Each user is associated with a password policy that governs their activity in the server, and different users can have different password policies.
Whenever the server processes an operation that attempts to authenticate a user, change their password, or interact with their password policy state in some way, it needs to select an appropriate password policy to use for that processing.
A user can be associated with a password policy through the
ds-pwp-password-policy-dn operational attribute. If this attribute
exists in the user’s entry and refers to a valid password policy, then the user is
subject to that password policy. If that attribute exists but refers to a nonexistent
policy, then that user is unable to authenticate or be used as an alternate
authorization identity. If a user’s entry does not include the
ds-pwp-password-policy-dn operational attribute, then that user is
subject to the server’s default password policy, which is specified by the
default-password-policy property in the global configuration.
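
The three selection rules above can be checked offline against an LDIF export. The following Python code is an added example, not part of the original documentation or the server's own code. The sample LDIF, the policy names, and the function names are constructed for illustration, and it assumes the export explicitly requested the operational attribute and contains no base64-encoded values.

```python
import re

# Constructed sample export (not from the original page). The operational
# attribute only appears in an export if it was requested explicitly.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
ds-pwp-password-policy-dn: cn=Admin Policy,cn=Password Policies,cn=config

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob

dn: uid=carol,ou=People,dc=example,dc=com
ds-pwp-password-policy-dn: cn=Retired Policy,cn=Password Policies,
 cn=config

dn: uid=dave,ou=People,dc=example,dc=com
ds-pwp-password-policy-dn: CN=admin policy, CN=Password Policies, CN=config
"""

ATTR = "ds-pwp-password-policy-dn"

def norm_dn(dn):
    """Approximate DN normalisation: case-fold, trim spaces around , and =."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()

def parse_ldif(text):
    """Yield (dn, {attr: [values]}) per entry, unfolding continuation lines."""
    text = re.sub(r"\n ", "", text)  # undo RFC 2849 line folding
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            yield attrs["dn"][0], attrs

def audit(text, known_policies, default_policy):
    """Map each user DN to (status, policy DN) following the rules above."""
    known = {norm_dn(p) for p in known_policies}
    result = {}
    for dn, attrs in parse_ldif(text):
        values = attrs.get(ATTR)
        if not values:  # attribute absent: default policy applies
            result[dn] = ("default", default_policy)
        elif norm_dn(values[0]) in known:  # refers to a valid policy
            result[dn] = ("explicit", values[0])
        else:  # dangling reference: this user cannot authenticate
            result[dn] = ("invalid", values[0])
    return result
```

Entries reported as `invalid` are the ones that cannot authenticate or be used as an alternate authorization identity until the reference is corrected.
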
The ds-pwp-password-policy-dn operational attribute can be
either real or virtual. You can explicitly set a value for the attribute in a user’s
entry, but it is also possible to have the server generate a value for that attribute
based on some criteria using the virtual attribute subsystem. For example, you could use
a virtual attribute to automatically assign the same password policy to all members of a
specified group or to all users in a specified portion of the DIT.
A user should not be conditionally subjected to different password policies under
different circumstances. While it is technically possible to use virtual attributes
that assign different values to the same attribute under different conditions, this
capability should not be used for the
For example, you should not attempt to detect which application has issued a request and select a password policy based on that application. The server only maintains one set of password policy state for each user, and attempting to access the same user under different password policies might have unexpected adverse effects and can introduce security risks.