An account password can be retired and rotated out of service instead of being invalidated. Retiring a password enables a new password to be assigned to an account while keeping the original password valid for a period of time to enable a transition. This is useful for application service accounts that require uninterrupted authentication with the server.
- To enable password retirement, set the password-retirement-behavior and maximum-retired-password-age properties in the password policy configuration.
To manually retire an account password or purge a password that has been retired, run the ldapmodify and ldappasswordmodify tools with subcommands --retireCurrentPassword and
To use these commands on an account, set the password-retirement-behavior property on the password policy that governs the account.
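The following added example is a small Python model of the retirement semantics described above, not the server's own code: it shows the old password staying valid only inside the transition window and being cut off early by a purge. The `Account` class, its method names, the use of PBKDF2 for storage, and the inclusive window boundary are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

def _hash(password: str, salt: bytes) -> bytes:
    # Storage scheme is an assumption of this model, not taken from the page.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    """Constructed model of one account governed by a retirement-enabled policy."""
    max_retired_age: float                           # seconds; stands in for maximum-retired-password-age
    current: Optional[Tuple[bytes, bytes]] = None    # (salt, hash) of the active password
    retired: Optional[Tuple[bytes, bytes]] = None    # (salt, hash) of the retired password
    retired_at: float = 0.0

    def set_password(self, new: str, now: float, retire: bool = True) -> None:
        # Retiring keeps the outgoing password usable for the transition;
        # without retirement the outgoing password is simply invalidated.
        if retire and self.current is not None:
            self.retired, self.retired_at = self.current, now
        else:
            self.retired = None
        salt = os.urandom(16)
        self.current = (salt, _hash(new, salt))

    def purge_retired(self) -> None:
        # Ends the transition early, e.g. when the old password is known to be exposed.
        self.retired = None

    def authenticate(self, password: str, now: float) -> Optional[str]:
        # Returns which credential matched so remaining use of the old one can be logged.
        if self.current and self._match(password, self.current):
            return "current"
        in_window = now - self.retired_at <= self.max_retired_age
        if self.retired and in_window and self._match(password, self.retired):
            return "retired"
        return None

    @staticmethod
    def _match(password: str, stored: Tuple[bytes, bytes]) -> bool:
        salt, digest = stored
        return hmac.compare_digest(_hash(password, salt), digest)
```

Logging every `"retired"` result identifies the clients that still need the new password before the window closes.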