PingDirectory Server supports a proprietary password policy state extended operation that can retrieve and manipulate virtually any kind of password policy state information in a user’s entry.
This includes:
- Retrieving the DN of the password policy that governs the user
- Retrieving a flag that indicates whether the server considers the account usable
- Retrieving a set of error, warning, and notice conditions that can affect the account’s usability
- Determining whether the account has a static password
- Retrieving and updating the flag indicating whether an account is disabled
- Retrieving and updating the account’s activation and expiration times
- Retrieving and updating the account’s password changed time
- Determining whether the user’s password is expired
- Retrieving the account’s password expiration time, which is computed from the password changed time
- Retrieving and updating the account’s password expiration warned time
- Retrieving and updating the set of grace login use times
- Retrieving and updating the record of failed authentication attempts
- Retrieving and overriding a failure-based account lockout
- Retrieving the time that an account was failure locked
- Retrieving and updating an account’s last login time
- Retrieving and updating an account’s last login IP address
- Retrieving and clearing an account’s recent login history
- Retrieving the length of time until an upcoming idle lockout
- Retrieving and updating the account’s “must change password” flag
- Determining whether an account is reset locked
- Retrieving the length of time until a password reset lockout
- Retrieving the number of passwords in the user’s history and clearing the history
- Determining whether a user has a retired password and purging the retired password
- Retrieving the set of SASL mechanisms that are available to the user
- Retrieving the set of one-time passcode (OTP) delivery mechanisms that are available to the user
- Determining whether the user has any TOTP shared secrets
- Registering and deregistering TOTP shared secrets
- Determining whether the user has any registered YubiKey OTP devices
- Registering and deregistering YubiKey OTP devices
- Retrieving and updating the time that bind password validation was last performed for the user
- Retrieving and clearing password validation lockout
The server also includes a manage-account tool that provides command-line access to the functionality of the password policy state extended operation.