This is particularly useful when the PingDirectory server is used to back a multi-tenant application, in which information about many different organizations is maintained in the same server instance, typically with a separate branch for each organization. You can configure password policies on a per-organization basis.

Each password policy must be defined in an entry containing the ds-cfg-password-policy structural object class. The definition of this object class can be found by querying the server schema over LDAP, by retrieving the “cn=schema” entry, or by looking in the config/schema/02-config.ldif schema definition file. The names of the LDAP attribute types which should correspond to names of the password policy configuration properties that are available in dsconfig or the administration console with a “ds-cfg-” prefix.

For example, the following entry represents a minimal password policy that might be defined in user data.

dn: cn=Org X Password Policy,ou=Org X,ou=tenants,dc=example,dc=com
objectClass: top
objectClass: ds-cfg-password-policy
cn: Org X Password Policy
ds-cfg-password-attribute: userPassword
ds-cfg-default-password-storage-scheme: cn=Salted SHA-256,cn=Password Storage

Assign users to password policies contained in the user data in the same way that you assign them to policies in the configuration. Include the ds-pwp-password-policy-dn operational attribute in their entry as either a real or a virtual attribute.


While password policies can reside in user data, any other configuration elements that they reference, including password storage schemes, password validators, password generators, account status notification handlers, and failure lockout actions, must reside within the configuration.

For improved performance, the PingDirectory server maintains a cache of password policy entries that are defined in the user data. This cache holds up to 500 policies by default, but you can tune that through the maximum-user-data-password-policies-to-cache property in the global configuration.