

Create Multiple Password Policies for Each DSA

In versions before CA Directory r12 SP12, each DSA could have only a single set of password rules. You could not apply different password policies to users stored within the same DSA.

From CA Directory r12 SP12 onwards, you can apply multiple password policies to each DSA. You can then assign a particular password policy to a user.

The set target-password-policy command defines a password policy. All password commands after this command apply to that policy.

If you do not use the set target-password-policy command, the DSA has a single password policy named Default.

DXmanager does not support multiple password policies.

Follow these steps:

  1. Add the following command to the DSA configuration:
    set target-password-policy = policy-name;
    

    Any password commands before this setting apply to the Default policy.

    Any password commands after this setting apply to the named policy. The named policy inherits settings from the Default policy.

  2. (Optional) Create more password policies by adding more instances of the set target-password-policy command, each with a unique policy name.
  3. To apply a password policy, add the dxPwdPolicy attribute containing the password policy-name to the user's entry.

    Users without a dxPwdPolicy attribute have the Default policy. Users whose dxPwdPolicy attribute value does not match any defined policy also have the Default policy.
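
An unmatched dxPwdPolicy value falls back to the Default policy without any error, so a mistyped policy name can leave an account on weaker rules than intended. The following audit sketch is an added example, not CA Directory code: it resolves each policy's effective settings using the rules above and lists users whose dxPwdPolicy value matches no defined policy. The sample configuration, the password-* setting names, the user entries, and the exact-string matching are assumptions, and the settings that apply to all policies are not modeled.

```python
import re

# Constructed DSA configuration fragment (sample input, not from the page).
# The password-* setting names are assumptions used only for illustration.
SAMPLE_CONFIG = """
set password-min-length = 8;
set password-retries = 5;
set target-password-policy = admins;
set password-min-length = 14;
set target-password-policy = service;
set password-retries = 3;
"""

# Constructed user entries: DN -> dxPwdPolicy value (None = attribute absent).
SAMPLE_USERS = {
    "cn=alice,o=example": "admins",
    "cn=bob,o=example": None,
    "cn=carol,o=example": "administrators",  # matches no defined policy
}

SET_RE = re.compile(r"^\s*set\s+([\w-]+)\s*=\s*(.+?)\s*;\s*$")

def parse_policies(config_text):
    """Return {policy: effective settings}; named policies inherit Default."""
    own = {"Default": {}}          # settings written under each policy
    current = "Default"            # commands before any target go to Default
    for line in config_text.splitlines():
        m = SET_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "target-password-policy":
            current = value        # later password commands go to this policy
            own.setdefault(current, {})
        elif key.startswith("password-"):
            own[current][key] = value
    return {name: {**own["Default"], **s} for name, s in own.items()}

def audit_users(users, policies):
    """Return (DN -> effective policy name, DNs whose value matched nothing)."""
    effective, unmatched = {}, []
    for dn, value in users.items():
        matched = value in policies  # exact string match (assumption)
        effective[dn] = value if matched else "Default"
        if value is not None and not matched:
            unmatched.append(dn)     # set, but silently treated as Default
    return effective, unmatched

if __name__ == "__main__":
    print(audit_users(SAMPLE_USERS, parse_policies(SAMPLE_CONFIG)))
```
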

Note: The following password settings apply to all policies:

More information:

set target-password-policy Command—Create Multiple Password Policies

Example: Multiple Password Policies