11.1.2. Subentry Based Password Policies

You manage subentry password policies by adding the subentries alongside the user data. Because the policies live in the user data rather than in the server configuration, OpenDJ can replicate subentry password policies across servers along with that data.

Subentry password policies support the Internet-Draft Password Policy for LDAP Directories (version 09). A subentry password policy effectively overrides settings in the default password policy defined in the OpenDJ configuration. Settings not supported or not included in the subentry password policy are thus inherited from the default password policy.

The following Internet-Draft password policy attributes override the corresponding default password policy settings when you set them in the subentry.

  • pwdAllowUserChange, corresponding to the OpenDJ password policy property allow-user-password-changes

  • pwdMustChange, corresponding to the OpenDJ password policy property force-change-on-reset

  • pwdGraceAuthNLimit, corresponding to the OpenDJ password policy property grace-login-count

  • pwdLockoutDuration, corresponding to the OpenDJ password policy property lockout-duration

  • pwdMaxFailure, corresponding to the OpenDJ password policy property lockout-failure-count

  • pwdFailureCountInterval, corresponding to the OpenDJ password policy property lockout-failure-expiration-interval

  • pwdMaxAge, corresponding to the OpenDJ password policy property max-password-age

  • pwdMinAge, corresponding to the OpenDJ password policy property min-password-age

  • pwdAttribute, corresponding to the OpenDJ password policy property password-attribute

  • pwdSafeModify, corresponding to the OpenDJ password policy property password-change-requires-current-password

  • pwdExpireWarning, corresponding to the OpenDJ password policy property password-expiration-warning-interval

  • pwdInHistory, corresponding to the OpenDJ password policy property password-history-count

The following Internet-Draft password policy attributes are not taken into account by OpenDJ.

  • pwdCheckQuality, as OpenDJ uses password validators instead. You configure the password validators to use in the default password policy.

  • pwdMinLength, as this is handled by the Length Based Password Validator. You can configure this as part of the default password policy.

  • pwdLockout, as OpenDJ can deduce whether lockout is configured based on the values of other lockout-related password policy attributes.
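Because OpenDJ silently ignores some Internet-Draft attributes and inherits everything else from the default policy, it is easy to load a subentry that does less than its author expects (for example, setting pwdMinLength and assuming a length check now applies). The following script is an added example, not part of the OpenDJ documentation or code base: it parses a policy subentry in LDIF, reports which OpenDJ properties the subentry actually overrides, lists the attributes OpenDJ does not act on, and flags structural problems that would stop the policy from applying. The attribute mapping is the one given in the lists above. The sample LDIF is constructed; the `subentry` and `pwdPolicy` object classes, the `subtreeSpecification` attribute and the requirement that a `pwdPolicy` entry carry `pwdAttribute` follow the Internet-Draft and RFC 3672 conventions and are assumptions here, since the page does not show a complete subentry.

```python
"""Audit an OpenDJ subentry password policy (Internet-Draft pwdPolicy) before loading it.

Added example, not OpenDJ's own code. Attribute-to-property mapping is taken from
the documentation section above; entry layout (objectClass subentry + pwdPolicy,
subtreeSpecification) is assumed from the Internet-Draft and RFC 3672.
"""

# Internet-Draft attribute -> OpenDJ password policy property it overrides
DRAFT_TO_OPENDJ = {
    "pwdAllowUserChange": "allow-user-password-changes",
    "pwdMustChange": "force-change-on-reset",
    "pwdGraceAuthNLimit": "grace-login-count",
    "pwdLockoutDuration": "lockout-duration",
    "pwdMaxFailure": "lockout-failure-count",
    "pwdFailureCountInterval": "lockout-failure-expiration-interval",
    "pwdMaxAge": "max-password-age",
    "pwdMinAge": "min-password-age",
    "pwdAttribute": "password-attribute",
    "pwdSafeModify": "password-change-requires-current-password",
    "pwdExpireWarning": "password-expiration-warning-interval",
    "pwdInHistory": "password-history-count",
}

# Attributes OpenDJ accepts in the subentry but does not act on, and where
# the equivalent control actually lives
IGNORED = {
    "pwdCheckQuality": "password-validators in the default password policy",
    "pwdMinLength": "Length Based Password Validator in the default password policy",
    "pwdLockout": "deduced by OpenDJ from the other lockout-related attributes",
}

# LDAP attribute names are case-insensitive, so match on lower-cased names
_DRAFT_LC = {k.lower(): k for k in DRAFT_TO_OPENDJ}
_IGNORED_LC = {k.lower(): k for k in IGNORED}

# Constructed sample (assumed DN layout): a lockout-focused policy for one OU.
# pwdMinLength is included on purpose to show that it is reported as ignored.
SAMPLE_LDIF = """\
dn: cn=Temp Password Policy,dc=example,dc=com
objectClass: top
objectClass: subentry
objectClass: pwdPolicy
cn: Temp Password Policy
pwdAttribute: userPassword
pwdLockout: TRUE
pwdMaxFailure: 3
pwdFailureCountInterval: 300
pwdLockoutDuration: 300
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
pwdMinLength: 8
subtreeSpecification: { base "ou=People" }
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {lower-cased attribute: [values]}.

    Handles LDIF continuation lines (leading space) and skips comments.
    Base64 ("::") values are not needed for policy attributes and are not decoded.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        else:
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def audit_policy_subentry(text):
    """Report what a subentry policy will actually change on an OpenDJ server.

    Returns a dict with keys:
      overrides - OpenDJ property -> value taken from the subentry
      ignored   - attributes present that OpenDJ does not honour
      unknown   - pwd* attributes that are neither mapped nor known-ignored
      problems  - structural issues that would stop the policy from applying
    Anything not listed under overrides is inherited from the default policy.
    """
    attrs = parse_ldif_entry(text)
    report = {"overrides": {}, "ignored": [], "unknown": [], "problems": []}

    classes = {c.lower() for c in attrs.get("objectclass", [])}
    for needed in ("subentry", "pwdpolicy"):
        if needed not in classes:
            report["problems"].append("missing objectClass %s" % needed)
    if "subtreespecification" not in attrs:
        report["problems"].append("missing subtreeSpecification: policy applies to no entries")
    if "pwdattribute" not in attrs:
        report["problems"].append("missing pwdAttribute (required by pwdPolicy)")

    for key, values in attrs.items():
        if key in _DRAFT_LC:
            report["overrides"][DRAFT_TO_OPENDJ[_DRAFT_LC[key]]] = values[0]
        elif key in _IGNORED_LC:
            canon = _IGNORED_LC[key]
            report["ignored"].append("%s (use: %s)" % (canon, IGNORED[canon]))
        elif key.startswith("pwd"):
            report["unknown"].append(key)
    return report


if __name__ == "__main__":
    result = audit_policy_subentry(SAMPLE_LDIF)
    for section in ("overrides", "ignored", "unknown", "problems"):
        print("%s: %s" % (section, result[section]))
```

Run against the sample, the audit shows six overridden properties (lockout-failure-count, lockout-duration, lockout-failure-expiration-interval, allow-user-password-changes, password-change-requires-current-password and password-attribute), reports pwdLockout and pwdMinLength as ignored, and finds no structural problems; the length requirement therefore still has to be set through the Length Based Password Validator in the default policy. Running the audit as a pre-check before `ldapmodify` loads the subentry catches this class of mistake before it reaches a replicated topology.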

Values of the following properties are inherited from the default password policy for Internet-Draft based password policies.

  • account-status-notification-handlers

  • allow-expired-password-changes

  • allow-multiple-password-values

  • allow-pre-encoded-passwords

  • default-password-storage-schemes

  • deprecated-password-storage-schemes

  • expire-passwords-without-warning

  • force-change-on-add

  • idle-lockout-interval

  • last-login-time-attribute

  • last-login-time-format

  • max-password-reset-age

  • password-generator

  • password-history-duration

  • password-validators

  • previous-last-login-time-formats

  • require-change-by-time

  • require-secure-authentication

  • require-secure-password-changes

  • skip-validation-for-administrators

  • state-update-failure-policy