While password policies are typically defined in the server configuration, it is also possible to define them in user data.
This is particularly useful when the PingDirectory server is used to back a multi-tenant application, in which information about many different organizations is maintained in the same server instance, typically with a separate branch for each organization. You can configure password policies on a per-organization basis.
Each password policy must be defined in an entry containing the ds-cfg-password-policy structural object class. The definition of this object class can be found by querying the server schema over LDAP (retrieving the "cn=schema" entry) or by looking in the config/schema/02-config.ldif schema definition file. The names of the LDAP attribute types correspond to the names of the password policy configuration properties available in dsconfig or the administration console, with a "ds-cfg-" prefix.
For example, the following entry represents a minimal password policy that might be defined in user data.
dn: cn=Org X Password Policy,ou=Org X,ou=tenants,dc=example,dc=com
objectClass: top
objectClass: ds-cfg-password-policy
cn: Org X Password Policy
ds-cfg-password-attribute: userPassword
ds-cfg-default-password-storage-scheme: cn=Salted SHA-256,cn=Password Storage Schemes,cn=config
Assign users to password policies contained in the user data in the same way that you assign them to policies in the configuration: include the ds-pwp-password-policy-dn operational attribute in their entry as either a real or a virtual attribute.
While password policies can reside in user data, any other configuration elements that they reference, including password storage schemes, password validators, password generators, account status notification handlers, and failure lockout actions, must reside within the configuration.
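The following script is an added example, not code from the PingDirectory documentation. It builds the LDIF for a tenant's ds-cfg-password-policy entry (folding long lines the way LDIF requires, with a leading space on continuation lines), refuses to emit a policy whose DN-valued properties point anywhere other than cn=config, and builds the modify operation that assigns a user through ds-pwp-password-policy-dn. The two properties from the page (password-attribute, default-password-storage-scheme) are used as shown; lockout-failure-count, password-validator and the validator DN "cn=Length-Based Password Validator,cn=Password Validators,cn=config" are assumed names and should be confirmed against dsconfig or the cn=schema entry before use.

```python
"""Generate and sanity-check LDIF for a per-tenant PingDirectory password policy.

Added example, not part of the PingDirectory documentation. Attribute names
follow the page's rule (dsconfig property name with a ds-cfg- prefix);
lockout-failure-count, password-validator and the validator DN below are
assumed and must be checked against the server schema before use.
"""
from typing import Dict, List, Tuple, Union

CONFIG_SUFFIX = "cn=config"   # every referenced config object must live here
LDIF_WIDTH = 76               # RFC 2849 folding width

Props = Dict[str, Union[str, List[str]]]


def _values(value):
    return value if isinstance(value, list) else [value]


def fold(line: str) -> List[str]:
    """Fold one logical LDIF line; continuation lines start with one space."""
    if len(line) <= LDIF_WIDTH:
        return [line]
    out, rest = [line[:LDIF_WIDTH]], line[LDIF_WIDTH:]
    while rest:
        out.append(" " + rest[:LDIF_WIDTH - 1])
        rest = rest[LDIF_WIDTH - 1:]
    return out


def unfold(text: str) -> List[str]:
    """Inverse of fold(): rejoin continuation lines onto their logical line."""
    logical: List[str] = []
    for physical in text.splitlines():
        if physical.startswith(" ") and logical:
            logical[-1] += physical[1:]
        else:
            logical.append(physical)
    return logical


def dangling_references(props: Props) -> List[Tuple[str, str]]:
    """(attribute, value) pairs whose DN value is outside cn=config."""
    bad = []
    for name, value in props.items():
        for v in _values(value):
            if "=" in v and not v.strip().lower().endswith(CONFIG_SUFFIX):
                bad.append(("ds-cfg-" + name, v))
    return bad


def policy_ldif(tenant_dn: str, policy_cn: str, props: Props) -> str:
    """LDIF add record for a ds-cfg-password-policy entry in the tenant branch."""
    bad = dangling_references(props)
    if bad:
        raise ValueError("references outside cn=config: %r" % bad)
    logical = [
        "dn: cn=%s,%s" % (policy_cn, tenant_dn),
        "objectClass: top",
        "objectClass: ds-cfg-password-policy",
        "cn: " + policy_cn,
    ]
    for name, value in props.items():
        for v in _values(value):
            logical.append("ds-cfg-%s: %s" % (name, v))
    return "\n".join(p for line in logical for p in fold(line)) + "\n"


def assignment_ldif(user_dn: str, policy_dn: str) -> str:
    """LDIF modify that points a user at the policy via ds-pwp-password-policy-dn."""
    logical = [
        "dn: " + user_dn,
        "changetype: modify",
        "replace: ds-pwp-password-policy-dn",
        "ds-pwp-password-policy-dn: " + policy_dn,
        "-",
    ]
    return "\n".join(p for line in logical for p in fold(line)) + "\n"


# Constructed sample: the page's Org X policy plus two assumed properties.
ORG_X_DN = "ou=Org X,ou=tenants,dc=example,dc=com"
ORG_X_PROPS: Props = {
    "password-attribute": "userPassword",
    "default-password-storage-scheme":
        "cn=Salted SHA-256,cn=Password Storage Schemes,cn=config",
    # assumed property name and validator DN
    "password-validator":
        ["cn=Length-Based Password Validator,cn=Password Validators,cn=config"],
    "lockout-failure-count": "5",  # assumed property name
}


def build_org_x() -> Tuple[str, str]:
    """Return (policy add LDIF, user assignment LDIF) for the Org X tenant."""
    policy = policy_ldif(ORG_X_DN, "Org X Password Policy", ORG_X_PROPS)
    user = assignment_ldif("uid=alice,ou=people," + ORG_X_DN,
                           "cn=Org X Password Policy," + ORG_X_DN)
    return policy, user


if __name__ == "__main__":
    policy_text, user_text = build_org_x()
    print(policy_text)
    print(user_text)
```

Feed the two records to ldapmodify (the first with -a, or add "changetype: add") once you have confirmed the assumed property names. The cn=config check is the part worth keeping: a policy that names a storage scheme or validator under the tenant branch will not resolve, because those objects are only honoured when they reside in the configuration.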
For improved performance, the PingDirectory server maintains a cache of password policy entries that are defined in the user data. This cache holds up to 500 policies by default, but you can tune that through the maximum-user-data-password-policies-to-cache property in the global configuration.