<?xml version="1.0" encoding="UTF-8"?>
|
<!--
|
! CDDL HEADER START
|
!
|
! The contents of this file are subject to the terms of the
|
! Common Development and Distribution License, Version 1.0 only
|
! (the "License"). You may not use this file except in compliance
|
! with the License.
|
!
|
! You can obtain a copy of the license at
|
! trunk/opends/resource/legal-notices/OpenDS.LICENSE
|
! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
|
! See the License for the specific language governing permissions
|
! and limitations under the License.
|
!
|
! When distributing Covered Code, include this CDDL HEADER in each
|
! file and include the License file at
|
! trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
|
! add the following below this CDDL HEADER, with the fields enclosed
|
! by brackets "[]" replaced with your own identifying information:
|
! Portions Copyright [yyyy] [name of copyright owner]
|
!
|
! CDDL HEADER END
|
!
|
!
|
! Portions Copyright 2007-2008 Sun Microsystems, Inc.
|
! -->
|
<adm:managed-object name="password-policy"
|
plural-name="password-policies" package="org.opends.server.admin.std"
|
xmlns:adm="http://www.opends.org/admin"
|
xmlns:ldap="http://www.opends.org/admin-ldap">
|
<adm:synopsis>
|
Define a number of password management rules, as well as
|
requirements for authentication processing.
|
</adm:synopsis>
|
<adm:tag name="user-management" />
|
<adm:profile name="ldap">
|
<ldap:object-class>
|
<ldap:name>ds-cfg-password-policy</ldap:name>
|
<ldap:superior>top</ldap:superior>
|
</ldap:object-class>
|
</adm:profile>
|
<adm:property name="password-attribute" mandatory="true">
|
<adm:synopsis>
|
Specifies the attribute type used to hold user passwords.
|
</adm:synopsis>
|
<adm:description>
|
This attribute type must be defined in the server schema, and it
|
must have either the user password or auth password syntax.
|
</adm:description>
|
<adm:syntax>
|
<adm:attribute-type />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-password-attribute</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="default-password-storage-scheme" mandatory="true"
|
multi-valued="true">
|
<adm:synopsis>
|
Specifies the names of the the password storage schemes that will
|
be used to encode clear-text passwords for this password policy.
|
</adm:synopsis>
|
<adm:syntax>
|
<adm:aggregation relation-name="password-storage-scheme"
|
parent-path="/">
|
<adm:constraint>
|
<adm:synopsis>
|
The referenced password storage schemes must be enabled.
|
</adm:synopsis>
|
<adm:target-is-enabled-condition>
|
<adm:contains property="enabled" value="true" />
|
</adm:target-is-enabled-condition>
|
</adm:constraint>
|
</adm:aggregation>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-default-password-storage-scheme</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="deprecated-password-storage-scheme"
|
multi-valued="true">
|
<adm:synopsis>
|
Specifies the names of the password storage schemes that will be
|
considered deprecated for this password policy.
|
</adm:synopsis>
|
<adm:description>
|
If a user with this password policy authenticates to the server
|
and his/her password is encoded with any deprecated schemes, then
|
those values will be removed and replaced with values encoded
|
using the default password storage scheme(s).
|
</adm:description>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:aggregation relation-name="password-storage-scheme"
|
parent-path="/">
|
<adm:constraint>
|
<adm:synopsis>
|
The referenced password storage schemes must be enabled.
|
</adm:synopsis>
|
<adm:target-is-enabled-condition>
|
<adm:contains property="enabled" value="true" />
|
</adm:target-is-enabled-condition>
|
</adm:constraint>
|
</adm:aggregation>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-deprecated-password-storage-scheme</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="password-validator" multi-valued="true">
|
<adm:synopsis>
|
Specifies the names of the password validators that should be used
|
with the associated password storage scheme.
|
</adm:synopsis>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:aggregation relation-name="password-validator"
|
parent-path="/">
|
<adm:constraint>
|
<adm:synopsis>
|
The referenced password validators must be enabled.
|
</adm:synopsis>
|
<adm:target-is-enabled-condition>
|
<adm:contains property="enabled" value="true" />
|
</adm:target-is-enabled-condition>
|
</adm:constraint>
|
</adm:aggregation>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-password-validator</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="account-status-notification-handler"
|
multi-valued="true">
|
<adm:synopsis>
|
Specifies the names of the account status notification handlers
|
that should be used with the associated password storage scheme.
|
</adm:synopsis>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:aggregation
|
relation-name="account-status-notification-handler"
|
parent-path="/">
|
<adm:constraint>
|
<adm:synopsis>
|
The referenced account status notification handlers must be
|
enabled.
|
</adm:synopsis>
|
<adm:target-is-enabled-condition>
|
<adm:contains property="enabled" value="true" />
|
</adm:target-is-enabled-condition>
|
</adm:constraint>
|
</adm:aggregation>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>
|
ds-cfg-account-status-notification-handler
|
</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="allow-user-password-changes">
|
<adm:synopsis>
|
Indicates whether users will be allowed to change their own
|
passwords.
|
</adm:synopsis>
|
<adm:description>
|
This check is made in addition to access control evaluation, and
|
therefore both must allow the password change for it to occur.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>true</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-allow-user-password-changes</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="password-change-requires-current-password">
|
<adm:synopsis>
|
Indicates whether user password changes will be required to use
|
the password modify extended operation and include the user's
|
current password before the change will be allowed.
|
</adm:synopsis>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>
|
ds-cfg-password-change-requires-current-password
|
</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="force-change-on-add">
|
<adm:synopsis>
|
Indicates whether users will be forced to change their passwords
|
upon first authenticating to the Directory Server after their
|
account has been created.
|
</adm:synopsis>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-force-change-on-add</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="force-change-on-reset">
|
<adm:synopsis>
|
Indicates whether users will be forced to change their passwords
|
if they are reset by an administrator.
|
</adm:synopsis>
|
<adm:description>
|
For this purpose, anyone with permission to change a given user's
|
password other than that user will be considered an administrator.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-force-change-on-reset</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="skip-validation-for-administrators"
|
advanced="true">
|
<adm:synopsis>
|
Indicates whether passwords set by administrators will be allowed
|
to bypass the password validation process that will be required
|
for user password changes.
|
</adm:synopsis>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-skip-validation-for-administrators</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="password-generator">
|
<adm:synopsis>
|
Specifies the name of the password generator that should be used
|
with the associated password policy.
|
</adm:synopsis>
|
<adm:description>
|
This will be used in conjunction with the password modify extended
|
operation to generate a new password for a user when none was
|
provided in the request.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:aggregation relation-name="password-generator"
|
parent-path="/">
|
<adm:constraint>
|
<adm:synopsis>
|
The referenced password generator must be enabled.
|
</adm:synopsis>
|
<adm:target-is-enabled-condition>
|
<adm:contains property="enabled" value="true" />
|
</adm:target-is-enabled-condition>
|
</adm:constraint>
|
</adm:aggregation>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-password-generator</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="require-secure-authentication">
|
<adm:synopsis>
|
Indicates whether users with the associated password policy will
|
be required to authenticate in a secure manner.
|
</adm:synopsis>
|
<adm:description>
|
This could mean either using a secure communication channel
|
between the client and the server, or using a SASL mechanism that
|
does not expose the credentials.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-require-secure-authentication</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="require-secure-password-changes">
|
<adm:synopsis>
|
Indicates whether users with the associated password policy will
|
be required to change their password in a secure manner that does
|
not expose the credentials.
|
</adm:synopsis>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-require-secure-password-changes</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="allow-multiple-password-values" advanced="true">
|
<adm:synopsis>
|
Indicates whether user entries will be allowed to have multiple
|
distinct values for the password attribute.
|
</adm:synopsis>
|
<adm:description>
|
This is potentially dangerous because many mechanisms used to
|
change the password do not work well with such a configuration. If
|
multiple password values are allowed, then any of them may be used
|
to authenticate, and they will all be subject to the same policy
|
constraints.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-allow-multiple-password-values</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="allow-pre-encoded-passwords" advanced="true">
|
<adm:synopsis>
|
Indicates whether users will be allowed to change their passwords
|
by providing a pre-encoded value.
|
</adm:synopsis>
|
<adm:description>
|
This can cause a security risk because the clear-text version of
|
the password is not known and therefore validation checks cannot
|
be applied to it.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-allow-pre-encoded-passwords</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="min-password-age">
|
<adm:synopsis>
|
Specifies the minimum length of time that must pass after a
|
password change before the user will be allowed to change the
|
password again.
|
</adm:synopsis>
|
<adm:description>
|
The value of this attribute should be an integer followed by a
|
unit of seconds, minutes, hours, days, or weeks. This setting can
|
be used to prevent users from changing their passwords repeatedly
|
over a short period of time to flush and old password from the
|
history so that it may be re-used.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0 seconds</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:duration />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-min-password-age</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="max-password-age">
|
<adm:synopsis>
|
Specifies the maximum length of time that a user may continue
|
using the same password before it must be changed (i.e., the
|
password expiration interval).
|
</adm:synopsis>
|
<adm:description>
|
The value of this attribute should be an integer followed by a
|
unit of seconds, minutes, hours, days, or weeks. A value of 0
|
seconds will disable password expiration.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0 seconds</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:duration />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-max-password-age</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="max-password-reset-age">
|
<adm:synopsis>
|
Specifies the maximum length of time that users have to change
|
passwords after they have been reset by an administrator before
|
they become locked.
|
</adm:synopsis>
|
<adm:description>
|
The value of this attribute should be an integer followed by a
|
unit of seconds, minutes, hours, days, or weeks. A value of 0
|
seconds will disable this feature.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0 seconds</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:duration />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-max-password-reset-age</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="password-expiration-warning-interval">
|
<adm:synopsis>
|
Specifies the maximum length of time before a user's password
|
actually expires that the server will begin to include warning
|
notifications in bind responses for that user.
|
</adm:synopsis>
|
<adm:description>
|
The value of this attribute should be an integer followed by a
|
unit of seconds, minutes, hours, days, or weeks. A value of 0
|
seconds will disable the warning interval.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>5 days</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:duration />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>
|
ds-cfg-password-expiration-warning-interval
|
</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="expire-passwords-without-warning">
|
<adm:synopsis>
|
Indicates whether the Directory Server should allow a user's
|
password to expire even if that user has never seen an expiration
|
warning notification.
|
</adm:synopsis>
|
<adm:description>
|
If this setting is enabled, then accounts will always be expired
|
when the expiration time arrives. If it is disabled, then the user
|
will always receive at least one warning notification, and the
|
password expiration will be set to the warning time plus the
|
warning interval.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-expire-passwords-without-warning</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="allow-expired-password-changes">
|
<adm:synopsis>
|
Indicates whether a user whose password is expired will still be
|
allowed to change that password using the password modify extended
|
operation.
|
</adm:synopsis>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-allow-expired-password-changes</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="grace-login-count">
|
<adm:synopsis>
|
Specifies the number of grace logins that a user will be allowed
|
after the account has expired to allow that user to choose a new
|
password.
|
</adm:synopsis>
|
<adm:description>
|
A value of 0 indicates that no grace logins will be allowed.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:integer lower-limit="0" upper-limit="2147483647" />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-grace-login-count</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="lockout-failure-count">
|
<adm:synopsis>
|
Specifies the maximum number of authentication failures that a
|
user should be allowed before the account is locked out.
|
</adm:synopsis>
|
<adm:description>
|
A value of 0 indicates that accounts should never be locked out
|
due to failed attempts.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:integer lower-limit="0" upper-limit="2147483647" />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-lockout-failure-count</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="lockout-duration">
|
<adm:synopsis>
|
Specifies the length of time that an account should be locked
|
after too many authentication failures.
|
</adm:synopsis>
|
<adm:description>
|
The value of this attribute should be an integer followed by a
|
unit of seconds, minutes, hours, days, or weeks. A value of 0
|
seconds indicates that the account should remain locked until an
|
administrator resets the password.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0 seconds</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:duration />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-lockout-duration</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="lockout-failure-expiration-interval">
|
<adm:synopsis>
|
Specifies the length of time that should pass before an
|
authentication failure is no longer counted against a user for the
|
purposes of account lockout.
|
</adm:synopsis>
|
<adm:description>
|
The value of this attribute should be an integer followed by a
|
unit of seconds, minutes, hours, days, or weeks. A value of 0
|
seconds indicates that the authentication failures should never
|
expire. The failure count will always be cleared upon a successful
|
authentication.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0 seconds</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:duration />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>
|
ds-cfg-lockout-failure-expiration-interval
|
</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="require-change-by-time">
|
<adm:synopsis>
|
Specifies the time by which all users with the associated password
|
policy must change their passwords.
|
</adm:synopsis>
|
<adm:description>
|
The value should be expressed in a generalized time format. If
|
this time is equal to the current time or is in the past, then all
|
users will be required to change their passwords immediately. The
|
behavior of the server in this mode will be identical to the
|
behavior observed when users are forced to change their passwords
|
after an administrative reset.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:string />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-require-change-by-time</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="last-login-time-attribute">
|
<adm:synopsis>
|
Specifies the name or OID of the attribute type that should be
|
used to hold the last login time for users with the associated
|
password policy.
|
</adm:synopsis>
|
<adm:description>
|
This attribute type must be defined in the Directory Server schema
|
and must either be defined as an operational attribute or must be
|
allowed by the set of objectClasses for all users with the
|
associated password policy.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:attribute-type />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-last-login-time-attribute</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="last-login-time-format">
|
<adm:synopsis>
|
Specifies the format string that should be used to generate the
|
last login time value for users with the associated password
|
policy.
|
</adm:synopsis>
|
<adm:description>
|
This format string should conform to the syntax described in the
|
API documentation for the java.text.SimpleDateFormat class.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:string />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-last-login-time-format</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="previous-last-login-time-format"
|
multi-valued="true">
|
<adm:synopsis>
|
Specifies the format string(s) that may have been used with the
|
last login time at any point in the past for users associated with
|
the password policy.
|
</adm:synopsis>
|
<adm:description>
|
These values are used to make it possible to parse previous
|
values, but will not be used to set new values. These format
|
strings should conform to the syntax described in the API
|
documentation for the java.text.SimpleDateFormat class.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:string />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-previous-last-login-time-format</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="idle-lockout-interval">
|
<adm:synopsis>
|
Specifies the maximum length of time that an account may remain
|
idle (i.e., the associated user does not authenticate to the
|
server) before that user is locked out.
|
</adm:synopsis>
|
<adm:description>
|
The value of this attribute should be an integer followed by a
|
unit of seconds, minutes, hours, days, or weeks. A value of 0
|
seconds indicates that idle accounts should not automatically be
|
locked out. This feature will only be available if the last login
|
time is maintained.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0 seconds</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:duration />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-idle-lockout-interval</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="state-update-failure-policy" advanced="true">
|
<adm:synopsis>
|
Specifies how the server should deal with the inability to update
|
password policy state information during an authentication
|
attempt.
|
</adm:synopsis>
|
<adm:description>
|
In particular, it may be used to control whether an otherwise
|
successful bind operation should fail if a failure occurs while
|
attempting to update password policy state information (e.g., to
|
clear a record of previous authentication failures or to update
|
the last login time), or even whether to reject a bind request if
|
it is known ahead of time that it will not be possible to update
|
the authentication failure times in the event of an unsuccessful
|
bind attempt (e.g., if the backend writability mode is disabled).
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>reactive</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:enumeration>
|
<adm:value name="ignore">
|
<adm:synopsis>
|
If a bind attempt would otherwise be successful, then do not
|
reject it if a problem occurs while attempting to update the
|
password policy state information for the user.
|
</adm:synopsis>
|
</adm:value>
|
<adm:value name="reactive">
|
<adm:synopsis>
|
Even if a bind attempt would otherwise be successful, reject
|
it if a problem occurs while attempting to update the
|
password policy state information for the user.
|
</adm:synopsis>
|
</adm:value>
|
<adm:value name="proactive">
|
<adm:synopsis>
|
Proactively reject any bind attempt if it is known ahead of
|
time that it would not be possible to update the user's
|
password policy state information.
|
</adm:synopsis>
|
</adm:value>
|
</adm:enumeration>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-state-update-failure-policy</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="password-history-count">
|
<adm:synopsis>
|
Specifies the maximum number of former passwords to maintain in
|
the password history.
|
</adm:synopsis>
|
<adm:description>
|
When choosing a new password, the proposed password will be
|
checked to ensure that it does not match the current password, nor
|
any other password in the history list. A value of zero indicates
|
that either no password history is to be maintained (if the
|
password history duration has a value of zero seconds), or that
|
there is no maximum number of passwords to maintain in the history
|
(if the password history duration has a value greater than zero
|
seconds).
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:integer lower-limit="0" upper-limit="2147483647" />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-password-history-count</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="password-history-duration">
|
<adm:synopsis>
|
Specifies the maximum length of time that passwords should remain
|
in the password history.
|
</adm:synopsis>
|
<adm:description>
|
When choosing a new password, the proposed password will be
|
checked to ensure that it does not match the current password, nor
|
any other password in the history list. A value of zero seconds
|
indicates that either no password history is to be maintained (if
|
the password history count has a value of zero), or that there is
|
no maximum duration for passwords in the history (if the password
|
history count has a value greater than zero).
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>0 seconds</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:duration base-unit="s" lower-limit="0"
|
upper-limit="2147483647" allow-unlimited="false" />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-password-history-duration</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
</adm:managed-object>
|
