<?xml version="1.0" encoding="UTF-8"?>
|
<!--
|
! CDDL HEADER START
|
!
|
! The contents of this file are subject to the terms of the
|
! Common Development and Distribution License, Version 1.0 only
|
! (the "License"). You may not use this file except in compliance
|
! with the License.
|
!
|
! You can obtain a copy of the license at
|
! trunk/opends/resource/legal-notices/OpenDS.LICENSE
|
! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
|
! See the License for the specific language governing permissions
|
! and limitations under the License.
|
!
|
! When distributing Covered Code, include this CDDL HEADER in each
|
! file and include the License file at
|
! trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
|
! add the following below this CDDL HEADER, with the fields enclosed
|
! by brackets "[]" replaced with your own identifying information:
|
! Portions Copyright [yyyy] [name of copyright owner]
|
!
|
! CDDL HEADER END
|
!
|
!
|
! Portions Copyright 2007 Sun Microsystems, Inc.
|
! -->
|
|
<adm:managed-object name="password-policy"
|
plural-name="password-policies" package="org.opends.server.admin.std"
|
xmlns:adm="http://www.opends.org/admin"
|
xmlns:ldap="http://www.opends.org/admin-ldap">
|
<adm:synopsis>
|
Define a number of password management rules, as well as
|
requirements for authentication processing.
|
</adm:synopsis>
|
<adm:tag name="user-management"/>
|
<adm:profile name="ldap">
|
<ldap:object-class>
|
<ldap:name>ds-cfg-password-policy</ldap:name>
|
<ldap:superior>top</ldap:superior>
|
</ldap:object-class>
|
</adm:profile>
|
|
<adm:property name="password-attribute" mandatory="true"
|
multi-valued="false">
|
<adm:synopsis>
|
Specifies the attribute type used to hold user passwords.
|
</adm:synopsis>
|
<adm:description>
|
Specifies the attribute type used to hold user passwords. This
|
attribute type must be defined in the server schema, and it must have
|
either the user password or auth password syntax. Changes to this
|
configuration attribute will take effect immediately.
|
</adm:description>
|
<adm:syntax>
|
<adm:attribute-type />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-password-attribute</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="default-password-storage-scheme" mandatory="true"
|
multi-valued="true">
|
<adm:synopsis>
|
Specifies the names of the the password storage schemes that will
|
be used to encode clear-text passwords for this password policy.
|
</adm:synopsis>
|
<adm:syntax>
|
<adm:aggregation relation-name="password-storage-scheme"
|
parent-path="/">
|
<adm:target-is-enabled-condition>
|
<adm:contains property="enabled" value="true" />
|
</adm:target-is-enabled-condition>
|
</adm:aggregation>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-default-password-storage-scheme</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="deprecated-password-storage-scheme"
|
mandatory="false" multi-valued="true">
|
<adm:synopsis>
|
Specifies the names of the password storage schemes that will be
|
considered deprecated for this password policy. If a user with
|
this password policy authenticates to the server and his/her
|
password is encoded with any deprecated schemes, then those values
|
will be removed and replaced with values encoded using the default
|
password storage scheme(s).
|
</adm:synopsis>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:aggregation relation-name="password-storage-scheme"
|
parent-path="/">
|
<adm:target-is-enabled-condition>
|
<adm:contains property="enabled" value="true" />
|
</adm:target-is-enabled-condition>
|
</adm:aggregation>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-deprecated-password-storage-scheme</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="password-validator" mandatory="false"
|
multi-valued="true">
|
<adm:synopsis>
|
Specifies the names of the password validators that should be
|
used with the associated password storage scheme.
|
</adm:synopsis>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:aggregation relation-name="password-validator"
|
parent-path="/">
|
<adm:target-is-enabled-condition>
|
<adm:contains property="enabled" value="true" />
|
</adm:target-is-enabled-condition>
|
</adm:aggregation>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-password-validator</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="account-status-notification-handler"
|
mandatory="false" multi-valued="true">
|
<adm:synopsis>
|
Specifies the names of the account status notification handlers
|
that should be used with the associated password storage scheme.
|
</adm:synopsis>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:aggregation
|
relation-name="account-status-notification-handler"
|
parent-path="/">
|
<adm:target-is-enabled-condition>
|
<adm:contains property="enabled" value="true" />
|
</adm:target-is-enabled-condition>
|
</adm:aggregation>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>
|
ds-cfg-account-status-notification-handler
|
</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="allow-user-password-changes" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Indicates whether users will be allowed to change their own
|
passwords.
|
</adm:synopsis>
|
<adm:description>
|
Indicates whether users will be allowed to change their own
|
passwords. This check is made in addition to access control
|
evaluation, and therefore both must allow the password change for
|
it to occur. Changes to this configuration attribute will take
|
effect immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>true</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-allow-user-password-changes</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="password-change-requires-current-password"
|
mandatory="false" multi-valued="false">
|
<adm:synopsis>
|
Indicates whether user password changes will be required to use
|
the password modify extended operation and include the user's
|
current password before the change will be allowed.
|
</adm:synopsis>
|
<adm:description>
|
Indicates whether user password changes will be required to use
|
the password modify extended operation and include the user's
|
current password before the change will be allowed. Changes to
|
this configuration attribute will take effect immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>
|
ds-cfg-password-change-requires-current-password
|
</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
|
</adm:property>
|
<adm:property name="force-change-on-add" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Indicates whether users will be forced to change their passwords
|
upon first authenticating to the Directory Server after their
|
account has been created.
|
</adm:synopsis>
|
<adm:description>
|
Indicates whether users will be forced to change their passwords
|
upon first authenticating to the Directory Server after their
|
account has been created. Changes to this configuration attribute
|
will take effect immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-force-change-on-add</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
|
|
<adm:property name="force-change-on-reset" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Indicates whether users will be forced to change their passwords
|
if they are reset by an administrator.
|
</adm:synopsis>
|
<adm:description>
|
Indicates whether users will be forced to change their passwords
|
if they are reset by an administrator. For this purpose, anyone
|
with permission to change a given user's password other than that
|
user will be considered an administrator. Changes to this
|
configuration attribute will take effect immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-force-change-on-reset</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
|
|
</adm:property>
|
<adm:property name="skip-validation-for-administrators"
|
mandatory="false" multi-valued="false">
|
<adm:synopsis>
|
Indicates whether passwords set by administrators will be allowed
|
to bypass the password validation process that will be required
|
for user password changes.
|
</adm:synopsis>
|
<adm:description>
|
Indicates whether passwords set by administrators (in add, modify,
|
or password modify operations) will be allowed to bypass the
|
password validation process that will be required for user
|
password changes. Changes to this configuration attribute will
|
take effect immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-skip-validation-for-administrators</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
|
<adm:property name="password-generator" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Specifies the name of the password generator that should be used
|
with the associated password policy.
|
</adm:synopsis>
|
<adm:description>
|
This will be used in conjunction with the password modify extended
|
operation to generate a new password for a user when none was
|
provided in the request.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:aggregation relation-name="password-generator"
|
parent-path="/">
|
<adm:target-is-enabled-condition>
|
<adm:contains property="enabled" value="true" />
|
</adm:target-is-enabled-condition>
|
</adm:aggregation>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-password-generator</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
|
<adm:property name="require-secure-authentication" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Indicates whether users with the associated password policy will
|
be required to authenticate in a secure manner.
|
</adm:synopsis>
|
<adm:description>
|
Indicates whether users with the associated password policy will
|
be required to authenticate in a secure manner. This could mean
|
either using a secure communication channel between the client and
|
the server, or using a SASL mechanism that does not expose the
|
credentials. Changes to this configuration attribute will take
|
effect immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-require-secure-authentication</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
|
<adm:property name="require-secure-password-changes" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Indicates whether users with the associated password policy will
|
be required to change their password in a secure manner that does
|
not expose the credentials.
|
</adm:synopsis>
|
<adm:description>
|
Indicates whether users with the associated password policy will
|
be required to change their password in a secure manner that does
|
not expose the credentials. Changes to this configuration
|
attribute will take effect immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-require-secure-password-changes</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
|
<adm:property name="allow-multiple-password-values" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Indicates whether user entries will be allowed to have multiple
|
distinct values for the password attribute.
|
</adm:synopsis>
|
<adm:description>
|
Indicates whether user entries will be allowed to have multiple
|
distinct values for the password attribute. This is potentially
|
dangerous because many mechanisms used to change the password do
|
not work well with such a configuration. If multiple password
|
values are allowed, then any of them may be used to authenticate,
|
and they will all be subject to the same policy constraints.
|
Changes to this configuration attribute will take effect
|
immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-allow-multiple-password-values</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="allow-pre-encoded-passwords" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
_Indicates whether users will be allowed to change their passwords
|
by providing a pre-encoded value.
|
</adm:synopsis>
|
<adm:description>
|
Indicates whether users will be allowed to change their passwords
|
by providing a pre-encoded value. This can cause a security risk
|
because the clear-text version of the password is not known and
|
therefore validation checks cannot be applied to it. Changes to
|
this configuration attribute will take effect immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-allow-pre-encoded-passwords</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="min-password-age" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Specifies the minimum length of time that must pass after a
|
password change before the user will be allowed to change the
|
password again.
|
</adm:synopsis>
|
<adm:description>
|
Specifies the minimum length of time that must pass after a
|
password change before the user will be allowed to change the
|
password again. The value of this attribute should be an integer
|
followed by a unit of seconds, minutes, hours, days, or weeks.
|
This setting can be used to prevent users from changing their
|
passwords repeatedly over a short period of time to flush and old
|
password from the history so that it may be re-used. Changes to
|
this configuration attribute will take effect immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0 seconds</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:duration />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-min-password-age</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="max-password-age" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Specifies the maximum length of time that a user may continue
|
using the same password before it must be changed.
|
</adm:synopsis>
|
<adm:description>
|
Specifies the maximum length of time that a user may continue
|
using the same password before it must be changed (i.e., the
|
password expiration interval). The value of this attribute should
|
be an integer followed by a unit of seconds, minutes, hours, days,
|
or weeks. A value of 0 seconds will disable password expiration.
|
Changes to this configuration attribute will take effect
|
immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0 seconds</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:duration />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-max-password-age</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
|
<adm:property name="max-password-reset-age" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Specifies the maximum length of time that users have to change
|
passwords after they have been reset by an administrator before
|
they become locked.
|
</adm:synopsis>
|
<adm:description>
|
Specifies the maximum length of time that users have to change
|
passwords after they have been reset by an administrator before
|
they become locked. The value of this attribute should be an
|
integer followed by a unit of seconds, minutes, hours, days, or
|
weeks. A value of 0 seconds will disable this feature. Changes to
|
this configuration attribute will take effect immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0 seconds</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:duration />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-max-password-reset-age</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="password-expiration-warning-interval"
|
mandatory="false" multi-valued="false">
|
<adm:synopsis>
|
Specifies the maximum length of time before a user's password
|
actually expires that the server will begin to include warning
|
notifications in bind responses for that user.
|
</adm:synopsis>
|
<adm:description>
|
Specifies the maximum length of time before a user's password
|
actually expires that the server will begin to include warning
|
notifications in bind responses for that user. The value of this
|
attribute should be an integer followed by a unit of seconds,
|
minutes, hours, days, or weeks. A value of 0 seconds will disable
|
the warning interval. Changes to this configuration attribute will
|
take effect immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>5 days</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:duration />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>
|
ds-cfg-password-expiration-warning-interval
|
</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="expire-passwords-without-warning"
|
mandatory="false" multi-valued="false">
|
<adm:synopsis>
|
Indicates whether the Directory Server should allow a user's
|
password to expire even if that user has never seen an expiration
|
warning notification.
|
</adm:synopsis>
|
<adm:description>
|
Indicates whether the Directory Server should allow a user's
|
password to expire even if that user has never seen an expiration
|
warning notification. If this setting is enabled, then accounts
|
will always be expired when the expiration time arrives. If it is
|
disabled, then the user will always receive at least one warning
|
notification, and the password expiration will be set to the
|
warning time plus the warning interval. Changes to this
|
configuration attribute will take effect immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-expire-passwords-without-warning</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="allow-expired-password-changes" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Indicates whether a user whose password is expired will still be
|
allowed to change that password using the password modify extended
|
operation.
|
</adm:synopsis>
|
<adm:description>
|
Indicates whether a user whose password is expired will still be
|
allowed to change that password using the password modify extended
|
operation. Changes to this configuration attribute will take
|
effect immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-allow-expired-password-changes</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="grace-login-count" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Specifies the number of grace logins that a user will be allowed
|
after the account has expired to allow that user to choose a new
|
password.
|
</adm:synopsis>
|
<adm:description>
|
Specifies the number of grace logins that a user will be allowed
|
after the account has expired to allow that user to choose a new
|
password. A value of 0 indicates that no grace logins will be
|
allowed. Changes to this configuration attribute will take effect
|
immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:integer lower-limit="0" upper-limit="2147483647" />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-grace-login-count</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="lockout-failure-count" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Specifies the maximum number of authentication failures that a
|
user should be allowed before the account is locked out.
|
</adm:synopsis>
|
<adm:description>
|
Specifies the maximum number of authentication failures that a
|
user should be allowed before the account is locked out. A value
|
of 0 indicates that accounts should never be locked out due to
|
failed attempts. changes to this configuration attribute will take
|
effect immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:integer lower-limit="0" upper-limit="2147483647" />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-lockout-failure-count</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="lockout-duration" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Specifies the length of time that an account should be locked
|
after too many authentication failures.
|
</adm:synopsis>
|
<adm:description>
|
Specifies the length of time that an account should be locked
|
after too many authentication failures. The value of this
|
attribute should be an integer followed by a unit of seconds,
|
minutes, hours, days, or weeks. A value of 0 seconds indicates
|
that the account should remain locked until an administrator
|
resets the password. Changes to this configuration attribute will
|
take effect immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0 seconds</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:duration />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-lockout-duration</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="lockout-failure-expiration-interval"
|
mandatory="false" multi-valued="false">
|
<adm:synopsis>
|
Specifies the length of time that should pass before an
|
authentication failure is no longer counted against a user for the
|
purposes of account lockout.
|
</adm:synopsis>
|
<adm:description>
|
Specifies the length of time that should pass before an
|
authentication failure is no longer counted against a user for the
|
purposes of account lockout. The value of this attribute should be
|
an integer followed by a unit of seconds, minutes, hours, days, or
|
weeks. A value of 0 seconds indicates that the authentication
|
failures should never expire. The failure count will always be
|
cleared upon a successful authentication. Changes to this
|
configuration attribute will take effect immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0 seconds</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:duration />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>
|
ds-cfg-lockout-failure-expiration-interval
|
</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="require-change-by-time" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Specifies the time by which all users with the associated password
|
policy must change their passwords.
|
</adm:synopsis>
|
<adm:description>
|
Specifies the time by which all users with the associated password
|
policy must change their passwords. The value should be expressed
|
in a generalized time format. If this time is equal to the current
|
time or is in the past, then all users will be required to change
|
their passwords immediately. The behavior of the server in this
|
mode will be identical to the behavior observed when users are
|
forced to change their passwords after an administrative reset.
|
Changes to this configuration attribute will take effect
|
immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:string />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-require-change-by-time</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="last-login-time-attribute" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Specifies the name or OID of the attribute type that should be
|
used to hold the last login time for users with the associated
|
password policy.
|
</adm:synopsis>
|
<adm:description>
|
Specifies the name or OID of the attribute type that should be
|
used to hold the last login time for users with the associated
|
password policy. This attribute type must be defined in the
|
Directory Server schema and must either be defined as an
|
operational attribute or must be allowed by the set of
|
objectClasses for all users with the associated password policy.
|
Changes to this configuration attribute will take effect
|
immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:attribute-type />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-last-login-time-attribute</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="last-login-time-format" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Specifies the format string that should be used to generate the
|
last login time value for users with the associated password
|
policy.
|
</adm:synopsis>
|
<adm:description>
|
Specifies the format string that should be used to generate the
|
last login time value for users with the associated password
|
policy. This format string should conform to the syntax described
|
in the API documentation for the java.text.SimpleDateFormat class.
|
Changes to this configuration attribute will take effect
|
immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:string />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-last-login-time-format</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="previous-last-login-time-format" mandatory="false"
|
multi-valued="true">
|
<adm:synopsis>
|
Specifies the format string(s) that may have been used with the
|
last login time at any point in the past for users associated with
|
the password policy.
|
</adm:synopsis>
|
<adm:description>
|
Specifies the format string(s) that may have been used with the
|
last login time at any point in the past for users associated with
|
the password policy. These values are used to make it possible to
|
parse previous values, but will not be used to set new values.
|
These format strings should conform to the syntax described in the
|
API documentation for the java.text.SimpleDateFormat class.
|
Changes to this configuration attribute will take effect
|
immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:string />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-previous-last-login-time-format</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="idle-lockout-interval" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Specifies the maximum length of time that an account may remain
|
idle (i.e., the associated user does not authenticate to the
|
server) before that user is locked out.
|
</adm:synopsis>
|
<adm:description>
|
Specifies the maximum length of time that an account may remain
|
idle (i.e., the associated user does not authenticate to the
|
server) before that user is locked out. The value of this
|
attribute should be an integer followed by a unit of seconds,
|
minutes, hours, days, or weeks. A value of 0 seconds indicates
|
that idle accounts should not automatically be locked out. This
|
feature will only be available if the last login time is
|
maintained. Changes to this configuration attribute will take
|
effect immediately.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0 seconds</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:duration />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-idle-lockout-interval</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="state-update-failure-policy" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Specifies how the server should deal with the inability to update password
|
policy state information during an authentication attempt. In particular,
|
it may be used to control whether an otherwise successful bind operation
|
should fail if a failure occurs while attempting to update password policy
|
state information (e.g., to clear a record of previous authentication
|
failures or to update the last login time), or even whether to reject a
|
bind request if it is known ahead of time that it will not be possible to
|
update the authentication failure times in the event of an unsuccessful
|
bind attempt (e.g., if the backend writability mode is disabled).
|
</adm:synopsis>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>reactive</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:enumeration>
|
<adm:value name="ignore">
|
<adm:synopsis>
|
If a bind attempt would otherwise be successful, then do not reject
|
it if a problem occurs while attempting to update the password
|
policy state information for the user.
|
</adm:synopsis>
|
</adm:value>
|
<adm:value name="reactive">
|
<adm:synopsis>
|
Even if a bind attempt would otherwise be successful, reject it if a
|
problem occurs while attempting to update the password policy state
|
information for the user.
|
</adm:synopsis>
|
</adm:value>
|
<adm:value name="proactive">
|
<adm:synopsis>
|
Proactively reject any bind attempt if it is known ahead of time
|
that it would not be possible to update the user's password policy
|
state information.
|
</adm:synopsis>
|
</adm:value>
|
</adm:enumeration>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-state-update-failure-policy</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="password-history-count" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Specifies the maximum number of former passwords to maintain in the
|
password history. When choosing a new password, the proposed password
|
will be checked to ensure that it does not match the current password, nor
|
any other password in the history list. A value of zero indicates that
|
either no password history is to be maintained (if the password history
|
duration has a value of zero seconds), or that there is no maximum number
|
of passwords to maintain in the history (if the password history duration
|
has a value greater than zero seconds).
|
</adm:synopsis>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:integer lower-limit="0" upper-limit="2147483647" />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-password-history-count</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="password-history-duration" mandatory="false"
|
multi-valued="false">
|
<adm:synopsis>
|
Specifies the maximum length of time that passwords should remain in the
|
password history. When choosing a new password, the proposed password
|
will be checked to ensure that it does not match the current password, nor
|
any other password in the history list. A value of zero seconds indicates
|
that either no password history is to be maintained (if the password
|
history count has a value of zero), or that there is no maximum duration
|
for passwords in the history (if the password history count has a value
|
greater than zero).
|
</adm:synopsis>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0 seconds</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:duration base-unit="s" lower-limit="0" upper-limit="2147483647"
|
allow-unlimited="false" />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-password-history-duration</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
</adm:managed-object>
|
