Name

dsconfig set-password-policy-prop — Modifies Authentication Policy properties

Synopsis

dsconfig set-password-policy-prop {options}

Options

The dsconfig set-password-policy-prop command takes the following options:

--policy-name {name}

The name of the Authentication Policy.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Authentication Policy properties depend on the Authentication Policy type, which depends on the --policy-name {name} option.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

Authentication Policy properties depend on the Authentication Policy type, which depends on the --policy-name {name} option.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

Authentication Policy properties depend on the Authentication Policy type, which depends on the --policy-name {name} option.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Authentication Policy properties depend on the Authentication Policy type, which depends on the --policy-name {name} option.

LDAP Pass Through Authentication Policy

Authentication Policies of type ldap-pass-through-authentication-policy have the following properties:

cached-password-storage-scheme
Description

Specifies the name of a password storage scheme which should be used for encoding cached passwords. Changing the password storage scheme will cause all existing cached passwords to be discarded.

Default Value

None

Allowed Values

The DN of any Password Storage Scheme. The referenced password storage schemes must be enabled.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

cached-password-ttl
Description

Specifies the maximum length of time that a locally cached password may be used for authentication before it is refreshed from the remote LDAP service. This property represents a cache timeout. Increasing the timeout period decreases the frequency that bind operations are delegated to the remote LDAP service, but increases the risk of users authenticating using stale passwords. Note that authentication attempts which fail because the provided password does not match the locally cached password will always be retried against the remote LDAP service.

Default Value

8 hours

Allowed Values

Some property values take a time duration. Durations are expressed as numbers followed by units. For example 1 s means one second, and 2 w means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.

  • ms: milliseconds

  • s: seconds

  • m: minutes

  • h: hours

  • d: days

  • w: weeks

Lower limit is 0 seconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

connection-timeout
Description

Specifies the timeout used when connecting to remote LDAP directory servers, performing SSL negotiation, and for individual search and bind requests. If the timeout expires then the current operation will be aborted and retried against another LDAP server if one is available.

Default Value

3 seconds

Allowed Values

Some property values take a time duration. Durations are expressed as numbers followed by units. For example 1 s means one second, and 2 w means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.

  • ms: milliseconds

  • s: seconds

  • m: minutes

  • h: hours

  • d: days

  • w: weeks

Lower limit is 0 milliseconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class which provides the LDAP Pass Through Authentication Policy implementation.

Default Value

org.opends.server.extensions.LDAPPassThroughAuthenticationPolicyFactory

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.AuthenticationPolicyFactory

Multi-valued

No

Required

Yes

Admin Action Required

The Authentication Policy must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

mapped-attribute
Description

Specifies one or more attributes in the user's entry whose value(s) will determine the bind DN used when authenticating to the remote LDAP directory service. This property is mandatory when using the "mapped-bind" or "mapped-search" mapping policies. At least one value must be provided. All values must refer to the name or OID of an attribute type defined in the directory server schema. At least one of the named attributes must exist in a user's local entry in order for authentication to proceed. When multiple attributes or values are found in the user's entry then the behavior is determined by the mapping policy.

Default Value

None

Allowed Values

The name of an attribute type defined in the server schema.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

mapped-search-base-dn
Description

Specifies the set of base DNs below which to search for users in the remote LDAP directory service. This property is mandatory when using the "mapped-search" mapping policy. If multiple values are given, searches are performed below all specified base DNs.

Default Value

None

Allowed Values

A valid DN.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

mapped-search-bind-dn
Description

Specifies the bind DN which should be used to perform user searches in the remote LDAP directory service.

Default Value

Searches will be performed anonymously.

Allowed Values

A valid DN.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

mapped-search-bind-password
Description

Specifies the bind password which should be used to perform user searches in the remote LDAP directory service.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

mapped-search-bind-password-environment-variable
Description

Specifies the name of an environment variable containing the bind password which should be used to perform user searches in the remote LDAP directory service.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

mapped-search-bind-password-file
Description

Specifies the name of a file containing the bind password which should be used to perform user searches in the remote LDAP directory service.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

mapped-search-bind-password-property
Description

Specifies the name of a Java property containing the bind password which should be used to perform user searches in the remote LDAP directory service.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

mapped-search-filter-template
Description

If defined, overrides the filter used when searching for the user, substituting %s with the value of the local entry's "mapped-attribute". The filter-template may include ZERO or ONE %s substitutions. If multiple mapped-attributes are configured, multiple renditions of this template will be aggregated into one larger filter using an OR (|) operator. An example use-case for this property would be to use a different attribute type on the mapped search. For example, mapped-attribute could be set to "uid" and filter-template to "(samAccountName=%s)". You can also use the filter to restrict search results. For example: "(&(uid=%s)(objectclass=student))"

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

mapping-policy
Description

Specifies the mapping algorithm for obtaining the bind DN from the user's entry.

Default Value

unmapped

Allowed Values
mapped-bind

Bind to the remote LDAP directory service using a DN obtained from an attribute in the user's entry. This policy will check each attribute named in the "mapped-attribute" property. If more than one attribute or value is present then the first one will be used.

mapped-search

Bind to the remote LDAP directory service using the DN of an entry obtained using a search against the remote LDAP directory service. The search filter will comprise of an equality matching filter whose attribute type is the "mapped-attribute" property, and whose assertion value is the attribute value obtained from the user's entry. If more than one attribute or value is present then the filter will be composed of multiple equality filters combined using a logical OR (union).

unmapped

Bind to the remote LDAP directory service using the DN of the user's entry in this directory server.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

primary-remote-ldap-server
Description

Specifies the primary list of remote LDAP servers which should be used for pass through authentication. If more than one LDAP server is specified then operations may be distributed across them. If all of the primary LDAP servers are unavailable then operations will fail-over to the set of secondary LDAP servers, if defined.

Default Value

None

Allowed Values

A host name followed by a ":" and a port number.

Multi-valued

Yes

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

secondary-remote-ldap-server
Description

Specifies the secondary list of remote LDAP servers which should be used for pass through authentication in the event that the primary LDAP servers are unavailable. If more than one LDAP server is specified then operations may be distributed across them. Operations will be rerouted to the primary LDAP servers as soon as they are determined to be available.

Default Value

No secondary LDAP servers.

Allowed Values

A host name followed by a ":" and a port number.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

source-address
Description

If specified, the server will bind to the address before connecting to the remote server. The address must be one assigned to an existing network interface.

Default Value

Let the server decide.

Allowed Values

An IP address

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

ssl-cipher-suite
Description

Specifies the names of the SSL cipher suites that are allowed for use in SSL based LDAP connections.

Default Value

Uses the default set of SSL cipher suites provided by the server's JVM.

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

None

Changes to this property take effect immediately but will only impact new SSL LDAP connections created after the change.

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

ssl-protocol
Description

Specifies the names of the SSL protocols which are allowed for use in SSL based LDAP connections.

Default Value

Uses the default set of SSL protocols provided by the server's JVM.

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

None

Changes to this property take effect immediately but will only impact new SSL LDAP connections created after the change.

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

trust-manager-provider
Description

Specifies the name of the trust manager that should be used when negotiating SSL connections with remote LDAP directory servers.

Default Value

By default, no trust manager is specified indicating that only certificates signed by the authorities associated with this JVM will be accepted.

Allowed Values

The DN of any Trust Manager Provider. The referenced trust manager provider must be enabled when SSL is enabled.

Multi-valued

No

Required

No

Admin Action Required

None

Changes to this property take effect immediately, but only impact subsequent SSL connection negotiations.

Advanced Property

No

Read-only

No

use-password-caching
Description

Indicates whether passwords should be cached locally within the user's entry.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

use-ssl
Description

Indicates whether the LDAP Pass Through Authentication Policy should use SSL. If enabled, the LDAP Pass Through Authentication Policy will use SSL to encrypt communication with the clients.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

The Authentication Policy must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

use-tcp-keep-alive
Description

Indicates whether LDAP connections should use TCP keep-alive. If enabled, the SO_KEEPALIVE socket option is used to indicate that TCP keepalive messages should periodically be sent to the client to verify that the associated connection is still valid. This may also help prevent cases in which intermediate network hardware could silently drop an otherwise idle client connection, provided that the keepalive interval configured in the underlying operating system is smaller than the timeout enforced by the network hardware.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

use-tcp-no-delay
Description

Indicates whether LDAP connections should use TCP no-delay. If enabled, the TCP_NODELAY socket option is used to ensure that response messages to the client are sent immediately rather than potentially waiting to determine whether additional response messages can be sent in the same packet. In most cases, using the TCP_NODELAY socket option provides better performance and lower response times, but disabling it may help for some cases in which the server sends a large number of entries to a client in response to a search request.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Password Policy

Authentication Policies of type password-policy have the following properties:

account-status-notification-handler
Description

Specifies the names of the account status notification handlers that are used with the associated password storage scheme.

Default Value

None

Allowed Values

The DN of any Account Status Notification Handler. The referenced account status notification handlers must be enabled.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

allow-expired-password-changes
Description

Indicates whether a user whose password is expired is still allowed to change that password using the password modify extended operation.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

allow-multiple-password-values
Description

Indicates whether user entries can have multiple distinct values for the password attribute. This is potentially dangerous because many mechanisms used to change the password do not work well with such a configuration. If multiple password values are allowed, then any of them can be used to authenticate, and they are all subject to the same policy constraints.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

allow-pre-encoded-passwords
Description

Indicates whether users can change their passwords by providing a pre-encoded value. This can cause a security risk because the clear-text version of the password is not known and therefore validation checks cannot be applied to it.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

allow-user-password-changes
Description

Indicates whether users can change their own passwords. This check is made in addition to access control evaluation. Both must allow the password change for it to occur.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

default-password-storage-scheme
Description

Specifies the names of the password storage schemes that are used to encode clear-text passwords for this password policy.

Default Value

None

Allowed Values

The DN of any Password Storage Scheme. The referenced password storage schemes must be enabled.

Multi-valued

Yes

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

deprecated-password-storage-scheme
Description

Specifies the names of the password storage schemes that are considered deprecated for this password policy. If a user with this password policy authenticates to the server and his/her password is encoded with a deprecated scheme, those values are removed and replaced with values encoded using the default password storage scheme(s).

Default Value

None

Allowed Values

The DN of any Password Storage Scheme. The referenced password storage schemes must be enabled.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

expire-passwords-without-warning
Description

Indicates whether the directory server allows a user's password to expire even if that user has never seen an expiration warning notification. If this property is true, accounts always expire when the expiration time arrives. If this property is false or disabled, the user always receives at least one warning notification, and the password expiration is set to the warning time plus the warning interval.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

force-change-on-add
Description

Indicates whether users are forced to change their passwords upon first authenticating to the directory server after their account has been created.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

force-change-on-reset
Description

Indicates whether users are forced to change their passwords if they are reset by an administrator. For this purpose, anyone with permission to change a given user's password other than that user is considered an administrator.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

grace-login-count
Description

Specifies the number of grace logins that a user is allowed after the account has expired to allow that user to choose a new password. A value of 0 indicates that no grace logins are allowed.

Default Value

0

Allowed Values

An integer value. Lower value is 0. Upper value is 2147483647.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

idle-lockout-interval
Description

Specifies the maximum length of time that an account may remain idle (that is, the associated user does not authenticate to the server) before that user is locked out. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds indicates that idle accounts are not automatically locked out. This feature is available only if the last login time is maintained.

Default Value

0 seconds

Allowed Values

Some property values take a time duration. Durations are expressed as numbers followed by units. For example 1 s means one second, and 2 w means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.

  • ms: milliseconds

  • s: seconds

  • m: minutes

  • h: hours

  • d: days

  • w: weeks

Lower limit is 0 seconds.Upper limit is 2147483647 seconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class which provides the Password Policy implementation.

Default Value

org.opends.server.core.PasswordPolicyFactory

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.AuthenticationPolicyFactory

Multi-valued

No

Required

Yes

Admin Action Required

The Authentication Policy must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

last-login-time-attribute
Description

Specifies the name or OID of the attribute type that is used to hold the last login time for users with the associated password policy. This attribute type must be defined in the directory server schema and must either be defined as an operational attribute or must be allowed by the set of objectClasses for all users with the associated password policy.

Default Value

None

Allowed Values

The name of an attribute type defined in the server schema.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

last-login-time-format
Description

Specifies the format string that is used to generate the last login time value for users with the associated password policy. This format string conforms to the syntax described in the API documentation for the java.text.SimpleDateFormat class.

Default Value

None

Allowed Values

Any valid format string that can be used with the java.text.SimpleDateFormat class.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

lockout-duration
Description

Specifies the length of time that an account is locked after too many authentication failures. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds indicates that the account must remain locked until an administrator resets the password.

Default Value

0 seconds

Allowed Values

Some property values take a time duration. Durations are expressed as numbers followed by units. For example 1 s means one second, and 2 w means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.

  • ms: milliseconds

  • s: seconds

  • m: minutes

  • h: hours

  • d: days

  • w: weeks

Lower limit is 0 seconds.Upper limit is 2147483647 seconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

lockout-failure-count
Description

Specifies the maximum number of authentication failures that a user is allowed before the account is locked out. A value of 0 indicates that accounts are never locked out due to failed attempts.

Default Value

0

Allowed Values

An integer value. Lower value is 0. Upper value is 2147483647.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

lockout-failure-expiration-interval
Description

Specifies the length of time before an authentication failure is no longer counted against a user for the purposes of account lockout. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds indicates that the authentication failures must never expire. The failure count is always cleared upon a successful authentication.

Default Value

0 seconds

Allowed Values

Some property values take a time duration. Durations are expressed as numbers followed by units. For example 1 s means one second, and 2 w means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.

  • ms: milliseconds

  • s: seconds

  • m: minutes

  • h: hours

  • d: days

  • w: weeks

Lower limit is 0 seconds.Upper limit is 2147483647 seconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

max-password-age
Description

Specifies the maximum length of time that a user can continue using the same password before it must be changed (that is, the password expiration interval). The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds disables password expiration.

Default Value

0 seconds

Allowed Values

Some property values take a time duration. Durations are expressed as numbers followed by units. For example 1 s means one second, and 2 w means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.

  • ms: milliseconds

  • s: seconds

  • m: minutes

  • h: hours

  • d: days

  • w: weeks

Lower limit is 0 seconds.Upper limit is 2147483647 seconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

max-password-reset-age
Description

Specifies the maximum length of time that users have to change passwords after they have been reset by an administrator before they become locked. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds disables this feature.

Default Value

0 seconds

Allowed Values

Some property values take a time duration. Durations are expressed as numbers followed by units. For example 1 s means one second, and 2 w means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.

  • ms: milliseconds

  • s: seconds

  • m: minutes

  • h: hours

  • d: days

  • w: weeks

Lower limit is 0 seconds.Upper limit is 2147483647 seconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

min-password-age
Description

Specifies the minimum length of time after a password change before the user is allowed to change the password again. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. This setting can be used to prevent users from changing their passwords repeatedly over a short period of time to flush an old password from the history so that it can be re-used.

Default Value

0 seconds

Allowed Values

Some property values take a time duration. Durations are expressed as numbers followed by units. For example 1 s means one second, and 2 w means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.

  • ms: milliseconds

  • s: seconds

  • m: minutes

  • h: hours

  • d: days

  • w: weeks

Lower limit is 0 seconds.Upper limit is 2147483647 seconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

password-attribute
Description

Specifies the attribute type used to hold user passwords. This attribute type must be defined in the server schema, and it must have either the user password or auth password syntax.

Default Value

None

Allowed Values

The name of an attribute type defined in the server schema.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

password-change-requires-current-password
Description

Indicates whether user password changes must use the password modify extended operation and must include the user's current password before the change is allowed.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

password-expiration-warning-interval
Description

Specifies the maximum length of time before a user's password actually expires that the server begins to include warning notifications in bind responses for that user. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds disables the warning interval.

Default Value

5 days

Allowed Values

Some property values take a time duration. Durations are expressed as numbers followed by units. For example 1 s means one second, and 2 w means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.

  • ms: milliseconds

  • s: seconds

  • m: minutes

  • h: hours

  • d: days

  • w: weeks

Lower limit is 0 seconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

password-generator
Description

Specifies the name of the password generator that is used with the associated password policy. This is used in conjunction with the password modify extended operation to generate a new password for a user when none was provided in the request.

Default Value

None

Allowed Values

The DN of any Password Generator. The referenced password generator must be enabled.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

password-history-count
Description

Specifies the maximum number of former passwords to maintain in the password history. When choosing a new password, the proposed password is checked to ensure that it does not match the current password, nor any other password in the history list. A value of zero indicates that either no password history is to be maintained (if the password history duration has a value of zero seconds), or that there is no maximum number of passwords to maintain in the history (if the password history duration has a value greater than zero seconds).

Default Value

0

Allowed Values

An integer value. Lower value is 0. Upper value is 2147483647.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

password-history-duration
Description

Specifies the maximum length of time that passwords remain in the password history. When choosing a new password, the proposed password is checked to ensure that it does not match the current password, nor any other password in the history list. A value of zero seconds indicates that either no password history is to be maintained (if the password history count has a value of zero), or that there is no maximum duration for passwords in the history (if the password history count has a value greater than zero).

Default Value

0 seconds

Allowed Values

Some property values take a time duration. Durations are expressed as numbers followed by units. For example 1 s means one second, and 2 w means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.

  • ms: milliseconds

  • s: seconds

  • m: minutes

  • h: hours

  • d: days

  • w: weeks

Lower limit is 0 seconds.Upper limit is 2147483647 seconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

password-validator
Description

Specifies the names of the password validators that are used with the associated password storage scheme. The password validators are invoked when a user attempts to provide a new password, to determine whether the new password is acceptable.

Default Value

None

Allowed Values

The DN of any Password Validator. The referenced password validators must be enabled.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

previous-last-login-time-format
Description

Specifies the format string(s) that might have been used with the last login time at any point in the past for users associated with the password policy. These values are used to make it possible to parse previous values, but are not used to set new values. The format strings conform to the syntax described in the API documentation for the java.text.SimpleDateFormat class.

Default Value

None

Allowed Values

Any valid format string that can be used with the java.text.SimpleDateFormat class.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

require-change-by-time
Description

Specifies the time by which all users with the associated password policy must change their passwords. The value is expressed in a generalized time format. If this time is equal to the current time or is in the past, then all users are required to change their passwords immediately. The behavior of the server in this mode is identical to the behavior observed when users are forced to change their passwords after an administrative reset.

Default Value

None

Allowed Values

A valid timestamp in generalized time form (for example, a value of "20070409185811Z" indicates a value of April 9, 2007 at 6:58:11 pm GMT).

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

require-secure-authentication
Description

Indicates whether users with the associated password policy are required to authenticate in a secure manner. This might mean either using a secure communication channel between the client and the server, or using a SASL mechanism that does not expose the credentials.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

require-secure-password-changes
Description

Indicates whether users with the associated password policy are required to change their password in a secure manner that does not expose the credentials.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

skip-validation-for-administrators
Description

Indicates whether passwords set by administrators are allowed to bypass the password validation process that is required for user password changes.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

state-update-failure-policy
Description

Specifies how the server deals with the inability to update password policy state information during an authentication attempt. In particular, this property can be used to control whether an otherwise successful bind operation fails if a failure occurs while attempting to update password policy state information (for example, to clear a record of previous authentication failures or to update the last login time). It can also be used to control whether to reject a bind request if it is known ahead of time that it will not be possible to update the authentication failure times in the event of an unsuccessful bind attempt (for example, if the backend writability mode is disabled).

Default Value

reactive

Allowed Values
ignore

If a bind attempt would otherwise be successful, then do not reject it if a problem occurs while attempting to update the password policy state information for the user.

proactive

Proactively reject any bind attempt if it is known ahead of time that it would not be possible to update the user's password policy state information.

reactive

Even if a bind attempt would otherwise be successful, reject it if a problem occurs while attempting to update the password policy state information for the user.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No