Retiring a password
About this task
An account password can be retired and rotated out of service instead of being invalidated. Retiring a password enables a new password to be assigned to an account while keeping the original password valid for a period of time to enable a transition. This is useful for application service accounts that require uninterrupted authentication with the server.
Steps
- To enable password retirement, set the password-retirement-behavior and maximum-retired-password-age properties in the password policy configuration.
- To manually retire an account password or purge a password that has been retired, run the ldapmodify and ldappasswordmodify tools with subcommands --retireCurrentPassword and --purgeCurrentPassword.
  To use these commands on an account, enable the password-retirement-behavior property on the password policy that governs the account.