enabled" value="true" />
|
</adm:target-is-enabled-condition>
|
</adm:constraint>
|
</adm:aggregation>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-default-password-storage-scheme</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="deprecated-password-storage-scheme"
|
multi-valued="true">
|
<adm:synopsis>
|
Specifies the names of the password storage schemes that are
|
considered deprecated for this password policy.
|
</adm:synopsis>
|
<adm:description>
|
If a user with this password policy authenticates to the server
|
and his/her password is encoded with a deprecated scheme, those
|
values are removed and replaced with values encoded using the
|
default password storage scheme(s).
|
</adm:description>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:aggregation relation-name="password-storage-scheme"
|
parent-path="/">
|
<adm:constraint>
|
<adm:synopsis>
|
The referenced password storage schemes must be enabled.
|
</adm:synopsis>
|
<adm:target-is-enabled-condition>
|
<adm:contains property="enabled" value="true" />
|
</adm:target-is-enabled-condition>
|
</adm:constraint>
|
</adm:aggregation>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-deprecated-password-storage-scheme</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="password-validator" multi-valued="true">
|
<adm:synopsis>
|
Specifies the names of the password validators that are used
|
with the associated password storage scheme.
|
</adm:synopsis>
|
<adm:description>
|
The password validators are invoked when a user attempts to provide
|
a new password, to determine whether the new password is acceptable.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:aggregation relation-name="password-validator"
|
parent-path="/">
|
<adm:constraint>
|
<adm:synopsis>
|
The referenced password validators must be enabled.
|
</adm:synopsis>
|
<adm:target-is-enabled-condition>
|
<adm:contains property="enabled" value="true" />
|
</adm:target-is-enabled-condition>
|
</adm:constraint>
|
</adm:aggregation>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-password-validator</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="account-status-notification-handler"
|
multi-valued="true">
|
<adm:synopsis>
|
Specifies the names of the account status notification handlers
|
that are used with the associated password storage scheme.
|
</adm:synopsis>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:aggregation
|
relation-name="account-status-notification-handler"
|
parent-path="/">
|
<adm:constraint>
|
<adm:synopsis>
|
The referenced account status notification handlers must be
|
enabled.
|
</adm:synopsis>
|
<adm:target-is-enabled-condition>
|
<adm:contains property="enabled" value="true" />
|
</adm:target-is-enabled-condition>
|
</adm:constraint>
|
</adm:aggregation>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>
|
ds-cfg-account-status-notification-handler
|
</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="allow-user-password-changes">
|
<adm:synopsis>
|
Indicates whether users can change their own
|
passwords.
|
</adm:synopsis>
|
<adm:description>
|
This check is made in addition to access control evaluation.
|
Both must allow the password change for it to occur.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>true</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-allow-user-password-changes</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="password-change-requires-current-password">
|
<adm:synopsis>
|
Indicates whether user password changes must use
|
the password modify extended operation and must include the user's
|
current password before the change is allowed.
|
</adm:synopsis>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>
|
ds-cfg-password-change-requires-current-password
|
</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="force-change-on-add">
|
<adm:synopsis>
|
Indicates whether users are forced to change their passwords
|
upon first authenticating to the directory server after their
|
account has been created.
|
</adm:synopsis>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-force-change-on-add</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="force-change-on-reset">
|
<adm:synopsis>
|
Indicates whether users are forced to change their passwords
|
if they are reset by an administrator.
|
</adm:synopsis>
|
<adm:description>
|
For this purpose, anyone with permission to change a given user's
|
password other than that user is considered an administrator.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-force-change-on-reset</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="skip-validation-for-administrators"
|
advanced="true">
|
<adm:synopsis>
|
Indicates whether passwords set by administrators are allowed
|
to bypass the password validation process that is required
|
for user password changes.
|
</adm:synopsis>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-skip-validation-for-administrators</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="password-generator">
|
<adm:synopsis>
|
Specifies the name of the password generator that is used
|
with the associated password policy.
|
</adm:synopsis>
|
<adm:description>
|
This is used in conjunction with the password modify extended
|
operation to generate a new password for a user when none was
|
provided in the request.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:aggregation relation-name="password-generator"
|
parent-path="/">
|
<adm:constraint>
|
<adm:synopsis>
|
The referenced password generator must be enabled.
|
</adm:synopsis>
|
<adm:target-is-enabled-condition>
|
<adm:contains property="enabled" value="true" />
|
</adm:target-is-enabled-condition>
|
</adm:constraint>
|
</adm:aggregation>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-password-generator</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="require-secure-authentication">
|
<adm:synopsis>
|
Indicates whether users with the associated password policy are
|
required to authenticate in a secure manner.
|
</adm:synopsis>
|
<adm:description>
|
This might mean either using a secure communication channel
|
between the client and the server, or using a SASL mechanism that
|
does not expose the credentials.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-require-secure-authentication</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="require-secure-password-changes">
|
<adm:synopsis>
|
Indicates whether users with the associated password policy are
|
required to change their password in a secure manner that does
|
not expose the credentials.
|
</adm:synopsis>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-require-secure-password-changes</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="allow-multiple-password-values" advanced="true">
|
<adm:synopsis>
|
Indicates whether user entries can have multiple
|
distinct values for the password attribute.
|
</adm:synopsis>
|
<adm:description>
|
This is potentially dangerous because many mechanisms used to
|
change the password do not work well with such a configuration. If
|
multiple password values are allowed, then any of them can be used
|
to authenticate, and they are all subject to the same policy
|
constraints.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-allow-multiple-password-values</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="allow-pre-encoded-passwords" advanced="true">
|
<adm:synopsis>
|
Indicates whether users can change their passwords
|
by providing a pre-encoded value.
|
</adm:synopsis>
|
<adm:description>
|
This can cause a security risk because the clear-text version of
|
the password is not known and therefore validation checks cannot
|
be applied to it.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-allow-pre-encoded-passwords</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="min-password-age">
|
<adm:synopsis>
|
Specifies the minimum length of time after a
|
password change before the user is allowed to change the
|
password again.
|
</adm:synopsis>
|
<adm:description>
|
The value of this attribute is an integer followed by a
|
unit of seconds, minutes, hours, days, or weeks. This setting can
|
be used to prevent users from changing their passwords repeatedly
|
over a short period of time to flush an old password from the
|
history so that it can be re-used.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0 seconds</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:duration lower-limit="0" upper-limit="2147483647" base-unit="s"/>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-min-password-age</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="max-password-age">
|
<adm:synopsis>
|
Specifies the maximum length of time that a user can continue
|
using the same password before it must be changed (that is, the
|
password expiration interval).
|
</adm:synopsis>
|
<adm:description>
|
The value of this attribute is an integer followed by a
|
unit of seconds, minutes, hours, days, or weeks. A value of 0
|
seconds disables password expiration.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0 seconds</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:duration lower-limit="0" upper-limit="2147483647" base-unit="s"/>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-max-password-age</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="max-password-reset-age">
|
<adm:synopsis>
|
Specifies the maximum length of time that users have to change
|
passwords after they have been reset by an administrator before
|
they become locked.
|
</adm:synopsis>
|
<adm:description>
|
The value of this attribute is an integer followed by a
|
unit of seconds, minutes, hours, days, or weeks. A value of 0
|
seconds disables this feature.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0 seconds</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:duration lower-limit="0" upper-limit="2147483647" base-unit="s"/>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-max-password-reset-age</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="password-expiration-warning-interval">
|
<adm:synopsis>
|
Specifies the maximum length of time before a user's password
|
actually expires that the server begins to include warning
|
notifications in bind responses for that user.
|
</adm:synopsis>
|
<adm:description>
|
The value of this attribute is an integer followed by a
|
unit of seconds, minutes, hours, days, or weeks. A value of 0
|
seconds disables the warning interval.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>5 days</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:duration />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>
|
ds-cfg-password-expiration-warning-interval
|
</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="expire-passwords-without-warning">
|
<adm:synopsis>
|
Indicates whether the directory server allows a user's
|
password to expire even if that user has never seen an expiration
|
warning notification.
|
</adm:synopsis>
|
<adm:description>
|
If this property is true, accounts always expire when the
|
expiration time arrives. If this property is false or disabled, the user
|
always receives at least one warning notification, and the
|
password expiration is set to the warning time plus the
|
warning interval.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-expire-passwords-without-warning</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="allow-expired-password-changes">
|
<adm:synopsis>
|
Indicates whether a user whose password is expired is still
|
allowed to change that password using the password modify extended
|
operation.
|
</adm:synopsis>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-allow-expired-password-changes</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="grace-login-count">
|
<adm:synopsis>
|
Specifies the number of grace logins that a user is allowed
|
after the account has expired to allow that user to choose a new
|
password.
|
</adm:synopsis>
|
<adm:description>
|
A value of 0 indicates that no grace logins are allowed.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:integer lower-limit="0" upper-limit="2147483647" />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-grace-login-count</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="lockout-failure-count">
|
<adm:synopsis>
|
Specifies the maximum number of authentication failures that a
|
user is allowed before the account is locked out.
|
</adm:synopsis>
|
<adm:description>
|
A value of 0 indicates that accounts are never locked out
|
due to failed attempts.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:integer lower-limit="0" upper-limit="2147483647"/>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-lockout-failure-count</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="lockout-duration">
|
<adm:synopsis>
|
Specifies the length of time that an account is locked
|
after too many authentication failures.
|
</adm:synopsis>
|
<adm:description>
|
The value of this attribute is an integer followed by a
|
unit of seconds, minutes, hours, days, or weeks. A value of 0
|
seconds indicates that the account must remain locked until an
|
administrator resets the password.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0 seconds</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:duration lower-limit="0" upper-limit="2147483647" base-unit="s"/>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-lockout-duration</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="lockout-failure-expiration-interval">
|
<adm:synopsis>
|
Specifies the length of time before an
|
authentication failure is no longer counted against a user for the
|
purposes of account lockout.
|
</adm:synopsis>
|
<adm:description>
|
The value of this attribute is an integer followed by a
|
unit of seconds, minutes, hours, days, or weeks. A value of 0
|
seconds indicates that the authentication failures must never
|
expire. The failure count is always cleared upon a successful
|
authentication.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0 seconds</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:duration lower-limit="0" upper-limit="2147483647" base-unit="s"/>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>
|
ds-cfg-lockout-failure-expiration-interval
|
</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="require-change-by-time">
|
<adm:synopsis>
|
Specifies the time by which all users with the associated password
|
policy must change their passwords.
|
</adm:synopsis>
|
<adm:description>
|
The value is expressed in a generalized time format. If
|
this time is equal to the current time or is in the past, then all
|
users are required to change their passwords immediately. The
|
behavior of the server in this mode is identical to the
|
behavior observed when users are forced to change their passwords
|
after an administrative reset.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:string>
|
<adm:pattern>
|
<adm:regex>.*</adm:regex>
|
<adm:usage>STRING</adm:usage>
|
<adm:synopsis>
|
A valid timestamp in generalized time form (for example,
|
a value of "20070409185811Z" indicates a value of April 9,
|
2007 at 6:58:11 pm GMT).
|
</adm:synopsis>
|
</adm:pattern>
|
</adm:string>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-require-change-by-time</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="last-login-time-attribute">
|
<adm:synopsis>
|
Specifies the name or OID of the attribute type that is
|
used to hold the last login time for users with the associated
|
password policy.
|
</adm:synopsis>
|
<adm:description>
|
This attribute type must be defined in the directory server schema
|
and must either be defined as an operational attribute or must be
|
allowed by the set of objectClasses for all users with the
|
associated password policy.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:attribute-type />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-last-login-time-attribute</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="last-login-time-format">
|
<adm:synopsis>
|
Specifies the format string that is used to generate the
|
last login time value for users with the associated password
|
policy.
|
</adm:synopsis>
|
<adm:description>
|
This format string conforms to the syntax described in the
|
API documentation for the java.text.SimpleDateFormat class.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:string>
|
<adm:pattern>
|
<adm:regex>.*</adm:regex>
|
<adm:usage>STRING</adm:usage>
|
<adm:synopsis>
|
Any valid format string that can be used with the
|
java.text.SimpleDateFormat class.
|
</adm:synopsis>
|
</adm:pattern>
|
</adm:string>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-last-login-time-format</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="previous-last-login-time-format"
|
multi-valued="true">
|
<adm:synopsis>
|
Specifies the format string(s) that might have been used with the
|
last login time at any point in the past for users associated with
|
the password policy.
|
</adm:synopsis>
|
<adm:description>
|
These values are used to make it possible to parse previous
|
values, but are not used to set new values. The format
|
strings conform to the syntax described in the API
|
documentation for the java.text.SimpleDateFormat class.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:string>
|
<adm:pattern>
|
<adm:regex>.*</adm:regex>
|
<adm:usage>STRING</adm:usage>
|
<adm:synopsis>
|
Any valid format string that can be used with the
|
java.text.SimpleDateFormat class.
|
</adm:synopsis>
|
</adm:pattern>
|
</adm:string>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-previous-last-login-time-format</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="idle-lockout-interval">
|
<adm:synopsis>
|
Specifies the maximum length of time that an account may remain
|
idle (that is, the associated user does not authenticate to the
|
server) before that user is locked out.
|
</adm:synopsis>
|
<adm:description>
|
The value of this attribute is an integer followed by a
|
unit of seconds, minutes, hours, days, or weeks. A value of 0
|
seconds indicates that idle accounts are not automatically
|
locked out. This feature is available only if the last login
|
time is maintained.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0 seconds</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:duration lower-limit="0" upper-limit="2147483647"/>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-idle-lockout-interval</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="state-update-failure-policy" advanced="true">
|
<adm:synopsis>
|
Specifies how the server deals with the inability to update
|
password policy state information during an authentication
|
attempt.
|
</adm:synopsis>
|
<adm:description>
|
In particular, this property can be used to control whether an otherwise
|
successful bind operation fails if a failure occurs while
|
attempting to update password policy state information (for example, to
|
clear a record of previous authentication failures or to update
|
the last login time). It can also be used to control whether to
|
reject a bind request if it is known ahead of time that it will not be
|
possible to update the authentication failure times in the event of an
|
unsuccessful bind attempt (for example, if the backend writability mode
|
is disabled).
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>reactive</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:enumeration>
|
<adm:value name="ignore">
|
<adm:synopsis>
|
If a bind attempt would otherwise be successful, then do not
|
reject it if a problem occurs while attempting to update the
|
password policy state information for the user.
|
</adm:synopsis>
|
</adm:value>
|
<adm:value name="reactive">
|
<adm:synopsis>
|
Even if a bind attempt would otherwise be successful, reject
|
it if a problem occurs while attempting to update the
|
password policy state information for the user.
|
</adm:synopsis>
|
</adm:value>
|
<adm:value name="proactive">
|
<adm:synopsis>
|
Proactively reject any bind attempt if it is known ahead of
|
time that it would not be possible to update the user's
|
password policy state information.
|
</adm:synopsis>
|
</adm:value>
|
</adm:enumeration>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-state-update-failure-policy</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="password-history-count">
|
<adm:synopsis>
|
Specifies the maximum number of former passwords to maintain in
|
the password history.
|
</adm:synopsis>
|
<adm:description>
|
When choosing a new password, the proposed password is
|
checked to ensure that it does not match the current password, nor
|
any other password in the history list. A value of zero indicates
|
that either no password history is to be maintained (if the
|
password history duration has a value of zero seconds), or that
|
there is no maximum number of passwords to maintain in the history
|
(if the password history duration has a value greater than zero
|
seconds).
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:integer lower-limit="0" upper-limit="2147483647" />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-password-history-count</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="password-history-duration">
|
<adm:synopsis>
|
Specifies the maximum length of time that passwords remain
|
in the password history.
|
</adm:synopsis>
|
<adm:description>
|
When choosing a new password, the proposed password is
|
checked to ensure that it does not match the current password, nor
|
any other password in the history list. A value of zero seconds
|
indicates that either no password history is to be maintained (if
|
the password history count has a value of zero), or that there is
|
no maximum duration for passwords in the history (if the password
|
history count has a value greater than zero).
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0 seconds</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:duration base-unit="s" lower-limit="0"
|
upper-limit="2147483647" allow-unlimited="false" />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-password-history-duration</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
</adm:managed-object>
|
