Page created: 22 Jul 2020 | Page updated: 12 Dec 2022
The Directory Server provides a number of configurable properties that can be used to control password policy behavior.
Note: To view a description of each of the password policy properties, see the Ping Identity Directory Server Configuration Reference that is bundled with the PingDirectory Server.
Some of the most notable properties include:
- allow-user-password-changes. Specifies whether users can change their own passwords. If a user attempts to change his/her own password, then the server will consult this property for the user’s password policy, and will also ensure that the access control handler allows the user to modify the configured password attribute.
- default-password-storage-scheme. Specifies the names of the password storage schemes that are used to encode clear-text passwords for this password policy.
- enable-debug. When enabled, causes the server to generate debug output for password policy processing. This property should be used in addition to the server's debug framework with a relevant debug target.
- force-change-on-add. Specifies whether users are required to change their passwords upon first authenticating to the Directory Server after their account has been created.
- force-change-on-reset. Specifies whether users are required to change their passwords after they have been reset by an administrator. An administrator is a user who has the password-reset privilege and the appropriate access control instruction to allow modification of other users’ passwords.
- idle-lockout-interval. Specifies the maximum length of time that an account may remain idle (the associated user does not authenticate to the server) before that user is locked out. For accounts that do not have a last login time value, the password changed time or the account creation time will be used. If that information is not available, then the user will not be allowed to authenticate. It is strongly recommended that the server be allowed to run for a period of time with last login time tracking enabled (i.e., values for both the last-login-time-attribute and last-login-time-format properties) to ensure that users have a last login time before enabling idle account lockout.
- lockout-duration. Specifies the length of time that an account is locked after too many authentication failures. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds indicates that the account must remain locked until an administrator resets the password.
- lockout-failure-count. Specifies the maximum number of times that a user may be allowed to attempt to bind with the wrong password before that user’s account becomes locked either temporarily (in which case the account will automatically be unlocked after a configurable length of time) or permanently (in which case an administrator must reset the user’s password before the account may be used again). For example, if the value is 3, the user is locked out after three failed attempts, even if a fourth attempt is made with the correct password.
- max-password-age. Specifies the maximum length of time that a user can continue to use the same password before he or she is required to choose a new password. The value can be expressed in seconds (s), minutes (m), hours (h), days (d), or weeks (w). A minimum length of time can also be specified before the user is allowed to change the password.
- password-change-requires-current-password. Specifies whether users must include their current password when changing their password. This applies for both password changes made with the password modify extended operation as well as simple modify operations targeting the password attribute. In the latter case, if the current password is required then the password modification must remove the current value and add the desired new value (providing both the current and new passwords in the clear rather than using encoded representations).
- password-expiration-warning-interval. Specifies the length of time before a user’s password expires that he or she receives notification about the upcoming expiration (either through the password policy or password expiring response controls). The value can be expressed in seconds (s), minutes (m), hours (h), days (d), or weeks (w).
- password-retirement-behavior. Specifies the behavior of a password that is allowed a retirement period before becoming invalid. This setting may be used by application service accounts that require a transition period while updating passwords. This is disabled by default.
- password-validator. Specifies the names of the password validators that are used with the associated password storage scheme. The password validators are invoked when a user attempts to provide a new password, to determine whether the new password is acceptable.
- require-secure-authentication. Indicates whether users with the associated password policy are required to authenticate in a secure manner. This might mean either using a secure communication channel between the client and the server, or using a SASL mechanism that does not expose the credentials.
- require-secure-password-changes. Indicates whether users with the associated password policy are required to change their password in a secure manner that does not expose the credentials.
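As an added illustration (not the Directory Server's own code), the following Python models how the idle-lockout-interval, lockout-failure-count and lockout-duration semantics described above combine for a single account, including the fallback from last login time to password changed time to creation time and the "0 seconds" permanent lockout. The duration parser, the assumption that a failure count of 0 disables failure lockout, and all sample times are the example's own.

```python
import re
from datetime import datetime, timedelta
from typing import Optional

# Duration syntax described above: an integer followed by a unit, spelled out
# (seconds, minutes, ...) or abbreviated (s, m, h, d, w).
_UNIT_SECONDS = {"seconds": 1, "minutes": 60, "hours": 3600, "days": 86400, "weeks": 604800}


def parse_duration(text: str) -> timedelta:
    """Parse '15 minutes', '0 seconds' or '2w' into a timedelta."""
    m = re.fullmatch(r"\s*(\d+)\s*([A-Za-z]+)\s*", text)
    if not m:
        raise ValueError(f"malformed duration: {text!r}")
    count, unit = int(m.group(1)), m.group(2).lower()
    for name, secs in _UNIT_SECONDS.items():
        if name.startswith(unit):  # 's', 'sec' and 'seconds' all select seconds
            return timedelta(seconds=count * secs)
    raise ValueError(f"unknown unit in duration {text!r}")


def idle_lockout_denies_bind(now: datetime, interval: str,
                             last_login: Optional[datetime] = None,
                             password_changed: Optional[datetime] = None,
                             created: Optional[datetime] = None) -> bool:
    """Idle-lockout decision for one account, following the precedence above:
    last login time, then password changed time, then creation time. With none
    of them available the bind is refused outright."""
    reference = last_login or password_changed or created
    if reference is None:
        return True
    return now - reference > parse_duration(interval)


def failure_lockout_state(now: datetime, failure_times: list,
                          failure_count: int, lockout_duration: str) -> str:
    """Return 'unlocked', 'temporary' or 'permanent' given the recorded failed binds.
    A failure_count of 0 is assumed here (not stated above) to disable this lockout."""
    if failure_count <= 0 or len(failure_times) < failure_count:
        return "unlocked"
    duration = parse_duration(lockout_duration)
    if duration == timedelta(0):  # '0 seconds': locked until an administrator resets the password
        return "permanent"
    locked_at = sorted(failure_times)[failure_count - 1]  # the Nth failure starts the lockout
    return "temporary" if now - locked_at < duration else "unlocked"
```

Once the state is "temporary" or "permanent", a subsequent bind is refused even with the correct password, which is the behaviour the lockout-failure-count description spells out.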
Note: As an alternative to account lockout, a failed-bind-response-delay configuration property can be set on the LDAP Connection handler to instruct the server to introduce a delay (such as one second) into the process of returning a response to an unsuccessful bind operation. Delaying the response to a failed bind only affects the connection on which the bind was attempted, and still limits the rate at which a malicious client can try to guess a user's password. However, it will not affect other attempts to authenticate as that user on other connections, so the legitimate user can still authenticate with the correct password.