The proprietary password update behavior request control may be included in an add, modify, or password modify extended request to override certain behaviors that the server would otherwise use when updating a user’s password. The control has an OID of 1.3.6.1.4.1.30221.2.5.51, and it takes a value. The following fields may be present in the value-json representation of the value:
is-self-change
: An optional Boolean field that may be used to override the server’s default determination about whether the password update represents a self change or an administrative reset. If this is not specified, the server will determine whether it is a self-change.
allow-pre-encoded-password
: An optional Boolean field that may be used to override the server’s default determination about whether to accept a new password that has been pre-encoded rather than provided in the clear. If this is not specified, the server uses the configuration to determine whether pre-encoded passwords should be allowed.
skip-password-validation
: An optional Boolean field that may be used to indicate whether the server should skip the normal password validation processing when determining whether to accept the new password. If this is not specified, the server uses the configuration to determine whether to perform password validation.
ignore-password-history
: An optional Boolean field that may be used to indicate whether the server should ignore the user’s password history when determining whether to accept the new password. If this is not specified, the server uses the configuration to determine whether to ignore the password history.
ignore-minimum-password-age
: An optional Boolean field that may be used to indicate whether the server should ignore any minimum password age constraint in effect for the user. If this is not specified, the server uses the configuration to determine whether to ignore the minimum password age.
password-storage-scheme
: An optional string field whose value is the name of the password storage scheme that should be used to encode the new password. If this is not specified, the server uses the configuration to determine which password storage scheme(s) to use.
must-change-password
: An optional Boolean field that may be used to override the server’s default determination about whether the user is required to choose a new password the next time they authenticate. If this is not specified, the server uses the configuration to determine whether to force a password change.
The following sample shows the JSON encoding for the control:
{
    "oid":"1.3.6.1.4.1.30221.2.5.51",
    "control-name":"Password Update Behavior Request Control",
    "criticality":false,
    "value-json": {
        "is-self-change":true,
        "must-change-password":false
    }
}
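Because this control can switch off password validation, history, and minimum-age checks, it helps to review JSON-encoded instances before they are sent or when they appear in captured requests. The following is an added example, not code from the server or its SDK: `review_control`, `RELAXING_FIELDS`, the strict handling of unknown fields, and the constructed samples (including the placeholder scheme name `EXAMPLE-SCHEME`) are assumptions of this sketch.

```python
import json

OID = "1.3.6.1.4.1.30221.2.5.51"
# Field names and types as listed on this page.
BOOLEAN_FIELDS = {
    "is-self-change", "allow-pre-encoded-password", "skip-password-validation",
    "ignore-password-history", "ignore-minimum-password-age", "must-change-password",
}
STRING_FIELDS = {"password-storage-scheme"}
# Assumption of this example: fields a reviewer flags when set to true,
# because each one switches off a check the server might otherwise apply.
RELAXING_FIELDS = BOOLEAN_FIELDS - {"is-self-change", "must-change-password"}

def review_control(text):
    """Return (errors, relaxed) for one JSON-encoded control."""
    control = json.loads(text)
    if control.get("oid") != OID:
        return ["unexpected OID"], []
    value = control.get("value-json")
    if not isinstance(value, dict):
        return ["value-json is not a JSON object"], []
    errors, relaxed = [], []
    for name, field in value.items():
        if name in BOOLEAN_FIELDS:
            if not isinstance(field, bool):
                errors.append(f"{name}: expected Boolean")
            elif field and name in RELAXING_FIELDS:
                relaxed.append(name)
        elif name in STRING_FIELDS:
            if not isinstance(field, str):
                errors.append(f"{name}: expected string")
        else:
            # Not in this page's field list; rejecting it is this example's choice.
            errors.append(f"{name}: unknown field")
    return errors, sorted(relaxed)

# The sample from this page, followed by two constructed inputs.
PAGE_SAMPLE = '''{"oid":"1.3.6.1.4.1.30221.2.5.51",
 "control-name":"Password Update Behavior Request Control","criticality":false,
 "value-json":{"is-self-change":true,"must-change-password":false}}'''
CONSTRUCTED_RELAXED = json.dumps({"oid": OID, "criticality": True, "value-json": {
    "skip-password-validation": True, "ignore-password-history": True,
    "ignore-minimum-password-age": False, "password-storage-scheme": "EXAMPLE-SCHEME"}})
CONSTRUCTED_BAD = json.dumps({"oid": OID, "criticality": False, "value-json": {
    "skip-password-validation": "true", "ignore-history": True}})

if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, CONSTRUCTED_RELAXED, CONSTRUCTED_BAD):
        print(review_control(sample))
```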