The password policy state extended operation and the manage-account tool
The PingDirectory server supports a proprietary password policy state extended operation that can retrieve and manipulate virtually any kind of password policy state information in a user’s entry. A single request names the target user and carries one or more operations, and the response returns the resulting state for each of them.
This includes:
- Retrieving the DN of the password policy that governs the user
- Retrieving a flag that indicates whether the server considers the account usable
- Retrieving the set of error, warning, and notice conditions that can affect the account’s usability
- Determining whether the account has a static password
- Retrieving and updating the flag indicating whether an account is disabled
- Retrieving and updating the account’s activation and expiration times
- Retrieving and updating the account’s password changed time
- Determining whether the user’s password is expired
- Retrieving the account’s password expiration time, which is computed from the password changed time and the policy’s maximum password age
- Retrieving and updating the account’s password expiration warned time
- Retrieving and updating the set of grace login use times
- Retrieving and updating the record of failed authentication attempts
- Retrieving and overriding a failure-based account lockout
- Retrieving the time that an account was failure locked
- Retrieving and updating an account’s last login time
- Retrieving and updating an account’s last login IP address
- Retrieving and clearing an account’s recent login history
- Retrieving the length of time until an upcoming idle lockout
- Retrieving and updating the account’s “must change password” flag
- Determining whether an account is reset locked
- Retrieving the length of time until a password reset lockout
- Retrieving the number of passwords in the user’s history and clearing the history
- Determining whether a user has a retired password and purging the retired password
- Retrieving the set of SASL mechanisms that are available to the user
- Retrieving the set of one-time passcode (OTP) delivery mechanisms that are available to the user
- Determining whether the user has any TOTP shared secrets
- Registering and deregistering TOTP shared secrets
- Determining whether the user has any registered YubiKey OTP devices
- Registering and deregistering YubiKey OTP devices
- Retrieving and updating the time that bind password validation was last performed for the user
- Retrieving and clearing a password validation lockout
The server also includes a manage-account tool that provides command-line access to the functionality of the password policy state extended operation. Because the operation (and therefore manage-account) can override lockouts, clear failed-authentication records, and register or remove second-factor credentials, treat it as an administrative interface: grant the right to use it only to the accounts that need it, and audit its use.
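The following is an added example, not code from the page or from PingDirectory itself. It shows how the extended operation’s value is built and parsed on the wire, so that it can be issued from a non-Java client or decoded from captured LDAP traffic: a BER SEQUENCE holding the target user DN and a SEQUENCE OF operations, each an ENUMERATED opType with an optional SEQUENCE OF OCTET STRING values. The request OID and the opType numbers used here are assumptions taken from the published UnboundID LDAP SDK definition and should be checked against the server documentation; the response value in the block is constructed for illustration, not captured from a server. Any LDAP client that exposes raw extended operations (for example ldap3’s `Connection.extended()`) can carry the encoded value.

```python
"""BER encoder/decoder for the password policy state extended operation value.

Layout (request and response share it; the response fills in opValues):
  SEQUENCE { targetUser OCTET STRING,
             operations SEQUENCE OF SEQUENCE { opType ENUMERATED,
                                               opValues SEQUENCE OF OCTET STRING OPTIONAL } }
"""

# Assumed from the UnboundID LDAP SDK; verify against the server docs.
PASSWORD_POLICY_STATE_OID = "1.3.6.1.4.1.30221.1.6.1"

# Assumed opType numbers (only those exercised here).
OP_GET_ACCOUNT_DISABLED_STATE = 1
OP_SET_ACCOUNT_DISABLED_STATE = 2
OP_GET_AUTHENTICATION_FAILURE_TIMES = 16
OP_CLEAR_AUTHENTICATION_FAILURE_TIMES = 19
OP_GET_SECONDS_UNTIL_AUTHENTICATION_FAILURE_UNLOCK = 20


def _ber_len(n: int) -> bytes:
    # Short form below 128, long form (0x80 | byte count) above.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content


def _octet_string(s: str) -> bytes:
    return _tlv(0x04, s.encode("utf-8"))


def _enumerated(v: int) -> bytes:
    if not 0 <= v <= 127:  # all opTypes used here fit one byte
        raise ValueError("enumerated value out of single-byte range")
    return _tlv(0x0A, bytes([v]))


def _sequence(*elements: bytes) -> bytes:
    return _tlv(0x30, b"".join(elements))


def encode_operation(op_type: int, values=()) -> bytes:
    elems = [_enumerated(op_type)]
    if values:  # opValues is OPTIONAL; omit it for value-less operations
        elems.append(_sequence(*(_octet_string(v) for v in values)))
    return _sequence(*elems)


def encode_state_value(target_dn: str, operations) -> bytes:
    """operations: iterable of (op_type, [string values])."""
    return _sequence(_octet_string(target_dn),
                     _sequence(*(encode_operation(t, v) for t, v in operations)))


def _read_tlv(buf: bytes, pos: int):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def _read_all(buf: bytes):
    pos, out = 0, []
    while pos < len(buf):
        tag, content, pos = _read_tlv(buf, pos)
        out.append((tag, content))
    return out


def decode_state_value(value: bytes) -> dict:
    """Parse a request or response value into {target_dn, operations: {opType: [values]}}."""
    tag, content, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("value is not a single top-level SEQUENCE")
    parts = _read_all(content)
    if not parts or parts[0][0] != 0x04:
        raise ValueError("missing targetUser DN")
    operations = {}
    if len(parts) > 1:
        for op_tag, op_content in _read_all(parts[1][1]):
            fields = _read_all(op_content)
            if op_tag != 0x30 or not fields or fields[0][0] != 0x0A:
                raise ValueError("malformed operation element")
            vals = [c.decode("utf-8") for _, c in _read_all(fields[1][1])] if len(fields) > 1 else []
            operations[int.from_bytes(fields[0][1], "big")] = vals
    return {"target_dn": parts[0][1].decode("utf-8"), "operations": operations}


def account_is_disabled(decoded: dict) -> bool:
    # Boolean results travel as the strings "true"/"false".
    vals = decoded["operations"].get(OP_GET_ACCOUNT_DISABLED_STATE, [])
    return bool(vals) and vals[0].lower() == "true"


# Constructed sample response (illustration only, not captured from a server).
SAMPLE_RESPONSE = encode_state_value(
    "uid=jdoe,ou=People,dc=example,dc=com",
    [(OP_GET_ACCOUNT_DISABLED_STATE, ["false"]),
     (OP_GET_AUTHENTICATION_FAILURE_TIMES,
      ["20240501120000.000Z", "20240501120130.000Z", "20240501120245.000Z"]),
     (OP_GET_SECONDS_UNTIL_AUTHENTICATION_FAILURE_UNLOCK, ["1800"])])

if __name__ == "__main__":
    req = encode_state_value("uid=jdoe,ou=People,dc=example,dc=com",
                             [(OP_GET_ACCOUNT_DISABLED_STATE, []),
                              (OP_CLEAR_AUTHENTICATION_FAILURE_TIMES, [])])
    print("request value:", req.hex())
    print("decoded response:", decode_state_value(SAMPLE_RESPONSE))
```

The decoder refuses trailing bytes and truncated elements rather than silently accepting them, which matters when the same code is reused to inspect values pulled from traffic captures. Long-form BER lengths are handled because a response carrying several failure-time values easily exceeds 127 bytes.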