Configuring the password validation details request control ACI
When connecting to PingDirectory, configure the password validation details request control Access Control Instruction (ACI) to provide user-friendly messages when users fail to change or reset their passwords through the self-service account management capabilities in any HTML Form Adapter instances that use the datastore.
About this task
For self-service password management, where the user knows the current password and wants to update it, the service account of the datastore must have the password validation details request control ACI. For self-service account recovery, where the user wants to define a new password after forgetting the current password, the user account needs the same ACI.
Steps
- Create LDIF files to capture the following ACI information.
  - OID: 1.3.6.1.4.1.30221.2.5.40
  - Name: Password Validation Details Request Control
  - Permission: read
  The following examples show the file contents for change password and for password reset.
  Example: aci_toSvcAccount_forChangePassword.ldif

  # ACI to service account for change password
  dn: uid=ssoDataStore,ou=ServiceAccounts,dc=example,dc=local
  changetype: modify
  add: aci
  aci: (targetcontrol="1.3.6.1.4.1.30221.2.5.40")(version 3.0; acl "Access to the Password Validation Details Request Control"; allow (read) userdn="ldap:///uid=ssoDataStore,ou=ServiceAccounts,dc=example,dc=local";)
  Example: aci_toUsrAccount_forPasswordReset.ldif

  # ACI to a user account for password reset
  dn: uid=user.7,ou=People,dc=example,dc=local
  changetype: modify
  add: aci
  aci: (targetcontrol="1.3.6.1.4.1.30221.2.5.40")(version 3.0; acl "Access to the Password Validation Details Request Control"; allow (read) userdn="ldap:///uid=user.7,ou=People,dc=example,dc=local";)
  For demonstration purposes, this sample LDIF file targets only one user. You can use other LDIF syntax to widen its coverage to include multiple users.
- Use the ldapmodify command to configure the required ACI.
  Example:
$ ldapmodify -f <path>/aci_toSvcAccount_forChangePassword.ldif -h <host name> -p <LDAP port> -D <LDAP bind username> -w <LDAP bind password>
$ ldapmodify -f <path>/aci_toUsrAccount_forPasswordReset.ldif -h <host name> -p <LDAP port> -D <LDAP bind username> -w <LDAP bind password>
Line breaks are inserted for readability only.
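The note above says the sample LDIF can be widened to cover multiple users. The following added example (not part of this page or of PingDirectory itself) builds that multi-record LDIF for a list of DNs, folds long lines as RFC 2849 allows, and rejects a DN with an empty RDN (the `ou=People,,dc=example` slip is easy to make by hand). The DNs in the test are constructed sample values.

```python
"""Build LDIF that grants the PingDirectory password validation details request
control to one or more directory entries.  Constructed example; the DNs used
with it are sample values, not taken from a live directory."""
import re

# Control OID and ACL name exactly as used on this page
PWD_VALIDATION_DETAILS_OID = "1.3.6.1.4.1.30221.2.5.40"
ACL_NAME = "Access to the Password Validation Details Request Control"

# Simplified RDN check: type=value with a non-empty value.  It does not handle
# escaped commas inside values (cn=Doe\, John), which this page does not use.
_RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9.-]*=[^,]+$")


def dn_is_well_formed(dn: str) -> bool:
    """False for DNs with an empty RDN such as 'ou=People,,dc=example'."""
    return all(_RDN_RE.match(part.strip()) for part in dn.split(","))


def build_aci(target_dn: str) -> str:
    """The ACI value from this page, granting read on the control to target_dn."""
    if not dn_is_well_formed(target_dn):
        raise ValueError(f"malformed DN: {target_dn!r}")
    return (f'(targetcontrol="{PWD_VALIDATION_DETAILS_OID}")'
            f'(version 3.0; acl "{ACL_NAME}"; allow (read) '
            f'userdn="ldap:///{target_dn}";)')


def fold(line: str, width: int = 76) -> str:
    """RFC 2849 line folding: continuation lines start with a single space."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(out)


def unfold(ldif: str) -> str:
    """Reverse fold(): join continuation lines back onto their logical line."""
    return ldif.replace("\n ", "")


def build_ldif(target_dns, comment: str) -> str:
    """One 'changetype: modify' record per DN; records are blank-line separated."""
    records = []
    for dn in target_dns:
        records.append("\n".join([fold(f"dn: {dn}"), "changetype: modify",
                                  "add: aci", fold(f"aci: {build_aci(dn)}")]))
    return f"# {comment}\n" + "\n\n".join(records) + "\n"
```

Write the returned string to a file and pass it to ldapmodify with -f as in the step above.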