PingDirectory server supports the password policy request control, as described in draft-behera-ldap-password-policy-10.
This control can be included in add, bind, compare, modify, and password modify extended requests to obtain information about the associated user’s password policy state. This includes:
- The length of time until the user’s password expires
- The number of remaining grace logins
- Whether the password is expired
- Whether the account is locked
- Whether the user must change their password
- Whether an update attempt failed because the user is not allowed to change their password
- Whether an update attempt failed because the user is required to provide their current password
- Whether an operation failed because the password is considered too weak
- Whether the proposed password is too short
- Whether the proposed password already exists in the user’s password history
- Whether a user cannot change their password because there has not been enough time since the previous password change
Because this control is based on a public specification, its format is fixed and it is not updated to support additional features.