An account password can be retired and rotated out of service instead of being immediately invalidated. This allows a new password to be assigned to an account while the original password remains valid for a limited period, so that clients can transition to the new credential. This is useful for application service accounts that require uninterrupted authentication with the server.

This behavior is disabled by default, but can be enabled in the password policy configuration by setting the password-retirement-behavior and maximum-retired-password-age properties.

To manually retire an account password, or to purge a password that has already been retired, use the ldapmodify and ldappasswordmodify commands with the --retireCurrentPassword and --purgeCurrentPassword options. To use these options on an account, the password policy that governs the account must have password-retirement-behavior enabled.
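The following script is an added example and is not part of the PingDirectory documentation or product. It walks through the procedure above for a service account: enabling retirement on the governing password policy with dsconfig, rotating the password with ldappasswordmodify while retiring the old one, and purging the retired password early with ldapmodify. It assumes the dsconfig, ldappasswordmodify and ldapmodify tools are on PATH; the host, port, bind DN, policy name, account DN and file paths are constructed sample values, and the value passed for password-retirement-behavior is a placeholder to be replaced with one listed in dsconfig's help for the password-policy component. By default the script only prints the commands it would run (DRY_RUN=1); set DRY_RUN=0 to execute them against a server.

```shell
#!/bin/sh
# Added example; not part of the PingDirectory documentation this page comes from.
# Assumes the PingDirectory tools dsconfig, ldappasswordmodify and ldapmodify are
# on PATH. Host, port, bind DN, policy name and file paths below are constructed
# sample values.
HOST="${PD_HOST:-localhost}"
PORT="${PD_PORT:-1389}"
BIND_DN="${PD_BIND_DN:-cn=Directory Manager}"
BIND_PW_FILE="${PD_BIND_PW_FILE:-/run/secrets/dirmgr.pw}"

# Print each tool invocation instead of executing it unless DRY_RUN=0, so the
# commands can be reviewed (and the script tested) without a running server.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Enable retirement on a password policy.
#   $1  policy name
#   $2  value for password-retirement-behavior (take it from dsconfig's help
#       for the password-policy component; the placeholder used in the demo
#       below is not a real value)
#   $3  maximum-retired-password-age as a dsconfig duration, e.g. "7 d"
enable_password_retirement() {
  run dsconfig set-password-policy-prop \
    --hostname "$HOST" --port "$PORT" \
    --bindDN "$BIND_DN" --bindPasswordFile "$BIND_PW_FILE" --no-prompt \
    --policy-name "$1" \
    --set "password-retirement-behavior:$2" \
    --set "maximum-retired-password-age:$3"
}

# Set a new password for an account while retiring, not invalidating, the one it
# currently has. Clients keep authenticating with either password until the
# retired one ages out (maximum-retired-password-age) or is purged. The new
# password is read from a file so it never appears in the process list.
#   $1  DN of the account   $2  file holding the new password
rotate_password_with_retirement() {
  run ldappasswordmodify \
    --hostname "$HOST" --port "$PORT" \
    --bindDN "$BIND_DN" --bindPasswordFile "$BIND_PW_FILE" \
    --authzID "dn:$1" \
    --newPasswordFile "$2" \
    --retireCurrentPassword
}

# Purge the retired password before it ages out, e.g. once every client has been
# confirmed on the new credential. The purge option rides on a modify request;
# here the accompanying LDIF only rewrites the entry's description (constructed).
#   $1  DN of the account
purge_retired_password() {
  run ldapmodify \
    --hostname "$HOST" --port "$PORT" \
    --bindDN "$BIND_DN" --bindPasswordFile "$BIND_PW_FILE" \
    --purgeCurrentPassword <<EOF
dn: $1
changetype: modify
replace: description
description: retired password purged after credential rotation
EOF
}

# Demo: `sh rotate.sh demo` prints the three commands; `DRY_RUN=0 sh rotate.sh demo` runs them.
if [ "${1:-}" = "demo" ]; then
  SVC_DN="uid=svc-billing,ou=Service Accounts,dc=example,dc=com"  # constructed
  enable_password_retirement "Default Password Policy" \
    "${PD_RETIRE_BEHAVIOR:-<value-from-dsconfig-help>}" "7 d"
  rotate_password_with_retirement "$SVC_DN" /run/secrets/svc-billing.new
  purge_retired_password "$SVC_DN"
fi
```

The order matters operationally: rotate first, let the application fleet pick up the new credential, confirm in the access log that no client still binds with the old one, and only then purge. Leaving the retired password in place until maximum-retired-password-age expires is the safe default; purging early is for the case where the old credential is known to have leaked.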