PingDirectory

Externally modifiable user attributes

A limited set of operational attributes can be directly manipulated (for example, through LDAP add or modify operations) to manage certain aspects of a user’s password policy state.

They include:

ds-pwp-password-policy-dn

The distinguished name (DN) of the password policy that governs the user. If this is not present in the user’s entry (as either a real or virtual attribute), then the user is subject to the server’s default password policy.

ds-pwp-account-disabled

Indicates whether a user’s account should be administratively disabled. If this attribute is present with a value of true, then the account is disabled. If this attribute is present with a value of false, or if the attribute is absent, then the account is enabled.

ds-pwp-account-activation-time

Specifies the time at which a user’s account becomes active. Attempts to authenticate as the user (or use the account as an alternate authorization identity) fails before this time.

ds-pwp-account-expiration-time

Specifies the time at which a user’s account will expire. Attempts to authenticate as the user (or use the account as an alternate authorization identity) fails after this time.

ds-auth-totp-shared-secret

A shared secret that can be used to generate time-based one-time passwords in conjunction with the UNBOUNDID-TOTP SASL mechanism. Although this attribute can be manually updated, we recommend using the generate Time-based One-time Password (TOTP) shared secret extended operation for generating a shared secret and storing it in the user’s entry.

ds-auth-preferred-otp-delivery-mechanism

The public identifier of a YubiKey device that can be used to generate one-time passwords for use in conjunction with the UNBOUNDID-YUBIKEY-OTP SASL mechanism. Although this attribute can be manually updated, we recommend using the registered YubiKey OTP device extended operation.