PingDirectory

Enabling Account Information tab content

The Delegated Admin GUI’s Account Information tab provides information about a user account. For Delegated Admin to display the user account information, you must enable the Password Policy State JSON virtual attribute for the users object class. You can then configure the information that displays.

Steps

  1. For each PingDirectory instance that contains users, enable the Password Policy State JSON virtual attribute for the users object class.

    You don’t need to enable this virtual attribute on PingDirectoryProxy instances.

    For example, the following command enables the virtual attribute for users with the person object class, which includes users whose REST resource type structural object class is derived from person, such as inetOrgPerson.

    $ bin/dsconfig set-virtual-attribute-prop \
     --name "Password Policy State JSON" \
     --set enabled:true \
     --set require-explicit-request-by-name:true \
     --set "filter:(objectClass=person)" \
     --no-prompt --applyChangeTo server-group
    shell

    After you enable the virtual attribute, delegated administrative users can access account information for a user in the Delegated Admin GUI.

    The Account Information tab provides account status by default. To display the last login time and the password expiration date, you must set their properties. You configure these items per password policy.

    When not configured, these entries appear as follows:

    LAST LOGIN

    Last login time not available. (This entry also displays when the user hasn’t logged in.)

    PASSWORD EXPIRATION

    Password expiration date has not been enabled.

    You can configure these items in the administrative console or by using the dsconfig tool interactively or non-interactively. The following steps use the non-interactive approach:

  2. Select the password policy for which you want to enable the last login time and password expiration date.

    Learn more about Managing password policies.

    dsconfig list-password-policies

  3. (Optional) Include the last login time.

    To include the last login time, choose which property to set. You can set either of the following properties:

    • maximum-recent-login-history-successful-authentication-count

    • last-login-time-format

      If you use this property, make sure the last-login-time-attribute has its default value ds-pwp-last-login-time.

      Values for last-login-time-format include:

      • yyyyMMddHHmmss'Z' for second-level accuracy

      • yyyyMMdd for day-level accuracy

    Learn more about last login time options.

  4. (Optional) Include the password expiration date.

    To include this information, set the property max-password-age.

  5. Set the desired password policy properties.

    Example:

    $ bin/dsconfig set-password-policy-prop \
     --policy-name "<password_policy_name>" \
     --set maximum-recent-login-history-successful-authentication-count:<count_value>  \
     --set "max-password-age:<password_age_value>" \
     --no-prompt --applyChangeTo server-group
    shell