PingDirectory

The password policy control

PingDirectory server supports the password policy request control, as described in draft-behera-ldap-password-policy-10.

This control can be included in add, bind, compare, modify, and password modify extended requests to obtain information about the associated user’s password policy state. This includes:

  • The length of time until the user’s password expires

  • The number of remaining grace logins

  • Whether the password is expired

  • Whether the account is locked

  • Whether the user must change their password

  • Whether an update attempt failed because the user is not allowed to change their password

  • Whether an update attempt failed because the user is required to provide their current password

  • Whether an operation failed because the password is considered too weak

  • Whether the proposed password is too short

  • Whether the proposed password already exists in the user’s password history

  • Whether a user cannot change their password because there has not been enough time since the previous password change

Because this control is based on a public specification, its format is fixed and it is not updated to support additional features.