PingDirectory

About the password policy properties

The PingDirectory server provides several configurable properties that you can use to control password policy behavior.

To view a description of each of the password policy properties, see the Ping Identity Directory Server Configuration Reference that is bundled with the PingDirectory server.

Some of the most notable properties include:

allow-user-password-changes

Specifies whether users can change their own passwords. If a user attempts to change their own password, then the server consults this property for the user’s password policy and ensures that the access control handler allows the user to modify the configured password attribute.

default-password-storage-scheme

Specifies the names of the password storage schemes that are used to encode clear-text passwords for this password policy.

enable-debug

When enabled, causes the server to emit debug output about password policy processing for users governed by this policy. It takes effect only in combination with the server’s debug framework, so a relevant debug target must also be configured. Leave it disabled outside of troubleshooting.

force-change-on-add

Specifies whether users are required to change their passwords upon first authenticating to the PingDirectory server after their account is created.

force-change-on-reset

Specifies whether users are required to change their passwords after they’re reset by an administrator. An administrator is a user who has the password-reset privilege and the appropriate access control instruction to allow modification of other users’ passwords.

idle-lockout-interval

Specifies the maximum length of time that an account can remain idle (the associated user does not authenticate to the server) before that user is locked out. For accounts that don’t have a last sign-on time value, the password changed time or the account creation time is used. If that information is not available, then the user isn’t allowed to authenticate.

Before enabling idle account lockout, let the server run for a period of time with last sign-on time tracking enabled (that is, with values set for both the last-login-time-attribute and last-login-time-format properties) so that active users have a recorded last sign-on time. Otherwise, the fallback to the password changed time or account creation time can lock out users who have been signing in regularly.

lockout-duration

Specifies the length of time that an account is locked after too many authentication failures. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds indicates that the account must remain locked until an administrator resets the password.

lockout-failure-count

Specifies the maximum number of times that a user can attempt to bind with the wrong password before that user’s account becomes locked either temporarily (in which case the account is automatically unlocked after a configurable length of time) or permanently (in which case an administrator must reset the user’s password before the account is used again). For example, if the value is set to 3, the user is locked out after three failed attempts, even if a fourth attempt is made with the correct password.

max-password-age

Specifies the maximum length of time that a user can continue to use the same password before they must choose a new one. The value can be expressed in seconds (s), minutes (m), hours (h), days (d), or weeks (w). The related min-password-age property specifies the minimum length of time that must pass after a password change before the user is allowed to change the password again.

password-change-requires-current-password

Specifies whether users must include their current password when changing their password. This applies to both password changes made with the password modify extended operation and simple modify operations that target the password attribute. In the latter case, if the current password is required, the modification must delete the current value and add the desired new value, providing both the current and new passwords in the clear rather than as encoded representations, so that the server can verify the current value before accepting the change.

password-expiration-warning-interval

Specifies the length of time before a user’s password expires that they receive notification about the upcoming expiration (either through the password policy or password expiring response controls). The value can be expressed in seconds (s), minutes (m), hours (h), days (d), or weeks (w).

password-retirement-behavior

Specifies the behavior of a password that is allowed a retirement period before becoming invalid. During that period, both the retired password and the new one are accepted, which is useful for application service accounts that need a transition window while a new password is rolled out to every instance. This is disabled by default.

password-validator

Specifies the names of the password validators that are used with the associated password storage scheme. The password validators are invoked when a user attempts to provide a new password to determine whether the new password is acceptable.

require-secure-authentication

Indicates whether users with the associated password policy are required to authenticate in a secure manner. This can mean either using a secure communication channel between the client and the server, or using a Simple Authentication and Security Layer (SASL) mechanism that doesn’t expose the credentials.

require-secure-password-changes

Indicates whether users with the associated password policy are required to change their password in a secure manner that does not expose the credentials.
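As an added example (this is not PingDirectory or Ping Identity code), the following Python checks a map of the properties described above against a baseline and renders them as a line for a dsconfig batch file. The duration syntax follows the "integer followed by a unit" form described for lockout-duration and max-password-age. The baseline thresholds, the policy name, the PBKDF2 scheme name and the ds-pwp-last-login-time attribute are assumptions made for the example; the batch-file rendering assumes the dsconfig --batch-file form, in which each line is one subcommand.

```python
"""Lint a set of PingDirectory password policy properties and render them for dsconfig.

Added example, not code from PingDirectory or Ping Identity. Property names are the
ones this page describes; the baseline checked here is an assumption about sensible
settings, not something the server enforces.
"""
import re
import shlex

_UNIT_SECONDS = {
    "s": 1, "second": 1, "seconds": 1,
    "m": 60, "minute": 60, "minutes": 60,
    "h": 3600, "hour": 3600, "hours": 3600,
    "d": 86400, "day": 86400, "days": 86400,
    "w": 604800, "week": 604800, "weeks": 604800,
}


def parse_duration(value):
    """Convert '0 seconds', '30 m', '90d' or '2 weeks' to a number of seconds."""
    match = re.fullmatch(r"\s*(\d+)\s*([A-Za-z]+)\s*", value)
    if not match or match.group(2).lower() not in _UNIT_SECONDS:
        raise ValueError(f"unrecognised duration: {value!r}")
    return int(match.group(1)) * _UNIT_SECONDS[match.group(2).lower()]


def lint_policy(policy, handler=None):
    """Return a list of findings for a policy (dict of property name -> string value).

    handler is an optional dict of LDAP connection handler properties; it is only
    consulted to see whether failed-bind-response-delay stands in for lockout.
    """
    findings = []
    handler = handler or {}
    for prop, why in (
        ("require-secure-authentication", "simple binds may carry the password in the clear"),
        ("require-secure-password-changes", "new passwords may cross the wire in the clear"),
        ("password-change-requires-current-password",
         "a hijacked session can rotate the password without knowing it"),
    ):
        if policy.get(prop, "false").lower() != "true":
            findings.append(f"{prop} is not true: {why}")

    failures = int(policy.get("lockout-failure-count", "0"))
    if failures == 0 and "failed-bind-response-delay" not in handler:
        findings.append("no lockout-failure-count and no failed-bind-response-delay: "
                        "password guessing is unthrottled")
    elif failures > 0:
        duration = policy.get("lockout-duration")
        if duration is None or parse_duration(duration) == 0:
            findings.append("lockout-duration is 0 seconds or unset: a burst of wrong guesses "
                            "locks the account until an administrator resets the password")

    if "idle-lockout-interval" in policy:
        for needed in ("last-login-time-attribute", "last-login-time-format"):
            if needed not in policy:
                findings.append(f"idle-lockout-interval is set but {needed} is missing: "
                                "idle lockout will fall back to the password changed or "
                                "account creation time")

    if "max-password-age" in policy:
        max_age = parse_duration(policy["max-password-age"])
        warn = parse_duration(policy.get("password-expiration-warning-interval", "0 seconds"))
        if warn >= max_age:
            findings.append("password-expiration-warning-interval is not shorter than "
                            "max-password-age, so the warning is never useful")

    if policy.get("enable-debug", "false").lower() == "true":
        findings.append("enable-debug is true: leave it off outside troubleshooting")
    return findings


def to_batch_line(policy_name, policy):
    """Render the properties as one set-password-policy-prop line for a dsconfig batch file."""
    sets = " ".join(f"--set {shlex.quote(f'{key}:{value}')}" for key, value in sorted(policy.items()))
    return f"set-password-policy-prop --policy-name {shlex.quote(policy_name)} {sets}"


# Constructed sample policies. WEAK_POLICY leaves everything at the page's weak end;
# HARDENED_POLICY sets the properties discussed above (scheme and attribute names assumed).
WEAK_POLICY = {"lockout-failure-count": "0"}
HARDENED_POLICY = {
    "default-password-storage-scheme": "PBKDF2",
    "require-secure-authentication": "true",
    "require-secure-password-changes": "true",
    "password-change-requires-current-password": "true",
    "force-change-on-add": "true",
    "force-change-on-reset": "true",
    "lockout-failure-count": "5",
    "lockout-duration": "15 m",
    "idle-lockout-interval": "90 d",
    "last-login-time-attribute": "ds-pwp-last-login-time",
    "last-login-time-format": "yyyyMMdd",
    "max-password-age": "180 d",
    "password-expiration-warning-interval": "14 d",
}

if __name__ == "__main__":
    for finding in lint_policy(WEAK_POLICY):
        print("weak:", finding)
    print(to_batch_line("Default Password Policy", HARDENED_POLICY))
```

The output line can be pasted into a batch file and applied with dsconfig --no-prompt --batch-file; run the lint first so that a policy that enables idle lockout without last sign-on tracking, or a permanent lockout nobody intended, is caught before it reaches the server.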

As an alternative to account lockout, you can set a failed-bind-response-delay configuration property on the LDAP connection handler to instruct the server to introduce a delay (such as one second) into the process of returning a response to an unsuccessful bind operation.

Delaying the response to a failed bind affects only the connection on which the bind was attempted, but it still limits the rate at which a malicious client can guess a user’s password on that connection. It doesn’t affect attempts to authenticate as that user on other connections, so the legitimate user can still authenticate with the correct password and cannot be locked out by someone else’s guesses. Because the delay is per connection, a client that opens many connections in parallel can still guess at a higher aggregate rate, so treat the delay as a rate limit rather than a hard stop, and consider combining it with a temporary lockout.
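The following Python simulation, added here as an example rather than taken from PingDirectory, models the behavior described above for lockout-failure-count, lockout-duration (where 0 seconds means locked until an administrator resets the password), idle-lockout-interval with its fallback from last sign-on time to password changed time to creation time, and the per-connection failed-bind-response-delay alternative. The class and function names are assumptions, and timestamps are plain integer seconds.

```python
"""Simulate failure lockout, idle lockout and failed-bind response delay for one account.

Added example; not PingDirectory code. Names and the integer-second clock are
assumptions made for the illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Policy:
    lockout_failure_count: int = 0   # 0 disables failure lockout
    lockout_duration: int = 0        # seconds; 0 means locked until an admin reset
    idle_lockout_interval: int = 0   # seconds; 0 disables idle lockout


@dataclass
class Account:
    password: str
    created_at: Optional[int] = None
    password_changed_at: Optional[int] = None
    last_login_at: Optional[int] = None
    failed_binds: int = 0
    locked_at: Optional[int] = None


def _idle_reference_time(account):
    """Last sign-on time, else password changed time, else creation time, else None."""
    for candidate in (account.last_login_at, account.password_changed_at, account.created_at):
        if candidate is not None:
            return candidate
    return None


def bind(policy, account, supplied_password, now):
    """Return 'ok', 'invalid-credentials' or a lockout reason for a simple bind."""
    if policy.idle_lockout_interval > 0:
        reference = _idle_reference_time(account)
        if reference is None:
            return "idle-locked: no last sign-on, password changed or creation time"
        if now - reference > policy.idle_lockout_interval:
            return "idle-locked"

    if account.locked_at is not None:
        permanent = policy.lockout_duration == 0
        if permanent or now - account.locked_at < policy.lockout_duration:
            return "locked"          # the correct password does not help while locked
        account.locked_at = None     # temporary lockout has expired
        account.failed_binds = 0

    if supplied_password != account.password:
        account.failed_binds += 1
        if policy.lockout_failure_count and account.failed_binds >= policy.lockout_failure_count:
            account.locked_at = now  # the Nth wrong guess locks the account
        return "invalid-credentials"

    account.failed_binds = 0
    account.last_login_at = now
    return "ok"


def admin_reset(account, new_password, now):
    """A user with the password-reset privilege sets a new password, which clears the
    failure lockout (the recovery path when lockout-duration is 0 seconds)."""
    account.password = new_password
    account.password_changed_at = now
    account.failed_binds = 0
    account.locked_at = None


def bind_with_delay(account, supplied_password, now, delay_seconds):
    """Lockout alternative: no lockout policy, but the reply to a failed bind on this
    connection is held for delay_seconds. Returns (result, time the reply is sent)."""
    result = bind(Policy(), account, supplied_password, now)
    return result, now + (delay_seconds if result != "ok" else 0)


def guess_on_one_connection(account, guesses, start, delay_seconds):
    """Issue guesses one after another on a single connection (a bind must complete
    before the next request on that connection) and return when the last reply lands."""
    now = start
    for guess in guesses:
        result, now = bind_with_delay(account, guess, now, delay_seconds)
        if result == "ok":
            break
    return now
```

Two points the simulation makes concrete: with lockout-failure-count set to 3 the third wrong guess locks the account, so a fourth attempt with the correct password is still refused, and with a response delay instead of lockout an attacker on one connection pays the delay for every guess while a bind with the correct password on another connection returns immediately.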