1. For each PingDirectory instance that contains users, enable the Password Policy State JSON virtual attribute for the users object class.
    Note:

    You don't need to enable this virtual attribute on PingDirectoryProxy instances.

    For example, the following command enables the virtual attribute for users with the person object class, which includes users whose REST resource type structural object class is derived from person, such as inetOrgPerson.

    $ bin/dsconfig set-virtual-attribute-prop \
         --name "Password Policy State JSON" \
         --set enabled:true \
         --set require-explicit-request-by-name:true \
         --set "filter:(objectClass=person)" \
         --no-prompt --applyChangeTo server-group

    After you enable the virtual attribute, delegated administrative users can access account information for a user in the Delegated Admin GUI.

    The Account Information tab provides account status by default. To display the last login time and the password expiration date, you must set their properties. You configure these items per password policy.

    When not configured, these entries appear as follows:

    LAST LOGIN
    Last login time not available. However, that entry is also given when the user has not logged in)
    PASSWORD EXPIRATION
    Password expiration date has not been enabled

    You can configure these items in the Administrative Console or by using the dsconfig tool interactively or non-interactively. The following steps use the non-interactive approach.

  2. Decide the password policy for which you want to enable the last login time and password expiration date.

    For more information, see Managing password policies.

    dsconfig list-password-policies
  3. Decide whether to include the last login time.

    To include the last login time, decide which property to set. You can set either of the following properties:

    • maximum-recent-login-history-successful-authentication-count
    • last-login-time-format

      If you use this property, make sure the last-login-time-attribute has its default value ds-pwp-last-login-time.

      Values for last-login-time-format include:

      • yyyyMMddHHmmss'Z' for second-level accuracy
      • yyyyMMdd for day-level accuracy
  4. Decide whether to include the password expiration date.

    To include this information, set the property max-password-age

  5. Set the desired password policy properties.
    $bin/dsconfig set-password-policy-prop \
         --policy-name "<password_policy_name>" \
         --set maximum-recent-login-history-successful-authentication-count:<count_value> \
         --set "max-password-age:<password_age_value>" \
         --no-prompt --applyChangeTo server-group