PingDirectory

The password policy state extended operation and the manage-account tool

PingDirectory server supports a proprietary password policy state extended operation that can retrieve and manipulate virtually any kind of password policy state information in a user’s entry.

This includes:

  • Retrieving the DN of the password policy that governs the user

  • Retrieving a flag that indicates whether the server considers the account usable

  • Retrieving a set of error, warning, and notice conditions that can affect the account’s usability

  • Determining whether the account has a static password

  • Retrieving and updating the flag indicating whether an account is disabled

  • Retrieving and updating the account’s activation and expiration times

  • Retrieving and updating the account’s password changed time

  • Determining whether the user’s password is expired

  • Retrieving the account’s password expiration time, which is computed from the password changed time

  • Retrieving and updating the account’s password expiration warned time

  • Retrieving and updating the set of grace login use times

  • Retrieving and updating the record of failed authentication attempts

  • Retrieving and overriding a failure-based account lockout

  • Retrieving the time that an account was failure locked

  • Retrieving and updating an account’s last login time

  • Retrieving and updating an account’s last login IP address

  • Retrieving and clearing an account’s recent login history

  • Retrieving the length of time until an upcoming idle lockout

  • Retrieving and updating the account’s “must change password” flag

  • Determining whether an account is reset locked

  • Retrieving the length of time until a password reset lockout

  • Retrieving the number of passwords in the user’s history and clearing the history

  • Determining whether a user has a retired password and purging the retired password

  • Retrieving the set of SASL mechanisms that are available to the user

  • Retrieving the set of one-time passcode (OTP) delivery mechanisms that are available to the user

  • Determining whether the user has any TOTP shared secrets

  • Registering and deregistering TOTP shared secrets

  • Determining whether the user has any registered YubiKey OTP devices

  • Registering and deregistering YubiKey OTP devices

  • Retrieving and updating the time that bind password validation was last performed for the user

  • Retrieving and clearing a password validation lockout

The server also includes a manage-account tool that provides command-line access to the functionality of the password policy state extended operation.
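The following is an added example, not code from the PingDirectory documentation or product, showing how a directory administrator might use the extended operation from a client: read a user's state in a single round trip (governing policy, usability, failure record, last login) and, if the account is under investigation, disable it and set the "must change password" flag in a second request. It uses the UnboundID LDAP SDK classes that PingDirectory ships (`PasswordPolicyStateExtendedRequest`, `PasswordPolicyStateOperation`, `PasswordPolicyStateExtendedResult`); the getter and factory-method names follow that SDK's documented naming and should be confirmed against the Javadoc of the SDK version in use. The host name, bind DN, trust store path and target DN are placeholders, and the bind identity is assumed to hold the privilege the server requires for this operation (the `password-reset` privilege in PingDirectory).

```java
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.unboundidds.extensions.PasswordPolicyStateAccountUsabilityError;
import com.unboundid.ldap.sdk.unboundidds.extensions.PasswordPolicyStateExtendedRequest;
import com.unboundid.ldap.sdk.unboundidds.extensions.PasswordPolicyStateExtendedResult;
import com.unboundid.ldap.sdk.unboundidds.extensions.PasswordPolicyStateOperation;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustStoreTrustManager;

import java.util.Date;

public final class AccountTriage {

  // Placeholder connection details (assumptions, not values from the documentation).
  private static final String HOST = "ds.example.com";
  private static final int PORT = 636;
  private static final String BIND_DN = "uid=triage-admin,ou=Admins,dc=example,dc=com";
  private static final String TRUST_STORE = "/path/to/truststore.jks";

  // One extended request can carry several state operations; the server
  // answers all of them in a single result, so reading state costs one round trip.
  static PasswordPolicyStateExtendedResult readState(LDAPConnection conn, String userDN)
      throws LDAPException {
    PasswordPolicyStateExtendedRequest req = new PasswordPolicyStateExtendedRequest(userDN,
        PasswordPolicyStateOperation.createGetPasswordPolicyDNOperation(),
        PasswordPolicyStateOperation.createGetAccountIsUsableOperation(),
        PasswordPolicyStateOperation.createGetAccountUsabilityErrorsOperation(),
        PasswordPolicyStateOperation.createGetAccountDisabledStateOperation(),
        PasswordPolicyStateOperation.createGetAuthenticationFailureTimesOperation(),
        PasswordPolicyStateOperation.createGetLastLoginTimeOperation(),
        PasswordPolicyStateOperation.createGetLastLoginIPAddressOperation(),
        PasswordPolicyStateOperation.createGetSecondsUntilPasswordExpirationOperation());
    PasswordPolicyStateExtendedResult res =
        (PasswordPolicyStateExtendedResult) conn.processExtendedOperation(req);
    if (res.getResultCode() != ResultCode.SUCCESS) {
      throw new LDAPException(res);
    }
    return res;
  }

  // Containment step for an account under investigation: disable it and require a
  // password change on the next successful authentication after re-enabling.
  static void containAccount(LDAPConnection conn, String userDN) throws LDAPException {
    PasswordPolicyStateExtendedRequest req = new PasswordPolicyStateExtendedRequest(userDN,
        PasswordPolicyStateOperation.createSetAccountDisabledStateOperation(true),
        PasswordPolicyStateOperation.createSetPasswordResetStateOperation(true));
    PasswordPolicyStateExtendedResult res =
        (PasswordPolicyStateExtendedResult) conn.processExtendedOperation(req);
    if (res.getResultCode() != ResultCode.SUCCESS) {
      throw new LDAPException(res);
    }
  }

  static void printState(String userDN, PasswordPolicyStateExtendedResult s) {
    System.out.println("State for " + userDN);
    System.out.println("  policy DN:        " + s.getPasswordPolicyDN());
    System.out.println("  usable:           " + s.getAccountIsUsable());
    for (PasswordPolicyStateAccountUsabilityError e : s.getAccountUsabilityErrors()) {
      System.out.println("  usability error:  " + e.getMessage());
    }
    System.out.println("  disabled:         " + s.getAccountDisabledState());
    Date[] failures = s.getAuthenticationFailureTimes();
    System.out.println("  recent failures:  " + (failures == null ? 0 : failures.length));
    System.out.println("  last login:       " + s.getLastLoginTime()
        + " from " + s.getLastLoginIPAddress());
    System.out.println("  secs to pw expiry:" + s.getSecondsUntilPasswordExpiration());
  }

  // Usage: java AccountTriage <bind-password> <user-DN> [--contain]
  public static void main(String[] args) throws Exception {
    String bindPassword = args[0];
    String userDN = args[1];
    boolean contain = args.length > 2 && "--contain".equals(args[2]);

    // TLS with an explicit trust store; never trust-all in production.
    SSLUtil sslUtil = new SSLUtil(new TrustStoreTrustManager(TRUST_STORE));
    try (LDAPConnection conn = new LDAPConnection(sslUtil.createSSLSocketFactory(),
        HOST, PORT, BIND_DN, bindPassword)) {
      printState(userDN, readState(conn, userDN));
      if (contain) {
        containAccount(conn, userDN);
        System.out.println("Account disabled and flagged for password reset; re-reading:");
        printState(userDN, readState(conn, userDN));
      }
    }
  }
}
```

The same operations are reachable from the command line with the manage-account tool (for example `manage-account get-all --targetDN <user-DN>` with the usual connection arguments), which is the quicker choice for one-off checks; the programmatic form is useful when account state needs to be folded into an automated triage or audit workflow, and the second read after containment confirms the change took effect before the workflow moves on.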