When connecting to PingDirectory, configure the password validation details request
control Access Control Instruction (ACI) to provide user-friendly messages when users fail
to change or reset their passwords through the self-service account management capabilities
in any HTML Form Adapter instances that use the datastore.
For self-service password management, where the user
knows the current password and wants to update it, the service account of the datastore
must have the password validation details request control ACI. For self-service account
recovery, where the user wants to define a new password after forgetting the current
password, the user account needs the same ACI.
- Create LDIF files to capture the following ACI information.
  - OID: 1.3.6.1.4.1.30221.2.5.40
  - Name: Password Validation Details Request Control
  - Permission: read
The following examples show the file contents for change password and password reset.

aci_toSvcAccount_forChangePassword.ldif:
# ACI to service account for change password
dn: uid=ssoDataStore,ou=ServiceAccounts,dc=example,dc=local
changetype: modify
add: aci
aci: (targetcontrol="1.3.6.1.4.1.30221.2.5.40")(version 3.0; acl "Access to the Password Validation Details Request Control"; allow (read) userdn="ldap:///uid=ssoDataStore,ou=ServiceAccounts,dc=example,dc=local";)

aci_toUsrAccount_forPasswordReset.ldif:
# ACI to a user account for password reset
dn: uid=user.7,ou=People,dc=example,dc=local
changetype: modify
add: aci
aci: (targetcontrol="1.3.6.1.4.1.30221.2.5.40")(version 3.0; acl "Access to the Password Validation Details Request Control"; allow (read) userdn="ldap:///uid=user.7,ou=People,dc=example,dc=local";)
Note:
For demonstration purposes, this sample LDIF file only targets one user.
You can use other LDIF syntax to widen its coverage to include multiple
users.
- Use the ldapmodify command to configure the required ACI.
$ ldapmodify -f <path>/aci_toSvcAccount_forChangePassword.ldif
-h <host name>
-p <LDAP port>
-D <LDAP bind username>
-w <LDAP bind password>
$ ldapmodify -f <path>/aci_toUsrAccount_forPasswordReset.ldif
-h <host name>
-p <LDAP port>
-D <LDAP bind username>
-w <LDAP bind password>
Note:
Line breaks are inserted for readability only.
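As an added example (not part of the Ping documentation), the following Python script generates the password-reset LDIF records above for any number of user entries, which is the wider coverage the note mentions, and checks each generated ACI for the control OID, the read permission and a well-formed grantee DN before the file is handed to ldapmodify. The user DNs under dc=example,dc=local are constructed sample values.

```python
import re

# OID of the PingDirectory Password Validation Details Request Control (from the page).
CONTROL_OID = "1.3.6.1.4.1.30221.2.5.40"
ACL_NAME = "Access to the Password Validation Details Request Control"

# Loose RDN check (attr=value, no escaped commas): it catches an empty
# component such as "ou=People,,dc=example", which ldapmodify would reject.
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+$")
_ACI = re.compile(r'\(targetcontrol="([^"]+)"\).*allow \((\w+)\) userdn="ldap:///([^"]+)";\)')


def dn_is_well_formed(dn):
    """True when every comma-separated RDN looks like attr=value."""
    return all(_RDN.match(part.strip()) for part in dn.split(","))


def build_aci(grantee_dn):
    """ACI granting grantee_dn read access to the control, in the syntax shown on the page."""
    if not dn_is_well_formed(grantee_dn):
        raise ValueError(f"malformed DN: {grantee_dn!r}")
    return (f'(targetcontrol="{CONTROL_OID}")'
            f'(version 3.0; acl "{ACL_NAME}"; allow (read) userdn="ldap:///{grantee_dn}";)')


def build_ldif(entry_dns):
    """One LDIF modify record per entry, each adding an ACI that lets that entry use the control."""
    records = [f"dn: {dn}\nchangetype: modify\nadd: aci\naci: {build_aci(dn)}\n" for dn in entry_dns]
    return "\n".join(records)


def check_aci(aci, expected_dn):
    """Parse an ACI value; True only if it grants exactly 'read' on CONTROL_OID to expected_dn."""
    m = _ACI.search(aci)
    if not m:
        return False
    oid, permission, grantee = m.groups()
    return (oid == CONTROL_OID and permission == "read"
            and grantee == expected_dn and dn_is_well_formed(grantee))


if __name__ == "__main__":
    # Constructed sample DNs; replace with the real user entries to be covered.
    users = [f"uid=user.{n},ou=People,dc=example,dc=local" for n in (7, 8, 9)]
    print(build_ldif(users))
```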