Whenever a password is set through an add operation, a modify operation, or a password modify extended operation, and when clear-text passwords are included in entries imported from LDIF, the server uses a component called a password storage scheme to encode that password. Whenever a client attempts a password-based bind, the password storage scheme determines whether the password included in the bind request matches one stored in the user’s entry.

The server allows users to authenticate with passwords encoded using any scheme that the server supports. However, when storing a new password, it uses the default-password-storage-scheme property in the password policy configuration to determine which scheme encodes that password. Although it is technically possible to have multiple default schemes enabled simultaneously within the same password policy, enable only one scheme at a time unless you need to synchronize encoded passwords to multiple systems that require different encodings.
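
The split described above (verify with any supported scheme, encode new passwords with the default one only) can be sketched as follows. This is an added example, not the server's own code: the scheme names, the `{SCHEME}` tag prefix on stored values, the salt size, and the iteration count are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os

SALT_LEN = 16  # assumed salt size for this sketch

# Schemes this toy "server" supports (hypothetical names and parameters).
SCHEMES = {
    "SSHA256": lambda pw, salt: hashlib.sha256(pw + salt).digest(),
    "PBKDF2": lambda pw, salt: hashlib.pbkdf2_hmac("sha256", pw, salt, 100_000),
}


class PasswordPolicy:
    def __init__(self, default_scheme: str):
        if default_scheme not in SCHEMES:
            raise ValueError(f"unsupported scheme: {default_scheme}")
        self.default_scheme = default_scheme

    def encode(self, password: str) -> str:
        """New passwords are always encoded with the policy's default scheme."""
        salt = os.urandom(SALT_LEN)
        digest = SCHEMES[self.default_scheme](password.encode(), salt)
        blob = base64.b64encode(salt + digest).decode()
        return "{" + self.default_scheme + "}" + blob

    def verify(self, password: str, stored: str) -> bool:
        """A bind is checked with whichever supported scheme encoded the value."""
        if not stored.startswith("{") or "}" not in stored:
            return False  # untagged value: no scheme to dispatch to
        name, _, blob = stored[1:].partition("}")
        scheme = SCHEMES.get(name)
        if scheme is None:
            return False  # encoded by a scheme this server does not support
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:
            return False  # malformed encoding
        salt, digest = raw[:SALT_LEN], raw[SALT_LEN:]
        return hmac.compare_digest(scheme(password.encode(), salt), digest)


if __name__ == "__main__":
    legacy = PasswordPolicy("SSHA256").encode("constructed-sample-pw")
    policy = PasswordPolicy("PBKDF2")  # default changed after the entry was written
    print(policy.verify("constructed-sample-pw", legacy))  # old encoding still binds
    print(policy.encode("constructed-sample-pw").split("}")[0] + "}")  # new tag
```

Changing the default scheme therefore does not invalidate existing credentials: entries keep their old encoding until the password is next set.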