Overview
A Universal Password Policy is NOT in effect until you assign it to one or more Entries.
You can assign a password policy to the following Entries. Only one Universal Password Policy is effective for a user at a time. NMAS determines which policy is effective for a user from the nspmPasswordPolicyDN attribute, which identifies the specific nspmPasswordPolicy for the entry. NMAS checks the following locations in this order and applies the first assignment found:
- Specific user assignment: If a password policy has been assigned specifically to the user, that policy is applied.
- Container: If the user has no specific assignment, NMAS applies the policy that is assigned to the container that holds the user.
  - If you assign a policy to a container that is not the root of a partition, the policy assignment is inherited only by users in that specific container. If you want the policy to apply to all users below a container that is not a partition root, you must assign the policy to each subcontainer individually.
- Partition Root Entry: If no policy is assigned to the user or to the container directly above the user, the policy assigned to the partition root container is applied IF present.
  - If you assign a policy to a container that is the root of a partition, the policy assignment is inherited by all users in that partition, including users in subcontainers.
- Login Policy object
The first nspmPasswordPolicyDN value encountered is the Universal Password Policy Assignment for the entry.
If no nspmPasswordPolicyDN value is encountered, then there is no Universal Password Policy Assignment for the entry.
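
The lookup order above can be modelled to audit which policy each user actually receives. This is an added example, not NMAS code: it works on an in-memory dictionary rather than a live directory, and every DN, policy name and the Login Policy object's DN in it is a constructed assumption.

```python
ATTR = "nspmPasswordPolicyDN"

def parent_dn(dn):
    """DN of the immediate container (assumes no escaped commas in RDNs)."""
    rest = dn.partition(",")[2]
    return rest or None

def partition_root_of(dn, partition_roots):
    """Nearest ancestor of dn that is a partition root, or None."""
    cur = parent_dn(dn)
    while cur and cur not in partition_roots:
        cur = parent_dn(cur)
    return cur

def effective_policy(user_dn, entries, partition_roots, login_policy_dn):
    """Return (policy_dn, source) for the first assignment found, else (None, None)."""
    lookup_order = [
        ("user", user_dn),
        ("container", parent_dn(user_dn)),
        # Containers between the parent and the partition root are never consulted.
        ("partition root", partition_root_of(user_dn, partition_roots)),
        ("login policy object", login_policy_dn),
    ]
    for source, dn in lookup_order:
        policy = entries.get(dn, {}).get(ATTR) if dn else None
        if policy:
            return policy, source
    return None, None

# Constructed sample tree: o=acme and o=lab are partition roots, ou=sales is not.
LOGIN_POLICY = "cn=Login Policy,cn=Security"
PARTITION_ROOTS = {"o=acme", "o=lab"}
ENTRIES = {
    "o=acme": {ATTR: "cn=Default Policy"},
    "ou=sales,o=acme": {ATTR: "cn=Sales Policy"},
    "cn=admin,ou=sales,o=acme": {ATTR: "cn=Admin Policy"},
    LOGIN_POLICY: {ATTR: "cn=Fallback Policy"},
}

if __name__ == "__main__":
    for user in ("cn=admin,ou=sales,o=acme", "cn=bob,ou=sales,o=acme",
                 "cn=carol,ou=east,ou=sales,o=acme", "cn=dave,ou=dev,o=lab"):
        print(user, "->", effective_policy(user, ENTRIES, PARTITION_ROOTS, LOGIN_POLICY))
```

In the sample, the user in ou=east resolves to the partition root's policy rather than the Sales Policy assigned to ou=sales, which is the subcontainer case an assignment review should check for.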