They include:

password-attribute
Specifies the attribute used to hold the password in the user’s account. This is userPassword by default, but it can also be set to authPassword if you want to use the authentication password schema described in RFC 3112.
require-secure-authentication
Indicates whether users associated with this policy are required to authenticate in a secure manner. This is false by default, but we strongly recommend setting it to true.
requires-secure-password-changes
Indicates whether users associated with this policy are required to change their password in a secure manner. This is false by default, but we strongly recommend setting it to true.
allow-multiple-password-values
Indicates whether accounts are allowed to have multiple different passwords. Although this is technically allowed by LDAP specifications, it is strongly discouraged because it can be abused to allow a user to exempt themselves from certain password policy constraints like password expiration. If a user needs different passwords for different purposes, then we recommend creating separate accounts for that user.
require-change-by-time
Can be used to require that all users associated with the password policy change their password by a specified time. For example, this can be used to require all users to change their passwords after a data breach.