The following example shows how to create a user-defined virtual attribute that assigns an Employee Password Policy to any entry that matches the filter "(employeeType=employee)".

  1. Run dsconfig to configure the user-defined virtual attribute. Specify the connection port, bind DN, password, and host information. Then type the LDAP connection parameter for your Directory Server: 1 for LDAP, 2 for SSL, 3 for StartTLS.
  2. On the Directory Server main menu, type o to change the object menu, and then type the number to select Standard.
  3. On the Directory Server main menu, type the number corresponding to virtual attributes.
  4. On the Virtual Attribute management menu, type the number to create a new virtual attribute.
  5. Next, you can use an existing virtual attribute as a template for your new attribute, or you can create a new attribute from scratch. In this example, type n to create a new Virtual Attribute from scratch.
  6. On the Virtual Attribute Type menu, enter a number corresponding to the type of virtual attribute that you want to create. In this example, type the number corresponding to User Defined Virtual Attribute.
  7. Next, enter a name for the new virtual attribute. In this example, enter "Employee Password Policy Assignment".
  8. On the Enabled Property menu, enter the number to set the property to true (enable).
  9. On the Attribute-Type Property menu, type the attribute-type property for the new virtual attribute. You can enter the OID number or attribute name. The attribute-type property must conform to your schema. For this example, type "ds-pwp-password-policy-dn".
  10. Enter the value for the virtual attribute. In this example, enter cn=Employee Password Policy,cn=Password Policies,cn=config, and then press Enter or Return to continue.
  11. On the User Defined Virtual Attributes menu, enter a description for the virtual attribute. Though optional, this step is useful if you plan to create a lot of virtual attributes. Enter the option to change the value, and then type a description of the virtual attribute. In this example, enter: Virtual attribute that assigns the Employee Password Policy to all entries that match (employeeType=employee).
  12. On the User Defined Virtual Attribute menu, type the number corresponding to the filter.
  13. On the Filter Property menu, enter the option to add one or more filter properties, type the filter, and then press Enter to continue. In this example, type (employeeType=employee). Then type the number to use the filter value entered.
  14. On the User Defined Virtual Attribute menu, type f to finish creating the virtual attribute.
  15. Verify that the attribute was created successfully. Add the employeeType=employee attribute to an entry (e.g., uid=user.0) using ldapmodify. Add the employeeType=contractor attribute to another entry (e.g., uid=user.1).
  16. Use ldapsearch to search for the user with the employeeType=employee attribute (e.g., uid=user.0). You will notice the ds-pwp-password-policy-dn attribute has the assigned password policy as its value.
    $ bin/ldapsearch --baseDN dc=example,dc=com "(uid=user.0)" \
      ds-pwp-password-policy-dn
    dn: uid=user.0,ou=People,dc=example,dc=com
    ds-pwp-password-policy-dn: cn=Employee Password Policy,cn=Password Policies,cn=config
  17. Run ldapsearch again using the filter "(uid=user.1)". The ds-pwp-password-policy-dn attribute will not be present in the entry, because the entry has employeeType=contractor and therefore does not match the virtual attribute's filter.
    $ bin/ldapsearch --baseDN dc=example,dc=com "(uid=user.1)" \
      ds-pwp-password-policy-dn
    dn: uid=user.1,ou=People,dc=example,dc=com
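
To repeat the check from steps 15 through 17 across many entries, the following Python sketch (an added example, not part of the product documentation) parses ldapsearch output that requested employeeType and ds-pwp-password-policy-dn, and reports entries whose assigned policy disagrees with the filter. The sample LDIF, the uid=user.2 entry, and the function names are constructed for illustration; base64-encoded (attr::) values and escaped commas in DNs are not handled.

```python
EXPECTED_POLICY = "cn=Employee Password Policy,cn=Password Policies,cn=config"

# Constructed ldapsearch output; uid=user.2 is invented to show a coverage gap.
SAMPLE_LDIF = """\
dn: uid=user.0,ou=People,dc=example,dc=com
employeeType: employee
ds-pwp-password-policy-dn: cn=Employee Password Policy,cn=Password Policies,
 cn=config

dn: uid=user.1,ou=People,dc=example,dc=com
employeeType: contractor

dn: uid=user.2,ou=People,dc=example,dc=com
employeeType: employee
"""

def parse_ldif(text):
    """Parse LDIF into a list of {lowercased attribute: [values]} dicts."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]              # unfold a wrapped LDIF line
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical + [""]:                 # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):          # skip LDIF comment lines
            name, _, value = line.partition(":")
            current.setdefault(name.lower(), []).append(value.strip())
    return entries

def norm_dn(dn):
    """Simplified DN comparison form (case and spacing only)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def audit(entries, expected=EXPECTED_POLICY):
    """Return (dn, problem) pairs where policy assignment disagrees with employeeType."""
    findings = []
    for e in (e for e in entries if "dn" in e):
        employee = "employee" in [v.lower() for v in e.get("employeetype", [])]
        assigned = norm_dn(expected) in map(norm_dn, e.get("ds-pwp-password-policy-dn", []))
        if employee != assigned:
            problem = "employee without" if employee else "non-employee with"
            findings.append((e["dn"][0], f"{problem} Employee Password Policy"))
    return findings
```

Calling audit(parse_ldif(output)) on saved ldapsearch output returns an empty list when every employee entry, and only employee entries, carries the Employee Password Policy.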