external-software/github_OpenIdentityPlatform_OpenDJ.git

			@@ -2631,6 +2631,26 @@
			SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
			SINGLE-VALUE
			X-ORIGIN 'OpenDJ Directory Server' )
			attributeTypes: ( 1.3.6.1.4.1.36733.2.1.1.23
			NAME 'ds-cfg-use-password-caching'
			SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
			SINGLE-VALUE
			X-ORIGIN 'OpenDJ Directory Server' )
			attributeTypes: ( 1.3.6.1.4.1.36733.2.1.1.24
			NAME 'ds-cfg-cached-password-storage-scheme'
			SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
			SINGLE-VALUE
			X-ORIGIN 'OpenDJ Directory Server' )
			attributeTypes: ( 1.3.6.1.4.1.36733.2.1.1.25
			NAME 'ds-cfg-cached-password-min-age'
			SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
			SINGLE-VALUE
			X-ORIGIN 'OpenDJ Directory Server' )
			attributeTypes: ( 1.3.6.1.4.1.36733.2.1.1.26
			NAME 'ds-cfg-cached-password-max-age'
			SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
			SINGLE-VALUE
			X-ORIGIN 'OpenDJ Directory Server' )
			objectClasses: ( 1.3.6.1.4.1.26027.1.2.1
			NAME 'ds-cfg-access-control-handler'
			SUP top
			@@ -4377,7 +4397,8 @@
			STRUCTURAL
			MUST ( ds-cfg-java-class $
			ds-cfg-primary-remote-ldap-server $
			ds-cfg-mapping-policy )
			ds-cfg-mapping-policy $
			ds-cfg-use-password-caching )
			MAY ( ds-cfg-secondary-remote-ldap-server $
			ds-cfg-mapped-attribute $
			ds-cfg-mapped-search-bind-dn $
			@@ -4392,5 +4413,8 @@
			ds-cfg-use-tcp-keep-alive $
			ds-cfg-use-tcp-no-delay $
			ds-cfg-ssl-protocol $
			ds-cfg-ssl-cipher-suite )
			ds-cfg-ssl-cipher-suite $
			ds-cfg-cached-password-storage-scheme $
			ds-cfg-cached-password-min-age $
			ds-cfg-cached-password-max-age )
			X-ORIGIN 'OpenDJ Directory Server' )

			@@ -91,6 +91,19 @@
			</adm:condition>
			</adm:constraint>

			<adm:constraint>
			<adm:synopsis>
			The cached password storage scheme must be specified when password
			caching is enabled.
			</adm:synopsis>
			<adm:condition>
			<adm:implies>
			<adm:contains property="use-password-caching" value="true" />
			<adm:is-present property="cached-password-storage-scheme" />
			</adm:implies>
			</adm:condition>
			</adm:constraint>

			<adm:profile name="ldap">
			<ldap:object-class>
			<ldap:name>ds-cfg-ldap-pass-through-authentication-policy</ldap:name>
			@@ -565,4 +578,121 @@
			</adm:profile>
			</adm:property>

			<adm:property name="use-password-caching" mandatory="true">
			<adm:synopsis>
			Indicates whether passwords should be cached locally within the user's
			entry.
			</adm:synopsis>
			<adm:default-behavior>
			<adm:defined>
			<adm:value>false</adm:value>
			</adm:defined>
			</adm:default-behavior>
			<adm:syntax>
			<adm:boolean />
			</adm:syntax>
			<adm:profile name="ldap">
			<ldap:attribute>
			<ldap:name>ds-cfg-use-password-caching</ldap:name>
			</ldap:attribute>
			</adm:profile>
			</adm:property>

			<adm:property name="cached-password-storage-scheme">
			<adm:synopsis>
			Specifies the name of a password storage scheme which should be used
			for encoding cached passwords.
			</adm:synopsis>
			<adm:description>
			Changing the password storage scheme will cause all existing cached
			passwords to be discarded.
			</adm:description>
			<adm:default-behavior>
			<adm:undefined/>
			</adm:default-behavior>
			<adm:syntax>
			<adm:aggregation relation-name="password-storage-scheme"
			parent-path="/">
			<adm:constraint>
			<adm:synopsis>
			The referenced password storage schemes must be enabled.
			</adm:synopsis>
			<adm:target-is-enabled-condition>
			<adm:contains property="enabled" value="true" />
			</adm:target-is-enabled-condition>
			</adm:constraint>
			</adm:aggregation>
			</adm:syntax>
			<adm:profile name="ldap">
			<ldap:attribute>
			<ldap:name>ds-cfg-cached-password-storage-scheme</ldap:name>
			</ldap:attribute>
			</adm:profile>
			</adm:property>

			<adm:property name="cached-password-min-age">
			<adm:synopsis>
			Specifies the minimum length of time that a locally cached password must
			be used for authentication.
			</adm:synopsis>
			<adm:description>
			This property should be used in order to control the rate at which failed
			authentication attempts are forwarded to the remote LDAP server and, as
			a consequence, reduce the impact of a denial of service attack.

			An authentication attempt which fails because the provided password does
			not match the locally cached password will be retried against the remote
			LDAP service only if the cached password is older than the
			minimum age.

			Increasing the minimum age increases the period a user will have to wait
			before being able to authenticate using a new password.
			</adm:description>
			<adm:default-behavior>
			<adm:defined>
			<adm:value>10 seconds</adm:value>
			</adm:defined>
			</adm:default-behavior>
			<adm:syntax>
			<adm:duration base-unit="s"/>
			</adm:syntax>
			<adm:profile name="ldap">
			<ldap:attribute>
			<ldap:name>ds-cfg-cached-password-min-age</ldap:name>
			</ldap:attribute>
			</adm:profile>
			</adm:property>

			<adm:property name="cached-password-max-age">
			<adm:synopsis>
			Specifies the maximum length of time that a locally cached password may
			be used for authentication before it is refreshed from the remote LDAP
			service.
			</adm:synopsis>
			<adm:description>
			This property represents a cache timeout. Increasing the timeout period
			decreases the frequency that bind operations are delegated to the
			remote LDAP service, but increases the risk of users authenticating
			using stale passwords.

			Note that authentication attempts which fail because the provided password
			does not match the locally cached password will always be retried against
			the remote LDAP service, unless the cached password is newer than the
			minimum age.
			</adm:description>
			<adm:default-behavior>
			<adm:defined>
			<adm:value>1 days</adm:value>
			</adm:defined>
			</adm:default-behavior>
			<adm:syntax>
			<adm:duration base-unit="s"/>
			</adm:syntax>
			<adm:profile name="ldap">
			<ldap:attribute>
			<ldap:name>ds-cfg-cached-password-max-age</ldap:name>
			</ldap:attribute>
			</adm:profile>
			</adm:property>

			</adm:managed-object>