-.\" $OpenLDAP$
+.TH SLAPO_PPOLICY 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 2004-2009 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
-.TH SLAPO_PPOLICY 5 "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" $OpenLDAP$
.SH NAME
-slapo-ppolicy \- Password Policy overlay to slapd
+slapo\-ppolicy \- Password Policy overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
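Review bot: the reordering at the top of the file (`.TH` moved above the copyright comment, `.\" $OpenLDAP$` moved below it) is given no reason and is unrelated to the hyphen escaping on the NAME line. Either say why the header order matters, or split it out so that the `slapo\-ppolicy` escaping and the new directive's documentation can be reviewed separately.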
use of a backend database, changes to user password fields, etc.
.P
The overlay provides a variety of password control mechanisms. They
-include password aging--both minimum and maximum ages, password
+include password aging -- both minimum and maximum ages, password
reuse and duplication control, account time-outs, mandatory password
resets, acceptable password content, and even grace logins.
Different groups of users may be associated with different password
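Review bot: style point on `aging -- both`: adding spaces still leaves two bare hyphens, while the rest of this patch takes care to escape hyphens explicitly. If a dash is intended here, use the roff em-dash escape `\(em`; if two literal hyphens are intended, write them as `\-\-` so the treatment matches the other changes.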
set on a given user's entry. If there is no specific policy for an entry
and no default is given, then no policies will be enforced.
.TP
+.B ppolicy_forward_updates
+Specify that policy state changes that result from Bind operations (such
+as recording failures, lockout, etc.) on a consumer should be forwarded
+to a master instead of being written directly into the consumer's local
+database. This setting is only useful on a replication consumer, and
+also requires the
+.B updateref
+setting and
+.B chain
+overlay to be appropriately configured.
+.TP
.B ppolicy_hash_cleartext
Specify that cleartext passwords present in Add and Modify requests should
be hashed before being stored in the database. This violates the X.500/LDAP
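Review bot: the new `ppolicy_forward_updates` paragraph does not state the default, nor what happens to a Bind failure or lockout record when the master cannot be reached. Since the text says this state is otherwise written to the consumer's local database, an administrator relying on lockout across replicas needs both facts to judge the setting. "Appropriately configured" is also too vague for the `chain` requirement: reference the page inline, e.g. `.BR slapo\-chain (5)`, and say which of `updateref` and `chain` must be set on the consumer.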
NAME 'pwdMinAge'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdMaxAge
NAME 'pwdMaxAge'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdInHistory
NAME 'pwdInHistory'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdCheckQuality
NAME 'pwdCheckQuality'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdMinLength
NAME 'pwdMinLength'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdExpireWarning
NAME 'pwdExpireWarning'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdGraceAuthnLimit
NAME 'pwdGraceAuthnLimit'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdLockout
NAME 'pwdLockout'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdLockoutDuration
NAME 'pwdLockoutDuration'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdMaxFailure
NAME 'pwdMaxFailure'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdFailureCountInterval
NAME 'pwdFailureCountInterval'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdMustChange
NAME 'pwdMustChange'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdAllowUserChange
NAME 'pwdAllowUserChange'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdSafeModify
NAME 'pwdSafeModify'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdCheckModule
NAME 'pwdCheckModule'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.P
Note:
this object'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
- SINGLE-VALUE
- NO-USER-MODIFICATION
+ SINGLE\-VALUE
+ NO\-USER\-MODIFICATION
USAGE directoryOperation)
.RE
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
- SINGLE-VALUE
- NO-USER-MODIFICATION
+ SINGLE\-VALUE
+ NO\-USER\-MODIFICATION
USAGE directoryOperation)
.RE
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
- SINGLE-VALUE
- NO-USER-MODIFICATION
+ SINGLE\-VALUE
+ NO\-USER\-MODIFICATION
USAGE directoryOperation)
.RE
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
- NO-USER-MODIFICATION
+ NO\-USER\-MODIFICATION
USAGE directoryOperation )
.RE
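Review bot: minor consistency point on the context line `USAGE directoryOperation )` in this hunk: the neighbouring operational attribute definitions close with `USAGE directoryOperation)` (no space before the parenthesis). As the patch already touches every one of these definitions for the `NO\-USER\-MODIFICATION` escaping, it would be a good moment to normalise the closing parenthesis to one form.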
DESC 'The history of user passwords'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
EQUALITY octetStringMatch
- NO-USER-MODIFICATION
+ NO\-USER\-MODIFICATION
USAGE directoryOperation)
.RE
DESC 'The timestamps of the grace login once the password has expired'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
- NO-USER-MODIFICATION
+ NO\-USER\-MODIFICATION
USAGE directoryOperation)
.RE
been reset'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
- SINGLE-VALUE
+ SINGLE\-VALUE
USAGE directoryOperation)
.RE
.nf
database bdb
suffix dc=example,dc=com
-\...
+\|...
overlay ppolicy
ppolicy_default "cn=Standard,ou=Policies,dc=example,dc=com"
.fi
.SH SEE ALSO
.BR ldap (3),
.BR slapd.conf (5),
-.BR slapd\-config (5).
+.BR slapd\-config (5),
+.BR slapo\-chain (5).
.LP
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
.LP
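Review bot: in the `.nf` example, `\|...` guards the leading dot with a narrow-space escape, which adds a small horizontal offset in typeset output; the zero-width `\&...` is the usual way to protect a line that starts with a dot and keeps the example aligned. Separately, the example still shows only `ppolicy_default`; since this patch documents `ppolicy_forward_updates` and adds `slapo\-chain (5)` to SEE ALSO, a consumer-side example line for the new directive would be worth adding here.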