Creating new password policies
You can create new password policies that meet your organization’s requirements.
You can create any number of password policies in the PingDirectory server using either the dsconfig
tool (in interactive or non-interactive mode) or the Administrative Console.
Creating a new password policy
Steps
-
To create a new password policy:
Choose from:
-
Run
dsconfig
in interactive or non-interactive mode. -
Use the administrative console.
Example:
This example demonstrates creating a new policy using
dsconfig
in non-interactive mode.$ bin/dsconfig create-password-policy \ --policy-name "Demo Password Policy" \ --set "password-attribute:userpassword" \ --set "default-password-storage-scheme:Salted SHA-256" \ --set "force-change-on-add:true" \ --set "force-change-on-reset:true" \ --set "password-expiration-warning-interval:2 weeks" \ --set "max-password-age:90 days" \ --set "lockout-duration:24 hours" \ --set "lockout-failure-count:3" \ --set "password-change-requires-current-password:true"
-
Assigning a password policy to an individual account
About this task
Rather than a user automatically inheriting the default password policy, you can assign a user to a particular password policy by including the ds-pwp-password-policy-dn
operational attribute in that user’s entry with a value equal to the distinguished name (DN) of the desired password policy for that user. This operational attribute is explicitly included in a user’s entry, or generated by a virtual attribute, which makes it easy to apply a custom password policy to a set of users based on a flexible set of criteria.
Steps
-
Create an LDIF file that adds the
ds-pwp-password-policy-dn
attribute with the password policy DN you want to assign to that user.Example:
This example creates the file
assign.ldif
with the following contents.dn: uid=user.1,ou=People,dc=example,dc=com changetype: modify add: ds-pwp-password-policy-dn ds-pwp-password-policy-dn: cn=Demo Password Policy,cn=Password Policies,cn=config
-
To apply the modification to the user’s entry, run
ldapmodify
.Example:
For this example, the file used is
assign.ldif
.$ bin/ldapmodify --filename assign.ldif
Assigning a password policy using a virtual attribute
About this task
You can automatically assign a custom password policy for a set of users using a virtual attribute. You can configure the virtual attribute so that it uses a range of criteria for selecting the entries for which the virtual attribute should appear.
Steps
-
Create an LDIF file, which you can use to add a group to the server.
Example:
dn: ou=Groups,dc=example,dc=com objectClass: organizationalunit objectClass: top ou: Groups dn: cn=Engineering Managers,ou=groups,dc=example,dc=com objectClass: groupOfUniqueNames objectClass: top cn: Engineering Managers uniqueMember: uid=user.0,ou=People,dc=example,dc=com ou: groups
-
To add the entries to the server, run the
ldapmodify
tool.Example:
$ bin/ldapmodify --defaultAdd --filename groups.ldif
-
To create a virtual attribute, run
dsconfig
.Example:
This virtual attribute adds the
ds-pwp-password-policy-dn
attribute with a value ofcn=Demo Password Policy,cn=Password Policies,cn=config
to the entries for all users that are members of thecn=Engineering Managers,ou=Groups,dc=example,dc=com
group.$ bin/dsconfig create-virtual-attribute \ --name "Eng Mgrs Password Policy" \ --type user-defined \ --set "description:Eng Mgrs Grp PWPolicy" \ --set enabled:true \ --set attribute-type:ds-pwp-password-policy-dn \ --set "value:cn=Demo Password Policy,cn=Password Policies,cn=config" \ --set "group-dn:cn=Engineering Managers,ou=Groups,dc=example,dc=com"
-
To verify that a user in the group contains the assigned password policy distinguished name (DN), run the
ldapsearch
tool.Example:
$ bin/ldapsearch --baseDN dc=example,dc=com "(uid=user.0)" \ ds-pwp-password-policy-dn
Result:
dn: uid=user.0,ou=People,dc=example,dc=com ds-pwp-password-policy-dn: cn=Demo Password Policy,cn=Password Policies,cn=config