This includes:

  • The distinguished name (DN) of the password policy that governs the user
  • Whether the account is usable, and information about any usability errors, warnings, and notices
  • Whether the account has a static password
  • The password changed time
  • Whether the account is disabled
  • Whether the account has an activation time or expiration time, and their relation to the current time
  • Whether the user’s password is expired and when it expires
  • Whether the user has been warned about an upcoming password expiration
  • Whether the account is locked as a result of too many failed authentication attempts
  • The last login time, last login IP address, and recent login history
  • Whether the account is locked because it has been too long since the user last authenticated
  • Whether the user must change their password
  • Whether the user’s account is locked because they failed to choose a new password after an administrative reset
  • The number of passwords in the user’s password history
  • Whether the user is within the minimum password age
  • Information about grace login uses
  • Information about whether the user has a retired password and how long it will be valid
  • Whether the server will require secure authentication or secure password changes
  • A list of SASL mechanisms available to the user
  • A list of one-time passcode (OTP) delivery mechanisms available to the user
  • Whether the account is locked as a result of bind validation failure

It also provides a ds-pwp-modifiable-state-json operational attribute that can be used to manipulate a limited set of password policy state information, including:

  • The user’s password changed time
  • Whether the user’s account is disabled
  • The user’s account activation time
  • The user’s account expiration time
  • Whether the user’s account is locked as a result of too many failed authentication attempts
  • The time the user was warned about an upcoming password expiration
  • Whether the user must change their password

The value of the ds-pwp-modifiable-state-json attribute is a JSON object, and it can be updated in a replace modification. Any of the fields that it contains can be included in the replace modification to manipulate the corresponding portions of the user’s password policy state. Any fields omitted from the JSON object are not updated.
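
The following sketch builds such a replace modification as an LDIF change record; it is an added example, not code from the product or its documentation. The JSON field names, the ISO 8601 timestamp format, and the sample DN are assumptions to confirm against your server before use.

```python
import base64
import json
from datetime import datetime, timezone

# Assumed JSON field names for the seven modifiable items listed above;
# they are not given on this page, so check them against your server docs.
BOOL_FIELDS = {"account-is-disabled", "account-is-failure-locked",
               "must-change-password"}
TIME_FIELDS = {"password-changed-time", "account-activation-time",
               "account-expiration-time", "password-expiration-warned-time"}

def build_state_json(changes):
    """Serialize only the fields being changed; omitted fields are left alone."""
    state = {}
    for name, value in changes.items():
        if name in BOOL_FIELDS and isinstance(value, bool):
            state[name] = value
        elif (name in TIME_FIELDS and isinstance(value, datetime)
              and value.tzinfo is not None):
            # Assumed timestamp format: ISO 8601 in UTC with milliseconds.
            utc = value.astimezone(timezone.utc)
            state[name] = utc.isoformat(timespec="milliseconds").replace("+00:00", "Z")
        else:
            raise ValueError(f"unsupported field or value type: {name!r}")
    if not state:
        raise ValueError("no fields to update")
    return json.dumps(state, separators=(",", ":"))

def ldif_line(attr, value):
    """Emit attr: value, base64-encoding values LDIF cannot carry as plain text."""
    plain = (value.isascii() and value.isprintable()
             and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if plain:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def build_ldif(dn, changes):
    """Render an LDIF change record that replaces ds-pwp-modifiable-state-json."""
    return "\n".join([
        ldif_line("dn", dn),
        "changetype: modify",
        "replace: ds-pwp-modifiable-state-json",
        ldif_line("ds-pwp-modifiable-state-json", build_state_json(changes)),
        "",
    ])

if __name__ == "__main__":
    # Constructed sample entry: disable the account and force a password change.
    print(build_ldif("uid=jdoe,ou=People,dc=example,dc=com",
                     {"account-is-disabled": True, "must-change-password": True}))
```

Rejecting unknown field names before the request is sent keeps a typo from being submitted as a state change, and the validation also refuses naive timestamps that would be ambiguous about time zone.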