password policy are stored in the entry cn=Password Policy,cn=config. Note that in
Directory Server 5.1, password policy attributes were located directly under cn=config.
Directory Server 6.0 introduces the new pwdPolicy object class. The attributes of this object
class replace the old password policy attributes. For a description of these new attributes see the
pwdPolicy(5dsoc) man page.
By default, the new password policy is backward compatible with the old password policy.
However, because backward compatibility is not guaranteed indefinitely, you should migrate to
the new password policy as soon as is convenient for your deployment. For information about
password policy compatibility, see “Password Policy Compatibility” on page 75.
The following table provides a mapping of the new password policy attributes whose values
must be migrated from the legacy attributes.
TABLE 3–3 Mapping Between 5 and 6.0 Password Policy Attributes

Legacy Directory Server Attribute       Directory Server 6.0 Attribute
- (password policy is applied to the    pwdAttribute
  userPassword attribute only.)
passwordMinAge                          pwdMinAge
passwordMaxAge                          pwdMaxAge
passwordInHistory                       pwdInHistory
passwordSyntax                          pwdCheckQuality
passwordMinLength                       pwdMinLength
passwordWarning                         pwdExpireWarning
-                                       pwdGraceLoginLimit
passwordMustChange                      pwdMustChange
passwordChange                          pwdAllowUserChange
-                                       pwdSafeModify
passwordExp                             -
passwordStorageScheme                   -
passwordExpireWithoutWarning            -
passwordLockout                         pwdLockout
passwordLockoutDuration                 pwdLockoutDuration
passwordMaxFailure                      pwdMaxFailure
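The mapping in Table 3–3 can be applied to an LDIF export of the legacy cn=config entry to see which settings carry over, which have no counterpart, and which new attributes have no legacy source. The following is an added example, not part of the original guide or of Directory Server: the function name plan_migration and the sample LDIF are constructed for illustration. Values are reported unchanged; check each one against the syntax in the pwdPolicy(5dsoc) man page before writing it to cn=Password Policy,cn=config.

```python
import base64
import re

# Attribute names copied from Table 3-3. Values are NOT translated here.
LEGACY_TO_NEW = {
    "passwordMinAge": "pwdMinAge", "passwordMaxAge": "pwdMaxAge",
    "passwordInHistory": "pwdInHistory", "passwordSyntax": "pwdCheckQuality",
    "passwordMinLength": "pwdMinLength", "passwordWarning": "pwdExpireWarning",
    "passwordMustChange": "pwdMustChange", "passwordChange": "pwdAllowUserChange",
    "passwordLockout": "pwdLockout", "passwordMaxFailure": "pwdMaxFailure",
    "passwordLockoutDuration": "pwdLockoutDuration",
}
NO_COUNTERPART = ["passwordExp", "passwordStorageScheme", "passwordExpireWithoutWarning"]
NEW_ONLY = ["pwdAttribute", "pwdGraceLoginLimit", "pwdSafeModify"]

# Constructed sample: fragment of a legacy cn=config export, with a
# mixed-case attribute name, a folded line and a base64-encoded value.
SAMPLE_LDIF = """dn: cn=config
nsslapd-port: 389
passwordMinLength: 8
passwordmaxfailure: 3
passwordLockoutDuration: 36
 00
passwordStorageScheme:: U1NIQQ==
"""

def plan_migration(ldif_text):
    """Return (carry_over, dropped, new_only) for a legacy cn=config export."""
    known = {n.lower(): n for n in list(LEGACY_TO_NEW) + NO_COUNTERPART}
    carry, dropped = {}, {}
    # LDIF folds long lines: a newline followed by one space continues the line.
    for line in re.sub(r"\r?\n ", "", ldif_text).splitlines():
        name, sep, value = line.partition(":")
        legacy = known.get(name.strip().lower())  # attribute names are case-insensitive
        if not sep or legacy is None:
            continue  # comments, dn lines and attributes outside the table
        if value.startswith(":"):  # "attr:: ..." marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        if legacy in LEGACY_TO_NEW:
            carry[LEGACY_TO_NEW[legacy]] = (legacy, value.strip())
        else:
            dropped[legacy] = value.strip()
    return carry, dropped, NEW_ONLY

if __name__ == "__main__":
    for part in plan_migration(SAMPLE_LDIF):
        print(part)
```

Attributes returned in the second element have no Directory Server 6.0 counterpart in the table and need a separate decision, and the third lists the new attributes that must be set without a legacy value to start from.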
Migrating Configuration Data Manually
Chapter 3 • Migrating Directory Server Manually 43
Sun Confidential: Registered