<?xml version="1.0" encoding="UTF-8"?>
<!--
! CDDL HEADER START
!
! The contents of this file are subject to the terms of the
! Common Development and Distribution License, Version 1.0 only
! (the "License"). You may not use this file except in compliance
! with the License.
!
! You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
! See the License for the specific language governing permissions
! and limitations under the License.
!
! When distributing Covered Code, include this CDDL HEADER in each
! file and include the License file at legal-notices/CDDLv1_0.txt.
! If applicable, add the following below this CDDL HEADER, with the
! fields enclosed by brackets "[]" replaced with your own identifying
! information:
! Portions Copyright [yyyy] [name of copyright owner]
!
! CDDL HEADER END
!
!
! Copyright 2007-2009 Sun Microsystems, Inc.
! Portions Copyright 2011 ForgeRock AS
! -->
<adm:managed-object name="password-policy"
plural-name="password-policies"
extends="authentication-policy"
package="org.opends.server.admin.std"
xmlns:adm="http://www.opends.org/admin"
xmlns:ldap="http://www.opends.org/admin-ldap">
<adm:synopsis>
<adm:user-friendly-plural-name />
define a number of password management rules, as well as
requirements for authentication processing.
</adm:synopsis>
<adm:profile name="ldap">
<ldap:object-class>
<ldap:name>ds-cfg-password-policy</ldap:name>
<ldap:superior>ds-cfg-authentication-policy</ldap:superior>
</ldap:object-class>
</adm:profile>
<adm:property-override name="java-class" advanced="true">
<adm:default-behavior>
<adm:defined>
<adm:value>
</adm:value>
</adm:defined>
</adm:default-behavior>
</adm:property-override>
<adm:property name="password-attribute" mandatory="true">
<adm:synopsis>
Specifies the attribute type used to hold user passwords.
</adm:synopsis>
<adm:description>
This attribute type must be defined in the server schema, and it
must have either the user password or auth password syntax.
</adm:description>
<adm:syntax>
<adm:attribute-type />
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-password-attribute</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="default-password-storage-scheme" mandatory="true"
multi-valued="true">
<adm:synopsis>
Specifies the names of the password storage schemes that are used
to encode clear-text passwords for this password policy.
</adm:synopsis>
<adm:syntax>
<adm:aggregation relation-name="password-storage-scheme"
parent-path="/">
<adm:constraint>
<adm:synopsis>
The referenced password storage schemes must be enabled.
</adm:synopsis>
<adm:target-is-enabled-condition>
<adm:contains property="enabled" value="true" />
</adm:target-is-enabled-condition>
</adm:constraint>
</adm:aggregation>
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-default-password-storage-scheme</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="deprecated-password-storage-scheme"
multi-valued="true">
<adm:synopsis>
Specifies the names of the password storage schemes that are
considered deprecated for this password policy.
</adm:synopsis>
<adm:description>
If a user with this password policy authenticates to the server
values are removed and replaced with values encoded using the
default password storage scheme(s).
</adm:description>
<adm:default-behavior>
<adm:undefined />
</adm:default-behavior>
<adm:syntax>
<adm:aggregation relation-name="password-storage-scheme"
parent-path="/">
<adm:constraint>
<adm:synopsis>
The referenced password storage schemes must be enabled.
</adm:synopsis>
<adm:target-is-enabled-condition>
<adm:contains property="enabled" value="true" />
</adm:target-is-enabled-condition>
</adm:constraint>
</adm:aggregation>
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-deprecated-password-storage-scheme</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="password-validator" multi-valued="true">
<adm:synopsis>
Specifies the names of the password validators that are used
with the associated password storage scheme.
</adm:synopsis>
<adm:description>
The password validators are invoked when a user attempts to provide
a new password, to determine whether the new password is acceptable.
</adm:description>
<adm:default-behavior>
<adm:undefined />
</adm:default-behavior>
<adm:syntax>
<adm:aggregation relation-name="password-validator"
parent-path="/">
<adm:constraint>
<adm:synopsis>
The referenced password validators must be enabled.
</adm:synopsis>
<adm:target-is-enabled-condition>
<adm:contains property="enabled" value="true" />
</adm:target-is-enabled-condition>
</adm:constraint>
</adm:aggregation>
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-password-validator</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="account-status-notification-handler"
multi-valued="true">
<adm:synopsis>
Specifies the names of the account status notification handlers
that are used with the associated password storage scheme.
</adm:synopsis>
<adm:default-behavior>
<adm:undefined />
</adm:default-behavior>
<adm:syntax>
<adm:aggregation
relation-name="account-status-notification-handler"
parent-path="/">
<adm:constraint>
<adm:synopsis>
The referenced account status notification handlers must be
enabled.
</adm:synopsis>
<adm:target-is-enabled-condition>
<adm:contains property="enabled" value="true" />
</adm:target-is-enabled-condition>
</adm:constraint>
</adm:aggregation>
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>
ds-cfg-account-status-notification-handler
</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="allow-user-password-changes">
<adm:synopsis>
Indicates whether users can change their own
passwords.
</adm:synopsis>
<adm:description>
This check is made in addition to access control evaluation.
Both must allow the password change for it to occur.
</adm:description>
<adm:default-behavior>
<adm:defined>
<adm:value>true</adm:value>
</adm:defined>
</adm:default-behavior>
<adm:syntax>
<adm:boolean />
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-allow-user-password-changes</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="password-change-requires-current-password">
<adm:synopsis>
Indicates whether user password changes must use
the password modify extended operation and must include the user's
current password before the change is allowed.
</adm:synopsis>
<adm:default-behavior>
<adm:defined>
<adm:value>false</adm:value>
</adm:defined>
</adm:default-behavior>
<adm:syntax>
<adm:boolean />
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>
ds-cfg-password-change-requires-current-password
</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="force-change-on-add">
<adm:synopsis>
Indicates whether users are forced to change their passwords
upon first authenticating to the directory server after their
account has been created.
</adm:synopsis>
<adm:default-behavior>
<adm:defined>
<adm:value>false</adm:value>
</adm:defined>
</adm:default-behavior>
<adm:syntax>
<adm:boolean />
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-force-change-on-add</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="force-change-on-reset">
<adm:synopsis>
Indicates whether users are forced to change their passwords
if they are reset by an administrator.
</adm:synopsis>
<adm:description>
For this purpose, anyone with permission to change a given user's
password other than that user is considered an administrator.
</adm:description>
<adm:default-behavior>
<adm:defined>
<adm:value>false</adm:value>
</adm:defined>
</adm:default-behavior>
<adm:syntax>
<adm:boolean />
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-force-change-on-reset</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="skip-validation-for-administrators"
advanced="true">
<adm:synopsis>
Indicates whether passwords set by administrators are allowed
to bypass the password validation process that is required
for user password changes.
</adm:synopsis>
<adm:default-behavior>
<adm:defined>
<adm:value>false</adm:value>
</adm:defined>
</adm:default-behavior>
<adm:syntax>
<adm:boolean />
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-skip-validation-for-administrators</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="password-generator">
<adm:synopsis>
Specifies the name of the password generator that is used
with the associated password policy.
</adm:synopsis>
<adm:description>
This is used in conjunction with the password modify extended
operation to generate a new password for a user when none was
provided in the request.
</adm:description>
<adm:default-behavior>
<adm:undefined />
</adm:default-behavior>
<adm:syntax>
<adm:aggregation relation-name="password-generator"
parent-path="/">
<adm:constraint>
<adm:synopsis>
The referenced password generator must be enabled.
</adm:synopsis>
<adm:target-is-enabled-condition>
<adm:contains property="enabled" value="true" />
</adm:target-is-enabled-condition>
</adm:constraint>
</adm:aggregation>
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-password-generator</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="require-secure-authentication">
<adm:synopsis>
Indicates whether users with the associated password policy are
required to authenticate in a secure manner.
</adm:synopsis>
<adm:description>
This might mean either using a secure communication channel
between the client and the server, or using a SASL mechanism that
does not expose the credentials.
</adm:description>
<adm:default-behavior>
<adm:defined>
<adm:value>false</adm:value>
</adm:defined>
</adm:default-behavior>
<adm:syntax>
<adm:boolean />
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-require-secure-authentication</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="require-secure-password-changes">
<adm:synopsis>
Indicates whether users with the associated password policy are
required to change their password in a secure manner that does
not expose the credentials.
</adm:synopsis>
<adm:default-behavior>
<adm:defined>
<adm:value>false</adm:value>
</adm:defined>
</adm:default-behavior>
<adm:syntax>
<adm:boolean />
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-require-secure-password-changes</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="allow-multiple-password-values" advanced="true">
<adm:synopsis>
Indicates whether user entries can have multiple
distinct values for the password attribute.
</adm:synopsis>
<adm:description>
This is potentially dangerous because many mechanisms used to
change the password do not work well with such a configuration. If
multiple password values are allowed, then any of them can be used
to authenticate, and they are all subject to the same policy
constraints.
</adm:description>
<adm:default-behavior>
<adm:defined>
<adm:value>false</adm:value>
</adm:defined>
</adm:default-behavior>
<adm:syntax>
<adm:boolean />
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-allow-multiple-password-values</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="allow-pre-encoded-passwords" advanced="true">
<adm:synopsis>
Indicates whether users can change their passwords
by providing a pre-encoded value.
</adm:synopsis>
<adm:description>
This can cause a security risk because the clear-text version of
the password is not known and therefore validation checks cannot
be applied to it.
</adm:description>
<adm:default-behavior>
<adm:defined>
<adm:value>false</adm:value>
</adm:defined>
</adm:default-behavior>
<adm:syntax>
<adm:boolean />
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-allow-pre-encoded-passwords</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="min-password-age">
<adm:synopsis>
Specifies the minimum length of time after a
password change before the user is allowed to change the
password again.
</adm:synopsis>
<adm:description>
The value of this attribute is an integer followed by a
unit of seconds, minutes, hours, days, or weeks. This setting can
be used to prevent users from changing their passwords repeatedly
over a short period of time to flush an old password from the
history so that it can be re-used.
</adm:description>
<adm:default-behavior>
<adm:defined>
<adm:value>0 seconds</adm:value>
</adm:defined>
</adm:default-behavior>
<adm:syntax>
<adm:duration lower-limit="0" upper-limit="2147483647" base-unit="s"/>
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-min-password-age</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="max-password-age">
<adm:synopsis>
Specifies the maximum length of time that a user can continue
using the same password before it must be changed (that is, the
password expiration interval).
</adm:synopsis>
<adm:description>
The value of this attribute is an integer followed by a
unit of seconds, minutes, hours, days, or weeks. A value of 0
seconds disables password expiration.
</adm:description>
<adm:default-behavior>
<adm:defined>
<adm:value>0 seconds</adm:value>
</adm:defined>
</adm:default-behavior>
<adm:syntax>
<adm:duration lower-limit="0" upper-limit="2147483647" base-unit="s"/>
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-max-password-age</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="max-password-reset-age">
<adm:synopsis>
Specifies the maximum length of time that users have to change
passwords after they have been reset by an administrator before
they become locked.
</adm:synopsis>
<adm:description>
The value of this attribute is an integer followed by a
unit of seconds, minutes, hours, days, or weeks. A value of 0
seconds disables this feature.
</adm:description>
<adm:default-behavior>
<adm:defined>
<adm:value>0 seconds</adm:value>
</adm:defined>
</adm:default-behavior>
<adm:syntax>
<adm:duration lower-limit="0" upper-limit="2147483647" base-unit="s"/>
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-max-password-reset-age</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="password-expiration-warning-interval">
<adm:synopsis>
Specifies the maximum length of time before a user's password
actually expires that the server begins to include warning
notifications in bind responses for that user.
</adm:synopsis>
<adm:description>
The value of this attribute is an integer followed by a
unit of seconds, minutes, hours, days, or weeks. A value of 0
seconds disables the warning interval.
</adm:description>
<adm:default-behavior>
<adm:defined>
<adm:value>5 days</adm:value>
</adm:defined>
</adm:default-behavior>
<adm:syntax>
<adm:duration />
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>
ds-cfg-password-expiration-warning-interval
</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="expire-passwords-without-warning">
<adm:synopsis>
Indicates whether the directory server allows a user's
password to expire even if that user has never seen an expiration
warning notification.
</adm:synopsis>
<adm:description>
If this property is true, accounts always expire when the
expiration time arrives. If this property is false or disabled, the user
always receives at least one warning notification, and the
password expiration is set to the warning time plus the
warning interval.
</adm:description>
<adm:default-behavior>
<adm:defined>
<adm:value>false</adm:value>
</adm:defined>
</adm:default-behavior>
<adm:syntax>
<adm:boolean />
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-expire-passwords-without-warning</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="allow-expired-password-changes">
<adm:synopsis>
Indicates whether a user whose password is expired is still
allowed to change that password using the password modify extended
operation.
</adm:synopsis>
<adm:default-behavior>
<adm:defined>
<adm:value>false</adm:value>
</adm:defined>
</adm:default-behavior>
<adm:syntax>
<adm:boolean />
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-allow-expired-password-changes</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="grace-login-count">
<adm:synopsis>
Specifies the number of grace logins that a user is allowed
after the account has expired to allow that user to choose a new
password.
</adm:synopsis>
<adm:description>
A value of 0 indicates that no grace logins are allowed.
</adm:description>
<adm:default-behavior>
<adm:defined>
<adm:value>0</adm:value>
</adm:defined>
</adm:default-behavior>
<adm:syntax>
<adm:integer lower-limit="0" upper-limit="2147483647" />
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-grace-login-count</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="lockout-failure-count">
<adm:synopsis>
Specifies the maximum number of authentication failures that a
user is allowed before the account is locked out.
</adm:synopsis>
<adm:description>
A value of 0 indicates that accounts are never locked out
due to failed attempts.
</adm:description>
<adm:default-behavior>
<adm:defined>
<adm:value>0</adm:value>
</adm:defined>
</adm:default-behavior>
<adm:syntax>
<adm:integer lower-limit="0" upper-limit="2147483647"/>
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-lockout-failure-count</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="lockout-duration">
<adm:synopsis>
Specifies the length of time that an account is locked
after too many authentication failures.
</adm:synopsis>
<adm:description>
The value of this attribute is an integer followed by a
unit of seconds, minutes, hours, days, or weeks. A value of 0
seconds indicates that the account must remain locked until an
administrator resets the password.
</adm:description>
<adm:default-behavior>
<adm:defined>
<adm:value>0 seconds</adm:value>
</adm:defined>
</adm:default-behavior>
<adm:syntax>
<adm:duration lower-limit="0" upper-limit="2147483647" base-unit="s"/>
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-lockout-duration</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="lockout-failure-expiration-interval">
<adm:synopsis>
Specifies the length of time before an
authentication failure is no longer counted against a user for the
purposes of account lockout.
</adm:synopsis>
<adm:description>
The value of this attribute is an integer followed by a
unit of seconds, minutes, hours, days, or weeks. A value of 0
seconds indicates that the authentication failures must never
expire. The failure count is always cleared upon a successful
authentication.
</adm:description>
<adm:default-behavior>
<adm:defined>
<adm:value>0 seconds</adm:value>
</adm:defined>
</adm:default-behavior>
<adm:syntax>
<adm:duration lower-limit="0" upper-limit="2147483647" base-unit="s"/>
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>
ds-cfg-lockout-failure-expiration-interval
</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="require-change-by-time">
<adm:synopsis>
Specifies the time by which all users with the associated password
policy must change their passwords.
</adm:synopsis>
<adm:description>
The value is expressed in a generalized time format. If
this time is equal to the current time or is in the past, then all
users are required to change their passwords immediately. The
behavior of the server in this mode is identical to the
behavior observed when users are forced to change their passwords
after an administrative reset.
</adm:description>
<adm:default-behavior>
<adm:undefined />
</adm:default-behavior>
<adm:syntax>
<adm:string>
<adm:pattern>
<adm:regex>.*</adm:regex>
<adm:usage>STRING</adm:usage>
<adm:synopsis>
A valid timestamp in generalized time form (for example,
a value of "20070409185811Z" indicates a value of April 9,
2007 at 6:58:11 pm GMT).
</adm:synopsis>
</adm:pattern>
</adm:string>
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-require-change-by-time</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="last-login-time-attribute">
<adm:synopsis>
Specifies the name or OID of the attribute type that is
used to hold the last login time for users with the associated
password policy.
</adm:synopsis>
<adm:description>
This attribute type must be defined in the directory server schema
and must either be defined as an operational attribute or must be
allowed by the set of objectClasses for all users with the
associated password policy.
</adm:description>
<adm:default-behavior>
<adm:undefined />
</adm:default-behavior>
<adm:syntax>
<adm:attribute-type />
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-last-login-time-attribute</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="last-login-time-format">
<adm:synopsis>
Specifies the format string that is used to generate the
last login time value for users with the associated password
policy.
</adm:synopsis>
<adm:description>
This format string conforms to the syntax described in the
</adm:description>
<adm:default-behavior>
<adm:undefined />
</adm:default-behavior>
<adm:syntax>
<adm:string>
<adm:pattern>
<adm:regex>.*</adm:regex>
<adm:usage>STRING</adm:usage>
<adm:synopsis>
Any valid format string that can be used with the
</adm:synopsis>
</adm:pattern>
</adm:string>
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-last-login-time-format</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="previous-last-login-time-format"
multi-valued="true">
<adm:synopsis>
Specifies the format string(s) that might have been used with the
last login time at any point in the past for users associated with
the password policy.
</adm:synopsis>
<adm:description>
These values are used to make it possible to parse previous
values, but are not used to set new values. The format
strings conform to the syntax described in the API
</adm:description>
<adm:default-behavior>
<adm:undefined />
</adm:default-behavior>
<adm:syntax>
<adm:string>
<adm:pattern>
<adm:regex>.*</adm:regex>
<adm:usage>STRING</adm:usage>
<adm:synopsis>
Any valid format string that can be used with the
</adm:synopsis>
</adm:pattern>
</adm:string>
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-previous-last-login-time-format</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="idle-lockout-interval">
<adm:synopsis>
Specifies the maximum length of time that an account may remain
idle (that is, the associated user does not authenticate to the
server) before that user is locked out.
</adm:synopsis>
<adm:description>
The value of this attribute is an integer followed by a
unit of seconds, minutes, hours, days, or weeks. A value of 0
seconds indicates that idle accounts are not automatically
locked out. This feature is available only if the last login
time is maintained.
</adm:description>
<adm:default-behavior>
<adm:defined>
<adm:value>0 seconds</adm:value>
</adm:defined>
</adm:default-behavior>
<adm:syntax>
<adm:duration lower-limit="0" upper-limit="2147483647"/>
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-idle-lockout-interval</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="state-update-failure-policy" advanced="true">
<adm:synopsis>
Specifies how the server deals with the inability to update
password policy state information during an authentication
attempt.
</adm:synopsis>
<adm:description>
In particular, this property can be used to control whether an otherwise
successful bind operation fails if a failure occurs while
attempting to update password policy state information (for example, to
clear a record of previous authentication failures or to update
the last login time). It can also be used to control whether to
reject a bind request if it is known ahead of time that it will not be
possible to update the authentication failure times in the event of an
unsuccessful bind attempt (for example, if the backend writability mode
is disabled).
</adm:description>
<adm:default-behavior>
<adm:defined>
<adm:value>reactive</adm:value>
</adm:defined>
</adm:default-behavior>
<adm:syntax>
<adm:enumeration>
<adm:value name="ignore">
<adm:synopsis>
If a bind attempt would otherwise be successful, then do not
reject it if a problem occurs while attempting to update the
password policy state information for the user.
</adm:synopsis>
</adm:value>
<adm:value name="reactive">
<adm:synopsis>
Even if a bind attempt would otherwise be successful, reject
it if a problem occurs while attempting to update the
password policy state information for the user.
</adm:synopsis>
</adm:value>
<adm:value name="proactive">
<adm:synopsis>
Proactively reject any bind attempt if it is known ahead of
time that it would not be possible to update the user's
password policy state information.
</adm:synopsis>
</adm:value>
</adm:enumeration>
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-state-update-failure-policy</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="password-history-count">
<adm:synopsis>
Specifies the maximum number of former passwords to maintain in
the password history.
</adm:synopsis>
<adm:description>
When choosing a new password, the proposed password is
checked to ensure that it does not match the current password, nor
any other password in the history list. A value of zero indicates
that either no password history is to be maintained (if the
password history duration has a value of zero seconds), or that
there is no maximum number of passwords to maintain in the history
(if the password history duration has a value greater than zero
seconds).
</adm:description>
<adm:default-behavior>
<adm:defined>
<adm:value>0</adm:value>
</adm:defined>
</adm:default-behavior>
<adm:syntax>
<adm:integer lower-limit="0" upper-limit="2147483647" />
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-password-history-count</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="password-history-duration">
<adm:synopsis>
Specifies the maximum length of time that passwords remain
in the password history.
</adm:synopsis>
<adm:description>
When choosing a new password, the proposed password is
checked to ensure that it does not match the current password, nor
any other password in the history list. A value of zero seconds
indicates that either no password history is to be maintained (if
the password history count has a value of zero), or that there is
no maximum duration for passwords in the history (if the password
history count has a value greater than zero).
</adm:description>
<adm:default-behavior>
<adm:defined>
<adm:value>0 seconds</adm:value>
</adm:defined>
</adm:default-behavior>
<adm:syntax>
<adm:duration base-unit="s" lower-limit="0"
upper-limit="2147483647" allow-unlimited="false" />
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-password-history-duration</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
</adm:managed-object>