Password policy settings

Use this information to set the password policy.

Password policy is a set of rules that controls how passwords are used and administered in Directory Server. These rules ensure that users change their passwords periodically and that passwords meet the syntactic requirements of an organization. They can also restrict the reuse of old passwords and lock users out after a defined number of failed bind attempts.

When an administrator turns on password policy, the server generates the ibm-pwdPolicyStartTime attribute. This attribute is optional and cannot be deleted or modified by an ordinary client request; only an administrator can modify it. Its value is reset each time an administrator turns the password policy off and on again. The server evaluates the time at which a user entry's password was last changed from the entry's modifyTimestamp together with ibm-pwdPolicyStartTime, so resetting the start time can change that evaluation. As a result, a password that had already expired might no longer be treated as expired after the password policy is turned off and on.
Note: A password policy entry must exist before it can be associated with a user or group entry as an individual or group password policy. If the referenced password policy entry does not exist, the server returns an unwilling to perform result. While a password policy entry is referenced by a user or group entry, it cannot be renamed or deleted; the association between the policy entry and the user or group entry must be removed first.
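The following Python script is an added example, not code from the Directory Server documentation or product. It illustrates the caveat above: when the policy start time is reset, the age of a password is measured from a later point, so a password that was expired can be treated as fresh. The script assumes, for illustration only, that the effective last-change time is the later of the entry's modifyTimestamp and ibm-pwdPolicyStartTime, that the maximum age comes from a pwdMaxAge value in seconds, and that timestamps are LDAP GeneralizedTime in UTC (YYYYMMDDHHMMSSZ). The entries, timestamps and DNs are constructed sample data. An administrator can run the same check over exported entries before toggling the policy to see which users would stop being prompted to change an old password.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime in the UTC form YYYYMMDDHHMMSSZ."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def effective_last_change(modify_timestamp: str,
                          policy_start_time: Optional[str]) -> datetime:
    """Assumed model: password age counts from the later of modifyTimestamp
    and ibm-pwdPolicyStartTime. With no start time (policy never turned on)
    only modifyTimestamp is used."""
    changed = parse_generalized_time(modify_timestamp)
    if policy_start_time is None:
        return changed
    return max(changed, parse_generalized_time(policy_start_time))


def password_expired(modify_timestamp: str, policy_start_time: Optional[str],
                     pwd_max_age_seconds: int, now: datetime) -> bool:
    """True when the password is older than pwdMaxAge (assumed to be seconds)."""
    age = now - effective_last_change(modify_timestamp, policy_start_time)
    return age > timedelta(seconds=pwd_max_age_seconds)


def unexpired_by_toggle(entries: List[Tuple[str, str]], old_start: str,
                        new_start: str, pwd_max_age_seconds: int,
                        now: datetime) -> List[str]:
    """Return the DNs whose password was expired under the old start time but
    is no longer expired once the policy is turned off and on again."""
    return [
        dn for dn, modify_ts in entries
        if password_expired(modify_ts, old_start, pwd_max_age_seconds, now)
        and not password_expired(modify_ts, new_start, pwd_max_age_seconds, now)
    ]


# Constructed sample data (hypothetical DNs and timestamps, not from any server).
PWD_MAX_AGE_SECONDS = 90 * 24 * 3600          # assumed pwdMaxAge of 90 days
OLD_START = "20230301000000Z"                  # ibm-pwdPolicyStartTime before toggle
NEW_START = "20240601000000Z"                  # ibm-pwdPolicyStartTime after toggle
NOW = parse_generalized_time("20240601120000Z")
SAMPLE_ENTRIES = [
    ("uid=alice,ou=people,o=example", "20230101120000Z"),  # old password
    ("uid=bob,ou=people,o=example", "20240515080000Z"),    # changed 17 days ago
    ("uid=carol,ou=people,o=example", "20240601090000Z"),  # changed after toggle
]


def main() -> None:
    for dn, ts in SAMPLE_ENTRIES:
        before = password_expired(ts, OLD_START, PWD_MAX_AGE_SECONDS, NOW)
        after = password_expired(ts, NEW_START, PWD_MAX_AGE_SECONDS, NOW)
        print(f"{dn}: expired before toggle={before}, after toggle={after}")
    print("no longer expired after toggle:",
          unexpired_by_toggle(SAMPLE_ENTRIES, OLD_START, NEW_START,
                              PWD_MAX_AGE_SECONDS, NOW))


if __name__ == "__main__":
    main()
```

In the sample, alice's password is well past 90 days under the old start time but is measured from the new start time after the toggle, so it stops being reported as expired; bob and carol are unaffected because their own modifyTimestamp is later than either start time.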

For more information about passwords, see Password Guidelines.

Directory Server provides three types of password policies: individual, group, and global password policies.