From e958eb5bcfc9feccbda7c0841b05939506143ad8 Mon Sep 17 00:00:00 2001
From: matthew_swift <matthew_swift@localhost>
Date: Fri, 16 Nov 2007 10:47:40 +0000
Subject: [PATCH] Advanced properties phase 1: tag advanced properties and perform various clean-up to the XML definitions:
---
opends/src/admin/defn/org/opends/server/admin/std/PasswordPolicyConfiguration.xml | 526 ++++++++++++++++++++-------------------------------------
1 files changed, 186 insertions(+), 340 deletions(-)
diff --git a/opends/src/admin/defn/org/opends/server/admin/std/PasswordPolicyConfiguration.xml b/opends/src/admin/defn/org/opends/server/admin/std/PasswordPolicyConfiguration.xml
index 53fde07..b618eb6 100644
--- a/opends/src/admin/defn/org/opends/server/admin/std/PasswordPolicyConfiguration.xml
+++ b/opends/src/admin/defn/org/opends/server/admin/std/PasswordPolicyConfiguration.xml
@@ -1,31 +1,30 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
- ! CDDL HEADER START
- !
- ! The contents of this file are subject to the terms of the
- ! Common Development and Distribution License, Version 1.0 only
- ! (the "License"). You may not use this file except in compliance
- ! with the License.
- !
- ! You can obtain a copy of the license at
- ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
- ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
- ! See the License for the specific language governing permissions
- ! and limitations under the License.
- !
- ! When distributing Covered Code, include this CDDL HEADER in each
- ! file and include the License file at
- ! trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
- ! add the following below this CDDL HEADER, with the fields enclosed
- ! by brackets "[]" replaced with your own identifying information:
- ! Portions Copyright [yyyy] [name of copyright owner]
- !
- ! CDDL HEADER END
- !
- !
- ! Portions Copyright 2007 Sun Microsystems, Inc.
- ! -->
-
+ ! CDDL HEADER START
+ !
+ ! The contents of this file are subject to the terms of the
+ ! Common Development and Distribution License, Version 1.0 only
+ ! (the "License"). You may not use this file except in compliance
+ ! with the License.
+ !
+ ! You can obtain a copy of the license at
+ ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
+ ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
+ ! See the License for the specific language governing permissions
+ ! and limitations under the License.
+ !
+ ! When distributing Covered Code, include this CDDL HEADER in each
+ ! file and include the License file at
+ ! trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
+ ! add the following below this CDDL HEADER, with the fields enclosed
+ ! by brackets "[]" replaced with your own identifying information:
+ ! Portions Copyright [yyyy] [name of copyright owner]
+ !
+ ! CDDL HEADER END
+ !
+ !
+ ! Portions Copyright 2007 Sun Microsystems, Inc.
+ ! -->
<adm:managed-object name="password-policy"
plural-name="password-policies" package="org.opends.server.admin.std"
xmlns:adm="http://www.opends.org/admin"
@@ -34,24 +33,20 @@
Define a number of password management rules, as well as
requirements for authentication processing.
</adm:synopsis>
- <adm:tag name="user-management"/>
+ <adm:tag name="user-management" />
<adm:profile name="ldap">
<ldap:object-class>
<ldap:name>ds-cfg-password-policy</ldap:name>
<ldap:superior>top</ldap:superior>
</ldap:object-class>
</adm:profile>
-
- <adm:property name="password-attribute" mandatory="true"
- multi-valued="false">
+ <adm:property name="password-attribute" mandatory="true">
<adm:synopsis>
Specifies the attribute type used to hold user passwords.
</adm:synopsis>
<adm:description>
- Specifies the attribute type used to hold user passwords. This
- attribute type must be defined in the server schema, and it must have
- either the user password or auth password syntax. Changes to this
- configuration attribute will take effect immediately.
+ This attribute type must be defined in the server schema, and it
+ must have either the user password or auth password syntax.
</adm:description>
<adm:syntax>
<adm:attribute-type />
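Review bot: The sentence "Changes to this configuration attribute will take effect immediately" is dropped from the password-attribute description in this hunk, and from nearly every later description (allow-user-password-changes, the lockout-* properties, require-secure-authentication and others), with nothing visible in the patch recording that fact elsewhere. For lockout and secure-authentication settings an operator needs to know whether an edit applies at once or only after a restart. If the definition format has no structured field for this, and if it holds for every property, state it once in the managed-object description, for example `Changes to any property of a password policy take effect immediately.` The property element closes outside this hunk.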
@@ -62,7 +57,6 @@
</ldap:attribute>
</adm:profile>
</adm:property>
-
<adm:property name="default-password-storage-scheme" mandatory="true"
multi-valued="true">
<adm:synopsis>
@@ -83,17 +77,18 @@
</ldap:attribute>
</adm:profile>
</adm:property>
-
<adm:property name="deprecated-password-storage-scheme"
- mandatory="false" multi-valued="true">
+ multi-valued="true">
<adm:synopsis>
Specifies the names of the password storage schemes that will be
- considered deprecated for this password policy. If a user with
- this password policy authenticates to the server and his/her
- password is encoded with any deprecated schemes, then those values
- will be removed and replaced with values encoded using the default
- password storage scheme(s).
+ considered deprecated for this password policy.
</adm:synopsis>
+ <adm:description>
+ If a user with this password policy authenticates to the server
+ and his/her password is encoded with any deprecated schemes, then
+ those values will be removed and replaced with values encoded
+ using the default password storage scheme(s).
+ </adm:description>
<adm:default-behavior>
<adm:undefined />
</adm:default-behavior>
@@ -111,12 +106,10 @@
</ldap:attribute>
</adm:profile>
</adm:property>
-
- <adm:property name="password-validator" mandatory="false"
- multi-valued="true">
+ <adm:property name="password-validator" multi-valued="true">
<adm:synopsis>
- Specifies the names of the password validators that should be
- used with the associated password storage scheme.
+ Specifies the names of the password validators that should be used
+ with the associated password storage scheme.
</adm:synopsis>
<adm:default-behavior>
<adm:undefined />
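Review bot: The re-wrapped password-validator synopsis still says the validators are used "with the associated password storage scheme", which looks like a copy-paste slip, since this is a property of the password policy. The password-generator synopsis later in the file uses "with the associated password policy". As these lines are being rewritten anyway, change the text to `Specifies the names of the password validators that should be used with the associated password policy.` The account-status-notification-handler synopsis in the next hunk carries the same wording in its context lines and would need the same fix.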
@@ -135,9 +128,8 @@
</ldap:attribute>
</adm:profile>
</adm:property>
-
<adm:property name="account-status-notification-handler"
- mandatory="false" multi-valued="true">
+ multi-valued="true">
<adm:synopsis>
Specifies the names of the account status notification handlers
that should be used with the associated password storage scheme.
@@ -162,19 +154,14 @@
</ldap:attribute>
</adm:profile>
</adm:property>
-
- <adm:property name="allow-user-password-changes" mandatory="false"
- multi-valued="false">
+ <adm:property name="allow-user-password-changes">
<adm:synopsis>
Indicates whether users will be allowed to change their own
passwords.
</adm:synopsis>
<adm:description>
- Indicates whether users will be allowed to change their own
- passwords. This check is made in addition to access control
- evaluation, and therefore both must allow the password change for
- it to occur. Changes to this configuration attribute will take
- effect immediately.
+ This check is made in addition to access control evaluation, and
+ therefore both must allow the password change for it to occur.
</adm:description>
<adm:default-behavior>
<adm:defined>
@@ -190,20 +177,12 @@
</ldap:attribute>
</adm:profile>
</adm:property>
-
- <adm:property name="password-change-requires-current-password"
- mandatory="false" multi-valued="false">
+ <adm:property name="password-change-requires-current-password">
<adm:synopsis>
Indicates whether user password changes will be required to use
the password modify extended operation and include the user's
current password before the change will be allowed.
</adm:synopsis>
- <adm:description>
- Indicates whether user password changes will be required to use
- the password modify extended operation and include the user's
- current password before the change will be allowed. Changes to
- this configuration attribute will take effect immediately.
- </adm:description>
<adm:default-behavior>
<adm:defined>
<adm:value>false</adm:value>
@@ -219,21 +198,13 @@
</ldap:name>
</ldap:attribute>
</adm:profile>
-
</adm:property>
- <adm:property name="force-change-on-add" mandatory="false"
- multi-valued="false">
+ <adm:property name="force-change-on-add">
<adm:synopsis>
Indicates whether users will be forced to change their passwords
upon first authenticating to the Directory Server after their
account has been created.
</adm:synopsis>
- <adm:description>
- Indicates whether users will be forced to change their passwords
- upon first authenticating to the Directory Server after their
- account has been created. Changes to this configuration attribute
- will take effect immediately.
- </adm:description>
<adm:default-behavior>
<adm:defined>
<adm:value>false</adm:value>
@@ -248,21 +219,14 @@
</ldap:attribute>
</adm:profile>
</adm:property>
-
-
-
- <adm:property name="force-change-on-reset" mandatory="false"
- multi-valued="false">
+ <adm:property name="force-change-on-reset">
<adm:synopsis>
Indicates whether users will be forced to change their passwords
if they are reset by an administrator.
</adm:synopsis>
<adm:description>
- Indicates whether users will be forced to change their passwords
- if they are reset by an administrator. For this purpose, anyone
- with permission to change a given user's password other than that
- user will be considered an administrator. Changes to this
- configuration attribute will take effect immediately.
+ For this purpose, anyone with permission to change a given user's
+ password other than that user will be considered an administrator.
</adm:description>
<adm:default-behavior>
<adm:defined>
@@ -277,23 +241,14 @@
<ldap:name>ds-cfg-force-change-on-reset</ldap:name>
</ldap:attribute>
</adm:profile>
-
-
</adm:property>
<adm:property name="skip-validation-for-administrators"
- mandatory="false" multi-valued="false">
+ advanced="true">
<adm:synopsis>
Indicates whether passwords set by administrators will be allowed
to bypass the password validation process that will be required
for user password changes.
</adm:synopsis>
- <adm:description>
- Indicates whether passwords set by administrators (in add, modify,
- or password modify operations) will be allowed to bypass the
- password validation process that will be required for user
- password changes. Changes to this configuration attribute will
- take effect immediately.
- </adm:description>
<adm:default-behavior>
<adm:defined>
<adm:value>false</adm:value>
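Review bot: The description removed from skip-validation-for-administrators held the only statement of which operations the bypass covers ("in add, modify, or password modify operations"), and the remaining synopsis does not carry it. This hunk also tags the property `advanced="true"`, which presumably hides it from default administration views, so the detail a policy reviewer would look for becomes harder to find at the moment it is deleted. Keep a short description, such as `<adm:description>Applies to passwords set by administrators in add, modify, or password modify operations.</adm:description>`. The same tag is added to allow-multiple-password-values and allow-pre-encoded-passwords in later hunks, where the risk wording is kept. The property element closes outside this hunk.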
@@ -308,10 +263,7 @@
</ldap:attribute>
</adm:profile>
</adm:property>
-
-
- <adm:property name="password-generator" mandatory="false"
- multi-valued="false">
+ <adm:property name="password-generator">
<adm:synopsis>
Specifies the name of the password generator that should be used
with the associated password policy.
@@ -338,21 +290,15 @@
</ldap:attribute>
</adm:profile>
</adm:property>
-
-
- <adm:property name="require-secure-authentication" mandatory="false"
- multi-valued="false">
+ <adm:property name="require-secure-authentication">
<adm:synopsis>
Indicates whether users with the associated password policy will
be required to authenticate in a secure manner.
</adm:synopsis>
<adm:description>
- Indicates whether users with the associated password policy will
- be required to authenticate in a secure manner. This could mean
- either using a secure communication channel between the client and
- the server, or using a SASL mechanism that does not expose the
- credentials. Changes to this configuration attribute will take
- effect immediately.
+ This could mean either using a secure communication channel
+ between the client and the server, or using a SASL mechanism that
+ does not expose the credentials.
</adm:description>
<adm:default-behavior>
<adm:defined>
@@ -368,21 +314,12 @@
</ldap:attribute>
</adm:profile>
</adm:property>
-
-
- <adm:property name="require-secure-password-changes" mandatory="false"
- multi-valued="false">
+ <adm:property name="require-secure-password-changes">
<adm:synopsis>
Indicates whether users with the associated password policy will
be required to change their password in a secure manner that does
not expose the credentials.
</adm:synopsis>
- <adm:description>
- Indicates whether users with the associated password policy will
- be required to change their password in a secure manner that does
- not expose the credentials. Changes to this configuration
- attribute will take effect immediately.
- </adm:description>
<adm:default-behavior>
<adm:defined>
<adm:value>false</adm:value>
@@ -397,23 +334,17 @@
</ldap:attribute>
</adm:profile>
</adm:property>
-
-
- <adm:property name="allow-multiple-password-values" mandatory="false"
- multi-valued="false">
+ <adm:property name="allow-multiple-password-values" advanced="true">
<adm:synopsis>
Indicates whether user entries will be allowed to have multiple
distinct values for the password attribute.
</adm:synopsis>
<adm:description>
- Indicates whether user entries will be allowed to have multiple
- distinct values for the password attribute. This is potentially
- dangerous because many mechanisms used to change the password do
- not work well with such a configuration. If multiple password
- values are allowed, then any of them may be used to authenticate,
- and they will all be subject to the same policy constraints.
- Changes to this configuration attribute will take effect
- immediately.
+ This is potentially dangerous because many mechanisms used to
+ change the password do not work well with such a configuration. If
+ multiple password values are allowed, then any of them may be used
+ to authenticate, and they will all be subject to the same policy
+ constraints.
</adm:description>
<adm:default-behavior>
<adm:defined>
@@ -429,19 +360,15 @@
</ldap:attribute>
</adm:profile>
</adm:property>
-
- <adm:property name="allow-pre-encoded-passwords" mandatory="false"
- multi-valued="false">
+ <adm:property name="allow-pre-encoded-passwords" advanced="true">
<adm:synopsis>
- _Indicates whether users will be allowed to change their passwords
+ Indicates whether users will be allowed to change their passwords
by providing a pre-encoded value.
</adm:synopsis>
<adm:description>
- Indicates whether users will be allowed to change their passwords
- by providing a pre-encoded value. This can cause a security risk
- because the clear-text version of the password is not known and
- therefore validation checks cannot be applied to it. Changes to
- this configuration attribute will take effect immediately.
+ This can cause a security risk because the clear-text version of
+ the password is not known and therefore validation checks cannot
+ be applied to it.
</adm:description>
<adm:default-behavior>
<adm:defined>
@@ -457,23 +384,18 @@
</ldap:attribute>
</adm:profile>
</adm:property>
-
- <adm:property name="min-password-age" mandatory="false"
- multi-valued="false">
+ <adm:property name="min-password-age">
<adm:synopsis>
Specifies the minimum length of time that must pass after a
password change before the user will be allowed to change the
password again.
</adm:synopsis>
<adm:description>
- Specifies the minimum length of time that must pass after a
- password change before the user will be allowed to change the
- password again. The value of this attribute should be an integer
- followed by a unit of seconds, minutes, hours, days, or weeks.
- This setting can be used to prevent users from changing their
- passwords repeatedly over a short period of time to flush and old
- password from the history so that it may be re-used. Changes to
- this configuration attribute will take effect immediately.
+ The value of this attribute should be an integer followed by a
+ unit of seconds, minutes, hours, days, or weeks. This setting can
+ be used to prevent users from changing their passwords repeatedly
+ over a short period of time to flush and old password from the
+ history so that it may be re-used.
</adm:description>
<adm:default-behavior>
<adm:defined>
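Review bot: The rewritten min-password-age description still reads "to flush and old password from the history", where "and" should be "an". Since both lines are new in this hunk, they can be corrected here to `over a short period of time to flush an old password from the` and `history so that it may be re-used.` The property element continues past the end of the hunk.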
@@ -489,21 +411,16 @@
</ldap:attribute>
</adm:profile>
</adm:property>
-
- <adm:property name="max-password-age" mandatory="false"
- multi-valued="false">
+ <adm:property name="max-password-age">
<adm:synopsis>
Specifies the maximum length of time that a user may continue
- using the same password before it must be changed.
+ using the same password before it must be changed (i.e., the
+ password expiration interval).
</adm:synopsis>
<adm:description>
- Specifies the maximum length of time that a user may continue
- using the same password before it must be changed (i.e., the
- password expiration interval). The value of this attribute should
- be an integer followed by a unit of seconds, minutes, hours, days,
- or weeks. A value of 0 seconds will disable password expiration.
- Changes to this configuration attribute will take effect
- immediately.
+ The value of this attribute should be an integer followed by a
+ unit of seconds, minutes, hours, days, or weeks. A value of 0
+ seconds will disable password expiration.
</adm:description>
<adm:default-behavior>
<adm:defined>
@@ -519,22 +436,16 @@
</ldap:attribute>
</adm:profile>
</adm:property>
-
-
- <adm:property name="max-password-reset-age" mandatory="false"
- multi-valued="false">
+ <adm:property name="max-password-reset-age">
<adm:synopsis>
Specifies the maximum length of time that users have to change
passwords after they have been reset by an administrator before
they become locked.
</adm:synopsis>
<adm:description>
- Specifies the maximum length of time that users have to change
- passwords after they have been reset by an administrator before
- they become locked. The value of this attribute should be an
- integer followed by a unit of seconds, minutes, hours, days, or
- weeks. A value of 0 seconds will disable this feature. Changes to
- this configuration attribute will take effect immediately.
+ The value of this attribute should be an integer followed by a
+ unit of seconds, minutes, hours, days, or weeks. A value of 0
+ seconds will disable this feature.
</adm:description>
<adm:default-behavior>
<adm:defined>
@@ -550,22 +461,16 @@
</ldap:attribute>
</adm:profile>
</adm:property>
-
- <adm:property name="password-expiration-warning-interval"
- mandatory="false" multi-valued="false">
+ <adm:property name="password-expiration-warning-interval">
<adm:synopsis>
Specifies the maximum length of time before a user's password
actually expires that the server will begin to include warning
notifications in bind responses for that user.
</adm:synopsis>
<adm:description>
- Specifies the maximum length of time before a user's password
- actually expires that the server will begin to include warning
- notifications in bind responses for that user. The value of this
- attribute should be an integer followed by a unit of seconds,
- minutes, hours, days, or weeks. A value of 0 seconds will disable
- the warning interval. Changes to this configuration attribute will
- take effect immediately.
+ The value of this attribute should be an integer followed by a
+ unit of seconds, minutes, hours, days, or weeks. A value of 0
+ seconds will disable the warning interval.
</adm:description>
<adm:default-behavior>
<adm:defined>
@@ -583,23 +488,18 @@
</ldap:attribute>
</adm:profile>
</adm:property>
-
- <adm:property name="expire-passwords-without-warning"
- mandatory="false" multi-valued="false">
+ <adm:property name="expire-passwords-without-warning">
<adm:synopsis>
Indicates whether the Directory Server should allow a user's
password to expire even if that user has never seen an expiration
warning notification.
</adm:synopsis>
<adm:description>
- Indicates whether the Directory Server should allow a user's
- password to expire even if that user has never seen an expiration
- warning notification. If this setting is enabled, then accounts
- will always be expired when the expiration time arrives. If it is
- disabled, then the user will always receive at least one warning
- notification, and the password expiration will be set to the
- warning time plus the warning interval. Changes to this
- configuration attribute will take effect immediately.
+ If this setting is enabled, then accounts will always be expired
+ when the expiration time arrives. If it is disabled, then the user
+ will always receive at least one warning notification, and the
+ password expiration will be set to the warning time plus the
+ warning interval.
</adm:description>
<adm:default-behavior>
<adm:defined>
@@ -615,20 +515,12 @@
</ldap:attribute>
</adm:profile>
</adm:property>
-
- <adm:property name="allow-expired-password-changes" mandatory="false"
- multi-valued="false">
+ <adm:property name="allow-expired-password-changes">
<adm:synopsis>
Indicates whether a user whose password is expired will still be
allowed to change that password using the password modify extended
operation.
</adm:synopsis>
- <adm:description>
- Indicates whether a user whose password is expired will still be
- allowed to change that password using the password modify extended
- operation. Changes to this configuration attribute will take
- effect immediately.
- </adm:description>
<adm:default-behavior>
<adm:defined>
<adm:value>false</adm:value>
@@ -643,20 +535,14 @@
</ldap:attribute>
</adm:profile>
</adm:property>
-
- <adm:property name="grace-login-count" mandatory="false"
- multi-valued="false">
+ <adm:property name="grace-login-count">
<adm:synopsis>
Specifies the number of grace logins that a user will be allowed
after the account has expired to allow that user to choose a new
password.
</adm:synopsis>
<adm:description>
- Specifies the number of grace logins that a user will be allowed
- after the account has expired to allow that user to choose a new
- password. A value of 0 indicates that no grace logins will be
- allowed. Changes to this configuration attribute will take effect
- immediately.
+ A value of 0 indicates that no grace logins will be allowed.
</adm:description>
<adm:default-behavior>
<adm:defined>
@@ -672,19 +558,14 @@
</ldap:attribute>
</adm:profile>
</adm:property>
-
- <adm:property name="lockout-failure-count" mandatory="false"
- multi-valued="false">
+ <adm:property name="lockout-failure-count">
<adm:synopsis>
Specifies the maximum number of authentication failures that a
user should be allowed before the account is locked out.
</adm:synopsis>
<adm:description>
- Specifies the maximum number of authentication failures that a
- user should be allowed before the account is locked out. A value
- of 0 indicates that accounts should never be locked out due to
- failed attempts. changes to this configuration attribute will take
- effect immediately.
+ A value of 0 indicates that accounts should never be locked out
+ due to failed attempts.
</adm:description>
<adm:default-behavior>
<adm:defined>
@@ -700,21 +581,16 @@
</ldap:attribute>
</adm:profile>
</adm:property>
-
- <adm:property name="lockout-duration" mandatory="false"
- multi-valued="false">
+ <adm:property name="lockout-duration">
<adm:synopsis>
Specifies the length of time that an account should be locked
after too many authentication failures.
</adm:synopsis>
<adm:description>
- Specifies the length of time that an account should be locked
- after too many authentication failures. The value of this
- attribute should be an integer followed by a unit of seconds,
- minutes, hours, days, or weeks. A value of 0 seconds indicates
- that the account should remain locked until an administrator
- resets the password. Changes to this configuration attribute will
- take effect immediately.
+ The value of this attribute should be an integer followed by a
+ unit of seconds, minutes, hours, days, or weeks. A value of 0
+ seconds indicates that the account should remain locked until an
+ administrator resets the password.
</adm:description>
<adm:default-behavior>
<adm:defined>
@@ -730,23 +606,18 @@
</ldap:attribute>
</adm:profile>
</adm:property>
-
- <adm:property name="lockout-failure-expiration-interval"
- mandatory="false" multi-valued="false">
+ <adm:property name="lockout-failure-expiration-interval">
<adm:synopsis>
Specifies the length of time that should pass before an
authentication failure is no longer counted against a user for the
purposes of account lockout.
</adm:synopsis>
<adm:description>
- Specifies the length of time that should pass before an
- authentication failure is no longer counted against a user for the
- purposes of account lockout. The value of this attribute should be
- an integer followed by a unit of seconds, minutes, hours, days, or
- weeks. A value of 0 seconds indicates that the authentication
- failures should never expire. The failure count will always be
- cleared upon a successful authentication. Changes to this
- configuration attribute will take effect immediately.
+ The value of this attribute should be an integer followed by a
+ unit of seconds, minutes, hours, days, or weeks. A value of 0
+ seconds indicates that the authentication failures should never
+ expire. The failure count will always be cleared upon a successful
+ authentication.
</adm:description>
<adm:default-behavior>
<adm:defined>
@@ -764,23 +635,18 @@
</ldap:attribute>
</adm:profile>
</adm:property>
-
- <adm:property name="require-change-by-time" mandatory="false"
- multi-valued="false">
+ <adm:property name="require-change-by-time">
<adm:synopsis>
Specifies the time by which all users with the associated password
policy must change their passwords.
</adm:synopsis>
<adm:description>
- Specifies the time by which all users with the associated password
- policy must change their passwords. The value should be expressed
- in a generalized time format. If this time is equal to the current
- time or is in the past, then all users will be required to change
- their passwords immediately. The behavior of the server in this
- mode will be identical to the behavior observed when users are
- forced to change their passwords after an administrative reset.
- Changes to this configuration attribute will take effect
- immediately.
+ The value should be expressed in a generalized time format. If
+ this time is equal to the current time or is in the past, then all
+ users will be required to change their passwords immediately. The
+ behavior of the server in this mode will be identical to the
+ behavior observed when users are forced to change their passwords
+ after an administrative reset.
</adm:description>
<adm:default-behavior>
<adm:undefined />
@@ -794,23 +660,17 @@
</ldap:attribute>
</adm:profile>
</adm:property>
-
- <adm:property name="last-login-time-attribute" mandatory="false"
- multi-valued="false">
+ <adm:property name="last-login-time-attribute">
<adm:synopsis>
Specifies the name or OID of the attribute type that should be
used to hold the last login time for users with the associated
password policy.
</adm:synopsis>
<adm:description>
- Specifies the name or OID of the attribute type that should be
- used to hold the last login time for users with the associated
- password policy. This attribute type must be defined in the
- Directory Server schema and must either be defined as an
- operational attribute or must be allowed by the set of
- objectClasses for all users with the associated password policy.
- Changes to this configuration attribute will take effect
- immediately.
+ This attribute type must be defined in the Directory Server schema
+ and must either be defined as an operational attribute or must be
+ allowed by the set of objectClasses for all users with the
+ associated password policy.
</adm:description>
<adm:default-behavior>
<adm:undefined />
@@ -824,21 +684,15 @@
</ldap:attribute>
</adm:profile>
</adm:property>
-
- <adm:property name="last-login-time-format" mandatory="false"
- multi-valued="false">
+ <adm:property name="last-login-time-format">
<adm:synopsis>
Specifies the format string that should be used to generate the
last login time value for users with the associated password
policy.
</adm:synopsis>
<adm:description>
- Specifies the format string that should be used to generate the
- last login time value for users with the associated password
- policy. This format string should conform to the syntax described
- in the API documentation for the java.text.SimpleDateFormat class.
- Changes to this configuration attribute will take effect
- immediately.
+ This format string should conform to the syntax described in the
+ API documentation for the java.text.SimpleDateFormat class.
</adm:description>
<adm:default-behavior>
<adm:undefined />
@@ -852,8 +706,7 @@
</ldap:attribute>
</adm:profile>
</adm:property>
-
- <adm:property name="previous-last-login-time-format" mandatory="false"
+ <adm:property name="previous-last-login-time-format"
multi-valued="true">
<adm:synopsis>
Specifies the format string(s) that may have been used with the
@@ -861,14 +714,10 @@
the password policy.
</adm:synopsis>
<adm:description>
- Specifies the format string(s) that may have been used with the
- last login time at any point in the past for users associated with
- the password policy. These values are used to make it possible to
- parse previous values, but will not be used to set new values.
- These format strings should conform to the syntax described in the
- API documentation for the java.text.SimpleDateFormat class.
- Changes to this configuration attribute will take effect
- immediately.
+ These values are used to make it possible to parse previous
+ values, but will not be used to set new values. These format
+ strings should conform to the syntax described in the API
+ documentation for the java.text.SimpleDateFormat class.
</adm:description>
<adm:default-behavior>
<adm:undefined />
@@ -882,24 +731,18 @@
</ldap:attribute>
</adm:profile>
</adm:property>
-
- <adm:property name="idle-lockout-interval" mandatory="false"
- multi-valued="false">
+ <adm:property name="idle-lockout-interval">
<adm:synopsis>
Specifies the maximum length of time that an account may remain
idle (i.e., the associated user does not authenticate to the
server) before that user is locked out.
</adm:synopsis>
<adm:description>
- Specifies the maximum length of time that an account may remain
- idle (i.e., the associated user does not authenticate to the
- server) before that user is locked out. The value of this
- attribute should be an integer followed by a unit of seconds,
- minutes, hours, days, or weeks. A value of 0 seconds indicates
- that idle accounts should not automatically be locked out. This
- feature will only be available if the last login time is
- maintained. Changes to this configuration attribute will take
- effect immediately.
+ The value of this attribute should be an integer followed by a
+ unit of seconds, minutes, hours, days, or weeks. A value of 0
+ seconds indicates that idle accounts should not automatically be
+ locked out. This feature will only be available if the last login
+ time is maintained.
</adm:description>
<adm:default-behavior>
<adm:defined>
@@ -915,20 +758,22 @@
</ldap:attribute>
</adm:profile>
</adm:property>
-
- <adm:property name="state-update-failure-policy" mandatory="false"
- multi-valued="false">
+ <adm:property name="state-update-failure-policy" advanced="true">
<adm:synopsis>
- Specifies how the server should deal with the inability to update password
- policy state information during an authentication attempt. In particular,
- it may be used to control whether an otherwise successful bind operation
- should fail if a failure occurs while attempting to update password policy
- state information (e.g., to clear a record of previous authentication
- failures or to update the last login time), or even whether to reject a
- bind request if it is known ahead of time that it will not be possible to
- update the authentication failure times in the event of an unsuccessful
- bind attempt (e.g., if the backend writability mode is disabled).
+ Specifies how the server should deal with the inability to update
+ password policy state information during an authentication
+ attempt.
</adm:synopsis>
+ <adm:description>
+ In particular, it may be used to control whether an otherwise
+ successful bind operation should fail if a failure occurs while
+ attempting to update password policy state information (e.g., to
+ clear a record of previous authentication failures or to update
+ the last login time), or even whether to reject a bind request if
+ it is known ahead of time that it will not be possible to update
+ the authentication failure times in the event of an unsuccessful
+ bind attempt (e.g., if the backend writability mode is disabled).
+ </adm:description>
<adm:default-behavior>
<adm:defined>
<adm:value>reactive</adm:value>
@@ -938,23 +783,23 @@
<adm:enumeration>
<adm:value name="ignore">
<adm:synopsis>
- If a bind attempt would otherwise be successful, then do not reject
- it if a problem occurs while attempting to update the password
- policy state information for the user.
+ If a bind attempt would otherwise be successful, then do not
+ reject it if a problem occurs while attempting to update the
+ password policy state information for the user.
</adm:synopsis>
</adm:value>
<adm:value name="reactive">
<adm:synopsis>
- Even if a bind attempt would otherwise be successful, reject it if a
- problem occurs while attempting to update the password policy state
- information for the user.
+ Even if a bind attempt would otherwise be successful, reject
+ it if a problem occurs while attempting to update the
+ password policy state information for the user.
</adm:synopsis>
</adm:value>
<adm:value name="proactive">
<adm:synopsis>
- Proactively reject any bind attempt if it is known ahead of time
- that it would not be possible to update the user's password policy
- state information.
+ Proactively reject any bind attempt if it is known ahead of
+ time that it would not be possible to update the user's
+ password policy state information.
</adm:synopsis>
</adm:value>
</adm:enumeration>
@@ -965,19 +810,21 @@
</ldap:attribute>
</adm:profile>
</adm:property>
-
- <adm:property name="password-history-count" mandatory="false"
- multi-valued="false">
+ <adm:property name="password-history-count">
<adm:synopsis>
- Specifies the maximum number of former passwords to maintain in the
- password history. When choosing a new password, the proposed password
- will be checked to ensure that it does not match the current password, nor
- any other password in the history list. A value of zero indicates that
- either no password history is to be maintained (if the password history
- duration has a value of zero seconds), or that there is no maximum number
- of passwords to maintain in the history (if the password history duration
- has a value greater than zero seconds).
+ Specifies the maximum number of former passwords to maintain in
+ the password history.
</adm:synopsis>
+ <adm:description>
+ When choosing a new password, the proposed password will be
+ checked to ensure that it does not match the current password, nor
+ any other password in the history list. A value of zero indicates
+ that either no password history is to be maintained (if the
+ password history duration has a value of zero seconds), or that
+ there is no maximum number of passwords to maintain in the history
+ (if the password history duration has a value greater than zero
+ seconds).
+ </adm:description>
<adm:default-behavior>
<adm:defined>
<adm:value>0</adm:value>
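Review bot: The default of `0` here, together with the `0 seconds` default on `password-history-duration` in the following hunk, means by the description's own rule that no password history is maintained, so reuse of earlier passwords is presumably not prevented until an administrator changes one of them. Neither description says this outright; a reader has to combine the zero cases of two separate properties to work it out. I would add to both descriptions a sentence like `With the default values of both properties, no password history is maintained.` The property body continues outside this hunk.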
@@ -992,27 +839,28 @@
</ldap:attribute>
</adm:profile>
</adm:property>
-
- <adm:property name="password-history-duration" mandatory="false"
- multi-valued="false">
+ <adm:property name="password-history-duration">
<adm:synopsis>
- Specifies the maximum length of time that passwords should remain in the
- password history. When choosing a new password, the proposed password
- will be checked to ensure that it does not match the current password, nor
- any other password in the history list. A value of zero seconds indicates
- that either no password history is to be maintained (if the password
- history count has a value of zero), or that there is no maximum duration
- for passwords in the history (if the password history count has a value
- greater than zero).
+ Specifies the maximum length of time that passwords should remain
+ in the password history.
</adm:synopsis>
+ <adm:description>
+ When choosing a new password, the proposed password will be
+ checked to ensure that it does not match the current password, nor
+ any other password in the history list. A value of zero seconds
+ indicates that either no password history is to be maintained (if
+ the password history count has a value of zero), or that there is
+ no maximum duration for passwords in the history (if the password
+ history count has a value greater than zero).
+ </adm:description>
<adm:default-behavior>
<adm:defined>
<adm:value>0 seconds</adm:value>
</adm:defined>
</adm:default-behavior>
<adm:syntax>
- <adm:duration base-unit="s" lower-limit="0" upper-limit="2147483647"
- allow-unlimited="false" />
+ <adm:duration base-unit="s" lower-limit="0"
+ upper-limit="2147483647" allow-unlimited="false" />
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
@@ -1020,6 +868,4 @@
</ldap:attribute>
</adm:profile>
</adm:property>
-
</adm:managed-object>
-
--
Gitblit v1.10.0