X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=doc%2Fman%2Fman5%2Fslapo-ppolicy.5;h=2bb99e4af79211fd0138558a11bb0d53013594d5;hb=80526326891ed511e7842d46b8699e1037c5583e;hp=9d098b7ed13a23dc7b5a640b3588f05b993ba2d1;hpb=8f7ec6b6cab0d6fbcf7bec4c59802a04c50d0945;p=openldap diff --git a/doc/man/man5/slapo-ppolicy.5 b/doc/man/man5/slapo-ppolicy.5 index 9d098b7ed1..2bb99e4af7 100644 --- a/doc/man/man5/slapo-ppolicy.5 +++ b/doc/man/man5/slapo-ppolicy.5 @@ -1,9 +1,9 @@ -.\" $OpenLDAP$ +.TH SLAPO_PPOLICY 5 "RELEASEDATE" "OpenLDAP LDVERSION" .\" Copyright 2004-2009 The OpenLDAP Foundation All Rights Reserved. .\" Copying restrictions apply. See COPYRIGHT/LICENSE. -.TH SLAPO_PPOLICY 5 "RELEASEDATE" "OpenLDAP LDVERSION" +.\" $OpenLDAP$ .SH NAME -slapo-ppolicy \- Password Policy overlay to slapd +slapo\-ppolicy \- Password Policy overlay to slapd .SH SYNOPSIS ETCDIR/slapd.conf .SH DESCRIPTION @@ -17,7 +17,7 @@ decodes and applies specific password policy controls to overall use of a backend database, changes to user password fields, etc. .P The overlay provides a variety of password control mechanisms. They -include password aging--both minimum and maximum ages, password +include password aging -- both minimum and maximum ages, password reuse and duplication control, account time-outs, mandatory password resets, acceptable password content, and even grace logins. Different groups of users may be associated with different password 
@@ -49,6 +49,17 @@ Specify the DN of the pwdPolicy object to use when no specific policy is set on a given user's entry. If there is no specific policy for an entry and no default is given, then no policies will be enforced. .TP +.B ppolicy_forward_updates +Specify that policy state changes that result from Bind operations (such +as recording failures, lockout, etc.) on a consumer should be forwarded +to a master instead of being written directly into the consumer's local +database. This setting is only useful on a replication consumer, and +also requires the +.B updateref +setting and +.B chain +overlay to be appropriately configured. +.TP .B ppolicy_hash_cleartext Specify that cleartext passwords present in Add and Modify requests should be hashed before being stored in the database. This violates the X.500/LDAP @@ -159,7 +170,7 @@ modified whenever and however often is desired). NAME 'pwdMinAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdMaxAge @@ -173,7 +184,7 @@ value is zero (0), then passwords will not expire. NAME 'pwdMaxAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdInHistory @@ -196,7 +207,7 @@ although the password is saved in the history. NAME 'pwdInHistory' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdCheckQuality @@ -217,7 +228,7 @@ error refusing the password. NAME 'pwdCheckQuality' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdMinLength @@ -245,7 +256,7 @@ is two (2)). NAME 'pwdMinLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdExpireWarning 
@@ -261,7 +272,7 @@ present, or if the value is zero (0), no warnings will be sent. NAME 'pwdExpireWarning' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdGraceAuthnLimit @@ -277,7 +288,7 @@ directory. NAME 'pwdGraceAuthnLimit' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdLockout @@ -303,7 +314,7 @@ attempts have been made. NAME 'pwdLockout' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdLockoutDuration @@ -327,7 +338,7 @@ again until it is reset by an administrator. NAME 'pwdLockoutDuration' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdMaxFailure @@ -351,7 +362,7 @@ and NAME 'pwdMaxFailure' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdFailureCountInterval @@ -369,7 +380,7 @@ counter will only be reset by a successful authentication. NAME 'pwdFailureCountInterval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdMustChange @@ -391,7 +402,7 @@ the administrator sets or resets the password. NAME 'pwdMustChange' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdAllowUserChange @@ -408,7 +419,7 @@ users will not be allowed to change their own passwords. NAME 'pwdAllowUserChange' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdSafeModify @@ -426,7 +437,7 @@ along with the new password. NAME 'pwdSafeModify' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdCheckModule @@ -473,7 +484,7 @@ be free()'d by slapd. NAME 'pwdCheckModule' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .P Note: 
@@ -546,8 +557,8 @@ policy rules will be enforced. this object' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 - SINGLE-VALUE - NO-USER-MODIFICATION + SINGLE\-VALUE + NO\-USER\-MODIFICATION USAGE directoryOperation) .RE @@ -567,8 +578,8 @@ does not exist, the user's password will not expire. SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch - SINGLE-VALUE - NO-USER-MODIFICATION + SINGLE\-VALUE + NO\-USER\-MODIFICATION USAGE directoryOperation) .RE @@ -588,8 +599,8 @@ and may only be unlocked by an administrator. SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch - SINGLE-VALUE - NO-USER-MODIFICATION + SINGLE\-VALUE + NO\-USER\-MODIFICATION USAGE directoryOperation) .RE @@ -623,7 +634,7 @@ will be cleansed of entries. SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch - NO-USER-MODIFICATION + NO\-USER\-MODIFICATION USAGE directoryOperation ) .RE @@ -677,7 +688,7 @@ field is in GMT format. DESC 'The history of user passwords' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 EQUALITY octetStringMatch - NO-USER-MODIFICATION + NO\-USER\-MODIFICATION USAGE directoryOperation) .RE @@ -701,7 +712,7 @@ attribute. DESC 'The timestamps of the grace login once the password has expired' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 EQUALITY generalizedTimeMatch - NO-USER-MODIFICATION + NO\-USER\-MODIFICATION USAGE directoryOperation) .RE @@ -723,7 +734,7 @@ administrative reset. been reset' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 - SINGLE-VALUE + SINGLE\-VALUE USAGE directoryOperation) .RE @@ -733,7 +744,7 @@ administrative reset. .nf database bdb suffix dc=example,dc=com -\... +\|... overlay ppolicy ppolicy_default "cn=Standard,ou=Policies,dc=example,dc=com" .fi 
@@ -742,7 +753,8 @@ ppolicy_default "cn=Standard,ou=Policies,dc=example,dc=com" .SH SEE ALSO .BR ldap (3), .BR slapd.conf (5), -.BR slapd\-config (5). +.BR slapd\-config (5), +.BR slapo\-chain (5). .LP "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/) .LP
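Review bot: In the DESCRIPTION paragraph (hunk @@ -17,7 +17,7 @@), "password aging -- both minimum and maximum ages" still renders as two literal hyphens. Since the line is being touched for typography anyway, use the roff em-dash escape \(em here, or recast the sentence with a comma, so the output does not depend on how the formatter treats a bare "--".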
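Review bot: The new ppolicy_forward_updates entry (hunk @@ -49,6 +49,17 @@) says updateref and the chain overlay must be "appropriately configured" but never says what happens to a Bind failure or lockout record when they are not, or when the forward to the master does not succeed. Document whether the state change is then written locally, discarded, or causes the Bind to fail, because an operator enabling this on a consumer needs to know whether pwdMaxFailure counting can silently stop. Also reference slapo-chain(5) from this entry itself, not only from SEE ALSO, and say which chain settings the forwarding depends on.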
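Review bot: In hunk @@ -546,8 +557,8 @@ (and the same pattern at @@ -567,8 +578,8 @@, @@ -588,8 +599,8 @@ and @@ -677,7 +688,7 @@), the context line "USAGE directoryOperation)" closes the definition without the space before the parenthesis that the block at @@ -623,7 +634,7 @@ uses ("USAGE directoryOperation )") and that the policy attributes use ("SINGLE\-VALUE )"). These definitions are meant to be copied out of the page, and this commit is already normalizing them, so make the closing " )" consistent in the same pass.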
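Review bot: In the slapd.conf example (hunk @@ -733,7 +744,7 @@), "\|..." protects the leading dot with the narrow-space escape, which adds a thin space in typeset output. The zero-width escape is the usual way to stop roff from reading a line that begins with a dot as a request, so "\&..." would keep the rendered example as a plain "..." in every output device.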