---
title: Externally modifiable user attributes
description: A limited set of operational attributes can be directly manipulated (for example, through LDAP add or modify operations) to manage certain aspects of a user's password policy state.
component: pingdirectory
version: 11.0
page_id: pingdirectory:pingdirectory_security_guide:pd_sec_ext_modif_user_attrs
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdirectory_security_guide/pd_sec_ext_modif_user_attrs.html
revdate: September 13, 2023
---

# Externally modifiable user attributes

A limited set of operational attributes can be directly manipulated (for example, through LDAP add or modify operations) to manage certain aspects of a user's password policy state.

They include:

* `ds-pwp-password-policy-dn`

  The distinguished name (DN) of the password policy that governs the user. If this is not present in the user's entry (as either a real or virtual attribute), then the user is subject to the server's default password policy.

* `ds-pwp-account-disabled`

  Indicates whether a user's account should be administratively disabled. If this attribute is present with a value of true, then the account is disabled. If this attribute is present with a value of false, or if the attribute is absent, then the account is enabled.

* `ds-pwp-account-activation-time`

  Specifies the time at which a user's account becomes active. Attempts to authenticate as the user (or use the account as an alternate authorization identity) fail before this time.

* `ds-pwp-account-expiration-time`

  Specifies the time at which a user's account will expire. Attempts to authenticate as the user (or use the account as an alternate authorization identity) fail after this time.

* `ds-auth-totp-shared-secret`

  A shared secret that can be used to generate time-based one-time passwords in conjunction with the UNBOUNDID-TOTP SASL mechanism. Although this attribute can be manually updated, we recommend using the generate Time-based One-time Password (TOTP) shared secret extended operation for generating a shared secret and storing it in the user's entry.

* `ds-auth-preferred-otp-delivery-mechanism`

  The public identifier of a YubiKey device that can be used to generate one-time passwords for use in conjunction with the UNBOUNDID-YUBIKEY-OTP SASL mechanism. Although this attribute can be manually updated, we recommend using the register YubiKey OTP device extended operation.
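
Because these attributes can be written directly, it is useful to review what they currently say about each account. The following is an added example, not code from PingDirectory or this guide: it reads an LDIF export and reports each account's state using the rules described in the list above. The sample entries, DNs, and function names are constructed for illustration, and the export is assumed to be unfolded, free of base64 values, and to include the operational (and any virtual) attributes.

```python
from datetime import datetime, timezone

# Attribute names come from the list above; everything else is illustrative.
DISABLED = "ds-pwp-account-disabled"
ACTIVATION = "ds-pwp-account-activation-time"
EXPIRATION = "ds-pwp-account-expiration-time"
POLICY_DN = "ds-pwp-password-policy-dn"

# Constructed sample export (not real data). Unfolded, no base64 values.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
ds-pwp-account-disabled: true

dn: uid=bob,ou=People,dc=example,dc=com
ds-pwp-account-disabled: false
ds-pwp-account-expiration-time: 20230101000000Z

dn: uid=carol,ou=People,dc=example,dc=com
ds-pwp-account-activation-time: 20300101000000.000Z
ds-pwp-password-policy-dn: cn=Strict,cn=Password Policies,cn=config

dn: uid=dave,ou=People,dc=example,dc=com
"""

def parse_time(value):
    """Parse UTC generalized time, YYYYMMDDhhmmss[.fff]Z."""
    stamp = value.split(".")[0].rstrip("Z")
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def account_state(entry, now):
    """Report the first condition that makes the account unusable, if any."""
    if entry.get(DISABLED, "false").lower() == "true":
        return "disabled"          # absent or false means enabled
    if ACTIVATION in entry and now < parse_time(entry[ACTIVATION]):
        return "not-yet-active"    # authentication fails before this time
    if EXPIRATION in entry and now > parse_time(entry[EXPIRATION]):
        return "expired"           # authentication fails after this time
    return "usable"

def audit(ldif_text, now):
    """Map each DN to (state, governing policy DN or None for the default)."""
    report = {}
    for block in ldif_text.strip().split("\n\n"):
        pairs = (line.split(": ", 1) for line in block.splitlines() if ": " in line)
        entry = {name.lower(): value.strip() for name, value in pairs}
        if "dn" in entry:
            report[entry["dn"]] = (account_state(entry, now), entry.get(POLICY_DN))
    return report
```

A policy value of `None` means the export carried no `ds-pwp-password-policy-dn` for that entry, so the server's default password policy applies. The order in which the conditions are checked is a reporting choice of this example, not documented server behavior.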
