For security reasons, PingDirectory provides vague responses to bind requests. If an authentication attempt is unsuccessful, the server doesn't communicate the reason for the failure. Additionally, for both security and performance reasons, the server doesn't attempt to verify the provided credentials if it can determine that the target account is not in a usable state (for example, if it has been administratively disabled, or if it has been locked as a result of too many previous authentication failures).

The verify-password extended operation lets an application tailor its response to the client for certain kinds of failures. For example, if you can determine that a user’s account has been locked as a result of too many failed authentication attempts, you can present the user with a means of resetting the password if and only if you can verify that the provided password was correct.

Warning:

Enabling the verify-password extended operation circumvents server security functionality.

An attacker could use this extended operation to get unlimited attempts to guess a user’s password, circumventing the security benefit of an account lockout. We strongly discourage designing applications in a way that could provide a malicious client with information that might help them better craft an attack against user accounts.

This extended operation is not a standalone alternative to authenticating clients. Only use it to augment the existing authentication process, if at all.

The verify-password extended operation determines if a provided password is correct for a specified user without performing any other password policy processing for that user. This verification is available even if the target account isn’t currently allowed to authenticate, and it won’t cause any updates to the user’s entry as a result of the determination.

Because of the security risks associated with using verify-password, there are a number of restrictions in place to ensure that it can only be used by authorized clients, including:

  • The extended operation handler isn’t defined or enabled by default.
  • The server’s access control configuration doesn't permit the use of the extended operation by default. If a client without the bypass-acl privilege has a legitimate need to use this extended operation, you must create a global ACI that grants the client permission to use the extended request with OID 1.3.6.1.4.1.30221.2.6.72.
  • Requesters must also have the permit-verify-password-request privilege, which isn’t granted to users (even root users) by default.
  • Clients must issue verify-password requests over a secure connection so that anyone able to view network messages can’t access the content of that communication.
    Note:

    You can disable this safeguard if necessary, but the server still requires a secure communication protocol if either the target user’s password policy or operational attributes in the user’s entry require secure authentication.

  • The extended operation supports clients submitting password verification requests directly to PingDirectory or forwarded through a PingDirectoryProxy server (in both simple-proxy and entry-balanced configurations). When requests are forwarded from PingDirectoryProxy to PingDirectory, you must configure both server instances to enable the extended operation.
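The following is an added example (not from the PingDirectory documentation) that shows what satisfying the restrictions above looks like for a single application account: the handler is created and enabled, a global ACI grants that one account the extended request by OID, and the privilege is added to its entry. The application DN, the handler name and the `verify-password` handler type name are assumptions for illustration.

```text
# 1. Define and enable the extended operation handler (not present by default).
#    The handler type name "verify-password" is an assumption for this example.
dsconfig create-extended-operation-handler \
  --handler-name "Verify Password" \
  --type verify-password \
  --set enabled:true

# 2. Grant only the application account the right to use the extended request,
#    keyed by its OID, through a global ACI (the default ACIs do not allow it).
#    The application DN is hypothetical.
dsconfig set-access-control-handler-prop \
  --add 'global-aci:(extop="1.3.6.1.4.1.30221.2.6.72")(version 3.0; acl "Allow verify-password for the password reset app"; allow (read) userdn="ldap:///cn=Password Reset App,ou=Applications,dc=example,dc=com";)'

# 3. Give the same account the permit-verify-password-request privilege, which
#    no user (not even a root user) holds by default. LDIF fed to ldapmodify.
dn: cn=Password Reset App,ou=Applications,dc=example,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: permit-verify-password-request

# 4. Check: the entry should now carry the privilege, and the application must
#    bind over a secure connection (here LDAPS) before issuing verify-password.
ldapsearch --useSSL \
  --baseDN "cn=Password Reset App,ou=Applications,dc=example,dc=com" \
  --searchScope base "(objectClass=*)" ds-privilege-name
```

Scoping the ACI and the privilege to one dedicated account keeps the unlimited-guess risk described in the warning confined to a client you control and can audit, rather than to every authenticated user.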

Learn more about Enabling the verify password extended operation.