Creating new password policies
You can create new password policies that meet your organization’s requirements.
You can create any number of password policies in the PingDirectory server using either the dsconfig tool (in interactive or non-interactive mode) or the Administrative Console.
Note: You can find best practices for creating password policies in Password policy tips to improve performance.
Creating a new password policy
Steps
- To create a new password policy, choose from:
  - Run dsconfig in interactive or non-interactive mode.
  - Use the Administrative Console.
  Example:
  This example demonstrates creating a new policy using dsconfig in non-interactive mode.

    $ bin/dsconfig create-password-policy \
        --policy-name "Demo Password Policy" \
        --set "password-attribute:userpassword" \
        --set "default-password-storage-scheme:Salted SHA-256" \
        --set "force-change-on-add:true" \
        --set "force-change-on-reset:true" \
        --set "password-expiration-warning-interval:2 weeks" \
        --set "max-password-age:90 days" \
        --set "lockout-duration:24 hours" \
        --set "lockout-failure-count:3" \
        --set "password-change-requires-current-password:true"
Assigning a password policy to an individual account
About this task
Rather than letting a user inherit the default password policy automatically, you can assign a user to a particular password policy by including the ds-pwp-password-policy-dn operational attribute in that user’s entry, with a value equal to the distinguished name (DN) of the password policy you want for that user. This operational attribute can be explicitly included in a user’s entry or generated by a virtual attribute, which makes it easy to apply a custom password policy to a set of users based on a flexible set of criteria.
Steps
- Create an LDIF file that adds the ds-pwp-password-policy-dn attribute with the DN of the password policy you want to assign to that user.
  Example:
  This example creates the file assign.ldif with the following contents.

    dn: uid=user.1,ou=People,dc=example,dc=com
    changetype: modify
    add: ds-pwp-password-policy-dn
    ds-pwp-password-policy-dn: cn=Demo Password Policy,cn=Password Policies,cn=config

- To apply the modification to the user’s entry, run ldapmodify.
  Example:
  For this example, the file used is assign.ldif.

    $ bin/ldapmodify --filename assign.ldif
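The step above assigns the policy to one user with a hand-written assign.ldif. The following Python script is an added example, not code from the PingDirectory documentation or product: it builds the same changerecord for a list of users and applies the LDIF base64 rule from RFC 2849, so a DN that contains non-ASCII characters or begins with a space, ':' or '<' still loads correctly. The user.2 entry and the replace option are assumptions made for illustration; the attribute name and policy DN are the ones on this page.

```python
import base64
from typing import Iterable

# Attribute and policy DN from this page; the user DNs are constructed sample input
# (user.1 is the page's example, user.2 is added for illustration).
POLICY_ATTR = "ds-pwp-password-policy-dn"
DEMO_POLICY_DN = "cn=Demo Password Policy,cn=Password Policies,cn=config"
SAMPLE_USER_DNS = [
    "uid=user.1,ou=People,dc=example,dc=com",
    "uid=user.2,ou=People,dc=example,dc=com",
]


def needs_base64(value: str) -> bool:
    """RFC 2849 SAFE-STRING test. A value that begins with a space, ':' or '<',
    contains NUL, CR or LF, or contains any non-ASCII character cannot be written
    as 'attr: value' and must be emitted as 'attr:: <base64>'."""
    if not value:
        return False
    if value[0] in " :<":
        return True
    if any(ch in value for ch in ("\x00", "\r", "\n")):
        return True
    return not value.isascii()


def ldif_line(attr: str, value: str) -> str:
    """Render one attribute/value pair, base64-encoding it when LDIF requires."""
    if needs_base64(value):
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{attr}:: {encoded}"
    return f"{attr}: {value}"


def build_assign_ldif(user_dns: Iterable[str], policy_dn: str, replace: bool = False) -> str:
    """Return one LDIF changerecord per user that assigns policy_dn.

    replace=False emits 'add:', as on this page; the server rejects that when the
    entry already holds the value. replace=True (a hypothetical option for re-runs)
    emits 'replace:', which sets the attribute whether or not it is already present.
    """
    op = "replace" if replace else "add"
    records = []
    for dn in user_dns:
        records.append("\n".join([
            ldif_line("dn", dn),
            "changetype: modify",
            f"{op}: {POLICY_ATTR}",
            ldif_line(POLICY_ATTR, policy_dn),
            "-",
        ]))
    # Changerecords are separated by a blank line; a trailing newline ends the file.
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    # Writes assign.ldif for: bin/ldapmodify --filename assign.ldif
    with open("assign.ldif", "w", encoding="ascii") as fh:
        fh.write(build_assign_ldif(SAMPLE_USER_DNS, DEMO_POLICY_DN))
```

Running the script writes assign.ldif in the current directory; all output is ASCII because any value that would violate the LDIF rules is base64-encoded, which is why the file can be opened with the ascii codec.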
Assigning a password policy using a virtual attribute
About this task
You can automatically assign a custom password policy for a set of users using a virtual attribute. You can configure the virtual attribute so that it uses a range of criteria for selecting the entries for which the virtual attribute should appear.
Steps
- Create an LDIF file, which you can use to add a group to the server.
  Example:
  This example creates the file groups.ldif with the following contents.

    dn: ou=Groups,dc=example,dc=com
    objectClass: organizationalunit
    objectClass: top
    ou: Groups

    dn: cn=Engineering Managers,ou=groups,dc=example,dc=com
    objectClass: groupOfUniqueNames
    objectClass: top
    cn: Engineering Managers
    uniqueMember: uid=user.0,ou=People,dc=example,dc=com

- To add the entries to the server, run the ldapmodify tool.
  Example:

    $ bin/ldapmodify --defaultAdd --filename groups.ldif

- To create a virtual attribute, run dsconfig.
  Example:
  This virtual attribute adds the ds-pwp-password-policy-dn attribute with a value of cn=Demo Password Policy,cn=Password Policies,cn=config to the entries of all users that are members of the cn=Engineering Managers,ou=Groups,dc=example,dc=com group.

    $ bin/dsconfig create-virtual-attribute \
        --name "Eng Mgrs Password Policy" \
        --type user-defined \
        --set "description:Eng Mgrs Grp PWPolicy" \
        --set enabled:true \
        --set attribute-type:ds-pwp-password-policy-dn \
        --set "value:cn=Demo Password Policy,cn=Password Policies,cn=config" \
        --set "group-dn:cn=Engineering Managers,ou=Groups,dc=example,dc=com"

- To verify that a user in the group contains the assigned password policy distinguished name (DN), run the ldapsearch tool.
  Example:

    $ bin/ldapsearch --baseDN dc=example,dc=com "(uid=user.0)" \
        ds-pwp-password-policy-dn

  Result:

    dn: uid=user.0,ou=People,dc=example,dc=com
    ds-pwp-password-policy-dn: cn=Demo Password Policy,cn=Password Policies,cn=config
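The ldapsearch check above verifies one user. As an added example that is not part of the PingDirectory documentation, the following Python script reads the LDIF that ldapsearch returns for many users and reports which entries carry the Demo Password Policy DN, which carry no explicit policy and therefore inherit the default, and which point at some other policy. It unfolds continuation lines and decodes base64 values, both of which ldapsearch emits for long or non-ASCII values. The sample output, the user.1 to user.3 entries and the "Other Policy" DN are constructed for illustration; the DN comparison is an approximation labelled as such in the code.

```python
import base64
from typing import Dict, List, Tuple

POLICY_ATTR = "ds-pwp-password-policy-dn"
DEMO_POLICY_DN = "cn=Demo Password Policy,cn=Password Policies,cn=config"

# Constructed sample of ldapsearch output for ds-pwp-password-policy-dn across
# ou=People: user.0 (the page's group member) with a line-folded value, user.1
# with no attribute (inherits the default policy), user.2 with the same DN
# base64-encoded, and user.3 pointing at a made-up policy.
_B64_POLICY = base64.b64encode(DEMO_POLICY_DN.encode("utf-8")).decode("ascii")
SAMPLE_SEARCH_OUTPUT = "\n".join([
    "dn: uid=user.0,ou=People,dc=example,dc=com",
    "ds-pwp-password-policy-dn: cn=Demo Password Policy,cn=Password",
    "  Policies,cn=config",
    "",
    "dn: uid=user.1,ou=People,dc=example,dc=com",
    "",
    "dn: uid=user.2,ou=People,dc=example,dc=com",
    "ds-pwp-password-policy-dn:: " + _B64_POLICY,
    "",
    "dn: uid=user.3,ou=People,dc=example,dc=com",
    "ds-pwp-password-policy-dn: cn=Other Policy,cn=Password Policies,cn=config",
    "",
])


def unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (a leading single space) onto the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entries(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF search output into a list of {attr-lowercase: [values]} dicts."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfold(text):
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            continue  # not an attribute line; ignore
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):
            value = rest[1:].strip()  # URL-valued attribute, kept as the URL
        else:
            value = rest.lstrip(" ")
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn: str) -> str:
    """Approximate DN comparison form: case-fold and drop spaces around RDN
    separators. Enough for the DNs on this page (cn, ou, dc are case-insensitive);
    not full RFC 4514 normalisation, so escaped commas are not handled."""
    return ",".join(part.strip() for part in dn.casefold().split(","))


def audit_policy_assignments(search_output: str, expected_policy_dn: str) -> Tuple[List[str], List[str], List[str]]:
    """Classify each entry: assigned the expected policy, no explicit policy
    (inherits the default), or assigned some other policy."""
    expected = normalize_dn(expected_policy_dn)
    assigned: List[str] = []
    unassigned: List[str] = []
    mismatched: List[str] = []
    for entry in parse_entries(search_output):
        dn = entry.get("dn", [""])[0]
        values = entry.get(POLICY_ATTR, [])
        if not values:
            unassigned.append(dn)
        elif any(normalize_dn(v) == expected for v in values):
            assigned.append(dn)
        else:
            mismatched.append(dn)
    return assigned, unassigned, mismatched


if __name__ == "__main__":
    ok, default, other = audit_policy_assignments(SAMPLE_SEARCH_OUTPUT, DEMO_POLICY_DN)
    print("assigned:", ok, "\ndefault policy:", default, "\nother policy:", other)
```

To run it against a live server, replace SAMPLE_SEARCH_OUTPUT with the text of a search such as bin/ldapsearch --baseDN ou=People,dc=example,dc=com "(objectClass=person)" ds-pwp-password-policy-dn; entries in the "default policy" list are the ones the virtual attribute did not reach, which is usually the first thing to check when a group member still gets the default policy.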