PingDirectory

Creating new password policies

You can create new password policies that meet your organization’s requirements.

You can create any number of password policies in the PingDirectory server using either the dsconfig tool (in interactive or non-interactive mode) or the Administrative Console.

Creating a new password policy

Steps

  • To create a new password policy:

    Choose from:

    • Run dsconfig in interactive or non-interactive mode.

    • Use the administrative console.

      Example:

      This example demonstrates creating a new policy using dsconfig in non-interactive mode.

      $ bin/dsconfig create-password-policy \
        --policy-name "Demo Password Policy" \
        --set "password-attribute:userpassword" \
        --set "default-password-storage-scheme:Salted SHA-256" \
        --set "force-change-on-add:true" \
        --set "force-change-on-reset:true" \
        --set "password-expiration-warning-interval:2 weeks" \
        --set "max-password-age:90 days" \
        --set "lockout-duration:24 hours" \
        --set "lockout-failure-count:3" \
        --set "password-change-requires-current-password:true"

Assigning a password policy to an individual account

About this task

Rather than a user automatically inheriting the default password policy, you can assign a user to a particular password policy by including the ds-pwp-password-policy-dn operational attribute in that user’s entry with a value equal to the distinguished name (DN) of the desired password policy for that user. This operational attribute is explicitly included in a user’s entry, or generated by a virtual attribute, which makes it easy to apply a custom password policy to a set of users based on a flexible set of criteria.

Steps

  1. Create an LDIF file that adds the ds-pwp-password-policy-dn attribute with the password policy DN you want to assign to that user.

    Example:

    This example creates the file assign.ldif with the following contents.

    dn: uid=user.1,ou=People,dc=example,dc=com
    changetype: modify
    add: ds-pwp-password-policy-dn
    ds-pwp-password-policy-dn: cn=Demo Password Policy,cn=Password Policies,cn=config
  2. To apply the modification to the user’s entry, run ldapmodify.

    Example:

    For this example, the file used is assign.ldif.

    $ bin/ldapmodify --filename assign.ldif

Assigning a password policy using a virtual attribute

About this task

You can automatically assign a custom password policy for a set of users using a virtual attribute. You can configure the virtual attribute so that it uses a range of criteria for selecting the entries for which the virtual attribute should appear.

Steps

  1. Create an LDIF file, which you can use to add a group to the server.

    Example:

    dn: ou=Groups,dc=example,dc=com
    objectClass: organizationalunit
    objectClass: top
    ou: Groups
    
    dn: cn=Engineering Managers,ou=groups,dc=example,dc=com
    objectClass: groupOfUniqueNames
    objectClass: top
    cn: Engineering Managers
    uniqueMember: uid=user.0,ou=People,dc=example,dc=com
  2. To add the entries to the server, run the ldapmodify tool.

    Example:

    $ bin/ldapmodify --defaultAdd --filename groups.ldif
  3. To create a virtual attribute, run dsconfig.

    Example:

    This virtual attribute adds the ds-pwp-password-policy-dn attribute with a value of cn=Demo Password Policy,cn=Password Policies,cn=config to the entries for all users that are members of the cn=Engineering Managers,ou=Groups,dc=example,dc=com group.

    $ bin/dsconfig create-virtual-attribute \
      --name "Eng Mgrs Password Policy" \
      --type user-defined \
      --set "description:Eng Mgrs Grp PWPolicy" \
      --set enabled:true \
      --set attribute-type:ds-pwp-password-policy-dn \
      --set "value:cn=Demo Password Policy,cn=Password Policies,cn=config" \
      --set "group-dn:cn=Engineering Managers,ou=Groups,dc=example,dc=com"
  4. To verify that a user in the group contains the assigned password policy distinguished name (DN), run the ldapsearch tool.

    Example:

    $ bin/ldapsearch --baseDN dc=example,dc=com "(uid=user.0)" \
    ds-pwp-password-policy-dn

    Result:

    dn: uid=user.0,ou=People,dc=example,dc=com
    ds-pwp-password-policy-dn: cn=Demo Password Policy,cn=Password Policies,cn=config