You can automatically assign a custom password policy for a set of users using a virtual attribute. You can configure the virtual attribute so that it uses a range of criteria for selecting the entries for which the virtual attribute should appear.

  1. Create an LDIF file, which you can use to add a group to the server.
    dn: ou=Groups,dc=example,dc=com
    objectClass: organizationalunit
    objectClass: top
    ou: Groups

    dn: cn=Engineering Managers,ou=groups,dc=example,dc=com
    objectClass: groupOfUniqueNames
    objectClass: top
    cn: Engineering Managers
    uniqueMember: uid=user.0,ou=People,dc=example,dc=com
    ou: groups
  2. To add the entries to the server, run the ldapmodify tool.
    $ bin/ldapmodify --defaultAdd --filename groups.ldif
  3. To create a virtual attribute, run dsconfig.

    This virtual attribute adds the ds-pwp-password-policy-dn attribute with a value of cn=Demo Password Policy,cn=Password Policies,cn=config to the entries for all users that are members of the cn=Engineering Managers,ou=Groups,dc=example,dc=com group.

    $ bin/dsconfig create-virtual-attribute \
      --name "Eng Mgrs Password Policy" \
      --type user-defined \
      --set "description:Eng Mgrs Grp PWPolicy" \
      --set enabled:true \
      --set attribute-type:ds-pwp-password-policy-dn \
      --set "value:cn=Demo Password Policy,cn=Password Policies,cn=config" \
      --set "group-dn:cn=Engineering Managers,ou=Groups,dc=example,dc=com"
  4. To verify that a user in the group contains the assigned password policy distinguished name (DN), run the ldapsearch tool.
    $ bin/ldapsearch --baseDN dc=example,dc=com "(uid=user.0)" \
      ds-pwp-password-policy-dn
    dn: uid=user.0,ou=People,dc=example,dc=com
    ds-pwp-password-policy-dn: cn=Demo Password Policy,cn=Password Policies,cn=config
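Step 4 verifies a single user. The following Python script is an added example, not part of this page or of the directory server's own tooling: it reads the group entry and the members' ldapsearch output (both embedded here as constructed sample text, not captured from a real server) and reports, for every uniqueMember, whether the expected ds-pwp-password-policy-dn is present, absent, or set to some other policy. The LDIF parser unfolds continuation lines and decodes base64 (`::`) values, and DNs are normalized before comparison because the page itself writes the group DN both as ou=groups and ou=Groups. The normalization assumes case-ignore RDN values such as cn, uid, ou and dc and does not handle escaped commas or multi-valued RDNs.

```python
import base64

# Constructed sample: the group entry as a directory search would return it,
# with two members and one DN folded across a continuation line.
GROUP_LDIF = """\
dn: cn=Engineering Managers,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: top
cn: Engineering Managers
uniqueMember: uid=user.0,ou=People,dc=example,dc=com
uniqueMember: uid=user.1,ou=People,
 dc=example,dc=com
ou: groups
"""

# Constructed sample: search output for the members, requesting only
# ds-pwp-password-policy-dn. user.0 carries the expected policy; user.1 does not.
MEMBER_SEARCH_LDIF = """\
dn: uid=user.0,ou=People,dc=example,dc=com
ds-pwp-password-policy-dn: cn=Demo Password Policy,cn=Password Policies,cn=config

dn: uid=user.1,ou=People,dc=example,dc=com
"""

EXPECTED_POLICY_DN = "cn=Demo Password Policy,cn=Password Policies,cn=config"


def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts.

    Lines starting with a space continue the previous line; "attr:: <b64>"
    values are base64-decoded. Attribute names are lowercased because LDAP
    attribute types are case-insensitive.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # unfold continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:  # trailing "" flushes the last entry
        if not line or line.startswith("#"):
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue  # not an attribute line; ignore
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.lower(), []).append(value)
    return entries


def normalize_dn(dn):
    """Lowercase a DN and strip whitespace around ',' and '=' so that DNs
    differing only in case or spacing compare equal (assumes case-ignore
    RDN values; escaped commas and multi-valued RDNs are not handled)."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def check_policy_assignment(group_ldif, search_ldif, expected_policy_dn):
    """Map each normalized member DN to 'ok', 'missing' (no policy attribute
    or member absent from the search output), or 'unexpected: <dn list>'."""
    members = [normalize_dn(m)
               for entry in parse_ldif(group_ldif)
               for m in entry.get("uniquemember", [])]
    by_dn = {normalize_dn(e["dn"][0]): e
             for e in parse_ldif(search_ldif) if "dn" in e}
    expected = normalize_dn(expected_policy_dn)
    report = {}
    for member in members:
        entry = by_dn.get(member)
        policies = entry.get("ds-pwp-password-policy-dn", []) if entry else []
        if not policies:
            report[member] = "missing"
        elif all(normalize_dn(p) == expected for p in policies):
            report[member] = "ok"
        else:
            report[member] = "unexpected: " + ", ".join(policies)
    return report


if __name__ == "__main__":
    for member, status in check_policy_assignment(
            GROUP_LDIF, MEMBER_SEARCH_LDIF, EXPECTED_POLICY_DN).items():
        print(f"{status:10s} {member}")
```

In practice the two sample strings would be replaced by the output of an ldapsearch on the group entry and an ldapsearch over the members requesting ds-pwp-password-policy-dn; a member reported as "missing" after a group change is the case to investigate first, since that user is being evaluated against the default policy rather than the one the virtual attribute was meant to assign.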