Can PeopleSoft password controls be used with LDAP authentication?

The answer to this question is not a simple Yes or No. There are a number of reasons why PeopleSoft password controls can and cannot be used with LDAP authentication.

Some PeopleSoft password controls are invoked through signon PeopleCode, namely Max Logon Attempts (account lockout) and Age (password expiration). Others, such as required special characters, minimum length and the check that the password does not match the OPRID, are implemented in the C code.

1) The Age (password expire) control WILL NOT work for LDAP authenticated users; you will need to set up password expiration in your directory for your directory user base.

NOTE: There is an issue with this when it comes to Single Sign On (SSO) between applications. A warning will appear, or you will get the logon page with an expiration message, because the password is expired or needs to be changed in the receiving database. This issue is addressed by incident 1567626000 - LDAP Users receiving password control errors when using SSO.

WORKAROUND for this issue: 


In the FUNCLIB_PWDCNTL.PWDCNTL.FieldChange PeopleCode, make the following addition:

Local string &ps_token_value;

&ps_token_value = %Request.GetCookieValue("PS_TOKEN");

Save and test.

If &ps_token_value is not referenced anywhere in the function or the database, you might have to add

If None(&ps_token_value) Then

before the If &days >= &EXPIRE statement (with a matching End-If; after the expiration check).

If the token exists, we know the request is coming from an SSO source and should not trigger the password control PeopleCode.


2) The ONLY part of the password controls that will work with LDAP authentication is the MAX LOGON ATTEMPTS. But this will not always work either, and here are the situations where it will or will not work.

A) If you are on PeopleTools versions prior to 8.17, the MAX LOGON ATTEMPTS in password controls was not working correctly. See incident 143708000. This issue is fixed in PeopleTools 8.17 & 8.4. However, you will also want to make sure to switch the order of the signon PeopleCode so that LDAP Authentication executes first; otherwise the failed-logon (password controls) code executes first and locks out the account one attempt earlier than you designated.

B) If you are ONLY using LDAP Authentication and not using the User Profile Synch signon PeopleCode function (Option # 5 on the signon PeopleCode page), the MAX LOGON ATTEMPTS will not work. This issue is being tracked by incident 586425000 and is fixed in PeopleTools 8.20 and 8.44. Prior to this fix the FAILEDLOGINS field on PSOPRDEFN was not being reset to zero after a successful LDAP authentication.

3) The delivered PeopleSoft logon is case sensitive. LDAP authentication is not case sensitive for the Signon OPRID. When using LDAP authentication and the "Invoke as" radio button on the signon PeopleCode page, the User Profile Component Interface will create the LDAP users in the PSOPRDEFN table in upper case. For example, if the user logs on with a lower case id using LDAP authentication, and their OPRID on PSOPRDEFN is in UPPER CASE, the signon code will not find the lower case user in the PSOPRDEFN table, and so the PeopleSoft signon PeopleCode for password controls will not update ANY OPRID.

4) Max Logon Attempt with LDAP users will be one less than the setting and here is why. When using a Max Logon Attempt of 3, LDAP will lock the account after two failed attempts because the third attempt although correct, is initially considered a failed attempt because the PeopleSoft password does not match. Therefore just remember that whatever you are using as the max logon attempt, for LDAP is one number less. We suggest you set this value to a minimum of 5.

The LDAP authentication signon PeopleCode will then execute, find the user in the directory, and then search the PSOPRDEFN table for whatever LDAP attribute was chosen on the directory setup pages. In this case the user could be logging on at the PeopleSoft logon page with their email address, sAMAccountName, uid, cn, or name. Since the password controls code cannot find the user, and the signon PeopleCode is not linked between LDAP authentication and password controls, the password control code will not affect anyone.

The only way this WILL work is if the user types the OPRID in the exact case stored on the PSOPRDEFN table. In this case, if the user fails to log on with an incorrect password, the FAILEDLOGINS field on PSOPRDEFN gets updated through the password control signon PeopleCode for that user. However, the account would ONLY get locked out if the user failed, with the exact-case OPRID, the maximum number of times set on your password controls page. An incident has been created to link the failed logon attempt with the OPRID string passed back from the LDAP directory. This is tracked by incident 1120212000, and developers have responded with this statement:

“If customers turn on their directory level password controls for failed logon attempts and account lockout, then when a user attempts to logon to PeopleSoft, with their directory user account, and they fail due to an invalid password, the directory will track this as a failed logon, and eventually lock the user's directory account. Thus doing the same thing that PeopleSoft would do to a user account.”
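To make the counting described in 2A, 2B and 4 concrete, the following is an added toy simulation in Python; it is not PeopleSoft code and not part of this note. It models the password-controls signon step as always recording a failed logon for an LDAP-only user (the PeopleSoft-side password never matches) and the LDAP step as a directory bind, run in either order. The user id, passwords and the reset_counter flag (standing in for the 8.20/8.44 fix in 2B) are constructed assumptions, not values from PeopleSoft.

```python
"""Toy model of the PeopleSoft signon PeopleCode chain for an LDAP-only user.

Constructed for illustration; not PeopleSoft's own code. It reproduces only the
interactions described in the note: the password-controls step counts a failed
logon whenever the PeopleSoft-side password does not match (always, for an
LDAP-only user), and the LDAP step authenticates against the directory.
"""
from dataclasses import dataclass


@dataclass
class OprDefn:
    """Minimal stand-in for a PSOPRDEFN row (constructed)."""
    oprid: str
    failed_logins: int = 0      # stand-in for the FAILEDLOGINS counter
    locked: bool = False


class Directory:
    """Stand-in for the LDAP directory; user ids compare case-insensitively."""

    def __init__(self, users):
        self._users = {uid.lower(): pwd for uid, pwd in users.items()}

    def bind(self, uid, password):
        return self._users.get(uid.lower()) == password


def password_controls(profile, max_logon):
    """Password-controls signon step for an LDAP-only user.

    The user has no usable PeopleSoft password, so the step always records a
    failed logon and locks the account once the counter reaches max_logon.
    """
    if profile.locked:
        return
    profile.failed_logins += 1
    if profile.failed_logins >= max_logon:
        profile.locked = True


def ldap_auth(profile, directory, password, reset_counter):
    """LDAP authentication signon step.

    reset_counter models the 8.20/8.44 fix that zeroes the failed-logon
    counter after a successful directory bind.
    """
    if profile.locked or not directory.bind(profile.oprid, password):
        return False
    if reset_counter:
        profile.failed_logins = 0
    return True


def signon(profile, directory, password, max_logon, ldap_first, reset_counter):
    """Run the two signon steps in the configured order; True if authenticated."""
    if ldap_first:
        if ldap_auth(profile, directory, password, reset_counter):
            return True
        password_controls(profile, max_logon)
        return False
    password_controls(profile, max_logon)
    return ldap_auth(profile, directory, password, reset_counter)


def run_attempts(passwords, max_logon, ldap_first, reset_counter=True):
    """Replay a sequence of typed passwords for constructed user 'jdoe' whose
    directory password is 'Correct-1'; returns per-attempt outcomes and the
    final profile."""
    directory = Directory({"jdoe": "Correct-1"})   # constructed sample user
    profile = OprDefn(oprid="JDOE")                 # stored upper case, as in item 3
    outcomes = [signon(profile, directory, p, max_logon, ldap_first, reset_counter)
                for p in passwords]
    return outcomes, profile


if __name__ == "__main__":
    # Max Logon Attempts = 3 with password controls before LDAP (delivered order):
    # two wrong guesses and then the correct password still fails, because the
    # password-controls step counts the third attempt as a failure before LDAP runs.
    print(run_attempts(["bad", "bad", "Correct-1"], 3, ldap_first=False))
    # LDAP first: the correct third attempt is authenticated.
    print(run_attempts(["bad", "bad", "Correct-1"], 3, ldap_first=True))
    # Pre-fix behaviour (2B): the counter is never reset, so a single later
    # wrong guess locks the account.
    print(run_attempts(["bad", "bad", "Correct-1", "bad"], 3, True, reset_counter=False))
```

Running the three scenarios shows the effective lockout threshold of max-1 wrong attempts in the delivered order, why putting LDAP authentication first recovers the full count, and how a counter that is never reset makes the lockout fire on an apparently first failure in a later session.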

5) Another reason PeopleSoft password controls cannot be used with LDAP authentication is that the PeopleSoft application does not update the user profile at the directory level. Your password controls for your directory users need to be maintained at the directory level and not through PeopleSoft. Please refer to your directory provider and its documentation for support information on how to set that up. There is an enhancement request on this issue: incident 133217000 - The "Change my Password" feature does not work for users using LDAP authentication. This is being considered by developers for a future tools release. Some customers have created a customization to get this to work by redirecting their users, from within PeopleSoft, to a directory logon page so that the user can change their directory password. However, this is a customization and the support center does not have information on how to do this.
