The verify password extended operation
There is an extended operation to verify a user’s password. Read carefully before enabling this operation.
For security reasons, PingDirectory provides vague responses to bind requests. If an authentication attempt is unsuccessful, the server doesn’t communicate the reason for the failure. Additionally, for both security and performance reasons, the server doesn’t attempt to verify the provided credentials if it can determine that the target account is not in a usable state (for example, if it has been administratively disabled, or if it has been locked as a result of too many previous authentication failures).
The verify-password
extended operation enables you to differentiate the authentication response to the client with respect to certain kinds of failures. For example, if you can determine that a user’s account has been locked as a result of too many failed authentication attempts, you can present the user with a means of resetting the password if and only if you can verify that the provided password was correct.
Enabling the An attacker could use this extended operation to get unlimited attempts to guess a user’s password, circumventing the security benefit of an account lockout. We strongly discourage designing applications in a way that could provide a malicious client with information that might help them better craft an attack against user accounts. This extended operation is not a standalone alternative to authenticating clients. Only use it to augment the existing authentication process, if at all. |
The verify-password
extended operation determines if a provided password is correct for a specified user without performing any other password policy processing for that user. This verification is available even if the target account isn’t currently allowed to authenticate, and it won’t cause any updates to the user’s entry as a result of the determination.
Because of the security risks associated with using verify-password
, there are a number of restrictions in place to ensure that it can only be used by authorized clients, including:
-
The extended operation handler isn’t defined or enabled by default.
-
The server’s access control configuration doesn’t permit the use of the extended operation by default. If a client without the
bypass-acl
privilege has a legitimate need to use this extended operation, you must to create a global ACI that grants the client permission to use the extended request with OID 1.3.6.1.4.1.30221.2.6.72. -
Requesters must also have the
permit-verify-password-request
privilege, which isn’t granted to users (even root users) by default. -
Clients must issue
verify-password
requests over a secure connection so that anyone able to view network messages can’t access the content of that communication.You can disable this safeguard if necessary, but the server still requires secure communication protocol if either the target user’s password policy or operational attributes in the user’s entry require secure authentication.
-
The extended operation supports clients submitting password verification requests directly to PingDirectory or forwarded through a PingDirectoryProxy server (in both simple-proxy and entry-balanced configurations). When requests are forwarded from PingDirectoryProxy to PingDirectory, you must configure both server instances to enable the extended operation.
Learn more about Enabling the verify password extended operation.
Enabling the verify password extended operation
Before you begin
You must enable the required access privileges detailed in The verify password extended operation.
About this task
To verify a password using the verify-password
extended operation, enable the extended operation and then send a client request with the required information.
The client request must be a JavaScript Object Notation (JSON) object containing the following required fields:
dn
-
The distinguished name (DN) of the user account whose password the server should verify.
password
-
The password to verify for that user.
The server response contains a result code that explains the outcome of the verify-password
operation. The following table describes the result codes that the server can return:
Server response code | Description |
---|---|
|
The extended request is malformed. |
|
The provided password isn’t correct for the target user. |
|
The provided password is correct for the target user. |
|
The server is required to only permit the extended operation over a secure connection, or the server is configured to require secure authentication for the target user, but the client is using an insecure connection. |
|
The target user account does not exist. |
|
The provided DN is malformed. |
|
The target user account doesn’t have a password. |
|
The client doesn’t have sufficient permission to use the extended operation. |
|
The server encountered an internal error while attempting to verify the password. |
Steps
-
Enable the
verify-password
extended operation.Example:
$ bin/dsconfig create-extended-operation-handler \ --handler-name "Verify Password" \ --type verify-password \ --set enabled:true
-
Send a properly formed client request.
Learn more about formulating a request using the extended operation.
-
Use the result code in the response to determine how the client responds to the user.