ds-cfg-password-policy
  Object class OID: 1.3.6.1.4.1.26027.1.2.62
  Superior class: top
  Define a number of password management rules, as well as requirements for authentication processing.

Changes to any of the configuration attributes listed below take effect immediately.

ds-cfg-password-attribute
  OID: 1.3.6.1.4.1.26027.1.1.192
  Specifies the attribute type used to hold user passwords. This attribute type must be defined in the server schema.

ds-cfg-default-password-storage-scheme
  OID: 1.3.6.1.4.1.26027.1.1.178
  Specifies the password storage scheme (or set of schemes) that will be used to encode clear-text passwords. If multiple default storage schemes are defined for a password policy, then the same password will be encoded using all of those schemes.

ds-cfg-deprecated-password-storage-scheme
  OID: 1.3.6.1.4.1.26027.1.1.179
  Specifies the password storage scheme (or set of schemes) that should be considered deprecated. If an authenticating user has a password encoded with one of these schemes, those passwords will be removed and replaced with passwords encoded using the default schemes.

ds-cfg-password-validator-dn
  OID: 1.3.6.1.4.1.26027.1.1.195
  Specifies the DN(s) of the password validator(s) that should be used with the associated password storage scheme.

ds-cfg-account-status-notification-handler-dn
  OID: 1.3.6.1.4.1.26027.1.1.174
  Specifies the DN(s) of the account status notification handler(s) that should be used with the associated password storage scheme.

ds-cfg-allow-user-password-changes
  OID: 1.3.6.1.4.1.26027.1.1.177
  Default: true
  Indicates whether users will be allowed to change their own passwords. This check is made in addition to access control evaluation, and therefore both must allow the password change for it to occur.

ds-cfg-password-change-requires-current-password
  OID: 1.3.6.1.4.1.26027.1.1.198
  Default: false
  Indicates whether user password changes will be required to use the password modify extended operation and include the user's current password before the change will be allowed.

ds-cfg-force-change-on-add
  OID: 1.3.6.1.4.1.26027.1.1.208
  Default: false
  Indicates whether users will be forced to change their passwords upon first authenticating to the Directory Server after their account has been created.

ds-cfg-force-change-on-reset
  OID: 1.3.6.1.4.1.26027.1.1.181
  Default: false
  Indicates whether users will be forced to change their passwords if they are reset by an administrator. For this purpose, anyone with permission to change a given user's password other than that user will be considered an administrator.

ds-cfg-skip-validation-for-administrators
  OID: 1.3.6.1.4.1.26027.1.1.201
  Default: false
  Indicates whether passwords set by administrators (in add, modify, or password modify operations) will be allowed to bypass the password validation process that will be required for user password changes.

ds-cfg-password-generator-dn
  OID: 1.3.6.1.4.1.26027.1.1.194
  Specifies the DN of the configuration entry that references the password generator for use with the associated password policy. This will be used in conjunction with the password modify extended operation to generate a new password for a user when none was provided in the request.

ds-cfg-require-secure-authentication
  OID: 1.3.6.1.4.1.26027.1.1.199
  Default: false
  Indicates whether users with the associated password policy will be required to authenticate in a secure manner. This could mean either using a secure communication channel between the client and the server, or using a SASL mechanism that does not expose the credentials.

ds-cfg-require-secure-password-changes
  OID: 1.3.6.1.4.1.26027.1.1.200
  Default: false
  Indicates whether users with the associated password policy will be required to change their password in a secure manner that does not expose the credentials.

ds-cfg-allow-multiple-password-values
  OID: 1.3.6.1.4.1.26027.1.1.209
  Default: false
  Indicates whether user entries will be allowed to have multiple distinct values for the password attribute. This is potentially dangerous because many mechanisms used to change the password do not work well with such a configuration. If multiple password values are allowed, then any of them may be used to authenticate, and they will all be subject to the same policy constraints.

ds-cfg-allow-pre-encoded-passwords
  OID: 1.3.6.1.4.1.26027.1.1.176
  Default: false
  Indicates whether users will be allowed to change their passwords by providing a pre-encoded value. This can cause a security risk because the clear-text version of the password is not known and therefore validation checks cannot be applied to it.

ds-cfg-minimum-password-age
  OID: 1.3.6.1.4.1.26027.1.1.191
  Default: 0 seconds
  Specifies the minimum length of time that must pass after a password change before the user will be allowed to change the password again. The value of this attribute should be an integer followed by a unit of seconds, minutes, hours, days, or weeks. This setting can be used to prevent users from changing their passwords repeatedly over a short period of time to flush an old password from the history so that it may be re-used.

ds-cfg-maximum-password-age
  OID: 1.3.6.1.4.1.26027.1.1.189
  Default: 0 seconds
  Specifies the maximum length of time that a user may continue using the same password before it must be changed (i.e., the password expiration interval). The value of this attribute should be an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds will disable password expiration.

ds-cfg-maximum-password-reset-age
  OID: 1.3.6.1.4.1.26027.1.1.190
  Default: 0 seconds
  Specifies the maximum length of time that users have to change passwords after they have been reset by an administrator before they become locked. The value of this attribute should be an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds will disable this feature.

ds-cfg-password-expiration-warning-interval
  OID: 1.3.6.1.4.1.26027.1.1.193
  Default: 5 days
  Specifies the maximum length of time before a user's password actually expires that the server will begin to include warning notifications in bind responses for that user. The value of this attribute should be an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds will disable the warning interval.

ds-cfg-expire-passwords-without-warning
  OID: 1.3.6.1.4.1.26027.1.1.180
  Default: false
  Indicates whether the Directory Server should allow a user's password to expire even if that user has never seen an expiration warning notification. If this setting is enabled, then accounts will always be expired when the expiration time arrives. If it is disabled, then the user will always receive at least one warning notification, and the password expiration will be set to the warning time plus the warning interval.

ds-cfg-allow-expired-password-changes
  OID: 1.3.6.1.4.1.26027.1.1.175
  Default: false
  Indicates whether a user whose password is expired will still be allowed to change that password using the password modify extended operation.

ds-cfg-grace-login-count
  OID: 1.3.6.1.4.1.26027.1.1.182
  Default: 0
  Specifies the number of grace logins that a user will be allowed after the account has expired to allow that user to choose a new password. A value of 0 indicates that no grace logins will be allowed.

ds-cfg-lockout-failure-count
  OID: 1.3.6.1.4.1.26027.1.1.187
  Default: 0
  Specifies the maximum number of authentication failures that a user should be allowed before the account is locked out. A value of 0 indicates that accounts should never be locked out due to failed attempts.

ds-cfg-lockout-duration
  OID: 1.3.6.1.4.1.26027.1.1.186
  Default: 0 seconds
  Specifies the length of time that an account should be locked after too many authentication failures. The value of this attribute should be an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds indicates that the account should remain locked until an administrator resets the password.

ds-cfg-lockout-failure-expiration-interval
  OID: 1.3.6.1.4.1.26027.1.1.188
  Default: 0 seconds
  Specifies the length of time that should pass before an authentication failure is no longer counted against a user for the purposes of account lockout. The value of this attribute should be an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds indicates that the authentication failures should never expire. The failure count will always be cleared upon a successful authentication.

ds-cfg-require-change-by-time
  OID: 1.3.6.1.4.1.26027.1.1.197
  Specifies the time by which all users with the associated password policy must change their passwords. The value should be expressed in a generalized time format. If this time is equal to the current time or is in the past, then all users will be required to change their passwords immediately. The behavior of the server in this mode will be identical to the behavior observed when users are forced to change their passwords after an administrative reset.

ds-cfg-last-login-time-attribute
  OID: 1.3.6.1.4.1.26027.1.1.184
  Specifies the name or OID of the attribute type that should be used to hold the last login time for users with the associated password policy. This attribute type must be defined in the Directory Server schema and must either be defined as an operational attribute or must be allowed by the set of objectClasses for all users with the associated password policy.

ds-cfg-last-login-time-format
  OID: 1.3.6.1.4.1.26027.1.1.185
  Specifies the format string that should be used to generate the last login time value for users with the associated password policy. This format string should conform to the syntax described in the API documentation for the java.text.SimpleDateFormat class.

ds-cfg-previous-last-login-time-format
  OID: 1.3.6.1.4.1.26027.1.1.196
  Specifies the format string(s) that may have been used with the last login time at any point in the past for users associated with the password policy. These values are used to make it possible to parse previous values, but will not be used to set new values. These format strings should conform to the syntax described in the API documentation for the java.text.SimpleDateFormat class.

ds-cfg-idle-lockout-interval
  OID: 1.3.6.1.4.1.26027.1.1.183
  Default: 0 seconds
  Specifies the maximum length of time that an account may remain idle (i.e., the associated user does not authenticate to the server) before that user is locked out. The value of this attribute should be an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds indicates that idle accounts should not automatically be locked out. This feature will only be available if the last login time is maintained.
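The following is an added example, not part of the reference above and not the server's own code: a small model of how the three ds-cfg-lockout-* properties interact on each bind, using the documented meanings of the 0 values (failure count 0 never locks, duration 0 seconds locks until an administrative reset, expiration interval 0 seconds never expires failures) and the duration syntax the reference describes. The policy values and the admin_reset helper are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Unit words exactly as the reference lists them (integer followed by a unit).
_UNITS = {"seconds": 1, "minutes": 60, "hours": 3600, "days": 86400, "weeks": 604800}

def parse_duration(value: str) -> int:
    """Parse a value such as '15 minutes' into seconds."""
    number, unit = value.strip().split()
    if unit not in _UNITS:
        raise ValueError(f"unknown unit: {unit}")
    return int(number) * _UNITS[unit]

# Constructed policy for the example (the server defaults, all 0, disable lockout).
HARDENED_POLICY = {
    "ds-cfg-lockout-failure-count": 3,
    "ds-cfg-lockout-duration": parse_duration("15 minutes"),
    "ds-cfg-lockout-failure-expiration-interval": parse_duration("10 minutes"),
}

@dataclass
class LockoutState:
    failure_times: list = field(default_factory=list)   # epoch seconds of failed binds
    locked_at: Optional[float] = None                   # None means not locked

def evaluate_bind(policy: dict, state: LockoutState, now: float, success: bool) -> str:
    """Apply the lockout rules to one bind attempt; returns 'ok', 'failed' or 'locked'."""
    count = policy["ds-cfg-lockout-failure-count"]
    duration = policy["ds-cfg-lockout-duration"]
    expiry = policy["ds-cfg-lockout-failure-expiration-interval"]
    if state.locked_at is not None:
        # Duration 0 seconds: remain locked until an administrator resets the password.
        if duration == 0 or now < state.locked_at + duration:
            return "locked"
        state.locked_at = None            # lockout duration has elapsed
        state.failure_times.clear()
    if success:
        state.failure_times.clear()       # count is always cleared on success
        return "ok"
    if expiry > 0:                        # 0 seconds: failures never expire
        state.failure_times = [t for t in state.failure_times if now - t < expiry]
    state.failure_times.append(now)
    if count > 0 and len(state.failure_times) >= count:   # count 0: never lock out
        state.locked_at = now
        return "locked"
    return "failed"

def admin_reset(state: LockoutState) -> None:
    """Hypothetical helper modelling an administrative password reset."""
    state.locked_at = None
    state.failure_times.clear()
```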