Password policy settings
Use this information to set the password policy.
Password policy is a set of rules that controls how passwords are used and administered in Directory Server. These rules are made to ensure that users change their passwords periodically, and that the passwords meet the syntactic password requirements of an organization. These rules can also restrict the reuse of old passwords and ensure that users are locked out after a defined number of failed bind attempts.
When an administrator sends a request to turn on password policy, the ibm-pwdPolicyStartTime attribute is generated by the server. This attribute is an optional attribute, which cannot be deleted or modified by a client request. Only administrators with administrative control can modify the ibm-pwdPolicyStartTime attribute. The value of this attribute is changed when the password policy is turned on and off by an administrator: each time the policy is turned on and off, the value of the attribute is reset. The last changed time of a user entry, which is evaluated based on the modifyTimestamp of the entry and the ibm-pwdPolicyStartTime value, might therefore change. As a result, some old passwords that are already expired might not expire when the password policy is turned off and on.
Note: A password policy entry must be created before it can be associated with a user or a group entry as an individual or a group password policy. If the referenced password policy entry does not exist, an "unwilling to perform" message is returned. When a password policy entry is referenced by a user or group entry, it cannot be renamed or deleted unless the association between the entry and the user or group entry is removed.
For more information about passwords, see Password Guidelines.
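The side effect described above, where turning the policy off and on keeps already-expired passwords from expiring, can be checked offline against exported entries. The following is an added example, not IBM's code: it assumes the last changed time is the later of modifyTimestamp and ibm-pwdPolicyStartTime, and that the maximum password age is the policy's pwdMaxAge value in seconds. The DNs and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

def parse_gt(value):
    """Parse a UTC LDAP GeneralizedTime such as 20240101120000Z (fractions ignored)."""
    return datetime.strptime(value[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def last_changed(entry, policy_start):
    # Assumption: the effective last changed time is the later of the entry's
    # modifyTimestamp and the policy's ibm-pwdPolicyStartTime.
    return max(parse_gt(entry["modifyTimestamp"]), parse_gt(policy_start))

def is_expired(entry, policy_start, max_age_seconds, now):
    age = now - last_changed(entry, policy_start)
    return age > timedelta(seconds=max_age_seconds)

def masked_by_toggle(entries, old_start, new_start, max_age_seconds, now):
    """Return DNs that were expired under the old start time but are not
    expired after ibm-pwdPolicyStartTime was reset by an off/on toggle."""
    return [
        e["dn"] for e in entries
        if is_expired(e, old_start, max_age_seconds, now)
        and not is_expired(e, new_start, max_age_seconds, now)
    ]

# Constructed sample data (not taken from a real directory).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
MAX_AGE = 90 * 24 * 3600              # assumed pwdMaxAge: 90 days in seconds
OLD_START = "20230101000000Z"         # ibm-pwdPolicyStartTime before the toggle
NEW_START = "20240520000000Z"         # value after the policy was turned off and on
ENTRIES = [
    {"dn": "uid=alice,ou=people,o=sample", "modifyTimestamp": "20240101120000Z"},
    {"dn": "uid=bob,ou=people,o=sample", "modifyTimestamp": "20240510083000Z"},
    {"dn": "uid=carol,ou=people,o=sample", "modifyTimestamp": "20220315000000.000000Z"},
]

if __name__ == "__main__":
    for dn in masked_by_toggle(ENTRIES, OLD_START, NEW_START, MAX_AGE, NOW):
        print("expiry deferred by policy toggle:", dn)
```

Accounts reported here are candidates for a forced password change after the policy has been turned off and on.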
Directory Server provides three types of password policies: individual, group, and global password policies.