An account password can be retired instead of being invalidated at once. Retiring a password assigns a new password to the account while the previous one stays valid for a limited period, so that clients can be moved to the new credential in stages. This is useful for application service accounts that must keep authenticating to the server without interruption while the new password is rolled out to every instance. Because the retired password still authenticates until its age limit expires, purge it as soon as every client has switched rather than waiting for it to expire on its own.

  • To enable password retirement, set the password-retirement-behavior and maximum-retired-password-age properties in the password policy configuration.
  • To manually retire an account password, or to purge a password that has already been retired, run the ldapmodify or ldappasswordmodify tool with the --retireCurrentPassword or --purgeCurrentPassword argument. Each argument attaches the corresponding request control to the password change.

    For these arguments to take effect on an account, the password-retirement-behavior property of the password policy that governs the account must allow a password to be retired when that request control is present.