Other password policy configuration properties
The password policy configuration also provides additional configuration properties that don’t fall into any of the previously discussed categories.
They include:
password-attribute
-
Specifies the attribute used to hold the password in the user’s account. This is userPassword by default, but it can also be set to authPassword if you want to use the authentication password schema described in RFC 3112.
require-secure-authentication
-
Indicates whether users associated with this policy are required to authenticate in a secure manner. This is false by default, but we strongly recommend setting it to true.
requires-secure-password-changes
-
Indicates whether users associated with this policy are required to change their password in a secure manner. This is false by default, but we strongly recommend setting it to true.
allow-multiple-password-values
-
Indicates whether accounts are allowed to have multiple different passwords. Although this is technically allowed by LDAP specifications, it is strongly discouraged because it can be abused to allow a user to exempt themselves from certain password policy constraints like password expiration. If a user needs different passwords for different purposes, then we recommend creating separate accounts for that user.
require-change-by-time
-
Can be used to require that all users associated with the password policy change their password by a specified time. For example, this can be used to require all users to change their passwords after a data breach.