PingFederate Server

Configuring the password validation details request control ACI

When connecting to PingDirectory, configure the password validation details request control Access Control Instruction (ACI) to provide user-friendly messages when users fail to change or reset their passwords through the self-service account management capabilities in any HTML Form Adapter instances that use the datastore.

About this task

For self-service password management, where the user knows the current password and wants to update it, the service account of the datastore must have the password validation details request control ACI. For self-service account recovery, where the user wants to define a new password after forgetting the current password, the user account needs the same ACI.

Steps

  1. Create LDIF files to capture the following ACI information.

    OID

    1.3.6.1.4.1.30221.2.5.40

    Name

    Password Validation Details Request Control

    Permission

    read

    The following examples show sample file contents for change password and password reset.

    Example:

    aci_toSvcAccount_forChangePassword.ldif

    # ACI to service account for change password
    dn: uid=ssoDataStore,ou=ServiceAccounts,dc=example,dc=local
    changetype: modify
    add: aci
    aci: (targetcontrol="1.3.6.1.4.1.30221.2.5.40")(version 3.0; acl "Access to the Password Validation Details Request Control"; allow (read) userdn="ldap:///uid=ssoDataStore,ou=ServiceAccounts,dc=example,dc=local";)

    Example:

    aci_toUsrAccount_forPasswordReset.ldif

    # ACI to a user account for password reset
    dn: uid=user.7,ou=People,dc=example,dc=local
    changetype: modify
    add: aci
    aci: (targetcontrol="1.3.6.1.4.1.30221.2.5.40")(version 3.0; acl "Access to the Password Validation Details Request Control"; allow (read) userdn="ldap:///uid=user.7,ou=People,dc=example,dc=local";)

    For demonstration purposes, this sample LDIF file targets only one user. You can use other LDIF syntax to widen its coverage to multiple users.

  2. Use the ldapmodify command to configure the required ACI.

    Example:

    $ ldapmodify -f  <path>/aci_toSvcAccount_forChangePassword.ldif
    -h  <host name>
    -p  <LDAP port>
    -D  <LDAP bind username>
    -w  <LDAP bind password>
    $ ldapmodify -f  <path>/aci_toUsrAccount_forPasswordReset.ldif
    -h  <host name>
    -p  <LDAP port>
    -D  <LDAP bind username>
    -w  <LDAP bind password>

    Line breaks are inserted for readability only.
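The two steps above produce one LDIF modify record per entry and then apply it with ldapmodify. As an added example that is not part of the PingFederate or PingDirectory documentation, the following Python script generates those records for a service account or for a list of user DNs (a plain LDIF file with one modify record per entry, which is one way to cover several users) and checks each ACI before it is applied: the control OID must be the Password Validation Details Request Control, the granted permission must be only read, and the userdn must be the entry that receives the ACI. The function names, the extra sample DN uid=user.8, and the simplified DN check are assumptions; the script writes LDIF text only and does not contact a directory.

```python
"""
Added example (not from the PingFederate/PingDirectory documentation).
Builds the ACI LDIF records shown on the page and checks each ACI for the
exact, least-privilege shape the page prescribes before ldapmodify is run.
"""
import re

# OID of the Password Validation Details Request Control (value from the page).
PW_VALIDATION_DETAILS_CONTROL_OID = "1.3.6.1.4.1.30221.2.5.40"
ACL_NAME = "Access to the Password Validation Details Request Control"


def build_aci(bind_dn: str) -> str:
    """Return the ACI value that lets bind_dn use the control, with read only."""
    return (
        f'(targetcontrol="{PW_VALIDATION_DETAILS_CONTROL_OID}")'
        f'(version 3.0; acl "{ACL_NAME}"; allow (read) userdn="ldap:///{bind_dn}";)'
    )


def build_ldif_record(entry_dn: str, comment: str) -> str:
    """One modify record adding the ACI to entry_dn; the entry grants access to itself."""
    return "\n".join([
        f"# {comment}",
        f"dn: {entry_dn}",
        "changetype: modify",
        "add: aci",
        f"aci: {build_aci(entry_dn)}",
    ])


def build_ldif(entry_dns, comment: str) -> str:
    """Several records separated by a blank line form a single LDIF file."""
    return "\n\n".join(build_ldif_record(dn, comment) for dn in entry_dns) + "\n"


# Shape of the ACI on the page: a targetcontrol clause followed by one allow clause.
ACI_RE = re.compile(
    r'^\(targetcontrol="(?P<oid>[0-9.]+)"\)'
    r'\(version 3\.0; acl "(?P<name>[^"]*)"; '
    r'allow \((?P<perms>[a-z, ]+)\) userdn="ldap:///(?P<dn>[^"]+)";\)$'
)

# Simplified DN component check (assumption: does not handle escaped commas).
RDN_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*=.+")


def check_aci(aci: str, expected_dn: str) -> list:
    """Return a list of findings; an empty list means the ACI is as the page prescribes."""
    m = ACI_RE.match(aci)
    if not m:
        return ["ACI does not match the expected targetcontrol/userdn shape"]
    findings = []
    if m["oid"] != PW_VALIDATION_DETAILS_CONTROL_OID:
        findings.append(f"unexpected control OID {m['oid']}")
    perms = {p.strip() for p in m["perms"].split(",")}
    if perms != {"read"}:
        findings.append(f"permissions {sorted(perms)} exceed the required 'read'")
    if not all(RDN_RE.fullmatch(c) for c in m["dn"].split(",")):
        findings.append("malformed userdn (empty RDN or missing attribute=value)")
    if m["dn"] != expected_dn:
        findings.append(f"userdn {m['dn']} is not the target entry {expected_dn}")
    return findings


if __name__ == "__main__":
    # Constructed sample DNs; uid=ssoDataStore and uid=user.7 come from the page.
    svc = "uid=ssoDataStore,ou=ServiceAccounts,dc=example,dc=local"
    users = ["uid=user.7,ou=People,dc=example,dc=local",
             "uid=user.8,ou=People,dc=example,dc=local"]
    print(build_ldif([svc], "ACI to service account for change password"))
    print(build_ldif(users, "ACI to a user account for password reset"))
    for dn in [svc, *users]:
        print(dn, "->", check_aci(build_aci(dn), dn) or "OK")
```

Run the script to print the two LDIF files; redirect the output to files named as in step 1 and pass them to ldapmodify as in step 2. The checker is the useful part for review: run it over any hand-edited ACI value and it reports a wrong OID, a permission beyond read, or a userdn that differs from the entry (including an empty RDN from a stray comma), all of which ldapmodify may accept silently.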