PingDirectory

Viewing password policies

Password policies enforce rules that ensure that access to data is not compromised through negligent password practices.

The PingDirectory server provides mechanisms to create and maintain password policies that determine:

  • Whether passwords should expire

  • Whether users are allowed to modify their own passwords

  • Whether too many failed authentication attempts should result in an account lockout

Many other options are available to fully configure a password policy for your PingData Platform system.

The PingDirectory server provides three out-of-the-box password policies that you can apply to your entries or as templates for configuring customized policies:

Default password policy

The default password policy is automatically applied to all users, although it is possible to use an alternate password policy on a per-user basis.

Root password policy

The root password policy is enforced for the default root user, which uses a stronger password storage scheme (PBKDF2 instead of the salted 256-bit SHA-2 scheme) and requires that a root user provide their current password to select a new password.

Secure password policy

The secure password policy provides a more secure option than the default policy that makes use of several features, including password expiration, account lockout, last sign-on time and last sign-on IP address tracking, password history, and several password validators.

Using the Secure password policy as-is might notably increase write load in the server by requiring updates to password policy state attributes in user entries and by requiring users to change passwords more frequently. In environments where write throughput is a concern (including environments spread across multiple data centers requiring replication over a WAN), it might be useful to consider whether the policy should be updated to reduce the number of required entry updates.

Viewing password policies

About this task

To view the list of password policies configured on the PingDirectory server:

Steps

  • Do one of the following:

    Choose from:

    • Run the dsconfig tool in either interactive or non-interactive mode.

    • Use the Administrative Console.

      Example:

      The following example demonstrates the process for obtaining a list of defined password policies in non-interactive mode.

      $ bin/dsconfig list-password-policies

      Result:

      Password Policy         : Type    : password-attribute : default-password-storage-scheme
      ------------------------:---------:--------------------:--------------------------------
      Default Password Policy : generic : userPassword       : Salted SHA-256
      Root Password Policy    : generic : userPassword       : PBKDF2
      Secure Password Policy  : generic : userPassword       : PBKDF2

Viewing a specific password policy

About this task

To view a specific password policy:

Steps

  • Do one of the following:

    Choose from:

    • Run the dsconfig tool.

    • Use the Administrative Console.

      Example:

      This example uses dsconfig to view the default password policy, which applies to all users for which no specific policy is configured.

      $ bin/dsconfig get-password-policy-prop \
        --policy-name "Default Password Policy"

      Result:

      Property                                  : Value(s)
      ------------------------------------------:--------------------------
      description                               : -
      password-attribute                        : userpassword
      default-password-storage-scheme           : Salted SHA-1
      deprecated-password-storage-scheme        : -
      password-validator                        : -
      account-status-notification-handler       : -
      allow-user-password-changes               : true
      password-change-requires-current-password : false
      force-change-on-add                       : false
      force-change-on-reset                     : false
      password-generator                        : Random Password Generator
      require-secure-authentication             : false
      require-secure-password-changes           : false
      min-password-age                          : 0s
      max-password-age                          : 0s
      max-password-reset-age                    : 0s
      password-expiration-warning-interval      : 5d
      expire-passwords-without-warning          : false
      allow-expired-password-changes            : false
      grace-login-count                         : 0s
      lockout-failure-count                     : 0s
      lockout-duration                          : 0s
      lockout-failure-expiration-interval       : 0s
      require-change-by-time                    : -
      last-login-time-attribute                 : ds-pwp-last-login-time
      last-login-time-format                    : -
      previous-last-login-time-format           : -
      idle-lockout-interval                     : 0s
      password-history-count                    : 0s
      password-history-duration                 : 0s
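A small POSIX shell audit of the property table that get-password-policy-prop prints, added here as an example and not part of the PingDirectory documentation or tooling. It assumes the table is piped in on stdin (the sample below is constructed to match the Default Password Policy output above) and flags the settings this page calls out as disabled in that policy: expiration, lockout, password history, secure authentication and the current-password check.

```shell
#!/bin/sh
# Added example (not PingDirectory's own code): audit the property table
# printed by "dsconfig get-password-policy-prop" for settings that leave
# expiration, lockout, password history or secure binds switched off.

# Constructed sample, shaped like the Default Password Policy output above.
SAMPLE_POLICY='Property                                  : Value(s)
------------------------------------------:--------------------------
description                               : -
password-attribute                        : userpassword
password-change-requires-current-password : false
require-secure-authentication             : false
max-password-age                          : 0s
lockout-failure-count                     : 0s
password-history-count                    : 0s'

# prop_value NAME: print the value of property NAME from the table on stdin.
# The separator regex swallows the padding on both sides of the colon.
prop_value() {
    awk -F' *: *' -v name="$1" '$1 == name { print $2; exit }'
}

# audit_policy: read a property table on stdin and print one "WEAK:" line
# for every checked property that still holds the value listed here.
audit_policy() {
    table=$(cat)
    printf '%s\n' \
      'max-password-age|0s|passwords never expire' \
      'lockout-failure-count|0s|no lockout after repeated failed binds' \
      'password-history-count|0s|previous passwords can be reused' \
      'require-secure-authentication|false|binds accepted over cleartext' \
      'password-change-requires-current-password|false|old password not needed to set a new one' |
    while IFS='|' read -r prop weak why; do
        v=$(printf '%s\n' "$table" | prop_value "$prop")
        if [ "$v" = "$weak" ]; then
            echo "WEAK: $prop=$v ($why)"
        fi
    done
}

# Run the audit against the constructed sample; on a live server pipe in
# the real output instead:  bin/dsconfig get-password-policy-prop ... | audit_policy
printf '%s\n' "$SAMPLE_POLICY" | audit_policy
```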