The Delegated Admin GUI's Account Information tab provides information about a user account. For Delegated Admin to display the user account information, you must enable the Password Policy State JSON virtual attribute for the users object class. You can then configure the information that appears.
For each PingDirectory instance that contains
users, enable the
Password Policy State JSONvirtual attribute for the users object class.Note:
You don't need to enable this virtual attribute on PingDirectoryProxy instances.
For example, the following command enables the virtual attribute for users with the person object class, which includes users whose REST resource type structural object class is derived from person, such as
$ bin/dsconfig set-virtual-attribute-prop \ --name "Password Policy State JSON" \ --set enabled:true \ --set require-explicit-request-by-name:true \ --set "filter:(objectClass=person)" \ --no-prompt --applyChangeTo server-group
After you enable the virtual attribute, delegated administrative users can access account information for a user in the Delegated Admin GUI.
The Account Information tab provides account status by default. To display the last login time and the password expiration date, you must set their properties. You configure these items per password policy.
When not configured, these entries appear as follows:
- LAST LOGIN
- Last login time not available. However, that entry is also given when the user has not logged in)
- PASSWORD EXPIRATION
- Password expiration date has not been enabled
You can configure these items in the Administrative Console or by using the dsconfig tool interactively or non-interactively. The following steps use the non-interactive approach.
Decide the password policy for which you want to enable the last login time and
password expiration date.
For more information, see Managing password policies.
Decide whether to include the last login time.
To include the last login time, decide which property to set. You can set either of the following properties:
If you use this property, make sure the
last-login-time-attributehas its default value
yyyyMMddHHmmss'Z'for second-level accuracy
yyyyMMddfor day-level accuracy
Decide whether to include the password expiration date.
To include this information, set the property
Set the desired password policy properties.
$bin/dsconfig set-password-policy-prop \ --policy-name "<password_policy_name>" \ --set maximum-recent-login-history-successful-authentication-count:<count_value> \ --set "max-password-age:<password_age_value>" \ --no-prompt --applyChangeTo server-group