The Directory Server provides a number of configurable properties that you can use to control password policy behavior.
To view a description of each of the password policy properties, see the Ping Identity Directory Server Configuration Reference that is bundled with the PingDirectory Server.
Some of the most notable properties include:
- Specifies whether users can change their own passwords. If a user attempts to change their own password, then the server consults this property for the user’s password policy and ensures that the access control handler allows the user to modify the configured password attribute.
- Specifies the names of the password storage schemes that are used to encode clear-text passwords for this password policy.
- When enabled, is used to debug password policy interaction. This property should be used in addition to the server's debug framework with a relevant debug target.
- Specifies whether users are required to change their passwords upon first authenticating to the Directory Server after their account is created.
- Specifies whether users are required to change their passwords after they're reset by an
administrator. An administrator is a user who has the
password-resetprivilege and the appropriate access control instruction to allow modification of other users’ passwords.
- Specifies the maximum length of time that an account can remain idle (the associated
user does not authenticate to the server) before that user is locked out. For accounts
that don't have a last sign-on time value, the password changed time or the account
creation time is used. If that information is not available, then the user isn't allowed
to authenticate. Note:
The server should be allowed to run for a period of time with last sign-on time tracking enabled, such as values for both
last-login-time-formatproperties to ensure that users have a last sign-on time before enabling idle account lockout.
- Specifies the length of time that an account is locked after too many authentication
failures. The value of this attribute is an integer followed by a unit of seconds,
minutes, hours, days, or weeks. A value of
0seconds indicates that the account must remain locked until an administrator resets the password.
- Specifies the maximum number of times that a user can attempt to bind with the wrong
password before that user’s account becomes locked either temporarily (in which case the
account is automatically unlocked after a configurable length of time) or permanently (in
which case an administrator must reset the user’s password before the account is used
again). For example, if the value is set to
3, the user is locked out after three failed attempts, even if a fourth attempt is made with the correct password.
- Specifies the maximum length of time that a user can continue to use the same password before they must choose a new one. The value can be expressed in seconds (s), minutes (m), hours (h), days (d), or weeks (w). You can specify a minimum length of time before the user can change the password.
- Specifies whether users must include their current password when changing their password. This applies for both password changes made with the password modify extended operation as well as simple modify operations targeting the password attribute. In the latter case, if the current password is required then the password modification must remove the current value and add the desired new value (providing both the current and new passwords in the clear rather than using encoded representations).
- Specifies the length of time before a user’s password expires that they receive notification about the upcoming expiration (either through the password policy or password expiring response controls). The value can be expressed in seconds (s), minutes (m), hours (h), days (d), or weeks (w).
- Specifies the behavior of a password that is allowed a retirement period before becoming invalid. You can use this setting by application service accounts that require a transition period while updating passwords. This is disabled by default.
- Specifies the names of the password validators that are used with the associated password storage scheme. The password validators are invoked when a user attempts to provide a new password to determine whether the new password is acceptable.
- Indicates whether users with the associated password policy are required to authenticate in a secure manner. This can mean either using a secure communication channel between the client and the server, or using a Simple Authentication and Security Layer (SASL) mechanism that doesn't expose the credentials.
- Indicates whether users with the associated password policy are required to change their password in a secure manner that does not expose the credentials.
As an alternative to account lockout, you can set a failed-bind-response-delay configuration property on the LDAP connection handler to instruct the server to introduce a delay (such as one second) into the process of returning a response to an unsuccessful bind operation.
Delaying the response to a failed bind only affects the connection on which the bind was attempted, and still limits the rate at which a malicious client can try to guess a user's password. However, it won't affect other attempts to authenticate as that user on other connections, so the legitimate user can still authenticate with the correct password.