PingDirectory

Bypassing password policy evaluation

A user that holds the bypass-pw-policy privilege can skip password policy evaluation when performing operations on accounts other than their own.

About this task

The PingDirectory server supports a bypass-pw-policy privilege that is granted to individual user entries. When a user holding this privilege performs an operation on another user's entry, the server does not apply the constraints of the password policy associated with the target entry, so changes that the policy would normally reject are allowed. Because the holder can set weak, reused or pre-encoded passwords on other accounts, treat it as an administrative privilege: grant it only to the accounts that need it, and review the set of holders periodically.

The bypass-pw-policy privilege does not have any effect for bind operations.

Any user with this privilege is permitted to perform operations against other users that would otherwise be rejected under the constraints of the target user's password policy, such as:

  • Setting a pre-encoded password

  • Setting a new password that wouldn’t be accepted by one or more password validators

  • Setting a new password that already exists in a user’s password history

These restrictions can also be circumvented on a per-operation basis using the password update behavior control.

If you have a set of users that should be subject to lesser or differing constraints than another set of users, you can create a new password policy with the desired constraints, if any, and assign it to the appropriate users. Learn more about assigning password policies to users.

Steps

  • To add the bypass-pw-policy privilege to a user entry, use the ldapmodify tool to add the value bypass-pw-policy to the entry's ds-privilege-name attribute. There is no dedicated subcommand; the grant is an ordinary LDIF modification, and the bind identity performing it must itself be allowed to change privileges (for example, a root user).

    Example:

    $ bin/ldapmodify
    dn: uid=user.1,ou=People,dc=example,dc=com
    changetype: modify
    add: ds-privilege-name
    ds-privilege-name: bypass-pw-policy
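The following script is an added example and is not part of the PingDirectory documentation. It wraps the procedure above in a shell function per step so that it can be checked before it is run: build the grant LDIF, verify the grant with an ldapsearch filter that lists every holder of the privilege, exercise the privilege by binding as the holder and setting a pre-encoded password on another user, and revoke the privilege again when the task is done. Everything that is not a fact stated on this page is an assumption: the host, port, bind DNs and passwords are hypothetical, the {SSHA256} value is a placeholder rather than a real encoded password (in practice you would produce one with the encode-password tool), and the tools are assumed to be the bin/ldapmodify and bin/ldapsearch of a PingDirectory install in the current directory, invoked with their --hostname, --port, --bindDN, --bindPassword and --baseDN options.

```shell
#!/bin/sh
# Added example; not from the PingDirectory documentation.
# Assumptions (all hypothetical): server at $PD_HOST:$PD_PORT, an admin bind DN
# that is allowed to change privileges, and bin/ldapmodify plus bin/ldapsearch
# from a PingDirectory install in the current directory.
PD_HOST="${PD_HOST:-localhost}"
PD_PORT="${PD_PORT:-1389}"
PD_ADMIN_DN="${PD_ADMIN_DN:-cn=Directory Manager}"
PD_ADMIN_PW="${PD_ADMIN_PW:-password}"   # hypothetical; prefer --bindPasswordFile in practice

HOLDER_DN="uid=user.1,ou=People,dc=example,dc=com"   # entry that receives the privilege
TARGET_DN="uid=user.2,ou=People,dc=example,dc=com"   # entry whose password the holder will set
HOLDER_PW="user1pw"                                  # hypothetical password of user.1
PRIV="bypass-pw-policy"

# LDIF that grants the privilege: add one value to ds-privilege-name.
grant_ldif() {
  printf 'dn: %s\nchangetype: modify\nadd: ds-privilege-name\nds-privilege-name: %s\n' "$1" "$PRIV"
}

# LDIF that revokes it: delete only that value, leaving any other privileges in place.
revoke_ldif() {
  printf 'dn: %s\nchangetype: modify\ndelete: ds-privilege-name\nds-privilege-name: %s\n' "$1" "$PRIV"
}

# LDIF that replaces userPassword with an already-encoded value. Without the
# privilege (or the password update behavior control) the target's password
# policy rejects a pre-encoded password.
set_preencoded_ldif() {
  printf 'dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n' "$1" "$2"
}

# Search filter that matches every entry currently holding the privilege.
audit_filter() { printf '(ds-privilege-name=%s)' "$PRIV"; }

# Apply a modify as the given bind identity; the LDIF is read from stdin.
pd_modify() {
  bin/ldapmodify --hostname "$PD_HOST" --port "$PD_PORT" \
    --bindDN "$1" --bindPassword "$2"
}

# The steps below talk to a live server, so they only run when invoked as: ./grant.sh apply
if [ "${1-}" = "apply" ]; then
  # 1. Grant the privilege as the administrator.
  grant_ldif "$HOLDER_DN" | pd_modify "$PD_ADMIN_DN" "$PD_ADMIN_PW"

  # 2. Check that it took, and see who else holds it.
  bin/ldapsearch --hostname "$PD_HOST" --port "$PD_PORT" \
    --bindDN "$PD_ADMIN_DN" --bindPassword "$PD_ADMIN_PW" \
    --baseDN "ou=People,dc=example,dc=com" "$(audit_filter)" ds-privilege-name

  # 3. Exercise it: bind as the holder and set a pre-encoded password on user.2.
  #    The value below is a placeholder; substitute output from bin/encode-password.
  set_preencoded_ldif "$TARGET_DN" '{SSHA256}PLACEHOLDER-ENCODED-VALUE' \
    | pd_modify "$HOLDER_DN" "$HOLDER_PW"

  # 4. Revoke the privilege once the administrative task is finished.
  revoke_ldif "$HOLDER_DN" | pd_modify "$PD_ADMIN_DN" "$PD_ADMIN_PW"
fi
```

Step 2 is the check worth keeping around on its own: running the audit filter against the user container on a schedule shows whether the privilege has quietly accumulated on accounts that no longer need it. Step 3 is there to confirm the grant works before you rely on it; if the same modify succeeds when bound as the holder but fails when bound as an unprivileged user, the privilege is doing what the page describes.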