Bypassing password policy evaluation
You can bypass password policy evaluations when performing operations on accounts other than your own.
About this task
The PingDirectory server supports the use of a bypass-pw-policy privilege, which can skip password policy evaluation for operations on a per-user basis. If a user has this privilege, then they are allowed to perform operations on user entries that would normally be rejected by the password policy associated with the target entry.
Any user with this privilege will be permitted to perform operations against other users that would otherwise be rejected under the constraints associated with that user's password policy, such as:
- Setting a pre-encoded password
- Setting a new password that wouldn't be accepted by one or more password validators
- Setting a new password that already exists in a user's password history
These restrictions can also be circumvented on a per-operation basis using the password update behavior control. If you have a set of users that should be subject to lesser or differing constraints than another set of users, you can create a new password policy with the desired constraints, if any, and assign it to the appropriate users. Learn more about assigning password policies to users.
Steps
- To add the bypass-pw-policy privilege to a user entry, run the ldapmodify tool with the bypass-pw-policy subcommand.
  Example:
  $ bin/ldapmodify
  dn: uid=user.1,ou=People,dc=example,dc=com
  changetype: modify
  add: ds-privilege-name
  ds-privilege-name: bypass-pw-policy
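Because a holder of bypass-pw-policy can set passwords for other accounts that validators and history checks would normally reject, the set of entries carrying it should be small and reviewed. The following script is an added example, not part of the PingDirectory documentation: it parses the LDIF that an ldapsearch for ds-privilege-name would print (the sample LDIF embedded below is constructed, and the bin/ldapsearch invocation in the comment is assumed rather than run), lists which entries hold the privilege, and builds the same ldapmodify change record shown in the step above so the privilege can be granted or revoked consistently.

```python
"""Audit holders of the PingDirectory bypass-pw-policy privilege.

Added example; not PingDirectory's own code. Feed it the output of
something like (assumed command line, not executed here):

    bin/ldapsearch --baseDN dc=example,dc=com "(ds-privilege-name=*)" ds-privilege-name
"""
import base64
from typing import Dict, List

PRIVILEGE = "bypass-pw-policy"

# Constructed sample output. The second entry shows LDIF line folding
# (a continuation line begins with a space) and the third shows a
# base64-encoded value (double colon), both of which a naive grep misses.
SAMPLE_LDIF = """\
dn: uid=user.1,ou=People,dc=example,dc=com
ds-privilege-name: bypass-pw-policy

dn: uid=admin,ou=People,dc=example,dc=com
ds-privilege-name: config-read
ds-privilege-name: bypass-
 pw-policy

dn: uid=user.2,ou=People,dc=example,dc=com
ds-privilege-name:: YnlwYXNzLXB3LXBvbGljeQ==

dn: uid=user.3,ou=People,dc=example,dc=com
ds-privilege-name: password-reset
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfold continuation lines, decode '::' base64
    values, and return one attribute -> values dict per entry."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:      # folded continuation line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in logical + [""]:                  # sentinel flushes last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def privilege_holders(ldif_text: str, privilege: str = PRIVILEGE) -> List[str]:
    """Return the DNs of entries whose ds-privilege-name includes `privilege`."""
    holders: List[str] = []
    for entry in parse_ldif(ldif_text):
        if privilege in entry.get("ds-privilege-name", []):
            holders.extend(entry.get("dn", []))
    return holders


def privilege_change_ldif(dn: str, privilege: str = PRIVILEGE, grant: bool = True) -> str:
    """Build the ldapmodify change record that adds (grant=True) or deletes
    (grant=False) the privilege value on `dn`, matching the documented step."""
    op = "add" if grant else "delete"
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        f"{op}: ds-privilege-name\n"
        f"ds-privilege-name: {privilege}\n"
    )


if __name__ == "__main__":
    for holder in privilege_holders(SAMPLE_LDIF):
        print(f"holds {PRIVILEGE}: {holder}")
    # Change record to revoke the privilege from one of the sample holders.
    print(privilege_change_ldif("uid=user.2,ou=People,dc=example,dc=com", grant=False))
```

Run against real ldapsearch output, the holder list is the review artefact: every DN on it can override the password policy of any other entry, so it should match the accounts that are intentionally exempt, and the change record with `grant=False` is what you pipe into bin/ldapmodify to remove an unexpected entry.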