From 4a563468dbe03e9b6e286a549c2c366f41388adb Mon Sep 17 00:00:00 2001
From: Mark Craig <mark.craig@forgerock.com>
Date: Mon, 03 Feb 2014 14:54:08 +0000
Subject: [PATCH] CR-2934 fix for OPENDJ-1318: Document password policy subentry mechanism for setting a password validator

---
 opendj-sdk/opends/src/main/docbkx/admin-guide/chap-pwd-policy.xml  |   66 ++++++++++++++++++++++++++++++++
 opendj-sdk/opends/src/main/docbkx/release-notes/chap-whats-new.xml |   18 +++++++--
 2 files changed, 79 insertions(+), 5 deletions(-)

diff --git a/opendj-sdk/opends/src/main/docbkx/admin-guide/chap-pwd-policy.xml b/opendj-sdk/opends/src/main/docbkx/admin-guide/chap-pwd-policy.xml
index d240434..4ce28a5 100644
--- a/opendj-sdk/opends/src/main/docbkx/admin-guide/chap-pwd-policy.xml
+++ b/opendj-sdk/opends/src/main/docbkx/admin-guide/chap-pwd-policy.xml
@@ -232,7 +232,7 @@
      password policy attributes.</para>
     </listitem>
    </itemizedlist>
-   
+
    <para>Values of the following properties are inherited from the default
    password policy for Internet-Draft based password policies.</para>
    <itemizedlist>
@@ -258,6 +258,65 @@
     <listitem><para><literal>skip-validation-for-administrators</literal></para></listitem>
     <listitem><para><literal>state-update-failure-policy</literal></para></listitem>
    </itemizedlist>
+
+   <para>
+    If you would rather specify password validators for your policy,
+    you can configure password validators for a subentry password policy
+    by adding the auxiliary object class <literal>pwdValidatorPolicy</literal>
+    and setting the multi-valued attribute,
+    <literal>ds-cfg-password-validator</literal>,
+    to the DNs of the password validator configuration entries.
+   </para>
+
+   <para>
+    The following example shows a subentry password policy
+    that references two password validator configuration entries.
+    The Character Set password validator determines
+    whether a proposed password is acceptable
+    by checking whether it contains a sufficient number of characters
+    from one or more user-defined character sets and ranges.
+    The Length-Based password validator determines
+    whether a proposed password is acceptable
+    based on whether the number of characters it contains
+    falls within an acceptable range of values.
+    Both are enabled in the default OpenDJ directory server configuration.
+   </para>
+
+   <programlisting language="ldif"
+   >dn: cn=Subentry Password Policy with Validators,dc=example,dc=com
+objectClass: top
+objectClass: subentry
+objectClass: pwdPolicy
+objectClass: pwdValidatorPolicy
+cn: Subentry Password Policy with Validators
+pwdAttribute: userPassword
+pwdLockout: TRUE
+pwdMaxFailure: 3
+pwdFailureCountInterval: 300
+pwdLockoutDuration: 300
+pwdAllowUserChange: TRUE
+pwdSafeModify: TRUE
+ds-cfg-password-validator: cn=Character Set,cn=Password Validators,cn=config
+ds-cfg-password-validator: cn=Length-Based Password Validator,
+ cn=Password Validators,cn=config
+subtreeSpecification: {base "ou=people", specificationFilter
+  "(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }
+
+</programlisting>
+
+   <para>
+    If a referenced password validator cannot be found,
+    then OpenDJ directory server logs an error message
+    when the password policy is invoked.
+    This can occur for example when a subentry password policy is replicated
+    to a directory server where the password validator is not (yet) configured.
+    In that case when a user attempts to change their password,
+    the server fails to find the referenced password validator.
+   </para>
+
+   <para>
+    See also <xref linkend="create-repl-pwp" />.
+   </para>
   </section>
   
   <section xml:id="pwp-application">
@@ -1071,6 +1130,11 @@
 
   <para>Validation does not affect existing passwords, but only takes effect
   when the password is updated.</para>
+
+  <para>
+   You can reference password validators from subentry password policies.
+   See <xref linkend="pwp-replicated" /> for an example.
+  </para>
  </section>
 
  <section xml:id="sample-password-policies">
diff --git a/opendj-sdk/opends/src/main/docbkx/release-notes/chap-whats-new.xml b/opendj-sdk/opends/src/main/docbkx/release-notes/chap-whats-new.xml
index 4564fd2..4ac1b11 100644
--- a/opendj-sdk/opends/src/main/docbkx/release-notes/chap-whats-new.xml
+++ b/opendj-sdk/opends/src/main/docbkx/release-notes/chap-whats-new.xml
@@ -20,15 +20,15 @@
   !
   ! CCPL HEADER END
   !
-  !      Copyright 2011-2013 ForgeRock AS
+  !      Copyright 2011-2014 ForgeRock AS
   !    
 -->
 <chapter xml:id='chap-whats-new'
   xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
   xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
-  xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
-  xmlns:xlink='http://www.w3.org/1999/xlink'
-  xmlns:xinclude='http://www.w3.org/2001/XInclude'>
+  xsi:schemaLocation='http://docbook.org/ns/docbook
+                      http://docbook.org/xml/5.0/xsd/docbook.xsd'
+  xmlns:xlink='http://www.w3.org/1999/xlink'>
   <title>What's New in OpenDJ <?eval ${docTargetVersion}?></title>
 
   <para>Compared to the OpenDJ <?eval ${docPreviousVersion}?> release, OpenDJ
@@ -41,6 +41,16 @@
     </listitem>
 
     <listitem>
+     <para>
+      OpenDJ directory server now provides a mechanism
+      to reference password validators from subentry password policies
+      (<link xlink:show="new"
+             xlink:href="https://bugster.forgerock.org/jira/browse/OPENDJ-1295"
+      >OPENDJ-1295</link>).
+     </para>
+    </listitem>
+
+    <listitem>
      <para>Debian and RPM packages now provide service management scripts so
      that you can manage the server with the <command>service</command>, and
      include documentation files under <filename>/usr/share/doc/opendj*</filename>

--
Gitblit v1.10.0