
Once the change is made, only DS6-mode is available.
The server state can move only towards stricter compliance with the new password policy
specications. Compatibility with the old password policy will not be supported indenitely.
You should therefore migrate to the new password policy as soon as is feasible for your
When you consider migrating to the new password policy, note that the pwdChangedTime
attribute did not exist in Directory Server 5.2. This attribute is required by the new password
policy. When the attribute is not present in the user entry, its value is calculated from the entry's
passwordExpirationTime attribute. However, writing the calculated pwdChangedTime attribute
to the user entry would have a large performance impact directly after migration, because the
rst bind for every entry would require a write to the directory.
The calculated pwdChangedTime is therefore not written to the user entry during the
DS5-compatible mode. You should leave your topology in DS5-compatible-mode until you
have been through an entire password expiration cycle (90 days, for example, depending on the
value of passwordMaxAge). In this way, the pwdChangedTime is added gradually across the
directory (at the password change of each user entry).
Changes to Plug-Ins
This section lists the new and deprecated plug-ins in Directory Server 6.0. The section also
describes what you need to do if you have custom plug-ins created with the old plug-in API.
New Plug-Ins in Directory Server 6.0
The following plug-ins have been added in Directory Server 6.0:
cn=example,cn=ldbm database,cn=plugins,cn=config
cn=MemberOf Plugin,cn=plugins,cn=config
cn=Monitoring Plugin,cn=plugins,cn=config
cn=Replication Repair,cn=plugins,cn=config
cn=RMCE,cn=Password Storage Schemes,cn=plugins,cn=config
cn=Strong Password Check,cn=plugins,cn=config
For information about these plug-ins see the plugin(5dsconf) man page.
Chapter5 • ArchitecturalChanges inDirectory Server6.0 77