Password Policy

Password Policies define a number of password management rules, as well as requirements for authentication processing.

Relations from This Component Relations to This Component Properties dsconfig Usage

Relations from This Component

The following components have a direct aggregation relation from Password Policies:

Relations to This Component

The following components have a direct aggregation relation to Password Policies:

Properties

The properties supported by this managed object are as follows:


General Configuration Basic Properties: Advanced Properties:
 description  state-update-failure-policy
 require-secure-authentication  enable-debug
 require-secure-password-changes
 account-status-notification-handler
Password Storage Basic Properties: Advanced Properties:
 password-attribute  allow-multiple-password-values
 default-password-storage-scheme  allow-pre-encoded-passwords
 deprecated-password-storage-scheme
 re-encode-passwords-on-scheme-config-change
Password Quality Basic Properties: Advanced Properties:
 password-validator  None
 bind-password-validator
 minimum-bind-password-validation-frequency
 bind-password-validation-failure-action
 password-generator
 password-history-count
 password-history-duration
Password Expiration Basic Properties: Advanced Properties:
 min-password-age  None
 max-password-age
 password-expiration-warning-interval
 expire-passwords-without-warning
 return-password-expiration-controls
 allow-expired-password-changes
 grace-login-count
 require-change-by-time
Account Lockout Basic Properties: Advanced Properties:
 lockout-failure-count  ignore-duplicate-password-failures
 lockout-duration  failure-lockout-action
 lockout-failure-expiration-interval
 idle-lockout-interval
Self Password Changes Basic Properties: Advanced Properties:
 allow-user-password-changes  password-retirement-behavior
 password-change-requires-current-password  max-retired-password-age
 allowed-password-reset-token-use-condition
Administrative Password Resets Basic Properties: Advanced Properties:
 force-change-on-add  skip-validation-for-administrators
 force-change-on-reset
 max-password-reset-age
Login Tracking Basic Properties: Advanced Properties:
 maximum-recent-login-history-successful-authentication-count  None
 maximum-recent-login-history-successful-authentication-duration
 maximum-recent-login-history-failed-authentication-count
 maximum-recent-login-history-failed-authentication-duration
 recent-login-history-similar-attempt-behavior
 last-login-ip-address-attribute
 last-login-time-attribute
 last-login-time-format
 previous-last-login-time-format

Basic Properties

description

Property Group
General Configuration
Description
A description for this Password Policy
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

require-secure-authentication

Property Group
General Configuration
Description
Indicates whether users with the associated password policy are required to authenticate in a secure manner. This might mean either using a secure communication channel between the client and the server, or using a SASL mechanism that does not expose the credentials.
Default Value
false
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

require-secure-password-changes

Property Group
General Configuration
Description
Indicates whether users with the associated password policy are required to change their password in a secure manner that does not expose the credentials.
Default Value
false
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

account-status-notification-handler

Property Group
General Configuration
Description
Specifies the names of the account status notification handlers that are used with the associated password storage scheme.
Default Value
None
Allowed Values
The DN of any Account Status Notification Handler. The referenced account status notification handlers must be enabled.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

password-attribute

Property Group
Password Storage
Description
Specifies the attribute type used to hold user passwords. This attribute type must be defined in the server schema, and it must have either the user password or auth password syntax.
Default Value
None
Allowed Values
The name or OID of an attribute type defined in the server schema.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

default-password-storage-scheme

Property Group
Password Storage
Description
Specifies the names of the password storage schemes that are used to encode clear-text passwords for this password policy.
Default Value
None
Allowed Values
The DN of any Password Storage Scheme. The referenced password storage schemes must be enabled.
Multi-Valued
Yes
Required
Yes
Admin Action Required
None. Modification requires no further action

deprecated-password-storage-scheme

Property Group
Password Storage
Description
Specifies the names of the password storage schemes that are considered deprecated for this password policy. If a user authenticates to the server with a mechanism that provides the password in the clear, and if the password stored in their entry is currently encoded with a deprecated password storage scheme, then their password will be re-encoded with the default password storage scheme(s).
Default Value
None
Allowed Values
The DN of any Password Storage Scheme. The referenced password storage schemes must be enabled.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

re-encode-passwords-on-scheme-config-change

Property Group
Password Storage
Description
Indicates whether to re-encode passwords on authentication if the configuration for the underlying password storage scheme has changed. If a user authenticates to the server with a mechanism that provides the password in the clear, and if the password stored in their entry is encoded with settings that don't match the current configuration for the associated password storage scheme (e.g., if something like the salt length or iteration count has been updated), then their password will be re-encoded with default password storage scheme(s) using the current settings.
Default Value
false
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

password-validator

Property Group
Password Quality
Description
Specifies the names of the password validators that are used with the associated password storage scheme. The password validators are invoked when a user attempts to provide a new password, to determine whether the new password is acceptable.
Default Value
None
Allowed Values
The DN of any Password Validator. The referenced password validators must be enabled.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

bind-password-validator

Property Group
Password Quality
Description
Specifies the names of the password validators that should be invoked for bind operations. If one or more bind password validators are configured, then the minimum-bind-password-validation-frequency property will be used to determine how frequently validation should be performed for users to whom this password policy is assigned, and the bind-password-validation-failure-action property will specify the behavior the server should exhibit for unsuccessful validation attempts.
Default Value
None
Allowed Values
The DN of any Password Validator. The referenced password validators must be enabled.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

minimum-bind-password-validation-frequency

Property Group
Password Quality
Description
Indicates how frequently password validation should be performed during bind operations for each user to whom this password policy is assigned. A value of "0 s" indicates that password validation should be invoked for each successful bind attempt in which the user's clear-text password is available to the server. A nonzero frequency indicates that the server should only invoke password validators if at least this length of time has passed since the last time that password validation was performed for their account.
Default Value
30 d
Allowed Values
A duration. Lower limit is 0 seconds.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

bind-password-validation-failure-action

Property Group
Password Quality
Description
Specifies the behavior that the server should exhibit if a bind password fails validation by one or more of the configured bind password validators.
Default Value
force-password-change
Allowed Values
reject-bind - Indicates that users should not be permitted to authenticate with passwords that fail validation.

force-password-change - Indicates that authentication will succeed, but that the user will be required to choose a new password before they can perform any other operations on their account.

generate-account-status-notification - Indicates that the authentication attempt will succeed and the user can perform operations as normal, but an account status notification will be generated and can be used to perform custom processing (e.g., notifying the end user or administrators of the validation failure).
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

password-generator

Property Group
Password Quality
Description
Specifies the name of the password generator that is used with the associated password policy. This is used in conjunction with the password modify extended operation to generate a new password for a user when none was provided in the request.
Default Value
None
Allowed Values
The DN of any Password Generator. The referenced password generator must be enabled.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

password-history-count

Property Group
Password Quality
Description
Specifies the maximum number of former passwords to maintain in the password history. When choosing a new password, the proposed password is checked to ensure that it does not match the current password, nor any other password in the history list. A value of zero indicates that either no password history is to be maintained (if the password history duration has a value of zero seconds), or that there is no maximum number of passwords to maintain in the history (if the password history duration has a value greater than zero seconds).
Default Value
0
Allowed Values
An integer value. Lower limit is 0. Upper limit is 2147483647 .
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

password-history-duration

Property Group
Password Quality
Description
Specifies the maximum length of time that passwords remain in the password history. When choosing a new password, the proposed password is checked to ensure that it does not match the current password, nor any other password in the history list. A value of zero seconds indicates that either no password history is to be maintained (if the password history count has a value of zero), or that there is no maximum duration for passwords in the history (if the password history count has a value greater than zero).
Default Value
0 seconds
Allowed Values
A duration. Lower limit is 0 seconds. Upper limit is 2147483647 seconds.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

min-password-age

Property Group
Password Expiration
Description
Specifies the minimum length of time after a password change before the user is allowed to change the password again. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. This setting can be used to prevent users from changing their passwords repeatedly over a short period of time to flush an old password from the history so that it can be re-used.
Default Value
0 seconds
Allowed Values
A duration. Lower limit is 0 seconds. Upper limit is 2147483647 seconds.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

max-password-age

Property Group
Password Expiration
Description
Specifies the maximum length of time that a user can continue using the same password before it must be changed (that is, the password expiration interval). The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds disables password expiration.
Default Value
0 seconds
Allowed Values
A duration. Lower limit is 0 seconds. Upper limit is 2147483647 seconds.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

password-expiration-warning-interval

Property Group
Password Expiration
Description
Specifies the maximum length of time before a user's password actually expires that the server begins to include warning notifications in bind responses for that user. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds disables the warning interval.
Default Value
5 days
Allowed Values
A duration. Lower limit is 0 seconds.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

expire-passwords-without-warning

Property Group
Password Expiration
Description
Indicates whether the Directory Server allows a user's password to expire even if that user has never seen an expiration warning notification. If this property is true, accounts always expire when the expiration time arrives. If this property is false, the user always receives at least one warning notification, and the password expiration is set to the warning time plus the warning interval.
Default Value
false
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

return-password-expiration-controls

Property Group
Password Expiration
Description
Indicates whether the server should return the password expiring and password expired response controls (as described in draft-vchu-ldap-pwd-policy). The password expiring control may be used to indicate that the user's password is about to expire, and provides the length of time (in seconds) until the password is actually expired.
The password expired control may be used to indicate that the user's password is expired (if included in a bind response with a non-success result code), or that the user must change their password before they will be allowed to request any other operations (if included in a bind response with a success result code).
These controls are unsolicited (that is, the client does not explicitly request them). It is possible that some clients could behave in unexpected or undesirable ways if they are returned.
Default Value
unless-password-policy-control-is-used
Allowed Values
unless-password-policy-control-is-used - Indicates that the password expiring or password expired control should always be returned when appropriate unless the client included the password policy request control (as described in draft-behera-ldap-password-policy) in the bind request. The corresponding password policy response control provides access to the same information, and if the client requested that control, then it is likely that they will use that response control instead of the password expiring and password expired controls to identify expiration-related issues.

always - Indicates that the password expiring or password expired control should always be returned when appropriate, even if the password policy response control will also be returned.

never - Indicates that the password expiring or password expired control should never be returned.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

allow-expired-password-changes

Property Group
Password Expiration
Description
Indicates whether a user whose password is expired is still allowed to change that password using the password modify extended operation.
Default Value
false
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

grace-login-count

Property Group
Password Expiration
Description
Specifies the number of grace logins that a user is allowed after the account has expired to allow that user to choose a new password. A value of 0 indicates that no grace logins are allowed.
Default Value
0
Allowed Values
An integer value. Lower limit is 0. Upper limit is 2147483647 .
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

require-change-by-time

Property Group
Password Expiration
Description
Specifies the time by which all users with the associated password policy must change their passwords. The value is expressed in a generalized time format. If this time is equal to the current time or is in the past, then all users are required to change their passwords immediately. The behavior of the server in this mode is identical to the behavior observed when users are forced to change their passwords after an administrative reset.
Default Value
None
Allowed Values
A valid timestamp in generalized time form (for example, a value of "20070409185811Z" indicates a value of April 9, 2007 at 6:58:11 pm GMT).
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

lockout-failure-count

Property Group
Account Lockout
Description
Specifies the maximum number of authentication failures that a user is allowed before the account is locked out. A value of 0 indicates that accounts are never locked out due to failed attempts.
Default Value
0
Allowed Values
An integer value. Lower limit is 0. Upper limit is 2147483647 .
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

lockout-duration

Property Group
Account Lockout
Description
Specifies the length of time that an account is locked after too many authentication failures. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds indicates that the account must remain locked until an administrator resets the password.
Default Value
0 seconds
Allowed Values
A duration. Lower limit is 0 seconds. Upper limit is 2147483647 seconds.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

lockout-failure-expiration-interval

Property Group
Account Lockout
Description
Specifies the length of time before an authentication failure is no longer counted against a user for the purposes of account lockout. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds indicates that the authentication failures must never expire. The failure count is always cleared upon a successful authentication.
Default Value
0 seconds
Allowed Values
A duration. Lower limit is 0 seconds. Upper limit is 2147483647 seconds.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

idle-lockout-interval

Property Group
Account Lockout
Description
Specifies the maximum length of time that an account may remain idle (that is, the associated user does not authenticate to the server) before that user is locked out. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds indicates that idle accounts are not automatically locked out. This feature is available only if the last login time is maintained. If either or both of the last-login-time-attribute or last-login-time-format properties are undefined, then idle account lockout will not be enforced.
For accounts which do not have a last login time value, the password changed time, or failing that the account creation time, will be used. If none of that information is available, then the user will not be allowed to authenticate. It is strongly recommended that the server be allowed to run for a period of time with last login time tracking enabled (i.e., values for both last-login-time-attribute and last-login-time-format config properties) to ensure that users have a last login time before enabling idle account lockout.
Default Value
0 seconds
Allowed Values
A duration. Lower limit is 0 seconds. Upper limit is 2147483647 seconds.
Multi-Valued
No
Required
No
Admin Action Required
Last login time tracking is required for idle account lockout to work properly. If you are enabling idle account lockout, then you should ensure that the last-login-time-attribute and last-login-time-format properties are also defined and that last login time tracking has been enabled long enough so that user accounts have had time to be marked with last login times. Ideally, last login time tracking should be enabled for at least as long as the idle lockout interval to ensure that users are not incorrectly locked out merely because their accounts do not have last login time information.

allow-user-password-changes

Property Group
Self Password Changes
Description
Indicates whether users can change their own passwords. This check is made in addition to access control evaluation. Both must allow the password change for it to occur.
Default Value
true
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

password-change-requires-current-password

Property Group
Self Password Changes
Description
Indicates whether user password changes must use the password modify extended operation and must include the user's current password before the change is allowed.
Default Value
false
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

allowed-password-reset-token-use-condition

Property Group
Self Password Changes
Description
The set of conditions under which a user governed by this Password Policy will be permitted to generate a password reset token via the deliver password reset token extended operation, and to use that token in lieu of the current password via the password modify extended operation. See the configuration documentation for the deliver password reset token extended operation handler for more information about password reset tokens and how they can be used in the server.
Default Value
None
Allowed Values
account-usable - The user's account is in a usable state.

password-expired - The user's password has expired.

account-locked-due-to-failures - The user's account is locked after too many failed attempts.

account-locked-due-to-idle-time-limit - The user's account is locked after it has been too long since the user last authenticated.

account-locked-due-to-admin-reset-timeout - The user's account is locked because the user was required to change his/her password after it was reset by an administrator but failed to set a new password in the allowed window of time.

account-locked-due-to-validation-failure - The user's account is locked because it contains a password that does not satisfy all of the configured password validators.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

force-change-on-add

Property Group
Administrative Password Resets
Description
Indicates whether users are forced to change their passwords upon first authenticating to the Directory Server after their account has been created.
Default Value
false
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

force-change-on-reset

Property Group
Administrative Password Resets
Description
Indicates whether users are forced to change their passwords if they are reset by an administrator. If a user's password is changed by any other user, that is considered an administrative password reset.
Default Value
false
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

max-password-reset-age

Property Group
Administrative Password Resets
Description
Specifies the maximum length of time that users have to change passwords after they have been reset by an administrator before they become locked. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds disables this feature.
Default Value
0 seconds
Allowed Values
A duration. Lower limit is 0 seconds. Upper limit is 2147483647 seconds.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

maximum-recent-login-history-successful-authentication-count

Property Group
Login Tracking
Description
The maximum number of successful authentication attempts to include in the recent login history for each account. If only one of the maximum-recent-login-history-successful-authentication-count and maximum-recent-login-history-successful-authentication-duration properties is provided, then the specified property will be used to determine which successful attempts to retain in the recent login history.

If both properties are provided, then successful login attempts will be retained only if they satisfy the criteria for both properties (that is, if a login attempt falls outside either the maximum count or duration, then it will be removed).

If neither property is present, then no successful authentications will be retained in the user's recent login history.

Default Value
The server will not consider the number of successful attempts when maintaining the recent login history.
Allowed Values
An integer value. Lower limit is 1.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

maximum-recent-login-history-successful-authentication-duration

Property Group
Login Tracking
Description
The maximum age of successful authentication attempts to include in the recent login history for each account. If only one of the maximum-recent-login-history-successful-authentication-count and maximum-recent-login-history-successful-authentication-duration properties is provided, then the specified property will be used to determine which successful attempts to retain in the recent login history.

If both properties are provided, then successful login attempts will be retained only if they satisfy the criteria for both properties (that is, if a login attempt falls outside either the maximum count or duration, then it will be removed).

If neither property is present, then no successful authentications will be retained in the user's recent login history.

Note that if a maximum duration is configured (with or without a maximum count) for successful attempts, then the server will always maintain the most recent successful attempt in login history, even if it is older than the maximum duration.

Default Value
The server will not consider the age of successful attempts when maintaining the recent login history.
Allowed Values
A duration. Lower limit is 1 milliseconds.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

maximum-recent-login-history-failed-authentication-count

Property Group
Login Tracking
Description
The maximum number of failed authentication attempts to include in the recent login history for each account. If only one of the maximum-recent-login-history-failed-authentication-count and maximum-recent-login-history-failed-authentication-duration properties is provided, then the specified property will be used to determine which failed attempts to retain in the recent login history.

If both properties are provided, then failed login attempts will be retained only if they satisfy the criteria for both properties (that is, if a login attempt falls outside either the maximum count or duration, then it will be removed).

If neither property is present, then no failed authentications will be retained in the user's recent login history.

Default Value
The server will not consider the number of failed attempts when maintaining the recent login history.
Allowed Values
An integer value. Lower limit is 1.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

maximum-recent-login-history-failed-authentication-duration

Property Group
Login Tracking
Description
The maximum age of failed authentication attempts to include in the recent login history for each account. If only one of the maximum-recent-login-history-failed-authentication-count and maximum-recent-login-history-failed-authentication-duration properties is provided, then the specified property will be used to determine which failed attempts to retain in the recent login history.

If both properties are provided, then failed login attempts will be retained only if they satisfy the criteria for both properties (that is, if a login attempt falls outside either the maximum count or duration, then it will be removed).

If neither property is present, then no failed authentications will be retained in the user's recent login history.

Note that if a maximum duration is configured (with or without a maximum count) for failed attempts, then the server will always maintain the most recent failed attempt in login history, even if it is older than the maximum duration.

Default Value
The server will not consider the age of failed attempts when maintaining the recent login history.
Allowed Values
A duration. Lower limit is 1 milliseconds.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

recent-login-history-similar-attempt-behavior

Property Group
Login Tracking
Description
The behavior that the server will exhibit when multiple similar authentication attempts (with the same values for the successful, authentication-method, client-ip-address, and failure-reason fields) are processed for an account.
Default Value
collapse-similar-attempts-on-the-same-date
Allowed Values
collapse-similar-attempts-on-the-same-date - Similar authentication attempts that occur on the same date (within the UTC time zone) will be collapsed into a single record, with the additional-attempt-count field used to keep track of the number of additional similar attempts that were made on the same date. The timestamp will reflect the most recent of the collapsed attempts, and the login history will be updated for each attempt.

maintain-every-attempt - The server will maintain a separate record for each authentication attempt, regardless of how similar they are to previous attempts.

update-at-most-once-per-day - The server will only update the account's recent login history at most once per day for each similar attempt. Any subsequent attempts that occur on the same date (within the UTC time zone) as a previous similar attempt will not be recorded in the history. This will limit the number of writes to the recent login history, but the timestamp field may not reflect the most recent attempt on that date.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

last-login-ip-address-attribute

Property Group
Login Tracking
Description
Specifies the name or OID of the attribute type that is used to hold the IP address of the client from which the user last authenticated. This attribute type must be defined in the Directory Server schema and must either be defined as an operational attribute or must be allowed by the set of objectClasses for all users with the associated password policy. The ds-pwp-last-login-ip-address attribute has been defined in the server schema for this purpose.
Default Value
None
Allowed Values
The name or OID of an attribute type defined in the server schema.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

last-login-time-attribute

Property Group
Login Tracking
Description
Specifies the name or OID of the attribute type that is used to hold the last login time for users with the associated password policy. This attribute type must be defined in the Directory Server schema and must either be defined as an operational attribute or must be allowed by the set of objectClasses for all users with the associated password policy.
Default Value
ds-pwp-last-login-time
Allowed Values
The name or OID of an attribute type defined in the server schema.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

last-login-time-format

Property Group
Login Tracking
Description
Specifies the format string that is used to generate the last login time value for users with the associated password policy. Last login time values will be written using the UTC (also known as GMT, or Greenwich Mean Time) time zone. This format string conforms to the syntax described in the API documentation for the java.text.SimpleDateFormat class. Common values for usage include:
  • yyyyMMddHHmmss'Z' -- Generalized time format with second-level accuracy.
  • yyyyMMddHHmmss.SSS'Z' -- Generalized time format with millisecond-level accuracy.
  • yyyyMMdd -- Only include the date but not the time. This format will cause the last login time to be updated at most once a day for each user.
In addition to formatting new values, the format string must be parseable as a date input because the server will evaluate the formatted date to determine whether the last-login-time-format needs to be updated.
Default Value
None
Allowed Values
Any valid format string that can be used for date formatting and date input parsing using the java.text.SimpleDateFormat class.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

previous-last-login-time-format

Property Group
Login Tracking
Description
Specifies the format string(s) that might have been used with the last login time at any point in the past for users associated with the password policy. These values are used to make it possible to parse previous values, but are not used to set new values. The format strings conform to the syntax described in the API documentation for the java.text.SimpleDateFormat class.
Default Value
None
Allowed Values
Any valid format string that can be used to parse a date input with the java.text.SimpleDateFormat class.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action


Advanced Properties

state-update-failure-policy (Advanced Property)

Property Group
General Configuration
Description
Specifies how the server deals with the inability to update password policy state information during an authentication attempt. In particular, this property can be used to control whether an otherwise successful bind operation fails if a failure occurs while attempting to update password policy state information (for example, to clear a record of previous authentication failures or to update the last login time). It can also be used to control whether to reject a bind request if it is known ahead of time that it will not be possible to update the authentication failure times in the event of an unsuccessful bind attempt (for example, if the backend writability mode is disabled).
Default Value
reactive
Allowed Values
ignore - If a bind attempt would otherwise be successful, then do not reject it if a problem occurs while attempting to update the password policy state information for the user.

reactive - Even if a bind attempt would otherwise be successful, reject it if a problem occurs while attempting to update the password policy state information for the user.

proactive - Proactively reject any bind attempt if it is known ahead of time that it would not be possible to update the user's password policy state information.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

enable-debug (Advanced Property)

Property Group
General Configuration
Description
Indicates whether to enable debugging for the password policy state. To limit the scope of the debugging to a specific set of users, clone this password policy and then assign that new password policy to the target users by setting the value of the ds-pwp-password-policy-dn operational attribute to the DN of the new password policy. When debugging is complete, restore the former value of the ds-pwp-password-policy-dn attribute or remove that attribute entirely to use the default password policy for the user. If you remove a password policy while users are still configured to be governed by that policy, then those users will be unable to authenticate.
Default Value
false
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
When enable-debug is set to true, additional configuration changes are required. 1. Create a Debug Target targeting the password policy class: dsconfig create-debug-target --publisher-name "File-Based Debug Logger" --target-name com.unboundid.directory.server.core.PasswordPolicyState --set debug-level:verbose 2. Enable the debug logger: dsconfig set-log-publisher-prop --publisher-name "File-Based Debug Logger" --set enabled:true With the default configuration settings, debugging information will be written to the logs/debug file.

allow-multiple-password-values (Advanced Property)

Property Group
Password Storage
Description
Indicates whether user entries can have multiple distinct values for the password attribute. This is potentially dangerous because many mechanisms used to change the password do not work well with such a configuration. If multiple password values are allowed, then any of them can be used to authenticate, and they are all subject to the same policy constraints.
Default Value
false
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

allow-pre-encoded-passwords (Advanced Property)

Property Group
Password Storage
Description
Indicates whether users can change their passwords by providing a pre-encoded value. Allowing pre-encoded passwords can be a security risk for several reasons, including:
  • If the server doesn't have access to the clear-text representation of the password at the time it's set, then it can't verify that the password satisfies the configured validation requirements. As such, it could allow users to set weaker passwords than should be allowed.
  • Because most schemes allow the same password to be encoded multiple ways (e.g., using different salts for each encoding), it could allow a user to "change" their password to a different encoding of the same password, or of a password they had formerly used in the past. This could circumvent constraints like password expiration and password history.
  • If clients are allowed to provide pre-encoded passwords, they could use a different scheme than the server is configured to use, and they may use a scheme that is considered weaker than you want to allow.
  • More advanced password storage schemes (e.g., Argon2, bcrypt, scrypt, and PBKDF2) have a variety of parameters that affect the strength of the encoding. If clients are allowed to provide pre-encoded passwords, they could supply passwords with parameters that are weaker than you want to allow. Alternatively, they could also supply passwords with parameters that are stronger than you want to allow, which could cause substantial resource consumption on the server when processing bind requests.
Most of these risks apply primarily to self password changes, in which users are changing their own passwords. If you have certain administrative processes that may need to occasionally set pre-encoded passwords, then it would be better to use one of the "add-only", "admin-reset-only", or "add-and-admin-reset-only" values so that they are allowed for those types of operations without allowing them for self password changes.

Also note that you can use the password update behavior request control to override this restriction on a per-request basis. If a requester is authorized to use that control, they would be allowed to explicitly set a pre-encoded password for a user even if it would otherwise be rejected by the password policy configuration.

Default Value
false
Allowed Values
false - Do not allow pre-encoded passwords for add operations, for self password changes, or for administrative password resets.

add-only - Allow pre-encoded passwords for add operations, but do not allow pre-encoded passwords for either self password changes or administrative password resets.

admin-reset-only - Allow pre-encoded passwords for administrative password resets, but not for add operations or self password changes.

add-and-admin-reset-only - Allow pre-encoded passwords for add operations and for administrative password resets, but not for self password changes.

true - Allow pre-encoded passwords for add operations, for self password changes, and for administrative password resets. This is not recommended, as it is a potential security risk to allow self password changes with pre-encoded passwords.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

ignore-duplicate-password-failures (Advanced Property)

Property Group
Account Lockout
Description
Indicates whether to ignore subsequent authentication failures using the same password as an earlier failed authentication attempt (within the time frame defined by the lockout failure expiration interval). If this option is "true", then multiple failed attempts using the same password will be considered only a single failure. If this option is "false", then any failure will be tracked regardless of whether it used the same password as an earlier attempt. This will only be applicable to simple bind attempts, or when using the password modify extended operation with an old password. It will not be used with SASL authentication.
Default Value
true
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

failure-lockout-action (Advanced Property)

Property Group
Account Lockout
Description
The action that the server should take for authentication attempts that target a user with more than the configured number of outstanding authentication failures.
Default Value
Users with too many failed authentication attempts will not be permitted to authenticate.
Allowed Values
The DN of any Failure Lockout Action.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

password-retirement-behavior (Advanced Property)

Property Group
Self Password Changes
Description
Specifies the conditions under which the server may retire a user's current password in the course of setting a new password for that user (whether via a modify operation or a password modify extended operation). If a password is retired, then it will remain usable for a period of time (as specified by the max-retired-password-age property) in addition to the new password for that user. This feature makes it possible to gracefully change the password for a user in a way that allows any applications which may have been configured with that user's password to continue using the former password until they can be updated to use the new password instead.
Note that retired password functionality cannot be used if the allow-multiple-password-values property is configured with a value of true.
Default Value
Passwords will not be retired for any kind of password change or reset.
Allowed Values
retire-on-self-change - Whenever users change their own password, their former password will automatically be retired unless the request includes a purge password request control. Note that if the request includes a critical retire password request control, then the operation will only succeed if this property also has a value of retire-on-request-with-control.

retire-on-administrative-reset - Whenever a user's password is changed by someone else, their former password will automatically be retired unless the request includes a purge password request control. Note that if the request includes a critical retire password request control, then the operation will only succeed if this property also has a value of retire-on-request-with-control.

retire-on-request-with-control - If a password change request (whether a self change or administrative reset) includes the retire password request control, the user's former password will automatically be retired.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

max-retired-password-age (Advanced Property)

Property Group
Self Password Changes
Description
Specifies the maximum length of time that a retired password should be considered valid and may be used to authenticate to the server. If a user account contains a retired password that has exceeded its maximum age, then that retired password may be removed from the user's entry the next time the user attempts to authenticate.
Default Value
1d
Allowed Values
A duration. Lower limit is 1 milliseconds. Upper limit is 2147483647 milliseconds.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

skip-validation-for-administrators (Advanced Property)

Property Group
Administrative Password Resets
Description
Indicates whether passwords set by administrators are allowed to bypass the password validation process that is required for user password changes.
Default Value
false
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action


dsconfig Usage

To list the configured Password Policies:

dsconfig list-password-policies
     [--property {propertyName}] ...

To view the configuration for an existing Password Policy:

dsconfig get-password-policy-prop
     --policy-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Password Policy:

dsconfig set-password-policy-prop
     --policy-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new Password Policy:

dsconfig create-password-policy
     --policy-name {name}
     --set password-attribute:{propertyValue}
     --set default-password-storage-scheme:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Password Policy:

dsconfig delete-password-policy
     --policy-name {name}