Override subentry object class in password policy

This topic has 3 replies, 2 voices, and was last updated 5 years, 8 months ago by bikumar.



    I have gone through the password policy documentation and found this

    The Subentry Based Password Policies are inherited by default. My question here is that when we create password policy at organization level (one password policy per organization) the following attributes
    are inherited to the policy we create. I don’t want to modify default password policy but set these attributes in the password policy created for a particular organization. We use REST API to create password policy.

    Attached is the screenshot of OpenDJ control panel. As seen in the screenshot the Object class for Subentry Based Password Policies is inherited but not overridden. How do I override instead of inheriting?

    Opendj Control Panel

    If you are unable to view the image click on https://postimg.org/image/ysyj4ukzh/


    This is an immediate requirement for us, any help on this is highly appreciated.



    This is a community forum.
    If you are a ForgeRock customer, please raise a ticket in Backstage.forgerock.com.
    I think you are confusing the terms inherited and overridden…
    To create a Subentry Password Policy, you must create an entry with the appropriate objectClass, i.e. subEntry, pwdPolicy and possibly pwdPolicyValidator if you want to specify alternate password validation.
    Any attribute in the subEntry (allowed from the pwdPolicy definition) will override its equivalent in the default password policy. And the remaining aspects of the policy will inherit from the default policy, when applying the policy to a user, not physically in the entry.

    I hope this clarifies.
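
The kind of entry the reply above describes, as an added example that is not part of the original posts or the project's own documentation. The suffix `dc=example,dc=com`, the `ou=people` scope, the policy name and all values are constructed placeholders; the attribute names are those of the `pwdPolicy` object class.

```ldif
# Constructed example: suffix, policy name and values are placeholders.
dn: cn=Org A Password Policy,dc=example,dc=com
objectClass: top
objectClass: subentry
objectClass: pwdPolicy
cn: Org A Password Policy
# pwdAttribute is mandatory in the pwdPolicy object class.
pwdAttribute: userPassword
# Attributes set in this entry override their equivalents in the default
# password policy for the users in scope of the subentry.
pwdLockout: TRUE
pwdMaxFailure: 3
pwdFailureCountInterval: 300
pwdLockoutDuration: 600
# Anything not set here comes from the default policy when the policy is
# applied to a user; those values are not copied into this entry.
# Scope: entries under ou=people, relative to the subentry's parent entry.
subtreeSpecification: { base "ou=people" }
```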


    Hello Ludo,

    Thanks for taking out your time to reply. I have already created a support ticket in Backstage.forgerock.com.
    Here is the link:

    If you can go through the above link, you will know the scenario we are dealing with. As we couldn’t get a feasible solution which fits our case I am trying to find out if there is any possible solution or workaround. We would be glad to hear from you if there’s any way to get this done.

    This is a high priority issue and we are unable to move.

    For others to summarize:

    – Default password policy resides under <cn=config>
    – We have a Base DN
    – A realm named callidus under Base DN
    – All organizations are placed under callidus -> organizations and password policies for respective organizations under Base DN.
    – The Object class within the password policy created for an organization is inherited.
    – We need the following attributes defined within organization specific password policy
    – idle-lockout-interval : 100 seconds
    – last-login-time-format : yyyyMMdd
    – previous-last-login-time-format : yyyyMMdd
    – last-login-time-attribute : ds-pwp-last-login-time
    – If defined under default password policy it applies to all users across all organizations which is undesirable.

