PingDirectory

The get password policy state issues control

By default, PingDirectory server returns a minimal amount of information in the response to a failed bind attempt. This is intentional because revealing too much can give an attacker useful information that could allow them to improve their tactics.

Nevertheless, it is useful in some circumstances to provide an application with a way to obtain information about the reason for a failed authentication attempt. As such, PingDirectory server offers a get password policy state issues request control that can be included in a bind request to indicate that the server should include a control in the bind response with information about any error, warning, or notice conditions in the user’s password policy state that might currently or soon interfere with their ability to authenticate. If the bind attempt fails, then it might also include specific information about the reason for that failure.

To prevent this control from being misused, PingDirectory server only allows it to be requested under a limited set of circumstances:

  • The bind request must be issued on a connection that is currently authenticated as a user with the permit-get-password-policy-state-issues privilege.

  • The requester must have access control permission to use the get password policy state issues request control.

The bind request must also include the retain identity request control in the bind request.