---
title: Creating new password policies
description: You can create new password policies that meet your organization's requirements.
component: pingdirectory
version: 11.0
page_id: pingdirectory:pingdirectory_server_administration_guide:pd_ds_create_password_policies
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdirectory_server_administration_guide/pd_ds_create_password_policies.html
revdate: September 13, 2023
section_ids:
  creating-a-new-password-policy: Creating a new password policy
  steps: Steps
  choose-from: Choose from:
  example: Example:
  assigning-a-password-policy-to-an-individual-account: Assigning a password policy to an individual account
  about-this-task: About this task
  steps-2: Steps
  example-2: Example:
  example-3: Example:
  assigning-a-password-policy-using-a-virtual-attribute: Assigning a password policy using a virtual attribute
  about-this-task-2: About this task
  steps-3: Steps
  example-4: Example:
  example-5: Example:
  example-6: Example:
  example-7: Example:
  result: Result:
---

# Creating new password policies

You can create new password policies that meet your organization's requirements.

You can create any number of password policies in the PingDirectory server using either the `dsconfig` tool (in interactive or non-interactive mode) or the admin console.

Note: You can find best practices for creating password policies in [Password policy tips to improve performance](../pingdirectory_security_guide/pd_sec_password_policy_tips_improve_performance.html).

## Creating a new password policy

### Steps

* To create a new password policy:

  #### Choose from:

  * Run `dsconfig` in interactive or non-interactive mode.

  * Use the admin console.

  ##### Example:

  This example demonstrates creating a new policy using `dsconfig` in non-interactive mode.

  ```shell
  $ bin/dsconfig create-password-policy \
    --policy-name "Demo Password Policy" \
    --set "password-attribute:userpassword" \
    --set "default-password-storage-scheme:Salted SHA-256" \
    --set "force-change-on-add:true" \
    --set "force-change-on-reset:true" \
    --set "password-expiration-warning-interval:2 weeks" \
    --set "max-password-age:90 days" \
    --set "lockout-duration:24 hours" \
    --set "lockout-failure-count:3" \
    --set "password-change-requires-current-password:true"
  ```

## Assigning a password policy to an individual account

### About this task

Rather than letting a user automatically inherit the default password policy, you can assign that user to a particular password policy by including the `ds-pwp-password-policy-dn` operational attribute in the user's entry, with a value equal to the distinguished name (DN) of the desired password policy. This operational attribute can either be set explicitly in the user's entry or generated by a virtual attribute, which makes it easy to apply a custom password policy to a set of users based on flexible criteria.

### Steps

1. Create an LDIF file that adds the `ds-pwp-password-policy-dn` attribute with the password policy DN you want to assign to that user.

   #### Example:

   This example creates the file `assign.ldif` with the following contents.

   ```ldif
   dn: uid=user.1,ou=People,dc=example,dc=com
   changetype: modify
   add: ds-pwp-password-policy-dn
   ds-pwp-password-policy-dn: cn=Demo Password Policy,cn=Password Policies,cn=config
   ```

2. To apply the modification to the user's entry, run `ldapmodify`.

   #### Example:

   For this example, the file used is `assign.ldif`.

   ```shell
   $ bin/ldapmodify --filename assign.ldif
   ```
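The `assign.ldif` file above handles one user. When the same policy has to be assigned to many users, one LDIF file with one modify record per entry lets `ldapmodify` apply all of them in a single run. The script below is an added example and is not part of PingDirectory; the policy DN and the user DNs it writes are constructed sample values, and the function names `build_assign_ldif` and `count_records` are this example's own. It also lets you choose between `add` and `replace`: `add` is rejected by the server when the entry already has a value for this attribute (`attributeOrValueExists` if it is the same value), whereas `replace` sets the new value regardless of what was there.

```shell
#!/bin/sh
# Added example, not PingDirectory tooling: write one LDIF modify record per
# user so a single ldapmodify run assigns the same password policy to all of them.
# POLICY_DN and the user DNs passed in are constructed sample values.

POLICY_DN='cn=Demo Password Policy,cn=Password Policies,cn=config'

# build_assign_ldif OP OUTFILE USER_DN...
#   OP is "add" or "replace". "add" is rejected by the server if the entry
#   already has a ds-pwp-password-policy-dn value; "replace" sets it either way.
build_assign_ldif() {
  op="$1"
  out="$2"
  shift 2
  case "$op" in
    add|replace) ;;
    *) echo "build_assign_ldif: OP must be add or replace, got '$op'" >&2; return 1 ;;
  esac
  : > "$out"                      # start with an empty file
  for dn in "$@"; do
    # One modify record per user; the "-" closes the change and the blank
    # line separates records, as LDIF requires in multi-record files.
    printf 'dn: %s\nchangetype: modify\n%s: ds-pwp-password-policy-dn\nds-pwp-password-policy-dn: %s\n-\n\n' \
      "$dn" "$op" "$POLICY_DN" >> "$out"
  done
}

# count_records OUTFILE : number of modify records in the file, as a sanity
# check that every DN you passed produced a record before running ldapmodify.
count_records() {
  grep -c '^changetype: modify$' "$1"
}
```

Usage: `build_assign_ldif replace assign-bulk.ldif 'uid=user.1,ou=People,dc=example,dc=com' 'uid=user.2,ou=People,dc=example,dc=com'`, check the record count with `count_records assign-bulk.ldif`, and then apply the file with `bin/ldapmodify --filename assign-bulk.ldif` exactly as in step 2.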

## Assigning a password policy using a virtual attribute

### About this task

You can automatically assign a custom password policy to a set of users by using a virtual attribute. You can configure the virtual attribute with a range of criteria for selecting the entries in which the virtual attribute should appear.

### Steps

1. Create an LDIF file that adds a group to the server.

   #### Example:

   This example creates the file `groups.ldif` with the following contents.

   ```ldif
   dn: ou=Groups,dc=example,dc=com
   objectClass: organizationalunit
   objectClass: top
   ou: Groups

   dn: cn=Engineering Managers,ou=groups,dc=example,dc=com
   objectClass: groupOfUniqueNames
   objectClass: top
   cn: Engineering Managers
   uniqueMember: uid=user.0,ou=People,dc=example,dc=com
   ```

2. To add the entries to the server, run the `ldapmodify` tool.

   #### Example:

   ```shell
   $ bin/ldapmodify --defaultAdd --filename groups.ldif
   ```

3. To create a virtual attribute, run `dsconfig`.

   #### Example:

   This virtual attribute adds the `ds-pwp-password-policy-dn` attribute with a value of `cn=Demo Password Policy,cn=Password Policies,cn=config` to the entries for all users that are members of the `cn=Engineering Managers,ou=Groups,dc=example,dc=com` group.

   ```shell
   $ bin/dsconfig create-virtual-attribute \
     --name "Eng Mgrs Password Policy" \
     --type user-defined \
     --set "description:Eng Mgrs Grp PWPolicy" \
     --set enabled:true \
     --set attribute-type:ds-pwp-password-policy-dn \
     --set "value:cn=Demo Password Policy,cn=Password Policies,cn=config" \
     --set "group-dn:cn=Engineering Managers,ou=Groups,dc=example,dc=com"
   ```

4. To verify that a user in the group contains the assigned password policy distinguished name (DN), run the `ldapsearch` tool.

   #### Example:

   ```shell
   $ bin/ldapsearch --baseDN dc=example,dc=com "(uid=user.0)" \
     ds-pwp-password-policy-dn
   ```

   #### Result:

   ```ldif
   dn: uid=user.0,ou=People,dc=example,dc=com
   ds-pwp-password-policy-dn: cn=Demo Password Policy,cn=Password Policies,cn=config
   ```
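Step 4 checks a single user. To check every user that should have picked up the policy, run `ldapsearch` over the whole user container and pass its output through a small filter that lists the entries whose `ds-pwp-password-policy-dn` is absent or different. The script below is an added example, not PingDirectory tooling; the LDIF it reads is a constructed sample standing in for `ldapsearch` output, and the function names (`unfold_ldif`, `missing_policy`, `check_sample`, `count_missing`) are this example's own. It unfolds LDIF continuation lines (a line beginning with a single space continues the previous line) before comparing, and compares DNs case-insensitively, since DN matching is not case-sensitive. An entry with no `ds-pwp-password-policy-dn` value is not an error for the server; it simply falls back to the default password policy, which is exactly what this check is meant to surface.

```shell
#!/bin/sh
# Added example, not part of PingDirectory: list the user entries in ldapsearch
# LDIF output whose ds-pwp-password-policy-dn is missing or not the expected DN.

EXPECTED_POLICY='cn=Demo Password Policy,cn=Password Policies,cn=config'

# Constructed sample output: user.0 and user.1 carry the expected policy (user.1's
# value is folded onto a continuation line, as LDIF permits), user.2 has no policy
# attribute at all, and user.3 points at a different policy.
SAMPLE_OUTPUT='dn: uid=user.0,ou=People,dc=example,dc=com
ds-pwp-password-policy-dn: cn=Demo Password Policy,cn=Password Policies,cn=config

dn: uid=user.1,ou=People,dc=example,dc=com
ds-pwp-password-policy-dn: cn=Demo Password Policy,cn=Password Polici
 es,cn=config

dn: uid=user.2,ou=People,dc=example,dc=com

dn: uid=user.3,ou=People,dc=example,dc=com
ds-pwp-password-policy-dn: cn=Other Policy,cn=Password Policies,cn=config
'

# unfold_ldif : join continuation lines (leading single space) onto the line before.
unfold_ldif() {
  awk '
    /^ /  { buf = buf substr($0, 2); next }
    { if (NR > 1) print buf; buf = $0 }
    END   { print buf }
  '
}

# missing_policy EXPECTED_DN : read LDIF on stdin and print the DN of every entry
# whose ds-pwp-password-policy-dn is absent or differs (case-insensitively) from
# EXPECTED_DN. Attribute lines are "dn: " (4 chars) and
# "ds-pwp-password-policy-dn: " (27 chars) followed by the value.
missing_policy() {
  unfold_ldif | awk -v want="$1" '
    function flush() {
      if (dn != "" && tolower(pol) != tolower(want)) print dn
      dn = ""; pol = ""
    }
    /^dn: /                        { flush(); dn = substr($0, 5); next }
    /^ds-pwp-password-policy-dn: / { pol = substr($0, 28); next }
    /^$/                           { flush() }
    END                            { flush() }
  '
}

# check_sample : run the check against the constructed sample above.
check_sample() {
  printf '%s' "$SAMPLE_OUTPUT" | missing_policy "$EXPECTED_POLICY"
}

# count_missing : number of DNs reported by check_sample.
count_missing() {
  check_sample | awk 'END { print NR }'
}
```

Against live data, pipe the search output into the filter, for example `bin/ldapsearch --baseDN ou=People,dc=example,dc=com "(objectClass=person)" ds-pwp-password-policy-dn | missing_policy "$EXPECTED_POLICY"` (the base DN and filter here are assumptions for the sample data, not values from the page). Any DN it prints has either not been matched by the virtual attribute's group criteria or has been assigned a different policy explicitly.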
