From 71c986adf196ba33b1835b666cc8d1b45902b2e9 Mon Sep 17 00:00:00 2001
From: lfrost <lfrost@localhost>
Date: Tue, 29 Jan 2008 10:37:26 +0000
Subject: [PATCH] Doc changes to Network Groups and Password Configuration docs and some copyright changes. Thanks to Daniel & Matt for the review.
---
opends/src/admin/defn/org/opends/server/admin/std/PasswordPolicyConfiguration.xml | 230 +++++++++++++++++++++++++++++++++------------------------
1 files changed, 132 insertions(+), 98 deletions(-)
diff --git a/opends/src/admin/defn/org/opends/server/admin/std/PasswordPolicyConfiguration.xml b/opends/src/admin/defn/org/opends/server/admin/std/PasswordPolicyConfiguration.xml
index 4919851..2fc11ce 100644
--- a/opends/src/admin/defn/org/opends/server/admin/std/PasswordPolicyConfiguration.xml
+++ b/opends/src/admin/defn/org/opends/server/admin/std/PasswordPolicyConfiguration.xml
@@ -30,7 +30,8 @@
xmlns:adm="http://www.opends.org/admin"
xmlns:ldap="http://www.opends.org/admin-ldap">
<adm:synopsis>
- Define a number of password management rules, as well as
+ <adm:user-friendly-plural-name />
+ define a number of password management rules, as well as
requirements for authentication processing.
</adm:synopsis>
<adm:tag name="user-management" />
@@ -60,8 +61,8 @@
<adm:property name="default-password-storage-scheme" mandatory="true"
multi-valued="true">
<adm:synopsis>
- Specifies the names of the the password storage schemes that will
- be used to encode clear-text passwords for this password policy.
+ Specifies the names of the password storage schemes that are used
+ to encode clear-text passwords for this password policy.
</adm:synopsis>
<adm:syntax>
<adm:aggregation relation-name="password-storage-scheme"
@@ -85,14 +86,14 @@
<adm:property name="deprecated-password-storage-scheme"
multi-valued="true">
<adm:synopsis>
- Specifies the names of the password storage schemes that will be
+ Specifies the names of the password storage schemes that are
considered deprecated for this password policy.
</adm:synopsis>
<adm:description>
If a user with this password policy authenticates to the server
- and his/her password is encoded with any deprecated schemes, then
- those values will be removed and replaced with values encoded
- using the default password storage scheme(s).
+ and his/her password is encoded with a deprecated scheme, those
+ values are removed and replaced with values encoded using the
+ default password storage scheme(s).
</adm:description>
<adm:default-behavior>
<adm:undefined />
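Review bot: The rewritten description has a number mismatch: "encoded with a deprecated scheme, those values are removed" pairs a singular scheme with plural values; `and his/her password is encoded with any deprecated scheme, those values are removed and replaced` keeps the grammar and the original meaning. The text also implies the re-encoding happens on every authentication, but it can presumably only occur when the bind exposes the clear-text password to the server (a simple bind rather than a SASL mechanism that never transmits it) — worth confirming against the bind handling and, if so, stating it here so administrators do not expect deprecated hashes to disappear for SASL-only users. The property's remaining elements continue outside the hunk.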
@@ -118,9 +119,13 @@
</adm:property>
<adm:property name="password-validator" multi-valued="true">
<adm:synopsis>
- Specifies the names of the password validators that should be used
+ Specifies the names of the password validators that are used
with the associated password storage scheme.
</adm:synopsis>
+ <adm:description>
+ The password validators are invoked when a user attempts to provide
+ a new password, to determine whether the new password is acceptable.
+ </adm:description>
<adm:default-behavior>
<adm:undefined />
</adm:default-behavior>
@@ -147,7 +152,7 @@
multi-valued="true">
<adm:synopsis>
Specifies the names of the account status notification handlers
- that should be used with the associated password storage scheme.
+ that are used with the associated password storage scheme.
</adm:synopsis>
<adm:default-behavior>
<adm:undefined />
@@ -177,12 +182,12 @@
</adm:property>
<adm:property name="allow-user-password-changes">
<adm:synopsis>
- Indicates whether users will be allowed to change their own
+ Indicates whether users can change their own
passwords.
</adm:synopsis>
<adm:description>
- This check is made in addition to access control evaluation, and
- therefore both must allow the password change for it to occur.
+ This check is made in addition to access control evaluation.
+ Both must allow the password change for it to occur.
</adm:description>
<adm:default-behavior>
<adm:defined>
@@ -200,9 +205,9 @@
</adm:property>
<adm:property name="password-change-requires-current-password">
<adm:synopsis>
- Indicates whether user password changes will be required to use
- the password modify extended operation and include the user's
- current password before the change will be allowed.
+ Indicates whether user password changes must use
+ the password modify extended operation and must include the user's
+ current password before the change is allowed.
</adm:synopsis>
<adm:default-behavior>
<adm:defined>
@@ -222,7 +227,7 @@
</adm:property>
<adm:property name="force-change-on-add">
<adm:synopsis>
- Indicates whether users will be forced to change their passwords
+ Indicates whether users are forced to change their passwords
upon first authenticating to the Directory Server after their
account has been created.
</adm:synopsis>
@@ -242,12 +247,12 @@
</adm:property>
<adm:property name="force-change-on-reset">
<adm:synopsis>
- Indicates whether users will be forced to change their passwords
+ Indicates whether users are forced to change their passwords
if they are reset by an administrator.
</adm:synopsis>
<adm:description>
For this purpose, anyone with permission to change a given user's
- password other than that user will be considered an administrator.
+ password other than that user is considered an administrator.
</adm:description>
<adm:default-behavior>
<adm:defined>
@@ -266,8 +271,8 @@
<adm:property name="skip-validation-for-administrators"
advanced="true">
<adm:synopsis>
- Indicates whether passwords set by administrators will be allowed
- to bypass the password validation process that will be required
+ Indicates whether passwords set by administrators are allowed
+ to bypass the password validation process that is required
for user password changes.
</adm:synopsis>
<adm:default-behavior>
@@ -286,11 +291,11 @@
</adm:property>
<adm:property name="password-generator">
<adm:synopsis>
- Specifies the name of the password generator that should be used
+ Specifies the name of the password generator that is used
with the associated password policy.
</adm:synopsis>
<adm:description>
- This will be used in conjunction with the password modify extended
+ This is used in conjunction with the password modify extended
operation to generate a new password for a user when none was
provided in the request.
</adm:description>
@@ -318,11 +323,11 @@
</adm:property>
<adm:property name="require-secure-authentication">
<adm:synopsis>
- Indicates whether users with the associated password policy will
- be required to authenticate in a secure manner.
+ Indicates whether users with the associated password policy are
+ required to authenticate in a secure manner.
</adm:synopsis>
<adm:description>
- This could mean either using a secure communication channel
+ This might mean either using a secure communication channel
between the client and the server, or using a SASL mechanism that
does not expose the credentials.
</adm:description>
@@ -342,8 +347,8 @@
</adm:property>
<adm:property name="require-secure-password-changes">
<adm:synopsis>
- Indicates whether users with the associated password policy will
- be required to change their password in a secure manner that does
+ Indicates whether users with the associated password policy are
+ required to change their password in a secure manner that does
not expose the credentials.
</adm:synopsis>
<adm:default-behavior>
@@ -362,14 +367,14 @@
</adm:property>
<adm:property name="allow-multiple-password-values" advanced="true">
<adm:synopsis>
- Indicates whether user entries will be allowed to have multiple
+ Indicates whether user entries can have multiple
distinct values for the password attribute.
</adm:synopsis>
<adm:description>
This is potentially dangerous because many mechanisms used to
change the password do not work well with such a configuration. If
- multiple password values are allowed, then any of them may be used
- to authenticate, and they will all be subject to the same policy
+ multiple password values are allowed, then any of them can be used
+ to authenticate, and they are all subject to the same policy
constraints.
</adm:description>
<adm:default-behavior>
@@ -388,7 +393,7 @@
</adm:property>
<adm:property name="allow-pre-encoded-passwords" advanced="true">
<adm:synopsis>
- Indicates whether users will be allowed to change their passwords
+ Indicates whether users can change their passwords
by providing a pre-encoded value.
</adm:synopsis>
<adm:description>
@@ -412,16 +417,16 @@
</adm:property>
<adm:property name="min-password-age">
<adm:synopsis>
- Specifies the minimum length of time that must pass after a
- password change before the user will be allowed to change the
+ Specifies the minimum length of time after a
+ password change before the user is allowed to change the
password again.
</adm:synopsis>
<adm:description>
- The value of this attribute should be an integer followed by a
+ The value of this attribute is an integer followed by a
unit of seconds, minutes, hours, days, or weeks. This setting can
be used to prevent users from changing their passwords repeatedly
- over a short period of time to flush and old password from the
- history so that it may be re-used.
+ over a short period of time to flush an old password from the
+ history so that it can be re-used.
</adm:description>
<adm:default-behavior>
<adm:defined>
@@ -429,7 +434,7 @@
</adm:defined>
</adm:default-behavior>
<adm:syntax>
- <adm:duration />
+ <adm:duration lower-limit="0" upper-limit="2147483647" base-unit="s"/>
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
@@ -439,14 +444,14 @@
</adm:property>
<adm:property name="max-password-age">
<adm:synopsis>
- Specifies the maximum length of time that a user may continue
- using the same password before it must be changed (i.e., the
+ Specifies the maximum length of time that a user can continue
+ using the same password before it must be changed (that is, the
password expiration interval).
</adm:synopsis>
<adm:description>
- The value of this attribute should be an integer followed by a
+ The value of this attribute is an integer followed by a
unit of seconds, minutes, hours, days, or weeks. A value of 0
- seconds will disable password expiration.
+ seconds disables password expiration.
</adm:description>
<adm:default-behavior>
<adm:defined>
@@ -454,7 +459,7 @@
</adm:defined>
</adm:default-behavior>
<adm:syntax>
- <adm:duration />
+ <adm:duration lower-limit="0" upper-limit="2147483647" base-unit="s"/>
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
@@ -469,9 +474,9 @@
they become locked.
</adm:synopsis>
<adm:description>
- The value of this attribute should be an integer followed by a
+ The value of this attribute is an integer followed by a
unit of seconds, minutes, hours, days, or weeks. A value of 0
- seconds will disable this feature.
+ seconds disables this feature.
</adm:description>
<adm:default-behavior>
<adm:defined>
@@ -479,7 +484,7 @@
</adm:defined>
</adm:default-behavior>
<adm:syntax>
- <adm:duration />
+ <adm:duration lower-limit="0" upper-limit="2147483647" base-unit="s"/>
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
@@ -490,13 +495,13 @@
<adm:property name="password-expiration-warning-interval">
<adm:synopsis>
Specifies the maximum length of time before a user's password
- actually expires that the server will begin to include warning
+ actually expires that the server begins to include warning
notifications in bind responses for that user.
</adm:synopsis>
<adm:description>
- The value of this attribute should be an integer followed by a
+ The value of this attribute is an integer followed by a
unit of seconds, minutes, hours, days, or weeks. A value of 0
- seconds will disable the warning interval.
+ seconds disables the warning interval.
</adm:description>
<adm:default-behavior>
<adm:defined>
@@ -516,15 +521,15 @@
</adm:property>
<adm:property name="expire-passwords-without-warning">
<adm:synopsis>
- Indicates whether the Directory Server should allow a user's
+ Indicates whether the Directory Server allows a user's
password to expire even if that user has never seen an expiration
warning notification.
</adm:synopsis>
<adm:description>
- If this setting is enabled, then accounts will always be expired
- when the expiration time arrives. If it is disabled, then the user
- will always receive at least one warning notification, and the
- password expiration will be set to the warning time plus the
+ If this property is true, accounts always expire when the
+ expiration time arrives. If this property is false disabled, the user
+ always receives at least one warning notification, and the
+ password expiration is set to the warning time plus the
warning interval.
</adm:description>
<adm:default-behavior>
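Review bot: The new description contains a leftover word from the rewrite, "If this property is false disabled, the user" — it should read `expiration time arrives. If this property is false, the user`. Since this text is generated into the administrator-facing reference and describes a behavior that decides whether accounts lock out without any prior warning, the sentence should be unambiguous. The rest of the property definition continues outside the hunk.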
@@ -543,7 +548,7 @@
</adm:property>
<adm:property name="allow-expired-password-changes">
<adm:synopsis>
- Indicates whether a user whose password is expired will still be
+ Indicates whether a user whose password is expired is still
allowed to change that password using the password modify extended
operation.
</adm:synopsis>
@@ -563,12 +568,12 @@
</adm:property>
<adm:property name="grace-login-count">
<adm:synopsis>
- Specifies the number of grace logins that a user will be allowed
+ Specifies the number of grace logins that a user is allowed
after the account has expired to allow that user to choose a new
password.
</adm:synopsis>
<adm:description>
- A value of 0 indicates that no grace logins will be allowed.
+ A value of 0 indicates that no grace logins are allowed.
</adm:description>
<adm:default-behavior>
<adm:defined>
@@ -587,10 +592,10 @@
<adm:property name="lockout-failure-count">
<adm:synopsis>
Specifies the maximum number of authentication failures that a
- user should be allowed before the account is locked out.
+ user is allowed before the account is locked out.
</adm:synopsis>
<adm:description>
- A value of 0 indicates that accounts should never be locked out
+ A value of 0 indicates that accounts are never locked out
due to failed attempts.
</adm:description>
<adm:default-behavior>
@@ -599,7 +604,7 @@
</adm:defined>
</adm:default-behavior>
<adm:syntax>
- <adm:integer lower-limit="0" upper-limit="2147483647" />
+ <adm:integer lower-limit="0" upper-limit="2147483647"/>
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
@@ -609,13 +614,13 @@
</adm:property>
<adm:property name="lockout-duration">
<adm:synopsis>
- Specifies the length of time that an account should be locked
+ Specifies the length of time that an account is locked
after too many authentication failures.
</adm:synopsis>
<adm:description>
- The value of this attribute should be an integer followed by a
+ The value of this attribute is an integer followed by a
unit of seconds, minutes, hours, days, or weeks. A value of 0
- seconds indicates that the account should remain locked until an
+ seconds indicates that the account must remain locked until an
administrator resets the password.
</adm:description>
<adm:default-behavior>
@@ -624,7 +629,7 @@
</adm:defined>
</adm:default-behavior>
<adm:syntax>
- <adm:duration />
+ <adm:duration lower-limit="0" upper-limit="2147483647" base-unit="s"/>
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
@@ -634,15 +639,15 @@
</adm:property>
<adm:property name="lockout-failure-expiration-interval">
<adm:synopsis>
- Specifies the length of time that should pass before an
+ Specifies the length of time before an
authentication failure is no longer counted against a user for the
purposes of account lockout.
</adm:synopsis>
<adm:description>
- The value of this attribute should be an integer followed by a
+ The value of this attribute is an integer followed by a
unit of seconds, minutes, hours, days, or weeks. A value of 0
- seconds indicates that the authentication failures should never
- expire. The failure count will always be cleared upon a successful
+ seconds indicates that the authentication failures must never
+ expire. The failure count is always cleared upon a successful
authentication.
</adm:description>
<adm:default-behavior>
@@ -651,7 +656,7 @@
</adm:defined>
</adm:default-behavior>
<adm:syntax>
- <adm:duration />
+ <adm:duration lower-limit="0" upper-limit="2147483647" base-unit="s"/>
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
@@ -667,10 +672,10 @@
policy must change their passwords.
</adm:synopsis>
<adm:description>
- The value should be expressed in a generalized time format. If
+ The value is expressed in a generalized time format. If
this time is equal to the current time or is in the past, then all
- users will be required to change their passwords immediately. The
- behavior of the server in this mode will be identical to the
+ users are required to change their passwords immediately. The
+ behavior of the server in this mode is identical to the
behavior observed when users are forced to change their passwords
after an administrative reset.
</adm:description>
@@ -678,7 +683,17 @@
<adm:undefined />
</adm:default-behavior>
<adm:syntax>
- <adm:string />
+ <adm:string>
+ <adm:pattern>
+ <adm:regex>.*</adm:regex>
+ <adm:usage>STRING</adm:usage>
+ <adm:synopsis>
+ A valid timestamp in generalized time form (for example,
+ a value of "20070409185811Z" indicates a value of April 9,
+ 2007 at 6:58:11 pm GMT).
+ </adm:synopsis>
+ </adm:pattern>
+ </adm:string>
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
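Review bot: The pattern added for require-change-by-time uses `<adm:regex>.*</adm:regex>`, which accepts any string, so a mistyped timestamp is not rejected when the configuration is set even though the synopsis promises "a valid timestamp in generalized time form"; whether such a value is caught later by the server's own parsing is not visible here. If the admin framework enforces the regex, a constrained expression such as `[0-9]{10,14}(\.[0-9]+)?(Z|[+-][0-9]{4})` would match the documented example (20070409185811Z) while rejecting obviously malformed values — the exact grammar should be checked against the server's generalized-time parser before tightening it. If the regex is intentionally permissive because the pattern element is only used for documentation, a short comment saying so would prevent future readers from assuming it validates.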
@@ -688,7 +703,7 @@
</adm:property>
<adm:property name="last-login-time-attribute">
<adm:synopsis>
- Specifies the name or OID of the attribute type that should be
+ Specifies the name or OID of the attribute type that is
used to hold the last login time for users with the associated
password policy.
</adm:synopsis>
@@ -712,19 +727,28 @@
</adm:property>
<adm:property name="last-login-time-format">
<adm:synopsis>
- Specifies the format string that should be used to generate the
+ Specifies the format string that is used to generate the
last login time value for users with the associated password
policy.
</adm:synopsis>
<adm:description>
- This format string should conform to the syntax described in the
+ This format string conforms to the syntax described in the
API documentation for the java.text.SimpleDateFormat class.
</adm:description>
<adm:default-behavior>
<adm:undefined />
</adm:default-behavior>
- <adm:syntax>
- <adm:string />
+ <adm:syntax>
+ <adm:string>
+ <adm:pattern>
+ <adm:regex>.*</adm:regex>
+ <adm:usage>STRING</adm:usage>
+ <adm:synopsis>
+ Any valid format string that can be used with the
+ java.text.SimpleDateFormat class.
+ </adm:synopsis>
+ </adm:pattern>
+ </adm:string>
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
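Review bot: The rewording "This format string conforms to the syntax described in the API documentation for the java.text.SimpleDateFormat class" turns a requirement on the administrator into a statement of fact; `This format string must conform to the syntax described in the API documentation for the java.text.SimpleDateFormat class.` keeps it normative. That matters here because the accompanying `<adm:regex>.*</adm:regex>` accepts any string, so the description is the only guidance an administrator gets before an invalid format presumably fails at the first last-login-time update — whether the server rejects a bad format at configuration time is not visible in this hunk and is worth confirming.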
@@ -735,21 +759,30 @@
<adm:property name="previous-last-login-time-format"
multi-valued="true">
<adm:synopsis>
- Specifies the format string(s) that may have been used with the
+ Specifies the format string(s) that might have been used with the
last login time at any point in the past for users associated with
the password policy.
</adm:synopsis>
<adm:description>
These values are used to make it possible to parse previous
- values, but will not be used to set new values. These format
- strings should conform to the syntax described in the API
+ values, but are not used to set new values. The format
+ strings conform to the syntax described in the API
documentation for the java.text.SimpleDateFormat class.
</adm:description>
<adm:default-behavior>
<adm:undefined />
</adm:default-behavior>
- <adm:syntax>
- <adm:string />
+ <adm:syntax>
+ <adm:string>
+ <adm:pattern>
+ <adm:regex>.*</adm:regex>
+ <adm:usage>STRING</adm:usage>
+ <adm:synopsis>
+ Any valid format string that can be used with the
+ java.text.SimpleDateFormat class.
+ </adm:synopsis>
+ </adm:pattern>
+ </adm:string>
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
@@ -760,14 +793,14 @@
<adm:property name="idle-lockout-interval">
<adm:synopsis>
Specifies the maximum length of time that an account may remain
- idle (i.e., the associated user does not authenticate to the
+ idle (that is, the associated user does not authenticate to the
server) before that user is locked out.
</adm:synopsis>
<adm:description>
- The value of this attribute should be an integer followed by a
+ The value of this attribute is an integer followed by a
unit of seconds, minutes, hours, days, or weeks. A value of 0
- seconds indicates that idle accounts should not automatically be
- locked out. This feature will only be available if the last login
+ seconds indicates that idle accounts are not automatically
+ locked out. This feature is available only if the last login
time is maintained.
</adm:description>
<adm:default-behavior>
@@ -776,7 +809,7 @@
</adm:defined>
</adm:default-behavior>
<adm:syntax>
- <adm:duration />
+ <adm:duration lower-limit="0" upper-limit="2147483647"/>
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
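Review bot: The idle-lockout-interval syntax is the one duration in this commit that was given limits but no base unit: every other `<adm:duration>` changed here reads `<adm:duration lower-limit="0" upper-limit="2147483647" base-unit="s"/>`, while this one is `<adm:duration lower-limit="0" upper-limit="2147483647"/>`. If the framework's default base unit is not seconds, the limits for this property are interpreted differently from its siblings; adding `base-unit="s"` keeps the definitions consistent regardless. The enclosing property continues outside the hunk.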
@@ -786,19 +819,20 @@
</adm:property>
<adm:property name="state-update-failure-policy" advanced="true">
<adm:synopsis>
- Specifies how the server should deal with the inability to update
+ Specifies how the server deals with the inability to update
password policy state information during an authentication
attempt.
</adm:synopsis>
<adm:description>
- In particular, it may be used to control whether an otherwise
- successful bind operation should fail if a failure occurs while
- attempting to update password policy state information (e.g., to
+ In particular, this property can be used to control whether an otherwise
+ successful bind operation fails if a failure occurs while
+ attempting to update password policy state information (for example, to
clear a record of previous authentication failures or to update
- the last login time), or even whether to reject a bind request if
- it is known ahead of time that it will not be possible to update
- the authentication failure times in the event of an unsuccessful
- bind attempt (e.g., if the backend writability mode is disabled).
+ the last login time). It can also be used to control whether to
+ reject a bind request if it is known ahead of time that it will not be
+ possible to update the authentication failure times in the event of an
+ unsuccessful bind attempt (for example, if the backend writability mode
+ is disabled).
</adm:description>
<adm:default-behavior>
<adm:defined>
@@ -842,7 +876,7 @@
the password history.
</adm:synopsis>
<adm:description>
- When choosing a new password, the proposed password will be
+ When choosing a new password, the proposed password is
checked to ensure that it does not match the current password, nor
any other password in the history list. A value of zero indicates
that either no password history is to be maintained (if the
@@ -867,11 +901,11 @@
</adm:property>
<adm:property name="password-history-duration">
<adm:synopsis>
- Specifies the maximum length of time that passwords should remain
+ Specifies the maximum length of time that passwords remain
in the password history.
</adm:synopsis>
<adm:description>
- When choosing a new password, the proposed password will be
+ When choosing a new password, the proposed password is
checked to ensure that it does not match the current password, nor
any other password in the history list. A value of zero seconds
indicates that either no password history is to be maintained (if
--