Nevertheless, it is useful in some circumstances to provide an application with a way to obtain information about the reason for a failed authentication attempt. As such, PingDirectory Server offers a get password policy state issues request control that can be included in a bind request to indicate that the server should include a control in the bind response with information about any error, warning, or notice conditions in the user’s password policy state that might currently or soon interfere with their ability to authenticate. If the bind attempt fails, then it might also include specific information about the reason for that failure.

To prevent this control from being misused, PingDirectory Server only allows it to be requested under a limited set of circumstances:

  • The bind request must be issued on a connection that is currently authenticated as a user with the permit-get-password-policy-state-issues privilege.
  • The requester must have access control permission to use the get password policy state issues request control.

The bind request must also include the retain identity request control in the bind request.