Viewing password policies
Password policies enforce rules that ensure that access to data is not compromised through negligent password practices.
The PingDirectory server provides mechanisms to create and maintain password policies that determine:
- Whether passwords should expire
- Whether users are allowed to modify their own passwords
- Whether too many failed authentication attempts should result in an account lockout
Many other options are available to fully configure a password policy for your PingData Platform system.
The PingDirectory server provides three out-of-the-box password policies that you can apply to your entries or as templates for configuring customized policies:
- Default password policy
  The default password policy is automatically applied to all users although it is possible to use an alternate password policy on a per-user basis.
- Root password policy
  The root password policy is enforced for the default root user, which uses a stronger password storage scheme (PBKDF2 instead of the salted 256-bit SHA-2 scheme) and requires that a root user provide their current password to select a new password.
- Secure password policy
  The secure password policy provides a more secure option than the default policy that makes use of several features, including password expiration, account lockout, last sign-on time and last sign-on IP address tracking, password history, and several password validators.
  Using the Secure password policy as-is might notably increase write load in the server by requiring updates to password policy state attributes in user entries and by requiring users to change passwords more frequently. In environments where write throughput is a concern (including environments spread across multiple data centers requiring replication over a WAN), it might be useful to consider whether the policy should be updated to reduce the number of required entry updates.
Viewing password policies
About this task
To view the list of password policies configured on the PingDirectory server:
Steps
- Do one of the following:
  - Run the dsconfig tool in either interactive or non-interactive mode.
  - Use the Administrative Console.
Example:
The following example demonstrates the process for obtaining a list of defined password policies in non-interactive mode.
$ bin/dsconfig list-password-policies
Result:
Password Policy         : Type    : password-attribute : default-password-storage-scheme
------------------------:---------:--------------------:--------------------------------
Default Password Policy : generic : userPassword       : Salted SHA-256
Root Password Policy    : generic : userPassword       : PBKDF2
Secure Password Policy  : generic : userPassword       : PBKDF2
Viewing a specific password policy
About this task
To view a specific password policy:
Steps
- Do one of the following:
  - Run the dsconfig tool.
  - Use the Administrative Console.
Example:
This example uses dsconfig to view the default password policy that applies to all users for which no specific policy is configured.
$ bin/dsconfig get-password-policy-prop \
    --policy-name "Default Password Policy"
Result:
Property                                  : Value(s)
------------------------------------------:--------------------------
description                               : -
password-attribute                        : userpassword
default-password-storage-scheme           : Salted SHA-1
deprecated-password-storage-scheme        : -
password-validator                        : -
account-status-notification-handler       : -
allow-user-password-changes               : true
password-change-requires-current-password : false
force-change-on-add                       : false
force-change-on-reset                     : false
password-generator                        : Random Password Generator
require-secure-authentication             : false
require-secure-password-changes           : false
min-password-age                          : 0s
max-password-age                          : 0s
max-password-reset-age                    : 0s
password-expiration-warning-interval      : 5d
expire-passwords-without-warning          : false
allow-expired-password-changes            : false
grace-login-count                         : 0s
lockout-failure-count                     : 0s
lockout-duration                          : 0s
lockout-failure-expiration-interval       : 0s
require-change-by-time                    : -
last-login-time-attribute                 : ds-pwp-last-login-time
last-login-time-format                    : -
previous-last-login-time-format           : -
idle-lockout-interval                     : 0s
password-history-count                    : 0s
password-history-duration                 : 0s
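Reading the property listing by hand is fine for one policy, but an administrator reviewing several servers usually wants a repeatable check. The following POSIX shell script is an added example, not part of the PingDirectory documentation or product: it parses the "Property : Value(s)" text that dsconfig get-password-policy-prop prints and reports the settings that separate the Default Password Policy from the Secure Password Policy described above (storage scheme, password expiration, account lockout, password history, and secure authentication). Both sample listings embedded in the script are constructed for this example; the first mirrors the Default Password Policy output shown above, while the "hardened" values (90 d, 5, 15 m, 10) are illustrative assumptions rather than settings taken from the page.

```shell
#!/bin/sh
# Added example (not PingDirectory's own tooling): audit the text produced by
# "dsconfig get-password-policy-prop" for settings weaker than the Secure
# Password Policy. Both samples below are constructed for this example; the
# first mirrors the Default Password Policy listing shown in the documentation.

DEFAULT_POLICY_SAMPLE='Property                                  : Value(s)
------------------------------------------:--------------------------
description                               : -
password-attribute                        : userpassword
default-password-storage-scheme           : Salted SHA-1
allow-user-password-changes               : true
max-password-age                          : 0s
lockout-failure-count                     : 0s
lockout-duration                          : 0s
password-history-count                    : 0s
require-secure-authentication             : false'

# Constructed to resemble a hardened policy; the values are illustrative only.
HARDENED_POLICY_SAMPLE='Property                                  : Value(s)
------------------------------------------:--------------------------
default-password-storage-scheme           : PBKDF2
max-password-age                          : 90 d
lockout-failure-count                     : 5
lockout-duration                          : 15 m
password-history-count                    : 10
require-secure-authentication             : true'

# policy_value NAME TEXT: print the value of property NAME found in TEXT.
# Each property line has the shape "name<padding> : value"; " : " separates them.
policy_value() {
  printf '%s\n' "$2" | awk -F' : ' -v name="$1" '
    $1 ~ ("^" name " *$") { v = $2; gsub(/^ +| +$/, "", v); print v; exit }'
}

# is_unset VALUE: true when a count or duration is zero ("0", "0s", "0 s"),
# shown as "-", or missing from the listing entirely.
is_unset() {
  case "$1" in
    ""|-|0|0s|"0 s") return 0 ;;
  esac
  return 1
}

# audit_policy TEXT: print one finding per weak setting, one per line.
# Always exits 0 so it can be used inside command substitutions.
audit_policy() {
  text="$1"
  scheme=$(policy_value default-password-storage-scheme "$text")
  case "$scheme" in
    "Salted SHA-1"|"SHA-1"|"Salted MD5"|"MD5"|"Clear"|"Base64"|"CRYPT")
      echo "weak default-password-storage-scheme: $scheme" ;;
  esac
  if is_unset "$(policy_value max-password-age "$text")"; then
    echo "passwords never expire (max-password-age unset)"
  fi
  if is_unset "$(policy_value lockout-failure-count "$text")"; then
    echo "no account lockout (lockout-failure-count unset)"
  fi
  if is_unset "$(policy_value password-history-count "$text")"; then
    echo "no password history (password-history-count unset)"
  fi
  if [ "$(policy_value require-secure-authentication "$text")" != "true" ]; then
    echo "insecure binds allowed (require-secure-authentication is not true)"
  fi
  return 0
}

# finding_count TEXT: print the number of findings for TEXT.
finding_count() {
  audit_policy "$1" | grep -c .
}

# policy_is_hardened TEXT: exit 0 when the audit produces no findings.
policy_is_hardened() {
  if audit_policy "$1" | grep -q .; then return 1; else return 0; fi
}

# Against a live server the listing would come from the documented command:
#   audit_policy "$(bin/dsconfig get-password-policy-prop \
#                     --policy-name "Default Password Policy")"
# Here the constructed samples stand in for that output.
echo "== Default Password Policy sample =="
audit_policy "$DEFAULT_POLICY_SAMPLE"
echo "== Hardened sample (no output expected) =="
audit_policy "$HARDENED_POLICY_SAMPLE"
```

The parser keys on the " : " separator rather than column positions, so it tolerates the padding dsconfig uses to align the Value(s) column. Run against the constructed default listing it reports five findings; against the hardened listing it reports none, so policy_is_hardened can serve as a pass/fail gate in a configuration review.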