Reference Library
  1. Configuration Notes
  2. Default Settings
  3. Domains
  4. LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ Connection
  5. LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ Login Setup
  6. LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes
  7. LDAP ⇨ LDAP Settings ⇨ Global
  8. LDAP ⇨ LDAP Settings ⇨ Microsoft Active Directory
  9. LDAP ⇨ LDAP Settings ⇨ NetIQ eDirectory ⇨ eDirectory Challenge Sets
  10. LDAP ⇨ LDAP Settings ⇨ NetIQ eDirectory ⇨ eDirectory Settings
  11. LDAP ⇨ LDAP Settings ⇨ Oracle DS
  12. Modules ⇨ Authenticated ⇨ Account Information ⇨ Profiles ⇨ [profile]
  13. Modules ⇨ Authenticated ⇨ Account Information ⇨ Settings
  14. Modules ⇨ Authenticated ⇨ Administration
  15. Modules ⇨ Authenticated ⇨ Change Password ⇨ Profiles ⇨ [profile]
  16. Modules ⇨ Authenticated ⇨ Change Password ⇨ Settings
  17. Modules ⇨ Authenticated ⇨ Delete Account ⇨ Profiles ⇨ [profile]
  18. Modules ⇨ Authenticated ⇨ Delete Account ⇨ Settings
  19. Modules ⇨ Authenticated ⇨ Guest Registration
  20. Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Details
  21. Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Options
  22. Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Verification
  23. Modules ⇨ Authenticated ⇨ Help Desk ⇨ Settings
  24. Modules ⇨ Authenticated ⇨ People Search
  25. Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile]
  26. Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Settings
  27. Modules ⇨ Authenticated ⇨ Setup OTP ⇨ OTP Profile ⇨ [profile]
  28. Modules ⇨ Authenticated ⇨ Setup OTP ⇨ OTP Settings
  29. Modules ⇨ Authenticated ⇨ Setup Security Questions ⇨ Setup Security Profiles ⇨ [profile]
  30. Modules ⇨ Authenticated ⇨ Setup Security Questions ⇨ Setup Security Settings
  31. Modules ⇨ Authenticated ⇨ Shortcut Menu
  32. Modules ⇨ Authenticated ⇨ Update Profile ⇨ Update Profile Profiles ⇨ [profile]
  33. Modules ⇨ Authenticated ⇨ Update Profile ⇨ Update Profile Settings
  34. Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ Definition
  35. Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ OAuth
  36. Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ Options
  37. Modules ⇨ Public ⇨ Forgotten Password ⇨ Settings
  38. Modules ⇨ Public ⇨ Forgotten User Name
  39. Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile]
  40. Modules ⇨ Public ⇨ New User Registration ⇨ New User Settings
  41. Modules ⇨ Public ⇨ User Activation ⇨ Settings
  42. Modules ⇨ Public ⇨ User Activation ⇨ User Activation Profiles ⇨ [profile]
  43. Policies ⇨ Challenge Policies ⇨ [profile]
  44. Policies ⇨ Password Policies ⇨ [profile]
  45. Settings ⇨ Application
  46. Settings ⇨ Auditing ⇨ Audit Configuration
  47. Settings ⇨ Auditing ⇨ Audit Forwarding
  48. Settings ⇨ Captcha
  49. Settings ⇨ Database (Remote) ⇨ Advanced
  50. Settings ⇨ Database (Remote) ⇨ Connection
  51. Settings ⇨ Email ⇨ Email Servers ⇨ [profile]
  52. Settings ⇨ Email ⇨ Email Settings
  53. Settings ⇨ Email ⇨ Email Templates
  54. Settings ⇨ HTTP Client
  55. Settings ⇨ HTTPS Server
  56. Settings ⇨ Intruder Detection ⇨ Intruder Settings
  57. Settings ⇨ Intruder Detection ⇨ Intruder System Settings
  58. Settings ⇨ Intruder Detection ⇨ Intruder Timeouts
  59. Settings ⇨ Localization
  60. Settings ⇨ Logging
  61. Settings ⇨ Password Expiration Notification
  62. Settings ⇨ Password Settings
  63. Settings ⇨ Reporting
  64. Settings ⇨ SMS ⇨ SMS Gateway
  65. Settings ⇨ SMS ⇨ SMS Messages
  66. Settings ⇨ Security ⇨ Application Security
  67. Settings ⇨ Security ⇨ Web Security
  68. Settings ⇨ Single Sign On (SSO) Client ⇨ Basic Authentication
  69. Settings ⇨ Single Sign On (SSO) Client ⇨ CAS SSO
  70. Settings ⇨ Single Sign On (SSO) Client ⇨ HTTP SSO
  71. Settings ⇨ Single Sign On (SSO) Client ⇨ OAuth
  72. Settings ⇨ System ⇨ Session Management
  73. Settings ⇨ Telemetry
  74. Settings ⇨ Tokens
  75. Settings ⇨ URL Settings
  76. Settings ⇨ User History
  77. Settings ⇨ User Interface ⇨ Look & Feel
  78. Settings ⇨ User Interface ⇨ UI Features
  79. Settings ⇨ Web Services ⇨ REST Clients
  80. Settings ⇨ Web Services ⇨ REST Services
  81. Settings ⇨ Word Lists

Configuration Notes

Configuration Notes

Label Configuration Notes
Key notes.noteText
Navigation Configuration Notes ⇨ Configuration Notes
Syntax TEXT_AREA
Level 0 (Normal)
Required False
Confidential False
Scope DOMAIN
Default

Specify any configuration notes about your system. This option allows you to keep notes about any specific configuration options you have made with the system.

Default Settings

Label LDAP Vendor Default Settings
Key template.ldap
Navigation Default Settings ⇨ LDAP Vendor Default Settings
Syntax SELECT
Level 0 (Normal)
Required False
Confidential False
Scope DOMAIN
Options
Stored Value    Display
DIRECTORY_SERVER_389 389 Directory Server
AD Microsoft Active Directory
NOVL NetIQ eDirectory
NOVL_IDM NetIQ IDM / OAuth Integration
OPEN_LDAP OpenLDAP
ORACLE_DS Oracle Directory Server
DEFAULT Others
Default
DEFAULT

This setting changes the default values throughout this configuration to reasonable values based on this value. Only default (non-modified) settings are affected. Any settings that have been modified from the default are unaffected.

You can change this setting at any time but use caution when doing so as the overall behavior of the application might change. After changing this setting, review and test PWM to ensure the desired behavior occurs.


Label Storage Default Settings
Key template.storage
Navigation Default Settings ⇨ Storage Default Settings
Syntax SELECT
Level 0 (Normal)
Required False
Confidential False
Scope DOMAIN
Options
Stored Value    Display
LDAP LDAP
DB Remote Database
LOCALDB LocalDB (Testing Only)
Default
LDAP

This setting changes the default values throughout this configuration to reasonable values based on this value. Only default (non-modified) settings are affected. Any settings that have been modified from the default are unaffected.

You can change this setting at any time but use caution when doing so as the overall behavior of the application might change. After changing this setting review and test PWM to ensure the desired behavior occurs.


Domains

Domains

Label Domains
Key domain.list
Navigation Domains ⇨ Domains
Syntax DOMAIN
Level 0 (Normal)
Required True
Confidential False
Scope SYSTEM
Default
default
List of domains supported by this application instance. Domain order is unimportant. The value of the domain(s) may be used in public URLs and parameters.

Domains provide a way for multiple systems/sites/tenants/customers to use a single instance of this PWM application. Typically only a single instance is required. If multiple domains are listed, the configuration editor will allow per-domain configuration of many settings. Other settings are system-level and apply to the entire application instance.

Saving the configuration after increasing or decreasing the number of domains beyond a single domain may cause application URLs to change, and this configuration editor will change to allow editing of multiple domain configurations.


Label Administrative Domain
Key domain.system.adminDomain
Navigation Domains ⇨ Administrative Domain
Syntax STRING
Level 0 (Normal)
Required False
Confidential False
Scope SYSTEM
Default
default
Administrative Domain

Label Enable Domain Paths
Key domain.system.domainPathsEnabled
Navigation Domains ⇨ Enable Domain Paths
Syntax BOOLEAN
Level 0 (Normal)
Required False
Confidential False
Scope SYSTEM
Default
False

If enabled, domain IDs will be added to the URL path used to access this application, and URL paths will require the inclusion of the domain ID in the path. Example: "/pwm/private/login" will become "/pwm/default/private/login" or "/pwm/acme/private/login".

Regardless of this setting, the domain is always accessible if the host header (the browser url) is matched by the setting in Settings ⇨ URL Settings ⇨ Domain Hostnames.


Connection

Connection

Label LDAP URLs
Key ldap.serverUrls
Navigation LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ Connection ⇨ LDAP URLs
Syntax STRING_ARRAY
Level 0 (Normal)
Required False
Confidential False
Scope DOMAIN
Default

Add a list of LDAP servers in URL format that PWM uses for a fail-over configuration. PWM uses the servers in order of appearance in this list. If the first server is unavailable PWM uses the next available server in the list. PWM periodically checks the first server to see if it has become available.
  • For secure SSL, use the "ldaps://servername:636" format
  • For plain-text servers, use the "ldap://servername:389" format (not recommended)

When using secure connections, the Java virtual machine must trust the directory server, either because you have manually added the public key certificate from the tree to the Java keystore or you imported the certificate into the setting LDAP Server Certificates.

  • Do not use a non-secure connection for anything but the most basic testing purposes (many LDAP servers reject password operations on non-secure connections)
  • Do not use a load-balancing device for LDAP high availability; instead use the built-in LDAP server fail-over functionality
  • Do not use a DNS round-robin address
  • Avoid using the network address; use the proper fully-qualified domain name of the server

Label LDAP Certificates
Key ldap.serverCerts
Navigation LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ Connection ⇨ LDAP Certificates
Syntax X509CERT
Level 0 (Normal)
Required True
Confidential False
Scope DOMAIN
Default

Import the LDAP Server Certificates. PWM stores these certificates in the configuration file and it uses them to validate the identity of your LDAP server.

Label LDAP Proxy User
Key ldap.proxy.username
Navigation LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ Connection ⇨ LDAP Proxy User
Syntax STRING
Level 0 (Normal)
Required False
Confidential False
Scope DOMAIN
Default

Specify the LDAP Proxy User PWM uses to access the LDAP directory. This user must have rights to browse users, and manage password attributes on the user object.

This value must be in LDAP distinguished name format, even if your LDAP directory accepts other types of values for the bind DN. An example of this format is cn=admin,o=example or cn=administrator,cn=users,dc=subdomain,dc=domain,dc=net.

Generally, the proxy user needs read/browse object rights to all user objects it manages, as well as create object rights in the new user container (if enabled).

Label LDAP Proxy Password
Key ldap.proxy.password
Navigation LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ Connection ⇨ LDAP Proxy Password
Syntax PASSWORD
Level 0 (Normal)
Required False
Confidential True
Scope DOMAIN
Default
*hidden*
Specify the password of the LDAP Proxy User.

Label LDAP Contextless Login Roots
Key ldap.rootContexts
Navigation LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ Connection ⇨ LDAP Contextless Login Roots
Syntax STRING_ARRAY
Level 0 (Normal)
Required False
Confidential False
Scope DOMAIN
Default

Specify the base context(s) to search for user names during authentication and other operations. During authentication, PWM will perform a subtree search in each context listed. In cases where more than a single user is found during a search, the process configured in setting LDAP ⇨ LDAP Settings ⇨ Global ⇨ LDAP Duplicate Mode is used to handle the duplicates.

Authentication to PWM is permitted only for users that are contained within the configured context values.

Label LDAP Test User
Key ldap.testuser.username
Navigation LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ Connection ⇨ LDAP Test User
Syntax STRING
Level 0 (Normal)
Required False
Confidential False
Scope DOMAIN
Default

Specify the fully qualified DN of an LDAP test user that PWM uses to test functionality and for access to the LDAP directory. Configure this user similar to a normal user account with normal access privileges. PWM periodically uses this account to perform a health check, including changing the password of the account.

Using a test user account greatly increases the system's ability to detect and alert configuration and health issues.

PWM tests the following functionality (if enabled) using the test user account.
  • Authentication
  • Password policy reading
  • Set password
  • Set Challenge/Responses
  • Load Challenge/Responses

Label Auto Add GUID Value
Key ldap.guid.autoAddValue
Navigation LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ Connection ⇨ Auto Add GUID Value
Syntax BOOLEAN
Level 2
Required True
Confidential False
Scope DOMAIN
Default
Template    Value
default False
ORACLE_DS True
Enable this option to have PWM create and assign a unique GUID value for any user attempting to authenticate who does not already have one. PWM writes the value to the attribute named in the LDAP GUID Attribute setting.

Label LDAP Search Timeout
Key ldap.search.timeoutSeconds
Navigation LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ Connection ⇨ LDAP Search Timeout
Syntax DURATION
Level 2
Required False
Confidential False
Scope DOMAIN
Default
30
Specify the maximum amount of seconds to wait for an LDAP search to complete.

Label LDAP Profile Enabled
Key ldap.profile.enabled
Navigation LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ Connection ⇨ LDAP Profile Enabled
Syntax BOOLEAN
Level 2
Required False
Confidential False
Scope DOMAIN
Default
True
Enable this option to indicate if this LDAP profile is in use. For maintenance reasons, it might be helpful to remove an LDAP Profile from use instead of deleting the profile's configuration entirely.

Login Setup

Login Setup

Label User Name Search Filter
Key ldap.usernameSearchFilter
Navigation LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ Login Setup ⇨ User Name Search Filter
Syntax STRING
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
Template    Value
default (&(objectClass=person)(cn=%USERNAME%))
ORACLE_DS (&(objectClass=person)(uid=%USERNAME%))
AD (&(objectClass=person)(|(sAMAccountName=%USERNAME%)(cn=%USERNAME%)(mail=%USERNAME%)))
Specify an LDAP search filter PWM uses for contextless login and other functions to find users in LDAP by user name. The token %USERNAME% is replaced with the actual user name value.
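As an added illustration (not code from PWM), the following Python shows how a %USERNAME% token should be substituted into one of the filter templates above: the user-supplied value is escaped per RFC 4515 before substitution, so that filter metacharacters in a login name cannot alter the structure of the search filter. The template strings are the ones from the table; the function names are this example's own.

```python
# Added example, not PWM's own code: safe %USERNAME% substitution into a
# User Name Search Filter template.

# Filter templates copied from the table above.
TEMPLATE_DEFAULT = "(&(objectClass=person)(cn=%USERNAME%))"
TEMPLATE_ORACLE_DS = "(&(objectClass=person)(uid=%USERNAME%))"
TEMPLATE_AD = (
    "(&(objectClass=person)"
    "(|(sAMAccountName=%USERNAME%)(cn=%USERNAME%)(mail=%USERNAME%)))"
)

# RFC 4515 section 3: these characters must be written as a backslash
# followed by the two-digit hex code of the byte.
_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so it can only ever be an assertion value in a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_username_filter(template: str, username: str) -> str:
    """Replace every %USERNAME% occurrence with the escaped user name."""
    if "%USERNAME%" not in template:
        raise ValueError("template lacks the %USERNAME% token")
    return template.replace("%USERNAME%", escape_filter_value(username))


def structural_parens(ldap_filter: str) -> int:
    """Count unescaped '(' characters, i.e. the filter's real nesting.

    Escaping keeps this equal to the template's count; naive substitution of
    a value containing '(' does not.
    """
    count = 0
    i = 0
    while i < len(ldap_filter):
        if ldap_filter[i] == "\\":
            i += 3  # skip the two-hex-digit escape sequence
            continue
        if ldap_filter[i] == "(":
            count += 1
        i += 1
    return count
```

The constructed value `*)(uid=*` is the kind of input a login form can receive; after escaping it is matched literally as a cn value and the filter keeps the template's three clauses.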

Label User Selectable Login Contexts
Key ldap.selectableContexts
Navigation LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ Login Setup ⇨ User Selectable Login Contexts
Syntax STRING_ARRAY
Level 2
Required False
Confidential False
Scope DOMAIN
Default

(Optional) Add another field to the form-based login screen and other user search screens. The field allows the user to select a specific context. This is for situations where the LDAP directory does not have unique user names throughout the entire directory.

Values can further be set with both a display value and a context, separated by three colons.

For example:

ou=sf,ou=ca,o=example:::San Francisco
ou=lon,ou=uk,o=example:::London
ou=nyc,ou=ny,o=example:::New York


Label LDAP Profile Display Name
Key ldap.profile.displayName
Navigation LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ Login Setup ⇨ LDAP Profile Display Name
Syntax LOCALIZED_STRING
Level 2
Required False
Confidential False
Scope DOMAIN
Default

Specify the display name for this LDAP Profile.

User Attributes

Attributes

Label Attribute to use for User Name
Key ldap.username.attr
Navigation LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ Attribute to use for User Name
Syntax STRING
Level 2
Required False
Confidential False
Scope DOMAIN
Default
Template    Value
default cn
AD sAMAccountName
Specify the attribute PWM uses for the user name. If blank, PWM uses the LDAP Naming Attribute. This option allows fields that display or store the User Name or User ID of a user to show something other than the LDAP Naming Attribute if appropriate. This value must be unique for this system.

Label LDAP GUID Attribute
Key ldap.guidAttribute
Navigation LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ LDAP GUID Attribute
Syntax STRING
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
Template    Value
ORACLE_DS pwmGUID
default VENDORGUID
OPEN_LDAP entryuuid
DIRECTORY_SERVER_389 uidNumber
Specify an attribute PWM uses to identify and reference unique users in the LDAP directory. If set to the default value of VENDORGUID, the system attempts to read the vendor specific LDAP GUID. Alternatively, you can set any string readable attribute as the GUID as long as the directory enforces the uniqueness. Lastly, you can use a custom attribute and configure the "Auto Add GUID Value" option to true. The application-defined schema includes the attribute pwmGUID for this usage.

Label LDAP Naming Attribute
Key ldap.namingAttribute
Navigation LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ LDAP Naming Attribute
Syntax STRING
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
Template    Value
default cn
ORACLE_DS uid
Specify the attribute name PWM uses as the naming attribute on LDAP user entries. This value is also the first part of the distinguished name of a user. This name is fixed for a given directory vendor type, even if you use a different attribute in the login search filter. Typically, the naming attribute is cn or uid.

Label Last Password Update Attribute
Key passwordLastUpdateAttribute
Navigation LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ Last Password Update Attribute
Syntax STRING
Level 2
Required False
Confidential False
Scope DOMAIN
Default
Template    Value
ORACLE_DS
default
LDAP pwmLastPwdUpdate
AD
Specify the attribute PWM uses to record when the user last updated the password. PWM also uses it during replication checks and other processes.

Label User Group Attribute
Key ldap.user.group.attribute
Navigation LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ User Group Attribute
Syntax STRING
Level 2
Required False
Confidential False
Scope DOMAIN
Default
Template    Value
ORACLE_DS isMemberOf
OPEN_LDAP memberof
default groupMembership
DIRECTORY_SERVER_389 memberof
AD memberOf
Specify an attribute on the user entry that references group entries. The value of this attribute in the directory must be an LDAP DN.


Label User Email Attribute
Key email.userMailAttribute
Navigation LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ User Email Attribute
Syntax STRING
Level 2
Required True
Confidential False
Scope DOMAIN
Default
mail
Specify the LDAP attribute that contains the users' email address.

Label Secondary User Email Attribute
Key email.userMailAttribute2
Navigation LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ Secondary User Email Attribute
Syntax STRING
Level 2
Required False
Confidential False
Scope DOMAIN
Default

Specify the secondary LDAP attribute that contains the users' email address.

Label Tertiary User Email Attribute
Key email.userMailAttribute3
Navigation LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ Tertiary User Email Attribute
Syntax STRING
Level 2
Required False
Confidential False
Scope DOMAIN
Default

Specify the tertiary LDAP attribute that contains the users' email address.

Label SMS Destination Address LDAP Attribute
Key sms.userSmsAttribute
Navigation LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ SMS Destination Address LDAP Attribute
Syntax STRING
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
personalMobile
Specify the LDAP attribute containing the users' mobile phone numbers for SMS.

Label Secondary SMS Destination Address LDAP Attribute
Key sms.userSmsAttribute2
Navigation LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ Secondary SMS Destination Address LDAP Attribute
Syntax STRING
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default

Specify the secondary LDAP attribute containing the users' mobile phone numbers for SMS.

Label Tertiary SMS Destination Address LDAP Attribute
Key sms.userSmsAttribute3
Navigation LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ Tertiary SMS Destination Address LDAP Attribute
Syntax STRING
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default

Specify the tertiary LDAP attribute containing the users' mobile phone numbers for SMS.

Label Response Storage Attribute
Key challenge.userAttribute
Navigation LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ Response Storage Attribute
Syntax STRING
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
pwmResponseSet
Specify the attribute to use for response storage when storing responses in an LDAP directory.

Label User History LDAP Attribute
Key events.ldap.attribute
Navigation LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ User History LDAP Attribute
Syntax STRING
Level 2
Required False
Confidential False
Scope DOMAIN
Default
pwmEventLog
Specify the attribute PWM uses to write a user event attribute in LDAP. The user event log attribute holds an XML document with the users' event history. Leave blank to disable logging event history in LDAP.

Label Web Service User Attributes
Key webservice.userAttributes
Navigation LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ Web Service User Attributes
Syntax STRING_ARRAY
Level 2
Required False
Confidential False
Scope DOMAIN
Default

Add the user attributes that the various web services use and PWM presents as part of the users' data sets.

Label OTP Secret LDAP Attribute
Key otp.secret.ldap.attribute
Navigation LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ OTP Secret LDAP Attribute
Syntax STRING
Level 2
Required False
Confidential False
Scope DOMAIN
Default
pwmOtpSecret
Specify the LDAP attribute for storing the OTP secret. PWM only uses this setting when the storage method is set to LDAP.

Label LDAP Photo Attribute
Key peopleSearch.photo.ldapAttribute
Navigation LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ LDAP Photo Attribute
Syntax STRING
Level 2
Required False
Confidential False
Scope DOMAIN
Default
photo
Specify the LDAP Attribute to use for a photo. Leave this option blank, if you do not want to display a photo.

Label Photo URL Override
Key peopleSearch.photo.urlOverride
Navigation LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ Photo URL Override
Syntax STRING
Level 2
Required False
Confidential False
Scope DOMAIN
Default

Specify a URL to override the photo. If the LDAP directory does not store the users' photos, this setting can show photos from an external system. If you specify this setting, PWM does not load the photo from the LDAP directory.

Example: http://photos.example.com/employee/@LDAP:[email protected]

Label Organizational Chart Parent Attribute
Key peopleSearch.orgChart.parentAttribute
Navigation LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ Organizational Chart Parent Attribute
Syntax STRING
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
manager
Specify the attribute that contains the LDAP DN of the manager. If this setting is blank, PWM does not show the organizational chart view.

Label Organizational Chart Child Attribute
Key peopleSearch.orgChart.childAttribute
Navigation LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ Organizational Chart Child Attribute
Syntax STRING
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
directReports
Specify the attribute that contains the LDAP DN of the direct reports for a user. If this setting is blank, PWM does not show the organizational chart view.

Label Organizational Assistant Attribute
Key peopleSearch.orgChart.assistantAttribute
Navigation LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ Organizational Assistant Attribute
Syntax STRING
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
assistant
Specify the attribute that contains the LDAP DN of the assistant for a user. If this setting is blank, PWM will not show the assistant on the organizational chart view.

Label Organizational Chart Workforce ID Attribute
Key peopleSearch.orgChart.workforceIdAttribute
Navigation LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ Organizational Chart Workforce ID Attribute
Syntax STRING
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
workforceID
Specify the attribute that contains the workforce ID of the user. If this setting is blank, PWM data exports will not contain the workforce ID.

Label User Language Attribute
Key ldap.user.language.attribute
Navigation LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ User Language Attribute
Syntax STRING
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default

Attribute that contains the language of the user in RFC1766 format. (The same format used by web browsers and the HTTP Accept-Language header.) This value is used only for user interactions when the user does not have an active web session such as an email notification.

Label Application Data Attribute
Key ldap.user.appData.attribute
Navigation LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ Application Data Attribute
Syntax STRING
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
pwmData
Specify an attribute PWM uses to store data for various application services, including the LDAP node service and the password expiration notification service.

Label Auto Set User Language Attribute
Key ldap.user.language.autoSet
Navigation LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ Auto Set User Language Attribute
Syntax SELECT
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Options
Stored Value    Display
disabled Disabled
enabled Enabled - Write to LDAP attribute during authentication.
Default
disabled
When enabled, the user's effective locale for a web session will be written to the LDAP language attribute.

Label Auto Add Object Classes
Key ldap.addObjectClasses
Navigation LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ Auto Add Object Classes
Syntax STRING_ARRAY
Level 2
Required False
Confidential False
Scope DOMAIN
Default
Template    Value
default pwmUser
DB
Specify the object classes to automatically add to users who authenticate to the password servlet. Typically, this is an auxiliary LDAP class that contains attributes used by PWM to store password self-service data.

Global

Global settings that control the interaction with an LDAP directory. PWM applies these settings regardless of the user's LDAP profile. For profile-specific settings, see Profiles -> LDAP Directory Profiles.

Label LDAP Idle Timeout
Key ldap.idleTimeout
Navigation LDAP ⇨ LDAP Settings ⇨ Global ⇨ LDAP Idle Timeout
Syntax DURATION
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
30
Specify a number of seconds the LDAP connection for a given session can remain idle before closing. If zero, then PWM maintains an LDAP connection throughout the lifetime of the HTTP session.

Label User Object Class
Key ldap.defaultObjectClasses
Navigation LDAP ⇨ LDAP Settings ⇨ Global ⇨ User Object Class
Syntax STRING_ARRAY
Level 2
Required False
Confidential False
Scope DOMAIN
Default
Template    Value
default inetOrgPerson
AD User
Specify the object classes of user entries in your LDAP directory.

Label Follow LDAP Referrals
Key ldap.followReferrals
Navigation LDAP ⇨ LDAP Settings ⇨ Global ⇨ Follow LDAP Referrals
Syntax BOOLEAN
Level 2
Required True
Confidential False
Scope DOMAIN
Default
Template    Value
default False
AD True
Enable this option to have PWM follow LDAP referrals.

Label LDAP Duplicate Mode
Key ldap.duplicateMode
Navigation LDAP ⇨ LDAP Settings ⇨ Global ⇨ LDAP Duplicate Mode
Syntax SELECT
Level 2
Required False
Confidential False
Scope DOMAIN
Options
Stored Value    Display
FIRST_ALL Match first user - Use first user discovered in any context or profile, ignore any duplicates
FIRST_PROFILE Match first ldap profile - Use the first user discovered in the first profile that has only a single match
NONE No duplicates Permitted - Fail whenever duplicate users are found in any context or profile
Default
NONE
Select how PWM handles the situation when it finds multiple user matches for a search, such as during authentication.
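As an added example, not PWM's own code, the following Python models how a user name entered at login is resolved across LDAP profiles: a subtree search under each profile's Contextless Login Roots (described in the Connection section), rejection of entries outside those roots, and each of the three LDAP Duplicate Mode values above. The profiles, directory entries and user names are constructed sample data; the function and exception names are this example's own.

```python
# Added example, not PWM's own code: user-name resolution across LDAP
# profiles with LDAP Duplicate Mode handling.

# Constructed profiles: ordered list of (profile id, Contextless Login Roots).
PROFILES = [
    ("corp", ["ou=users,o=example"]),
    ("partners", ["ou=people,o=partner"]),
]

# Constructed directory: entry DN -> attributes. Two "jsmith" entries sit
# inside the corp root, one more in the partner root; "guest" is outside
# every configured root.
DIRECTORY = {
    "cn=jsmith,ou=users,o=example": {"cn": "jsmith"},
    "cn=jsmith,ou=contractors,ou=users,o=example": {"cn": "jsmith"},
    "cn=jsmith,ou=people,o=partner": {"cn": "jsmith"},
    "cn=adoe,ou=users,o=example": {"cn": "adoe"},
    "cn=adoe,ou=archive,o=example": {"cn": "adoe"},
    "cn=guest,ou=external,o=example": {"cn": "guest"},
}

DUPLICATE_MODES = ("FIRST_ALL", "FIRST_PROFILE", "NONE")


class DuplicateUserError(Exception):
    """Raised when the duplicate mode does not permit the matches found."""


class UserNotFoundError(Exception):
    """Raised when no entry inside a configured root matches the user name."""


def normalize_dn(dn: str) -> str:
    # Case-insensitive comparison with whitespace around RDN separators removed.
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_in_context(dn: str, context: str) -> bool:
    """True when dn is the context entry itself or lies in its subtree."""
    ndn, nctx = normalize_dn(dn), normalize_dn(context)
    return ndn == nctx or ndn.endswith("," + nctx)


def search_profile(roots, username: str):
    """Subtree search of every root context for a matching naming attribute."""
    found = []
    for root in roots:
        for dn, attrs in DIRECTORY.items():
            if attrs.get("cn", "").lower() == username.lower() and dn_in_context(dn, root):
                found.append(dn)
    return found


def resolve_user(username: str, mode: str, profiles=PROFILES) -> str:
    """Return the DN the login proceeds with, or raise.

    FIRST_ALL:     first entry discovered in any profile or context.
    FIRST_PROFILE: the entry from the first profile that has exactly one match.
    NONE:          fail whenever more than one entry matches anywhere.
    """
    if mode not in DUPLICATE_MODES:
        raise ValueError("unknown duplicate mode: " + mode)
    per_profile = [(pid, search_profile(roots, username)) for pid, roots in profiles]
    all_matches = [dn for _, dns in per_profile for dn in dns]
    if not all_matches:
        raise UserNotFoundError(username)
    if mode == "FIRST_ALL":
        return all_matches[0]
    if mode == "FIRST_PROFILE":
        for _, dns in per_profile:
            if len(dns) == 1:
                return dns[0]
        raise DuplicateUserError(username)
    if len(all_matches) > 1:  # mode == "NONE"
        raise DuplicateUserError(username)
    return all_matches[0]
```

Note that "adoe" resolves cleanly under NONE even though a second adoe entry exists, because that entry is outside the configured root and is never searched; the same root check is what keeps "guest" from authenticating at all.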

Label User Selectable LDAP Context/Profile
Key ldap.selectableContextMode
Navigation LDAP ⇨ LDAP Settings ⇨ Global ⇨ User Selectable LDAP Context/Profile
Syntax SELECT
Level 2
Required False
Confidential False
Scope DOMAIN
Options
Stored Value    Display
SHOW_PROFILE Show the ldap profile
SHOW_CONTEXTS Show the ldap profile and ldap contexts
NONE Do not show
Default
NONE
Control if the ldap context or profile is shown to the user as an option during user identification (login, forgotten password, etc).

Label Ignore Unreachable LDAP Profiles
Key ldap.ignoreUnreachableProfiles
Navigation LDAP ⇨ LDAP Settings ⇨ Global ⇨ Ignore Unreachable LDAP Profiles
Syntax BOOLEAN
Level 2
Required False
Confidential False
Scope DOMAIN
Default
True
Enable this option to have PWM ignore unreachable profiles when multiple LDAP profiles exist. PWM only shows a Directory Unavailable error during a user search when there is only a single LDAP Profile configured or all LDAP Profiles are unreachable.

Label Enable LDAP Wire Trace
Key ldap.wireTrace.enable
Navigation LDAP ⇨ LDAP Settings ⇨ Global ⇨ Enable LDAP Wire Trace
Syntax BOOLEAN
Level 2
Required True
Confidential False
Scope DOMAIN
Default
False
Enable this option to have PWM output all LDAP traffic to the TRACE logging level.

WARNING: enabling this option might allow PWM to write user passwords and other sensitive data to the log files.

Label Password Sync Enable Replication Checking
Key passwordSync.enableReplicaCheck
Navigation LDAP ⇨ LDAP Settings ⇨ Global ⇨ Password Sync Enable Replication Checking
Syntax SELECT
Level 2
Required False
Confidential False
Scope DOMAIN
Options
Stored Value    Display
DISABLED DISABLED - Do not perform replica sync checking
ENABLED ENABLED - Enabled, but do not display individual progress to user
ENABLED_SHOW ENABLED and Display - Enable replica sync checking and display progress to user
Default
ENABLED
Enable this option to check for the password to be updated on all configured replicas (for a user's LDAP Profile). When enabled, replica sync checking polls all of the configured replicas on the user's LDAP Profile to determine if the password change time has been updated. The particular method to determine the last password change time varies per LDAP vendor type.

Microsoft Active Directory

Active Directory specific settings

Label Use Proxy When Password Forgotten
Key ldap.ad.proxyForgotten
Navigation LDAP ⇨ LDAP Settings ⇨ Microsoft Active Directory ⇨ Use Proxy When Password Forgotten
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
Template    Value
default False
AD True
Enable this option to have PWM use the LDAP proxy account for LDAP work when users forget their passwords. This is necessary because an LDAP connection to Active Directory is not possible without the user's password. When authenticated in this condition, Active Directory forces the user to change the password immediately.

Label Allow Authentication When "Must Change Password On Next Login" Is Set
Key ldap.ad.allowAuth.requireNewPassword
Navigation LDAP ⇨ LDAP Settings ⇨ Microsoft Active Directory ⇨ Allow Authentication When "Must Change Password On Next Login" Is Set
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
True
Active Directory fails an LDAP login attempt when the user's "must change password on next login" flag is set. If you enable this option, the system allows a login even though the LDAP bind failed. The user can only set a new password when this condition occurs. No other functions are available until the password has been set (and the system clears this flag).

Label Allow Authentication When Password Expired
Key ldap.ad.allowAuth.expired
Navigation LDAP ⇨ LDAP Settings ⇨ Microsoft Active Directory ⇨ Allow Authentication When Password Expired
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
False
Active Directory fails an LDAP login attempt when the current date is after the user's password expiration date. If you enable this option, the system allows the login even though the LDAP bind failed. The user can only set a new password when this condition occurs; no other functions are available until the user sets the password (and the system clears this flag).

Label Enforce Password Policy During Forgotten Password
Key ldap.ad.enforcePwHistoryOnSet
Navigation LDAP ⇨ LDAP Settings ⇨ Microsoft Active Directory ⇨ Enforce Password Policy During Forgotten Password
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
False
Enable this option to enforce the password policy during the forgotten password process when Use Proxy When Password Forgotten is also set to true. This setting requires that the Active Directory servers be at Windows Server 2008 R2 SP1 or later. More specifically, it requires that the Active Directory servers support the LDAP_SERVER_POLICY_HINTS_OID (1.2.840.113556.1.4.2066) LDAP modification control.

eDirectory Challenge Sets

NetIQ eDirectory CR specific settings.

Label Read eDirectory Challenge Sets
Key ldap.edirectory.readChallengeSets
Navigation LDAP ⇨ LDAP Settings ⇨ NetIQ eDirectory ⇨ eDirectory Challenge Sets ⇨ Read eDirectory Challenge Sets
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
Template Value
default False
NOVL_IDM True
NOVL True
Enable this option to have PWM read and apply the challenge set configuration from the eDirectory Universal Password policy to users. If an eDirectory challenge set applies to the user, PWM uses that policy; otherwise PWM uses the policy that is part of this configuration. To require only NMAS-configured challenge sets, ensure that you blank out the required and forgotten questions in this configuration; otherwise PWM uses those questions wherever you have not defined an eDirectory policy.

Label eDirectory Challenge Set Minimum Randoms During Setup
Key ldap.edirectory.cr.minRandomDuringSetup
Navigation LDAP ⇨ LDAP Settings ⇨ NetIQ eDirectory ⇨ eDirectory Challenge Sets ⇨ eDirectory Challenge Set Minimum Randoms During Setup
Syntax NUMERIC
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
0
Specify the number of random questions you require the users to complete at the time of saving their Challenge/Response answers.

Label eDirectory Challenge Set Apply Word List
Key ldap.edirectory.cr.applyWordlist
Navigation LDAP ⇨ LDAP Settings ⇨ NetIQ eDirectory ⇨ eDirectory Challenge Sets ⇨ eDirectory Challenge Set Apply Word List
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
False
Enable this option to prohibit users from using words from the word list dictionary in their answers when they save their Challenge/Response answers.

Label eDirectory Challenge Set Maximum Question Characters In Answer
Key ldap.edirectory.cr.maxQuestionCharsInAnswer
Navigation LDAP ⇨ LDAP Settings ⇨ NetIQ eDirectory ⇨ eDirectory Challenge Sets ⇨ eDirectory Challenge Set Maximum Question Characters In Answer
Syntax NUMERIC
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
0
Specify the maximum number of characters from the question text that PWM permits to appear in the answer when users save their Challenge/Response answers.

eDirectory Settings

NetIQ eDirectory specific settings.

Label Save NMAS Responses
Key ldap.edirectory.storeNmasResponses
Navigation LDAP ⇨ LDAP Settings ⇨ NetIQ eDirectory ⇨ eDirectory Settings ⇨ Save NMAS Responses
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
Template Value
default False
NOVL_IDM True
NOVL True
Enable this option to have PWM save user responses to the NMAS response storage container on the user. This storage is in addition to any other configured response storage methods.

Label Enable NMAS Responses for Forgotten Password
Key ldap.edirectory.useNmasResponses
Navigation LDAP ⇨ LDAP Settings ⇨ NetIQ eDirectory ⇨ eDirectory Settings ⇨ Enable NMAS Responses for Forgotten Password
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
Template Value
default False
NOVL_IDM True
NOVL False
Enable this option to have PWM use NMAS stored responses for the forgotten password recovery. PWM tries all other configured storage methods before it evaluates the NMAS stored responses.

Label Read User Passwords
Key ldap.edirectory.readUserPwd
Navigation LDAP ⇨ LDAP Settings ⇨ NetIQ eDirectory ⇨ eDirectory Settings ⇨ Read User Passwords
Syntax BOOLEAN
Level 2
Required False
Confidential False
Scope DOMAIN
Default
Template Value
default False
NOVL_IDM True
NOVL True
Enable this option to have PWM read the user's password from eDirectory before changing it. This prevents PWM from setting an extra password change to a temporary random password during the forgotten password sequence. If the proxy user does not have rights to read the password, then PWM generates a temporary random password for the user anyway.

Oracle DS

Oracle Directory Server-specific settings

Label Allow Manipulation of PasswordAllowChangeTime
Key ldap.oracleDS.enable.manipAllowChangeTime
Navigation LDAP ⇨ LDAP Settings ⇨ Oracle DS ⇨ Allow Manipulation of PasswordAllowChangeTime
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
True
Enable this option to have PWM, during the forgotten password recovery sequence, allow manipulation of the allowPasswordChangeTime attribute. This allows forgotten password functionality with expected behavior when PWM enforces a policy of minimum time between password changes.

Label Allow Authentication When "Require Password Change at First Login and After Reset" Is Set
Key ldap.oracleDS.allowAuth.requireNewPassword
Navigation LDAP ⇨ LDAP Settings ⇨ Oracle DS ⇨ Allow Authentication When "Require Password Change at First Login and After Reset" Is Set
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
True
Enable this option to have PWM allow a login even though the LDAP bind failed. Oracle Directory Server normally fails an LDAP login attempt when the user's pwdReset attribute is set because an administrator set the password. The user can only set a new password when this condition occurs; no other functions are available until the password has been set (and the system clears this flag).

Profiles

Profiles for account information.

Label Account Information Profile Match
Key accountInfo.queryMatch
Navigation Modules ⇨ Authenticated ⇨ Account Information ⇨ Profiles ⇨ [profile] ⇨ Account Information Profile Match
Syntax USER_PERMISSION
Level 2
Required True
Confidential False
Scope DOMAIN
Default
UserPermission: All Users: [Profile: 'all']
Account Information Profile Match

Label Show Password Event History
Key display.passwordHistory
Navigation Modules ⇨ Authenticated ⇨ Account Information ⇨ Profiles ⇨ [profile] ⇨ Show Password Event History
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
True
Enable this option to show logged in users their password event history. The password event history appears as a tab on the account information page.

Label Viewable Status Fields
Key accountInfo.viewStatusValues
Navigation Modules ⇨ Authenticated ⇨ Account Information ⇨ Profiles ⇨ [profile] ⇨ Viewable Status Fields
Syntax OPTIONLIST
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Options
Stored Value Display
AccountExpirationTime Account Expiration Time
GUID GUID
ForwardURL Forward URL
LogoutURL Logout URL
NetworkAddress Network Address
NetworkHost Network Host
PasswordExpired Password Expired
PasswordExpireTime Password Expire Time
PasswordPreExpired Password Pre-Expired
PasswordSetTime Password Set Time
PasswordSetTimeDelta Password Set Time Delta
PasswordWarnPeriod Password Warn Period
PasswordViolatesPolicy Password Violates Policy
ResponsesStored Responses Stored
ResponsesNeeded Responses Needed
ResponsesTimestamp Responses Timestamp
OTPStored OTP Stored
OTPTimestamp OTP Timestamp
Username Username
UserDN User DN
UserEmail User Email
UserSMS User SMS
Default
ForwardURL
LogoutURL
NetworkAddress
NetworkHost
OTPStored
OTPTimestamp
PasswordExpireTime
PasswordExpired
PasswordPreExpired
PasswordSetTime
PasswordSetTimeDelta
PasswordViolatesPolicy
PasswordWarnPeriod
ResponsesNeeded
ResponsesStored
ResponsesTimestamp
UserEmail
UserSMS
Username
Select the fields that are available for the users to view about their own account.

Label LDAP Display Attributes
Key accountInfo.view.form
Navigation Modules ⇨ Authenticated ⇨ Account Information ⇨ Profiles ⇨ [profile] ⇨ LDAP Display Attributes
Syntax FORM
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default

Specify the LDAP attributes to show to users on the account information page.

Settings

Settings for the account information module.

Label Enable Account Information
Key display.accountInformation
Navigation Modules ⇨ Authenticated ⇨ Account Information ⇨ Settings ⇨ Enable Account Information
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
True
Enable this option to show the User Account Information menu on the main menu.

Administration

Administration

Label Administrator Permission
Key pwmAdmin.queryMatch
Navigation Modules ⇨ Authenticated ⇨ Administration ⇨ Administrator Permission
Syntax USER_PERMISSION
Level 0 (Normal)
Required True
Confidential False
Scope DOMAIN
Default

Specify the permissions PWM uses to determine if it grants a user administrator rights.

Label Allow Admin to Skip Forced Activities
Key pwmAdmin.allowSkipForcedActivities
Navigation Modules ⇨ Authenticated ⇨ Administration ⇨ Allow Admin to Skip Forced Activities
Syntax BOOLEAN
Level 0 (Normal)
Required True
Confidential False
Scope DOMAIN
Default
True
Allow administrators to skip otherwise forced activities such as setup of challenge/response answers.

Profiles

The change password module is the core functionality of the application. Use these settings to control the behavior and functionality of the change password functionality that all users see.

Label Change Password Profile Match
Key password.allowChange.queryMatch
Navigation Modules ⇨ Authenticated ⇨ Change Password ⇨ Profiles ⇨ [profile] ⇨ Change Password Profile Match
Syntax USER_PERMISSION
Level 2
Required True
Confidential False
Scope DOMAIN
Default
UserPermission: All Users: [Profile: 'all']
Specify the permissions used to detect if PWM permits users to change their passwords.

Label Logout After Password Change
Key logoutAfterPasswordChange
Navigation Modules ⇨ Authenticated ⇨ Change Password ⇨ Profiles ⇨ [profile] ⇨ Logout After Password Change
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
True
Enable this option to force users to log out (and send them to the logoutURL) after a password change.

In most cases, leave this option enabled (default), especially if you are using some type of single sign-on service.

Label Change Password Required Values Form
Key password.require.form
Navigation Modules ⇨ Authenticated ⇨ Change Password ⇨ Profiles ⇨ [profile] ⇨ Change Password Required Values Form
Syntax FORM
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default

Specify the values the users are required to enter prior to a password change.

Label Require Current Password During Change
Key password.change.requireCurrent
Navigation Modules ⇨ Authenticated ⇨ Change Password ⇨ Profiles ⇨ [profile] ⇨ Require Current Password During Change
Syntax SELECT
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Options
Stored Value Display
TRUE True
FALSE False
NOTEXPIRED Only when not expired
Default
FALSE
Enable this option to require users to provide their current passwords on the Change Password page. You must enable this option if users are using a single sign-on service. In most cases, this is not required because the single sign-on service authenticates the users prior to accessing the Change Password page.

Label Password Change Agreement Message
Key display.password.changeAgreement
Navigation Modules ⇨ Authenticated ⇨ Change Password ⇨ Profiles ⇨ [profile] ⇨ Password Change Agreement Message
Syntax LOCALIZED_TEXT_AREA
Level 1 (Advanced)
Macro Support True
Required False
Confidential False
Scope DOMAIN
Default

Specify a message to display to users before allowing them to change their passwords. If blank, PWM does not display the change password agreement page to the users. This message can include HTML tags.

This setting can use macros. For more information about macros, see the "View" menu "Show Macro Help".


Label Password Change Completion Message
Key display.password.completeMessage
Navigation Modules ⇨ Authenticated ⇨ Change Password ⇨ Profiles ⇨ [profile] ⇨ Password Change Completion Message
Syntax LOCALIZED_TEXT_AREA
Level 1 (Advanced)
Macro Support True
Required False
Confidential False
Scope DOMAIN
Default

Specify a message to display to users when they complete a password change. If blank, PWM does not display the change password completion page to the user. This message can include HTML tags.

This setting can use macros. For more information, see the "View" menu "Show Macro Help".


Label Password Guide Text
Key display.password.guideText
Navigation Modules ⇨ Authenticated ⇨ Change Password ⇨ Profiles ⇨ [profile] ⇨ Password Guide Text
Syntax LOCALIZED_TEXT_AREA
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default

Specify the text (with HTML tags/formatting) to show users on the password guide page. This appears as a "password guide" link and pop-up dialog. Leave blank to not show the password guide link.

This setting allows macros. For more information, see the "View" menu "Show Macro Help".


Label Password Change Minimum Wait Time
Key passwordSyncMinWaitTime
Navigation Modules ⇨ Authenticated ⇨ Change Password ⇨ Profiles ⇨ [profile] ⇨ Password Change Minimum Wait Time
Syntax DURATION
Level 2
Required True
Confidential False
Scope DOMAIN
Default
15
Specify how long, during a password change, the system waits before forwarding the user. This gives any background synchronization processes time to execute before the user executes the next operation.

Specify the value in seconds.

Label Password Change Maximum Wait Time
Key passwordSyncMaxWaitTime
Navigation Modules ⇨ Authenticated ⇨ Change Password ⇨ Profiles ⇨ [profile] ⇨ Password Change Maximum Wait Time
Syntax DURATION
Level 2
Required True
Confidential False
Scope DOMAIN
Default
90
Specify how long, during a password change, the system waits for the password to be synchronized to all configured LDAP servers. In cases where the synchronization might take an extraordinary amount of time, this setting prevents the page from timing out.

Specify the value in seconds.
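The following is an added example (not PWM's own code) that simulates the wait described for replica sync checking and the two wait-time settings above: the user is held for at least passwordSyncMinWaitTime, the configured replicas are polled for an updated password change time, and the wait ends at passwordSyncMaxWaitTime whether or not every replica has caught up. The replica reads, the polling cadence and the clock are constructed so it runs offline.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed stand-in for the change timestamp PWM observes after writing the new password.
CHANGE_TIME = 1_700_000_000


@dataclass
class SyncResult:
    synced: bool        # every replica reported the new change time before the wait ended
    waited: int         # seconds the user was held on the wait page
    pending: List[str]  # replicas that had not caught up when the wait ended


def wait_for_replica_sync(
    replicas: Dict[str, Callable[[], int]],  # replica name -> read of its last password change time
    change_time: int,
    min_wait: int = 15,                      # passwordSyncMinWaitTime default (seconds)
    max_wait: int = 90,                      # passwordSyncMaxWaitTime default (seconds)
    poll_interval: int = 5,                  # assumed polling cadence, not a PWM setting
    sleep: Callable[[int], None] = lambda seconds: None,
) -> SyncResult:
    """Hold the user at least min_wait seconds; keep polling until every replica shows
    the new change time or max_wait elapses, so the page can never hang indefinitely."""
    waited = 0
    while True:
        pending = [name for name, read in replicas.items() if read() < change_time]
        if not pending and waited >= min_wait:
            return SyncResult(True, waited, [])
        if waited >= max_wait:
            return SyncResult(not pending, waited, pending)
        step = min(poll_interval, max_wait - waited)
        sleep(step)
        waited += step


def run_scenario(catch_up_after: List[int], min_wait: int = 15, max_wait: int = 90) -> SyncResult:
    """Simulate replicas that expose the new change time only after a per-replica delay."""
    clock = {"now": 0}

    def reader(delay: int) -> Callable[[], int]:
        # Until the delay elapses the replica still reports the previous (older) change time.
        return lambda: CHANGE_TIME if clock["now"] >= delay else CHANGE_TIME - 3600

    def advance(seconds: int) -> None:
        clock["now"] += seconds

    replicas = {f"replica{i + 1}": reader(delay) for i, delay in enumerate(catch_up_after)}
    return wait_for_replica_sync(replicas, CHANGE_TIME, min_wait, max_wait, sleep=advance)


if __name__ == "__main__":
    print(run_scenario([0, 10]))    # all replicas caught up; released after the 15 s minimum
    print(run_scenario([0, 200]))   # gives up at the 90 s maximum with replica2 still pending
```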

Label Password Pre-Expire Time
Key expirePreTime
Navigation Modules ⇨ Authenticated ⇨ Change Password ⇨ Profiles ⇨ [profile] ⇨ Password Pre-Expire Time
Syntax DURATION
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
86400
Specify the number of seconds before the users' passwords expire in which to force the users to change their passwords. If the users' passwords expire within this time frame, the system behaves as if the users' passwords have already expired.

Setting this value to a day prevents most cases of users' passwords expiring while they are logged in. The recommended setting for this value is 86400 (1 day).

Label Password Expire Warn Time
Key expireWarnTime
Navigation Modules ⇨ Authenticated ⇨ Change Password ⇨ Profiles ⇨ [profile] ⇨ Password Expire Warn Time
Syntax DURATION
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
432000
Specify the number of seconds before users' passwords expire in which to warn the users to change their passwords. If the users' passwords expire within this time frame, the system warns the user during a CommandServlet checkExpire or checkAll operation.

If this time is zero or less than the expirePreTime, the system disables this feature. The recommended setting for this value is 432000 (5 days).

Label Check Expire During Authentication
Key expireCheckDuringAuth
Navigation Modules ⇨ Authenticated ⇨ Change Password ⇨ Profiles ⇨ [profile] ⇨ Check Expire During Authentication
Syntax BOOLEAN
Level 2
Required True
Confidential False
Scope DOMAIN
Default
True
Enable this option to check to see if authenticated users' passwords are expired (or about to expire based on the expirePreTime). If this is set to true, and the users' passwords are expired, PWM forces the users to the expire password page.
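The following is an added example (not PWM's own code) that works through the three settings above together: it classifies a password against the expirePreTime and expireWarnTime windows, applies the rule that a warn time of zero or shorter than expirePreTime disables warnings, and decides whether expireCheckDuringAuth sends the user to the expire password page. The mapping onto the PasswordExpired / PasswordPreExpired / PasswordWarnPeriod status fields is an assumption, and all timestamps are constructed.

```python
from enum import Enum
from typing import Dict

EXPIRE_PRE_TIME = 86400    # expirePreTime default: 1 day, in seconds
EXPIRE_WARN_TIME = 432000  # expireWarnTime default: 5 days, in seconds


class PasswordState(Enum):
    EXPIRED = "expired"          # expiry time already passed
    PRE_EXPIRED = "pre-expired"  # expires within expirePreTime: treated as already expired
    WARN = "warn"                # expires within expireWarnTime: user is warned on checkExpire/checkAll
    OK = "ok"


def warn_feature_enabled(expire_pre_time: int, expire_warn_time: int) -> bool:
    # A warn time of zero, or one shorter than expirePreTime, disables the warning feature.
    return expire_warn_time > 0 and expire_warn_time >= expire_pre_time


def classify(now: int, expire_time: int,
             expire_pre_time: int = EXPIRE_PRE_TIME,
             expire_warn_time: int = EXPIRE_WARN_TIME) -> PasswordState:
    """Classify a password from its expiry timestamp (epoch seconds) relative to now."""
    remaining = expire_time - now
    if remaining <= 0:
        return PasswordState.EXPIRED
    if remaining <= expire_pre_time:
        return PasswordState.PRE_EXPIRED
    if warn_feature_enabled(expire_pre_time, expire_warn_time) and remaining <= expire_warn_time:
        return PasswordState.WARN
    return PasswordState.OK


def forces_change_at_login(state: PasswordState, expire_check_during_auth: bool = True) -> bool:
    """expireCheckDuringAuth: expired and pre-expired users are forced to the expire password page."""
    return expire_check_during_auth and state in (PasswordState.EXPIRED, PasswordState.PRE_EXPIRED)


def status_fields(now: int, expire_time: int,
                  expire_pre_time: int = EXPIRE_PRE_TIME,
                  expire_warn_time: int = EXPIRE_WARN_TIME) -> Dict[str, bool]:
    """Assumed mapping of the state onto the account information status fields."""
    state = classify(now, expire_time, expire_pre_time, expire_warn_time)
    return {
        "PasswordExpired": state is PasswordState.EXPIRED,
        "PasswordPreExpired": state is PasswordState.PRE_EXPIRED,
        "PasswordWarnPeriod": state is PasswordState.WARN,
    }


if __name__ == "__main__":
    now = 1_700_000_000  # constructed "current time"
    for days in (-1, 0.5, 3, 10):
        expire_time = int(now + days * 86400)
        state = classify(now, expire_time)
        print(f"expires in {days:>4} days: {state.value:12} forced change: {forces_change_at_login(state)}")
```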

Label Post Password Change Actions
Key changePassword.writeAttributes
Navigation Modules ⇨ Authenticated ⇨ Change Password ⇨ Profiles ⇨ [profile] ⇨ Post Password Change Actions
Syntax ACTION
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default

Add actions to take after a user change password event occurs. PWM invokes these actions just after writing the password. You can use macros within the actions; PWM expands them based on the logged-in user.

Label Show Auto Generate Randoms
Key password.showAutoGen
Navigation Modules ⇨ Authenticated ⇨ Change Password ⇨ Profiles ⇨ [profile] ⇨ Show Auto Generate Randoms
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
True
Enable this option to display a link to users during the change password process that shows a list of auto-generated sample passwords that pass the configured password policies. The users have the option to select and use one of the values in the list. This option does not force the user to choose a password from the list.

Settings

The change password module is the core functionality of the application. Use these settings to control the behavior and functionality of the change password functionality that all users see.

Label Enable Change Password Module
Key changePassword.enable
Navigation Modules ⇨ Authenticated ⇨ Change Password ⇨ Settings ⇨ Enable Change Password Module
Syntax BOOLEAN
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
True
Enable or disable the change password module.

Profiles

Profiles

Label Delete Account Profile Match
Key deleteAccount.permission
Navigation Modules ⇨ Authenticated ⇨ Delete Account ⇨ Profiles ⇨ [profile] ⇨ Delete Account Profile Match
Syntax USER_PERMISSION
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default

Specify the permissions to define the set of users for which this profile applies.

Label Delete Account Agreement
Key deleteAccount.agreement
Navigation Modules ⇨ Authenticated ⇨ Delete Account ⇨ Profiles ⇨ [profile] ⇨ Delete Account Agreement
Syntax LOCALIZED_TEXT_AREA
Level 1 (Advanced)
Macro Support True
Required False
Confidential False
Scope DOMAIN
Default

Specify a message to display to the users before allowing them to delete their accounts. If blank, PWM does not display the delete account user agreement page to the users. This message can include HTML tags.


Label Delete LDAP Entry
Key deleteAccount.deleteEntry
Navigation Modules ⇨ Authenticated ⇨ Delete Account ⇨ Profiles ⇨ [profile] ⇨ Delete LDAP Entry
Syntax BOOLEAN
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
False
Enable this option to have PWM delete the user's LDAP entry from the LDAP directory. In many cases, it is desirable not to delete the LDAP entry, but instead to disable the account and take other actions via the Pre-Delete Actions.

Label Pre-Delete Actions
Key deleteAccount.actions
Navigation Modules ⇨ Authenticated ⇨ Delete Account ⇨ Profiles ⇨ [profile] ⇨ Pre-Delete Actions
Syntax ACTION
Level 1 (Advanced)
Macro Support True
Required False
Confidential False
Scope DOMAIN
Default

Add actions to execute during the user deletion process. PWM executes these actions prior to the actual LDAP entry deletion (if so configured). Typically, you use these actions to disable the LDAP account and trigger some type of process that results in an eventual deletion.

Label Next URL
Key deleteAccount.nextUrl
Navigation Modules ⇨ Authenticated ⇨ Delete Account ⇨ Profiles ⇨ [profile] ⇨ Next URL
Syntax STRING
Level 1 (Advanced)
Macro Support True
Required False
Confidential False
Scope DOMAIN
Default

Specify the URL of where to send the user to after deletion. If blank, the normal logout handling occurs.

Settings

Settings

Label Enable Delete Account
Key deleteAccount.enable
Navigation Modules ⇨ Authenticated ⇨ Delete Account ⇨ Settings ⇨ Enable Delete Account
Syntax BOOLEAN
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
False
Enable this option to enable the delete account module for the users.

Guest Registration

Note: The guest user registration module requires that the logged in user has sufficient permissions to create users and if so configured, to check for duplicate values.

Label Enable Guest Registration
Key guest.enable
Navigation Modules ⇨ Authenticated ⇨ Guest Registration ⇨ Enable Guest Registration
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
False
Enable this option to enable guest registration.

Label Creation Context
Key guest.createContext
Navigation Modules ⇨ Authenticated ⇨ Guest Registration ⇨ Creation Context
Syntax STRING
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
ou=guests,o=example
Specify the LDAP context where PWM creates the new guest accounts.

Label Guest Admin Permission
Key guest.adminGroup
Navigation Modules ⇨ Authenticated ⇨ Guest Registration ⇨ Guest Admin Permission
Syntax USER_PERMISSION
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default

Specify the query string PWM uses to detect if a user is a guest administrator. PWM performs an LDAP query during the login process against the logged in user to determine if the user is a guest administrator. If the user matches the query, then the system considers the user a guest administrator.

Label New Guest Form
Key guest.form
Navigation Modules ⇨ Authenticated ⇨ Guest Registration ⇨ New Guest Form
Syntax FORM
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
FormItem Name:cn
 Type:text Min:2 Max:32 ReadOnly:false Required:true Confirm:false Unique:true Multi-Value:false Source:ldap
 Label:{"":"Username"}
 Description:{"":""}
FormItem Name:givenName
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"First Name"}
 Description:{"":""}
FormItem Name:sn
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Last Name"}
 Description:{"":""}
FormItem Name:mail
 Type:email Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:true Multi-Value:false Source:ldap
 Label:{"":"Email Address"}
 Description:{"":""}
FormItem Name:telephoneNumber
 Type:tel Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Telephone Number"}
 Description:{"":""}
Specify the New Guest form creation attributes and fields.

Label Update Guest Form
Key guest.update.form
Navigation Modules ⇨ Authenticated ⇨ Guest Registration ⇨ Update Guest Form
Syntax FORM
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
FormItem Name:cn
 Type:text Min:2 Max:32 ReadOnly:true Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Username"}
 Description:{"":""}
FormItem Name:givenName
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"First Name"}
 Description:{"":""}
FormItem Name:sn
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Last Name"}
 Description:{"":""}
FormItem Name:mail
 Type:email Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:true Multi-Value:false Source:ldap
 Label:{"":"Email Address"}
 Description:{"":""}
FormItem Name:telephoneNumber
 Type:tel Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Telephone Number"}
 Description:{"":""}
Specify the attributes and fields of the form used to update an existing guest account.

Label Guest Creation Actions
Key guest.writeAttributes
Navigation Modules ⇨ Authenticated ⇨ Guest Registration ⇨ Guest Creation Actions
Syntax ACTION
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default

Add actions PWM performs after it creates a guest user. You can use macros.

Label Administrator DN Attribute
Key guest.adminAttribute
Navigation Modules ⇨ Authenticated ⇨ Guest Registration ⇨ Administrator DN Attribute
Syntax STRING
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
manager
Specify the attribute in which PWM writes the DN of the logged in user in LDAP when it creates a guest user. PWM writes this attribute to the user object just after it creates the object.

Label Edit Guest By Original Administrator Only
Key guest.editOriginalAdminOnly
Navigation Modules ⇨ Authenticated ⇨ Guest Registration ⇨ Edit Guest By Original Administrator Only
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
False
Enable this option to only allow the guest administrator who created the guest account to update the guest account details.

Label Maximum Duration of Account Validity
Key guest.maxValidDays
Navigation Modules ⇨ Authenticated ⇨ Guest Registration ⇨ Maximum Duration of Account Validity
Syntax NUMERIC
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
30
Specify the maximum number of days before the system disables the account. The guest administrator can use a calendar widget to select an expiration date, which must be within the account validity window. If this value is zero, PWM does not prompt the guest administrator for an expiration date and it does not record an expiration date on the user.

Label Attribute Used To Store Account Expiration Date
Key guest.expirationAttribute
Navigation Modules ⇨ Authenticated ⇨ Guest Registration ⇨ Attribute Used To Store Account Expiration Date
Syntax STRING
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
loginExpirationTime
Specify the attribute PWM uses to store the account expiration date. If this value is blank, PWM does not prompt the guest administrator for an expiration date and it does not record an expiration date on the user.
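The following is an added example (not PWM's own code) showing how the two settings above combine: the validity window implied by guest.maxValidDays is enforced on the server side rather than trusted from the calendar widget, a zero maximum or a blank attribute records nothing, and the accepted date is rendered as an LDAP GeneralizedTime value for the configured attribute (the GeneralizedTime syntax and the end-of-day cutoff are assumptions).

```python
from datetime import date, datetime, timedelta, timezone
from typing import Dict, Optional

MAX_VALID_DAYS = 30                           # guest.maxValidDays default
EXPIRATION_ATTRIBUTE = "loginExpirationTime"  # guest.expirationAttribute default


def guest_expiration_attribute(
    requested: Optional[date],
    created_on: date,
    max_valid_days: int = MAX_VALID_DAYS,
    attribute: str = EXPIRATION_ATTRIBUTE,
) -> Dict[str, str]:
    """Return the attribute/value pair to write on the new guest entry.

    An empty dict means no expiration is prompted for or recorded, which the page
    specifies for a maximum of zero days or a blank attribute name. Any other case
    requires a date strictly after creation and no later than max_valid_days out."""
    if max_valid_days == 0 or not attribute:
        return {}
    if requested is None:
        raise ValueError("an expiration date is required for guest accounts")
    latest = created_on + timedelta(days=max_valid_days)
    if not (created_on < requested <= latest):
        raise ValueError(f"expiration must fall after {created_on} and no later than {latest}")
    # Assumed: the attribute takes LDAP GeneralizedTime; expire at the end of the chosen day, UTC.
    cutoff = datetime(requested.year, requested.month, requested.day, 23, 59, 59, tzinfo=timezone.utc)
    return {attribute: cutoff.strftime("%Y%m%d%H%M%SZ")}


if __name__ == "__main__":
    created = date(2024, 1, 15)  # constructed creation date
    print(guest_expiration_attribute(date(2024, 2, 14), created))   # last day inside the 30-day window
    print(guest_expiration_attribute(date(2024, 2, 14), created, max_valid_days=0))  # {} : not recorded
    try:
        guest_expiration_attribute(date(2024, 2, 15), created)      # one day past the window
    except ValueError as err:
        print("rejected:", err)
```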

Details

Help Desk Base

Label Help Desk Profile Match
Key helpdesk.queryMatch
Navigation Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Details ⇨ Help Desk Profile Match
Syntax USER_PERMISSION
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default

Specify the users to which this help desk profile definition applies.

Label Help Desk Search Attributes
Key helpdesk.search.form
Navigation Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Details ⇨ Help Desk Search Attributes
Syntax FORM
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
Template Value
default
FormItem Name:cn
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Username"}
 Description:{"":""}
FormItem Name:givenName
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"First Name"}
 Description:{"":""}
FormItem Name:sn
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Last Name"}
 Description:{"":""}
FormItem Name:mail
 Type:email Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Email"}
 Description:{"":""}
FormItem Name:workforceID
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Workforce ID"}
 Description:{"":""}
AD
FormItem Name:sAMAccountName
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Username"}
 Description:{"":""}
FormItem Name:givenName
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"First Name"}
 Description:{"":""}
FormItem Name:sn
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Last Name"}
 Description:{"":""}
FormItem Name:mail
 Type:email Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Email"}
 Description:{"":""}
FormItem Name:userPrincipalName
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"UPN"}
 Description:{"":""}
Specify the attributes used in searching.

Label Help Desk Search Results
Key helpdesk.result.form
Navigation Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Details ⇨ Help Desk Search Results
Syntax FORM
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
Template Value
default
FormItem Name:cn
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Username"}
 Description:{"":""}
FormItem Name:givenName
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"First Name"}
 Description:{"":""}
FormItem Name:sn
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Last Name"}
 Description:{"":""}
FormItem Name:mail
 Type:email Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Email"}
 Description:{"":""}
FormItem Name:workforceID
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Workforce ID"}
 Description:{"":""}
AD
FormItem Name:sAMAccountName
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Username"}
 Description:{"":""}
FormItem Name:givenName
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"First Name"}
 Description:{"":""}
FormItem Name:sn
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Last Name"}
 Description:{"":""}
FormItem Name:mail
 Type:email Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Email"}
 Description:{"":""}
FormItem Name:userPrincipalName
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"UPN"}
 Description:{"":""}
Add the fields PWM shows as a result of help desk searches.


Label Help Desk Search Filter
Key helpdesk.filter
Navigation Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Details ⇨ Help Desk Search Filter
Syntax STRING
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default

Specify the LDAP search filter used to query the directory. Use %USERNAME% as the placeholder for the user-supplied user name. If not specified, PWM automatically calculates a search filter based on the Help Desk Search Attributes.

Examples

  • eDirectory: (&(objectClass=Person)(|(cn=*%USERNAME%*)(uid=*%USERNAME%*)(givenName=*%USERNAME%*)(sn=*%USERNAME%*)))
  • Active Directory: (&(objectClass=Person)(|(cn=*%USERNAME%*)(uid=*%USERNAME%*)(sAMAccountName=*%USERNAME%*)(userprincipalname=*%USERNAME%*)(givenName=*%USERNAME%*)(sn=*%USERNAME%*)))

Label LDAP Search Base
Key helpdesk.searchBase
Navigation Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Details ⇨ LDAP Search Base
Syntax STRING_ARRAY
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default

Specify one or more LDAP search bases. If empty, PWM uses the default LDAP search base.

Label Help Desk Detail Form
Key helpdesk.detail.form
Navigation Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Details ⇨ Help Desk Detail Form
Syntax FORM
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
FormItem Name:cn
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"CN"}
 Description:{"":""}
FormItem Name:uid
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"uid"}
 Description:{"":""}
FormItem Name:givenName
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"First Name"}
 Description:{"":""}
FormItem Name:initials
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Initials"}
 Description:{"":""}
FormItem Name:sn
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Last Name"}
 Description:{"":""}
FormItem Name:fullName
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Full Name"}
 Description:{"":""}
FormItem Name:preferredName
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Preferred Name"}
 Description:{"":""}
FormItem Name:mail
 Type:email Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Email Address"}
 Description:{"":""}
FormItem Name:telephoneNumber
 Type:tel Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Telephone Number"}
 Description:{"":""}
FormItem Name:title
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Title"}
 Description:{"":""}
FormItem Name:ou
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Department"}
 Description:{"":""}
FormItem Name:businessCategory
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Business Category"}
 Description:{"":""}
FormItem Name:company
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Company"}
 Description:{"":""}
FormItem Name:street
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Street"}
 Description:{"":""}
FormItem Name:physicalDeliveryOfficeName
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"City"}
 Description:{"":""}
FormItem Name:st
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"State"}
 Description:{"":""}
FormItem Name:l
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Location"}
 Description:{"":""}
FormItem Name:employeeType
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Employee Type"}
 Description:{"":""}
FormItem Name:employeeStatus
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Employee Status"}
 Description:{"":""}
FormItem Name:workforceID
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Workforce ID"}
 Description:{"":""}
Specify the fields PWM shows during the detail view of an individual.

Label Help Desk Search Result Limit
Key helpdesk.result.limit
Navigation Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Details ⇨ Help Desk Search Result Limit
Syntax NUMERIC
Level 2
Required True
Confidential False
Scope DOMAIN
Default
200
Specify the maximum number of results a help desk search returns.

Label Send Password to User
Key helpdesk.sendPassword
Navigation Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Details ⇨ Send Password to User
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
False
Enable this option to send the password to the user using the method selected under Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ Definition ⇨ New Password Send Method.

Label Post Set Password Actions
Key helpdesk.setPassword.writeAttributes
Navigation Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Details ⇨ Post Set Password Actions
Syntax ACTION
Level 2
Required False
Confidential False
Scope DOMAIN
Default

Add actions the system executes after a Help Desk actor modifies the user's password. You can use macros.

Label Help Desk Actor Actions
Key helpdesk.actions
Navigation Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Details ⇨ Help Desk Actor Actions
Syntax ACTION
Level 2
Required False
Confidential False
Scope DOMAIN
Default

Add actions available to the Help Desk actor. You can use macros.

Label Idle Timeout Seconds for Help Desk Users
Key helpdesk.idleTimeout
Navigation Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Details ⇨ Idle Timeout Seconds for Help Desk Users
Syntax DURATION
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
3600
Specify the number of idle seconds after which PWM ends an authenticated session. PWM applies this idle timeout to the session after a user successfully accesses the Help Desk module.

Label Enforce User Password Policy
Key helpdesk.enforcePasswordPolicy
Navigation Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Details ⇨ Enforce User Password Policy
Syntax BOOLEAN
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
True
Enable this option to require that passwords set by Help Desk operators meet the same password policy that normally constrains the user.

Label Clear Responses on Password Set
Key helpdesk.clearResponses
Navigation Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Details ⇨ Clear Responses on Password Set
Syntax SELECT
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Options
Stored Value | Display
yes | True
ask | Ask
no | False
Default
ask
Enable this option to allow the Help Desk operator to clear out a user's stored responses after changing the user's password.

Label Force Password Expiration On Password Set
Key helpdesk.forcePwExpiration
Navigation Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Details ⇨ Force Password Expiration On Password Set
Syntax BOOLEAN
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
False
Enable this option to force the user's password to expire when the help desk operator sets it.

Label Use Proxy Connection
Key helpdesk.useProxy
Navigation Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Details ⇨ Use Proxy Connection
Syntax BOOLEAN
Level 2
Required False
Confidential False
Scope DOMAIN
Default
False
Enable this option to use the application proxy connection for all actions initiated in the Help Desk module. When disabled, PWM performs actions using the logged-in user's LDAP connection, which requires that the user has the appropriate privileges in the LDAP directory.

Label Person Detail Display Labels
Key helpdesk.displayName.cardLabels
Navigation Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Details ⇨ Person Detail Display Labels
Syntax STRING_ARRAY
Level 1 (Advanced)
Macro Support True
Required False
Confidential False
Scope DOMAIN
Default
@LDAP:givenName@ @LDAP:sn@
@LDAP:title@
@LDAP:mail@
@LDAP:telephoneNumber@
Specify the display labels for the user panel in the Help Desk Search detail. You can use LDAP attribute value macros such as @LDAP:givenName@.

Label Token Send Method
Key helpdesk.token.sendMethod
Navigation Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Details ⇨ Token Send Method
Syntax SELECT
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Options
Stored Value | Display
NONE | None - Token verification will not be available
EMAILONLY | Email - Send to email address
SMSONLY | SMS - Send via SMS
CHOICE_SMS_EMAIL | Operator Choice - If both an SMS number and an email address are available, the help desk operator decides
Default
NONE
Select the methods the system uses for sending the token code to the user.



Options

Help Desk Options

Label Viewable Status Fields
Key helpdesk.viewStatusValues
Navigation Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Options ⇨ Viewable Status Fields
Syntax OPTIONLIST
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Options
Stored Value | Display
AccountEnabled | Account Enabled
AccountExpired | Account Expired
AccountExpirationTime | Account Expiration Time
GUID | GUID
IntruderDetect | Intruder Detect
LastLoginTime | Last Login Time
LastLoginTimeDelta | Last Login Time Delta
PasswordExpired | Password Expired
PasswordExpireTime | Password Expire Time
PasswordPreExpired | Password Pre-Expired
PasswordSetTime | Password Set Time
PasswordSetTimeDelta | Password Set Time Delta
PasswordWarnPeriod | Password Warn Period
ResponsesStored | Responses Stored
ResponsesNeeded | Responses Needed
ResponsesTimestamp | Responses Timestamp
OTPStored | OTP Stored
OTPTimestamp | OTP Timestamp
Username | Username
UserDN | User DN
UserEmail | User Email
UserSMS | User SMS
Default
AccountEnabled
IntruderDetect
LastLoginTime
LastLoginTimeDelta
OTPStored
OTPTimestamp
PasswordExpireTime
PasswordExpired
PasswordPreExpired
PasswordSetTime
PasswordSetTimeDelta
PasswordWarnPeriod
ResponsesNeeded
ResponsesStored
ResponsesTimestamp
UserDN
UserEmail
UserSMS
Username
Select the fields that are available to help desk administrators to view the status of the users.

Label Set Password UI Mode
Key helpdesk.setPassword.mode
Navigation Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Options ⇨ Set Password UI Mode
Syntax SELECT
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Options
Stored Value | Display
none | None
type | Type new password
autogen | Auto generate a list of random passwords to choose from
both | Auto generate a list of random passwords and allow typing of new password
random | Set the password to a random value unknown to the helpdesk operator
Default
autogen
Select the mode to allow Help Desk administrators to set passwords. (Note the logged-in user must have the proper LDAP permissions.)

Label Enable Unlock
Key helpdesk.enableUnlock
Navigation Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Options ⇨ Enable Unlock
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
True
Enable this option to allow Help Desk module users to unlock an LDAP intruder-locked account.

Label Enable Clear Responses Button
Key helpdesk.clearResponses.button
Navigation Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Options ⇨ Enable Clear Responses Button
Syntax BOOLEAN
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
False
Enable this option to allow the Help Desk operator to clear out a user's stored responses by clicking a button.

Label Enable Clear One Time Password Settings Button
Key helpdesk.clearOtp.button
Navigation Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Options ⇨ Enable Clear One Time Password Settings Button
Syntax BOOLEAN
Level 2
Required False
Confidential False
Scope DOMAIN
Default
False
Enable this option to allow the Help Desk operator to clear out a user's stored one-time password settings by clicking a button.

Label Enable Delete User Button
Key helpdesk.deleteUser.button
Navigation Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Options ⇨ Enable Delete User Button
Syntax BOOLEAN
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
False
Enable this option to allow the Help Desk operator to delete the user.

Label Mask Password Value
Key helpdesk.setPassword.maskValue
Navigation Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Options ⇨ Mask Password Value
Syntax BOOLEAN
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
False
Enable this option to have PWM mask the password value while it is being entered for a user.

Label Enable Photos
Key helpdesk.enablePhotos
Navigation Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Options ⇨ Enable Photos
Syntax BOOLEAN
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
True
Enable this option to show photos in the Help Desk search screen.

Label Enable Advanced Search
Key helpdesk.advancedSearch.enable
Navigation Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Options ⇨ Enable Advanced Search
Syntax BOOLEAN
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
True
Enable advanced searching user interface. Allows operators to specify individual attributes for searching.

Verification

Help Desk Verification

Label Verification Methods
Key helpdesk.verificationMethods
Navigation Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Verification ⇨ Verification Methods
Syntax VERIFICATION_METHOD
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
optional methods: n/a, required methods: n/a
Select the verification methods that the Help Desk operators use to confirm the identity of a user. Any method you set to required or optional is available to the Help Desk operator. If one or more methods are set to required, at least one of the required methods must be successfully completed before the Help Desk operator can view the user's details.

Label Verification Attributes
Key helpdesk.verification.form
Navigation Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Verification ⇨ Verification Attributes
Syntax FORM
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
FormItem Name:postalCode
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Postal Code"}
 Description:{"":""}
Specify the attributes used by the LDAP Attributes verification method in the setting Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Verification ⇨ Verification Methods.

Settings

System-wide settings for the Help Desk module.

Label Enable Help Desk Module
Key helpdesk.enable
Navigation Modules ⇨ Authenticated ⇨ Help Desk ⇨ Settings ⇨ Enable Help Desk Module
Syntax BOOLEAN
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
False
Enable this option to enable the Help Desk module.

People Search

The People Search module provides basic white pages (directory lookup) functionality to your users. Customizations allow easy searching and quick display of detailed information about your users' colleagues.


People Search Profiles

Label Permitted Users
Key peopleSearch.queryMatch
Navigation Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ Permitted Users
Syntax USER_PERMISSION
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
UserPermission: All Users: [Profile: 'all']
Define an LDAP directory filter that contains the users permitted to access the People Search module.

Label Search Attributes
Key peopleSearch.search.form
Navigation Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ Search Attributes
Syntax FORM
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
FormItem Name:givenName
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"First Name"}
 Description:{"":""}
FormItem Name:sn
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Last Name"}
 Description:{"":""}
FormItem Name:title
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Title"}
 Description:{"":""}
FormItem Name:mail
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Email"}
 Description:{"":""}
Add a list of LDAP attributes to search when generating an automatic search filter for the setting Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ People Search LDAP Filter. PWM also uses it to determine which fields in the user detail form it shows in the "Like" search option.

Label Search Result Attributes
Key peopleSearch.result.form
Navigation Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ Search Result Attributes
Syntax FORM
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
FormItem Name:givenName
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"First Name"}
 Description:{"":""}
FormItem Name:sn
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Last Name"}
 Description:{"":""}
FormItem Name:title
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Title"}
 Description:{"":""}
FormItem Name:mail
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Email"}
 Description:{"":""}
FormItem Name:telephoneNumber
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Telephone"}
 Description:{"":""}
Specify the attributes the People Search module shows in the search results table during searches.

Label Search Detail Attributes
Key peopleSearch.detail.form
Navigation Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ Search Detail Attributes
Syntax FORM
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
FormItem Name:givenName
 Type:text Min:1 Max:64 ReadOnly:true Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"First Name"}
 Description:{"":""}
FormItem Name:sn
 Type:text Min:1 Max:64 ReadOnly:true Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Last Name"}
 Description:{"":""}
FormItem Name:fullName
 Type:text Min:1 Max:64 ReadOnly:true Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Full Name"}
 Description:{"":""}
FormItem Name:mail
 Type:email Min:1 Max:64 ReadOnly:true Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Email Address"}
 Description:{"":""}
FormItem Name:telephoneNumber
 Type:tel Min:1 Max:64 ReadOnly:true Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Telephone Number"}
 Description:{"":""}
FormItem Name:title
 Type:text Min:1 Max:64 ReadOnly:true Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Title"}
 Description:{"":""}
FormItem Name:ou
 Type:text Min:1 Max:64 ReadOnly:true Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Department"}
 Description:{"":""}
FormItem Name:businessCategory
 Type:text Min:1 Max:64 ReadOnly:true Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Business Category"}
 Description:{"":""}
FormItem Name:company
 Type:text Min:1 Max:64 ReadOnly:true Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Company"}
 Description:{"":""}
FormItem Name:street
 Type:text Min:1 Max:64 ReadOnly:true Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Street"}
 Description:{"":""}
FormItem Name:physicalDeliveryOfficeName
 Type:text Min:1 Max:64 ReadOnly:true Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"City"}
 Description:{"":""}
FormItem Name:st
 Type:text Min:1 Max:64 ReadOnly:true Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"State"}
 Description:{"":""}
FormItem Name:l
 Type:text Min:1 Max:64 ReadOnly:true Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Location"}
 Description:{"":""}
FormItem Name:employeeType
 Type:text Min:1 Max:64 ReadOnly:true Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Employee Type"}
 Description:{"":""}
FormItem Name:employeeStatus
 Type:text Min:1 Max:64 ReadOnly:true Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Employee Status"}
 Description:{"":""}
FormItem Name:assistant
 Type:userDN Min:1 Max:64 ReadOnly:true Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Assistant"}
 Description:{"":""}
FormItem Name:manager
 Type:userDN Min:1 Max:64 ReadOnly:true Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Manager"}
 Description:{"":""}
FormItem Name:directReports
 Type:userDN Min:1 Max:64 ReadOnly:true Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Direct Reports"}
 Description:{"":""}
Specify attributes to show in the detail view of an individual person's record.

Label Search Result Limit
Key peopleSearch.result.limit
Navigation Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ Search Result Limit
Syntax NUMERIC
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
200
Specify the maximum number of records PWM returns while searching.

Label Use Proxy LDAP Account
Key peopleSearch.useProxy
Navigation Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ Use Proxy LDAP Account
Syntax BOOLEAN
Level 2
Required True
Confidential False
Scope DOMAIN
Default
False
Enable this option to use the LDAP proxy account to perform searches. For proper security in most environments, do not enable this setting.

Label Person Detail Display Labels
Key peopleSearch.displayName.cardLabels
Navigation Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ Person Detail Display Labels
Syntax STRING_ARRAY
Level 1 (Advanced)
Macro Support True
Required False
Confidential False
Scope DOMAIN
Default
@LDAP:givenName@ @LDAP:sn@
@LDAP:title@
@LDAP:mail@
@LDAP:telephoneNumber@
Specify the display labels for the user panel in the People Search detail and on the organizational chart views. You can use LDAP attribute value macros such as @LDAP:givenName@.

Label Maximum Cache Seconds
Key peopleSearch.maxCacheSeconds
Navigation Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ Maximum Cache Seconds
Syntax DURATION
Level 2
Required False
Confidential False
Scope DOMAIN
Default
600
Specify the number of seconds that PWM caches the results of searches and record details that it reads from eDirectory. Use this setting to control the maximum amount of time PWM can use cached data. Setting to zero disables the cache entirely, but this might negatively impact the scalability of the application and the LDAP directory.

Label Enable Photos
Key peopleSearch.enablePhoto
Navigation Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ Enable Photos
Syntax BOOLEAN
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
True
Enable this option to show photos of people in the organizational chart and the detail user view.

Label Photo Display Permission
Key peopleSearch.photo.queryFilter
Navigation Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ Photo Display Permission
Syntax USER_PERMISSION
Level 2
Required False
Confidential False
Scope DOMAIN
Default
UserPermission: All Users: [Profile: 'all']
Specify an LDAP permission filter to control photo visibility when displaying an organizational chart or detail record view. If a user does not match this permission, PWM does not display the user's photo.

Label People Search LDAP Filter
Key peopleSearch.searchFilter
Navigation Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ People Search LDAP Filter
Syntax STRING
Level 2
Required False
Confidential False
Scope DOMAIN
Default

Specify the LDAP search filter the People Search module uses to query the directory. Substitute %USERNAME% for user-supplied user names. If blank, PWM auto-generates the search filter based on the values in the setting Modules ⇨ Authenticated ⇨ People Search ⇨ Search Attributes.

Example: (&(objectClass=Person)(|(givenName=*%USERNAME%*)(sn=*%USERNAME%*)(mail=*%USERNAME%*)(telephoneNumber=*%USERNAME%*)))
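The Help Desk Search Filter and People Search LDAP Filter settings both accept a %USERNAME% template and otherwise fall back to a filter built from the search attributes. The Python below is an added example, not PWM's own (Java) code: it assembles that filter, escapes the substituted user input per RFC 4515, and checks a hand-written template for the unbalanced nested group that creeps into such filters. The auto-calculated shape is inferred from the page's example filters, and escaping '*' in user input is this example's choice so that only the template's own wildcards apply.

```python
"""Added example, not PWM's own (Java) code: how the %USERNAME% search
filters of the Help Desk Search Filter and People Search LDAP Filter
settings are assembled and filled in.

The auto-generated shape, (&(objectClass=Person)(|...)) with a substring
match per search attribute, is taken from the page's example filters,
not from PWM source.  Escaping the user's input per RFC 4515, including
'*', is this example's choice: only the template's own wildcards apply.
"""

# RFC 4515 escapes for a value embedded in a filter assertion.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape user input so it can only ever be matched, never parsed."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def auto_filter(search_attributes, object_class: str = "Person") -> str:
    """Filter an auto-calculation would build when the setting is blank."""
    if not search_attributes:
        raise ValueError("at least one search attribute is required")
    clauses = "".join(f"({attr}=*%USERNAME%*)" for attr in search_attributes)
    return f"(&(objectClass={object_class})(|{clauses}))"


def check_filter_syntax(ldap_filter: str) -> bool:
    """Catch the two mistakes that make a hand-written filter unusable:
    unbalanced parentheses and a nested group without an operator ('((')."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and "((" not in ldap_filter


def effective_filter(configured_filter: str, search_attributes) -> str:
    """Blank setting -> auto-calculated filter, otherwise the admin's template."""
    template = configured_filter.strip() or auto_filter(search_attributes)
    if not check_filter_syntax(template):
        raise ValueError(f"malformed LDAP filter: {template}")
    return template


def render_filter(template: str, username: str) -> str:
    """Substitute the escaped user input for %USERNAME%."""
    return template.replace("%USERNAME%", escape_filter_value(username))


# Constructed sample: the 'default' template's Help Desk search attributes
# from the page, with a blank Help Desk Search Filter setting.
HELPDESK_SEARCH_ATTRIBUTES = ["cn", "givenName", "sn", "mail", "workforceID"]

if __name__ == "__main__":
    template = effective_filter("", HELPDESK_SEARCH_ATTRIBUTES)
    print(template)
    print(render_filter(template, "smith"))
```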

Label LDAP Search base
Key peopleSearch.searchBase
Navigation Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ LDAP Search base
Syntax STRING_ARRAY
Level 2
Required False
Confidential False
Scope DOMAIN
Default

Specify the LDAP search bases for the People Search module. If empty, PWM uses the default LDAP search bases.

Label Enable Organizational Chart
Key peopleSearch.enableOrgChart
Navigation Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ Enable Organizational Chart
Syntax BOOLEAN
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
True
Enable this option to show an organizational chart of users.

Label Enable Export
Key peopleSearch.enableExport
Navigation Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ Enable Export
Syntax BOOLEAN
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
False
Enable this option to allow download of organizational chart data.

Label Enable Team Mailto
Key peopleSearch.enableTeamMailto
Navigation Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ Enable Team Mailto
Syntax BOOLEAN
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
False
Enable this option to show a link that emails a team of users in the org chart view.

Label Enable Printing
Key peopleSearch.enablePrinting
Navigation Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ Enable Printing
Syntax BOOLEAN
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
False
Enable this option to show a print option in the org chart view.

Label Idle Timeout Seconds
Key peopleSearch.idleTimeout
Navigation Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ Idle Timeout Seconds
Syntax DURATION
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
0
Specify the number of seconds after which an authenticated session becomes unauthenticated. If the value is 0, PWM uses the system-wide idle timeout value. If a user is using the People Search module without authenticating, the system does not apply a timeout.

Label Enable Advanced Search
Key peopleSearch.advancedSearch.enable
Navigation Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ Enable Advanced Search
Syntax BOOLEAN
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
False
Enable advanced searching user interface. Allows users to specify individual attributes for searching.


People Search Settings

Label Enable People Search
Key peopleSearch.enable
Navigation Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Settings ⇨ Enable People Search
Syntax BOOLEAN
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
False
Enable this option to enable the People Search module.

Label Enable People Search Public (Non-Authenticated) Access
Key peopleSearch.enablePublic
Navigation Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Settings ⇨ Enable People Search Public (Non-Authenticated) Access
Syntax BOOLEAN
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
False
Enable this option to allow access to the People Search module for unauthenticated users.

Label People Search Public Profile
Key peopleSearch.public.profile
Navigation Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Settings ⇨ People Search Public Profile
Syntax STRING
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
default
Name of the People Search profile to be used by public users.

OTP Profile

Options for time-based one time passwords.

Label One Time Password Profile Match
Key otp.secret.allowSetup.queryMatch
Navigation Modules ⇨ Authenticated ⇨ Setup OTP ⇨ OTP Profile ⇨ [profile] ⇨ One Time Password Profile Match
Syntax USER_PERMISSION
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
UserPermission: All Users: [Profile: 'all']
Specify the set of users that this OTP Setup profile will include.

Label Force Setup of One Time Passwords
Key otp.forceSetup
Navigation Modules ⇨ Authenticated ⇨ Setup OTP ⇨ OTP Profile ⇨ [profile] ⇨ Force Setup of One Time Passwords
Syntax SELECT
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Options
Stored Value | Display
FORCE | Force Setup
FORCE_ALLOW_SKIP | Force Setup - but allow user to skip
SKIP | Do not force setup
Default
SKIP
When one-time passwords are enabled, select a mode to have PWM direct the user to configure a one-time password secret when logging in. PWM forces the user to configure a one-time password if they do not have a current valid secret stored.

Label OTP Secret Identifier
Key otp.secret.identifier
Navigation Modules ⇨ Authenticated ⇨ Setup OTP ⇨ OTP Profile ⇨ [profile] ⇨ OTP Secret Identifier
Syntax STRING
Level 2
Required True
Confidential False
Scope DOMAIN
Default
@User:Email@
Specify the User Identifier for OTP. Macros are available.

Label OTP Recovery Codes
Key otp.secret.recoveryCodes
Navigation Modules ⇨ Authenticated ⇨ Setup OTP ⇨ OTP Profile ⇨ [profile] ⇨ OTP Recovery Codes
Syntax NUMERIC
Level 2
Required True
Confidential False
Scope DOMAIN
Default
5
Specify the number of OTP recovery codes to supply to the users. Recovery codes can be used one time each to authenticate and are intended for occasions when the users lose access to their OTP devices. Set to zero to disable recovery codes. Not all storage formats support recovery codes.

OTP Settings

Options for time-based one time passwords.

Label Allow Saving One Time Passwords
Key otp.enabled
Navigation Modules ⇨ Authenticated ⇨ Setup OTP ⇨ OTP Settings ⇨ Allow Saving One Time Passwords
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
False
Enable this option to allow the user to configure and save a one-time password.

Label OTP Secret Read Location
Key otp.secret.readPreference
Navigation Modules ⇨ Authenticated ⇨ Setup OTP ⇨ OTP Settings ⇨ OTP Secret Read Location
Syntax SELECT
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Options
Stored Value | Display
LDAP | LDAP
LDAP-DB | LDAP, Database
LDAP-DB-LOCALDB | LDAP, Database, LocalDB
LDAP-LOCALDB | LDAP, LocalDB
LDAP-LOCALDB-DB | LDAP, LocalDB, Database
DB | Database
DB-LDAP | Database, LDAP
DB-LDAP-LOCALDB | Database, LDAP, LocalDB
DB-LOCALDB | Database, LocalDB
DB-LOCALDB-LDAP | Database, LocalDB, LDAP
LOCALDB | LocalDB
LOCALDB-DB | LocalDB, Database
LOCALDB-DB-LDAP | LocalDB, Database, LDAP
LOCALDB-LDAP | LocalDB, LDAP
LOCALDB-LDAP-DB | LocalDB, LDAP, Database
Default
Template | Value
default | LDAP
DB | DB
LOCALDB | LOCALDB
Select the location from which PWM reads the OTP secret. If you select an option with multiple values, PWM reads each location in turn until it finds a stored secret.

Label OTP Secret Write Location
Key otp.secret.writePreference
Navigation Modules ⇨ Authenticated ⇨ Setup OTP ⇨ OTP Settings ⇨ OTP Secret Write Location
Syntax SELECT
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Options
Stored Value       Display
LDAP               LDAP
LDAP-DB            LDAP, Database
LDAP-LOCALDB       LDAP, LocalDB
LDAP-DB-LOCALDB    LDAP, Database, LocalDB
DB                 Database
DB-LOCALDB         Database, LocalDB
LOCALDB            LocalDB
Default
Template   Value
default    LDAP
DB         DB
LOCALDB    LOCALDB
Select the location to which PWM writes the OTP secret. PWM writes to all selected storage methods when the user configures their OTP secret.

Label Token Storage Method
Key otp.secret.storageFormat
Navigation Modules ⇨ Authenticated ⇨ Setup OTP ⇨ OTP Settings ⇨ Token Storage Method
Syntax SELECT
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Options
Stored Value     Display
PWM              JSON
BASE32SECRET     Base32 secret
OTPURL           OTP URL
PAM              PAM text
Default
PWM
Select the storage format used to save one time password secrets.
Format          Description
PWM JSON        Store the secret, descriptions, and recovery codes in PWM native (JSON) format.
Base32 secret   Store only the TOTP secret as a base32-encoded string. This format does not support recovery codes or counter-based tokens.
OTP URL         Store the secret and description as an otpauth:// URL, the same string used for generating the QR code. This format does not support recovery codes.
PAM text        Store the secret, description, and recovery codes in the text file format used by the Google Authenticator PAM module.
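The following is an added example, not code from PWM, showing what each storage format above actually carries and why the Base32 and OTP URL formats cannot hold recovery codes: it computes an RFC 6238 TOTP code from a base32 secret, emits the secret as an otpauth:// URL, as Google Authenticator PAM text (secret line, `" `-prefixed option lines, then one recovery code per line) and as a JSON record, and consumes a recovery code so it can be used only once. The JSON layout and the PBKDF-style helper names are this example's own assumptions; the otpauth label format `issuer:identifier` and the PAM file layout follow the public conventions for those formats, and the RFC 6238 test secret is a constructed value.

```python
import base64
import hashlib
import hmac
import json
import secrets
import struct
import time
from urllib.parse import parse_qs, quote, unquote, urlparse


def totp(secret_b32, at_time=None, digits=6, step=30):
    """RFC 6238 TOTP code (HMAC-SHA1, 30-second step) for a base32 secret."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    now = int(time.time()) if at_time is None else int(at_time)
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def generate_recovery_codes(count=5, digits=8):
    """One-time recovery codes; 'count' plays the role of otp.secret.recoveryCodes."""
    return [str(secrets.randbelow(10 ** digits)).zfill(digits) for _ in range(count)]


def redeem_recovery_code(codes, candidate):
    """Consume a recovery code: returns (accepted, remaining_codes)."""
    for i, code in enumerate(codes):
        if hmac.compare_digest(code, candidate):
            return True, codes[:i] + codes[i + 1:]
    return False, list(codes)


# --- OTP URL format: secret plus label and issuer, the string a QR code encodes.
def to_otpauth_url(secret_b32, identifier, issuer="PWM"):
    label = quote(f"{issuer}:{identifier}", safe="")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={quote(issuer, safe='')}&digits=6&period=30")


def from_otpauth_url(url):
    parts = urlparse(url)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URL")
    issuer, _, identifier = unquote(parts.path.lstrip("/")).partition(":")
    query = parse_qs(parts.query)
    return query["secret"][0], identifier, query.get("issuer", [issuer])[0]


# --- PAM text format: google-authenticator file layout, recovery codes included.
def to_pam_text(secret_b32, recovery_codes):
    lines = [secret_b32, '" RATE_LIMIT 3 30', '" TOTP_AUTH'] + list(recovery_codes)
    return "\n".join(lines) + "\n"


def from_pam_text(text):
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    secret, rest = lines[0], lines[1:]
    options = [ln[2:] for ln in rest if ln.startswith('" ')]
    codes = [ln for ln in rest if not ln.startswith('"')]
    return secret, options, codes


# --- JSON format: an assumed layout for this example, not PWM's native schema.
def to_json_record(secret_b32, identifier, recovery_codes):
    return json.dumps({"identifier": identifier, "secret": secret_b32,
                       "recoveryCodes": list(recovery_codes)}, sort_keys=True)


if __name__ == "__main__":
    # Constructed RFC 6238 test secret (ASCII "12345678901234567890" in base32).
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    codes = generate_recovery_codes(5)
    print(totp(secret, at_time=59))  # RFC 6238 vector: 287082
    print(to_otpauth_url(secret, "alice@example.com"))
    print(to_pam_text(secret, codes))
    print(to_json_record(secret, "alice@example.com", codes))
```

The base32 string alone is the Base32 secret format; round-tripping through `to_otpauth_url` and `to_pam_text` shows that only the PAM and JSON forms have anywhere to put the recovery codes, which is why recovery codes are silently unavailable under the other two storage methods.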

Label Encrypt OTP secret
Key otp.secret.encrypt
Navigation Modules ⇨ Authenticated ⇨ Setup OTP ⇨ OTP Settings ⇨ Encrypt OTP secret
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
False
Enable this option to have PWM use the Security Key to encrypt and decrypt token information, so that it is not readable as plain text. Multiple application instances must use the same Security Key. If you change the Security Key, stored OTP secrets are no longer usable.

Setup Security Profiles

Settings that control the Challenge/Response features. These global settings apply regardless of the challenge policy. For profile-specific challenge settings, see Profiles --> Challenge Profiles.

Label Force Response Setup
Key challenge.forceSetup
Navigation Modules ⇨ Authenticated ⇨ Setup Security Questions ⇨ Setup Security Profiles ⇨ [profile] ⇨ Force Response Setup
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
True
Enable this option to direct the users to configure Challenge/Response when they log in. PWM forces the users to enter responses if they do not have current valid responses stored.


Label Show Response Confirmation
Key challenge.showConfirmation
Navigation Modules ⇨ Authenticated ⇨ Setup Security Questions ⇨ Setup Security Profiles ⇨ [profile] ⇨ Show Response Confirmation
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
False
Enable this option to show the responses to the user after they configure them. This gives your users an opportunity to read and review their responses before submitting; however, it shows the responses on the screen and makes them visible to anyone else watching the user's screen.

Label Save Challenge Permission
Key challenge.allowSetup.queryMatch
Navigation Modules ⇨ Authenticated ⇨ Setup Security Questions ⇨ Setup Security Profiles ⇨ [profile] ⇨ Save Challenge Permission
Syntax USER_PERMISSION
Level 2
Required True
Confidential False
Scope DOMAIN
Default
UserPermission: All Users: [Profile: 'all']
Specify the permission used to determine whether users are permitted to configure challenges. This LDAP query must return the user, or PWM does not permit the user to configure challenges.

Label Check Responses Match
Key command.checkResponses.queryMatch
Navigation Modules ⇨ Authenticated ⇨ Setup Security Questions ⇨ Setup Security Profiles ⇨ [profile] ⇨ Check Responses Match
Syntax USER_PERMISSION
Level 2
Required True
Confidential False
Scope DOMAIN
Default
UserPermission: All Users: [Profile: 'all']
Controls which users are forced to set up responses. Users who match this permission are forced to set up responses.

Setup Security Settings

Settings that control the Challenge/Response features. These global settings apply regardless of the challenge policy. For profile-specific challenge settings, see Profiles --> Challenge Profiles.

Label Enable Setup Responses
Key challenge.enable
Navigation Modules ⇨ Authenticated ⇨ Setup Security Questions ⇨ Setup Security Settings ⇨ Enable Setup Responses
Syntax BOOLEAN
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
True
Enable this option to have the save responses page available to users. (Default enabled)

Label Case Insensitive Responses
Key challenge.caseInsensitive
Navigation Modules ⇨ Authenticated ⇨ Setup Security Questions ⇨ Setup Security Settings ⇨ Case Insensitive Responses
Syntax BOOLEAN
Level 2
Required True
Confidential False
Scope DOMAIN
Default
True
Enable this option to make responses case insensitive. If enabled, PWM deems a response correct even if its case is wrong. Changing this value does not change existing stored responses: PWM saves the case-sensitivity flag with each user's stored responses.

Label Allow Duplicate Responses
Key challenge.allowDuplicateResponses
Navigation Modules ⇨ Authenticated ⇨ Setup Security Questions ⇨ Setup Security Settings ⇨ Allow Duplicate Responses
Syntax BOOLEAN
Level 2
Required True
Confidential False
Scope DOMAIN
Default
False
Enable this option to allow duplicate responses when setting up security responses.

Shortcut Menu

The shortcut menu displays a list of clickable links to users. This functionality might be useful as a basic landing page for users.

Label Enable Shortcuts
Key shortcut.enable
Navigation Modules ⇨ Authenticated ⇨ Shortcut Menu ⇨ Enable Shortcuts
Syntax BOOLEAN
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
False
Enable this option to enable the shortcuts module.

Label Shortcut Items
Key shortcut.items
Navigation Modules ⇨ Authenticated ⇨ Shortcut Menu ⇨ Shortcut Items
Syntax LOCALIZED_STRING_ARRAY
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
Locale: default
  Google::http://www.google.com::(objectClass=person)::Google Search
  Example::http://www.Example.com::(&(objectClass=person)(cn=n*))::Example Page
  Yahoo::http://www.yahoo.com::(objectClass=person)::Yahoo Home Page
Specify the list of available shortcuts.

Format: label::url::ldapQuery::description
label         Label to show to users
url           HTTP URL to direct the user to
ldapQuery     Valid LDAP-syntax query; if the user matches this query, PWM shows the shortcut to the user
description   Long description of the shortcut

Label Shortcut Headers
Key shortcut.httpHeaders
Navigation Modules ⇨ Authenticated ⇨ Shortcut Menu ⇨ Shortcut Headers
Syntax STRING_ARRAY
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default

Specify the HTTP Headers to use to control the visible list of shortcuts. If this header is present, PWM uses these values to determine which of the configured shortcuts are available to a user. The values must correspond to the label values specified as part of the shortcut items. When this header is present, PWM does not use the ldapQuery portion of the shortcut items and instead displays the shortcuts only if the label is present in the header.

Values can be set in multiple headers, or by comma separating the values.

A blank value disables this feature.

Warning: Only enable this feature if an upstream proxy/gateway server controls this header value. Otherwise it may be possible for a client to inject this value and view shortcuts not otherwise visible.
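As an added illustration of the Shortcut Items format and the Shortcut Headers override described above (example code, not PWM's implementation), the block below parses `label::url::ldapQuery::description` lines, evaluates the ldapQuery part against a user's attributes with a small RFC 4515 filter matcher (supporting `&`, `|`, `!` and equality with `*` wildcards, which covers the default items), and applies the header rule: when label values arrive in the header, whether in several headers or comma-separated, they replace the LDAP query entirely. The sample items are the defaults listed above; the user attribute dictionaries are constructed, and the header values are assumed to come from the trusted upstream proxy that the warning requires.

```python
import re
from dataclasses import dataclass

# Constructed sample: the three default shortcut items from the setting above.
SHORTCUT_ITEMS = """
Google::http://www.google.com::(objectClass=person)::Google Search
Example::http://www.Example.com::(&(objectClass=person)(cn=n*))::Example Page
Yahoo::http://www.yahoo.com::(objectClass=person)::Yahoo Home Page
"""


@dataclass
class Shortcut:
    label: str
    url: str
    ldap_query: str
    description: str


def parse_shortcut_items(text):
    """One shortcut per non-empty line, exactly four '::'-separated fields."""
    items = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split("::")
        if len(parts) != 4:
            raise ValueError(f"expected label::url::ldapQuery::description, got {line!r}")
        items.append(Shortcut(*parts))
    return items


def parse_filter(text):
    """Parse an RFC 4515 filter into nested tuples (& | ! and '=' with * wildcards only)."""
    pos = 0

    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at {pos}")
        pos += 1
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(parse())
            if text[pos] != ")":
                raise ValueError(f"expected ')' at {pos}")
            pos += 1
            return (op, children)
        end = text.index(")", pos)
        attr, sep, value = text[pos:end].partition("=")
        if not sep:
            raise ValueError("only equality matches are supported")
        pos = end + 1
        return ("=", attr.strip().lower(), value)

    node = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def match_filter(node, attrs):
    """attrs: {lowercase attribute name: [values]}; value matching is case-insensitive."""
    kind = node[0]
    if kind == "&":
        return all(match_filter(c, attrs) for c in node[1])
    if kind == "|":
        return any(match_filter(c, attrs) for c in node[1])
    if kind == "!":
        return not any(match_filter(c, attrs) for c in node[1])
    _, attr, value = node
    pattern = ".*".join(re.escape(part) for part in value.split("*"))
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in attrs.get(attr, []))


def parse_header_values(header_values):
    """Labels may arrive in several headers or comma-separated within one header."""
    labels = []
    for raw in header_values:
        labels.extend(v.strip() for v in raw.split(",") if v.strip())
    return labels


def visible_shortcuts(items, user_attrs, header_values=()):
    """Header labels (set by a trusted proxy) win; otherwise the ldapQuery decides."""
    labels = parse_header_values(header_values)
    if labels:
        return [s for s in items if s.label in labels]
    return [s for s in items if match_filter(parse_filter(s.ldap_query), user_attrs)]
```

Running `visible_shortcuts` with and without header values makes the warning concrete: a header value of `Example` exposes the Example shortcut to a user whose `cn` does not match `n*`, so the header must only ever be accepted from the proxy, never from the client.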


Label Launch Shortcuts in New Window
Key shortcut.newWindow
Navigation Modules ⇨ Authenticated ⇨ Shortcut Menu ⇨ Launch Shortcuts in New Window
Syntax BOOLEAN
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
False
Enable this option to launch shortcuts in a new window (or tab).

Update Profile Profiles


Label Update Profile Match
Key updateAttributes.queryMatch
Navigation Modules ⇨ Authenticated ⇨ Update Profile ⇨ Update Profile Profiles ⇨ [profile] ⇨ Update Profile Match
Syntax USER_PERMISSION
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
UserPermission: All Users: [Profile: 'all']
Add an LDAP query that only allows users who match this query to update their profiles.

Label Update Profile Actions
Key updateAttributes.writeAttributes
Navigation Modules ⇨ Authenticated ⇨ Update Profile ⇨ Update Profile Profiles ⇨ [profile] ⇨ Update Profile Actions
Syntax ACTION
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default

Add actions to execute after PWM populates a user's attributes.

Label Force Update Profile
Key updateAttributes.forceSetup
Navigation Modules ⇨ Authenticated ⇨ Update Profile ⇨ Update Profile Profiles ⇨ [profile] ⇨ Force Update Profile
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
False
Enable this option to present the Update Profile module to the users upon login if the users do not satisfy the form configuration conditions. Specifically, PWM checks the Required and Regular Expression conditions against the current LDAP form values. The users cannot perform other functions until they update the form values to values that match the form configuration.

Label Update Profile Agreement Message
Key display.updateAttributes.agreement
Navigation Modules ⇨ Authenticated ⇨ Update Profile ⇨ Update Profile Profiles ⇨ [profile] ⇨ Update Profile Agreement Message
Syntax LOCALIZED_TEXT_AREA
Level 1 (Advanced)
Macro Support True
Required False
Confidential False
Scope DOMAIN
Default

Specify a message to display to the users before allowing them to update their profiles. If blank, PWM does not display the update profile agreement page to the users. This message can include HTML tags.


Label Update Profile Form
Key updateAttributes.form
Navigation Modules ⇨ Authenticated ⇨ Update Profile ⇨ Update Profile Profiles ⇨ [profile] ⇨ Update Profile Form
Syntax FORM
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
FormItem Name:mail
 Type:email Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:true Multi-Value:false Source:ldap
 Label:{"":"Email Address"}
 Description:{"":""}
FormItem Name:title
 Type:text Min:1 Max:64 ReadOnly:false Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Title"}
 Description:{"":""}
FormItem Name:telephoneNumber
 Type:tel Min:1 Max:64 ReadOnly:false Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Telephone Number"}
 Description:{"":""}
Update Profile Form values.

Label Show Update Profile Confirmation
Key updateAttributes.showConfirmation
Navigation Modules ⇨ Authenticated ⇨ Update Profile ⇨ Update Profile Profiles ⇨ [profile] ⇨ Show Update Profile Confirmation
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
True
Enable this option to show the updated attributes to the users after they configure them. This gives your users an opportunity to read and review their attributes before submitting; however, it shows the attribute values on the screen and makes them visible to anyone else watching the user's screen.

Label Enable Email Verification
Key updateAttributes.email.verification
Navigation Modules ⇨ Authenticated ⇨ Update Profile ⇨ Update Profile Profiles ⇨ [profile] ⇨ Enable Email Verification
Syntax BOOLEAN
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
False
Enable this option to send an email to the user's email address before PWM updates the account. The user's email must change to cause this verification email to be sent. The user must verify receipt of the email before PWM updates the account.

Label Enable SMS Verification
Key updateAttributes.sms.verification
Navigation Modules ⇨ Authenticated ⇨ Update Profile ⇨ Update Profile Profiles ⇨ [profile] ⇨ Enable SMS Verification
Syntax BOOLEAN
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
False
Enable this option to send an SMS to the users' mobile phone numbers before updating the account. The user must verify receipt of the SMS before PWM updates the account.

Label Update Profile Email Token Maximum Lifetime
Key updateAttributes.token.lifetime
Navigation Modules ⇨ Authenticated ⇨ Update Profile ⇨ Update Profile Profiles ⇨ [profile] ⇨ Update Profile Email Token Maximum Lifetime
Syntax DURATION
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
0
Specify the lifetime (in seconds) for which an update profile email token is valid. The default is 0. When set to 0, the effective value is inherited from the setting Settings ⇨ Tokens ⇨ Token Maximum Lifetime.

Label Update Profile SMS Token Maximum Lifetime
Key updateAttributes.token.lifetime.sms
Navigation Modules ⇨ Authenticated ⇨ Update Profile ⇨ Update Profile Profiles ⇨ [profile] ⇨ Update Profile SMS Token Maximum Lifetime
Syntax DURATION
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
0
Specify the lifetime (in seconds) for which an update profile SMS token is valid. The default is 0. When set to 0, the effective value is inherited from the setting Settings ⇨ Tokens ⇨ Token Maximum Lifetime.

Label Custom Links
Key updateAttributes.customLinks
Navigation Modules ⇨ Authenticated ⇨ Update Profile ⇨ Update Profile Profiles ⇨ [profile] ⇨ Custom Links
Syntax CUSTOMLINKS
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default

Create custom links for users to navigate to while updating their profile data.


Update Profile Settings


Label Enable Update Profile
Key updateAttributes.enable
Navigation Modules ⇨ Authenticated ⇨ Update Profile ⇨ Update Profile Settings ⇨ Enable Update Profile
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
False
Enable the option to Update Profile Attributes. If true, this setting enables the Update Profile module.

Definition

Label Forgotten Password Profile Match
Key recovery.queryMatch
Navigation Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ Definition ⇨ Forgotten Password Profile Match
Syntax USER_PERMISSION
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
Template    Value
default     UserPermission: All Users: [Profile: 'all']
ORACLE_DS   UserPermission: All Users: [Profile: 'all']
AD          UserPermission: All Users: [Profile: 'all']
Add an LDAP filter that defines the set of users that PWM assigns to this profile.

Label Verification Methods
Key recovery.verificationMethods
Navigation Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ Definition ⇨ Verification Methods
Syntax VERIFICATION_METHOD
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
optional methods: n/a, required methods: ["Secret Questions and Answers"]
Select the verification methods PWM uses during the forgotten password process. The users must satisfy each option set to required. The users can then select any of the remaining optional methods until they complete the minimum number of optional methods.

You can modify the names and descriptions shown to users for these methods by editing the display text keys Field_VerificationMethod[Method] and Description_VerificationMethod[Method], where [Method] is the method type.

Label Token Send Method
Key challenge.token.sendMethod
Navigation Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ Definition ⇨ Token Send Method
Syntax SELECT
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Options
Stored Value        Display
EMAILONLY           Email - Send to email address
SMSONLY             SMS - Send via SMS
CHOICE_SMS_EMAIL    User Choice - If both SMS and email address is available, user decides
Default
EMAILONLY
Select the methods you want to use for sending the token code or new password to the user.

Label Forgotten Password Recovery Mode
Key recovery.action
Navigation Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ Definition ⇨ Forgotten Password Recovery Mode
Syntax SELECT
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Options
Stored Value            Display
RESETPW                 Allow user to set new password
SENDNEWPW               Send new password
SENDNEWPW_AND_EXPIRE    Send new password and mark as expired
Default
RESETPW
Add actions to take when the user completes the forgotten password process.

Label New Password Send Method
Key recovery.sendNewPassword.sendMethod
Navigation Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ Definition ⇨ New Password Send Method
Syntax SELECT
Level 2
Required False
Confidential False
Scope DOMAIN
Options
Stored Value    Display
EMAILONLY       Email - Send to email address
SMSONLY         SMS - Send via SMS
Default
EMAILONLY
Select the method used to send a new password to users when the Forgotten Password Recovery Mode is set to Send new password.

Label Required LDAP Attributes
Key challenge.requiredAttributes
Navigation Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ Definition ⇨ Required LDAP Attributes
Syntax FORM
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default

Add the required LDAP attributes for forgotten password authentication. The users must supply these attributes as part of the forgotten password authentication process. The LDAP Proxy User requires the LDAP compare permission to these attributes.

OAuth

Label OAuth Login URL
Key recovery.oauth.idserver.loginUrl
Navigation Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ OAuth ⇨ OAuth Login URL
Syntax STRING
Level 2
Required False
Confidential False
Scope DOMAIN
Default

Specify the OAuth server login URL. PWM redirects the user to this URL for authentication.

Label OAuth Code Resolve Service URL
Key recovery.oauth.idserver.codeResolveUrl
Navigation Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ OAuth ⇨ OAuth Code Resolve Service URL
Syntax STRING
Level 2
Required False
Confidential False
Scope DOMAIN
Default

Specify the OAuth Token / Code Resolve Service URL. PWM uses this web service URL to resolve the artifact returned by the OAuth identity server.

Label OAuth Profile Service URL
Key recovery.oauth.idserver.attributesUrl
Navigation Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ OAuth ⇨ OAuth Profile Service URL
Syntax STRING
Level 2
Required False
Confidential False
Scope DOMAIN
Default

Specify the web service URL provided by the identity server to return attribute data about the user.

Label OAuth Web Service Server Certificate
Key recovery.oauth.idserver.serverCerts
Navigation Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ OAuth ⇨ OAuth Web Service Server Certificate
Syntax X509CERT
Level 2
Required False
Confidential False
Scope DOMAIN
Default

Import the certificate for the OAuth web service server.

Label OAuth Client ID
Key recovery.oauth.idserver.clientName
Navigation Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ OAuth ⇨ OAuth Client ID
Syntax STRING
Level 2
Required False
Confidential False
Scope DOMAIN
Default

Specify the OAuth client ID. The OAuth identity service provider gives you this value.

Label OAuth Shared Secret
Key recovery.oauth.idserver.secret
Navigation Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ OAuth ⇨ OAuth Shared Secret
Syntax PASSWORD
Level 2
Required False
Confidential True
Scope DOMAIN
Default
*hidden*
Specify the OAuth shared secret. The OAuth identity service provider gives you this value.

Label OAuth User Name/DN Login Attribute
Key recovery.oauth.idserver.dnAttributeName
Navigation Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ OAuth ⇨ OAuth User Name/DN Login Attribute
Syntax STRING
Level 2
Required False
Confidential False
Scope DOMAIN
Default

Specify the attribute to request from the OAuth server that PWM uses as the user name for local authentication. PWM then resolves this value the same as if the user had typed it at the local authentication page.

Label OAuth Inject User Name Value
Key recovery.oauth.idserver.usernameSendValue
Navigation Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ OAuth ⇨ OAuth Inject User Name Value
Syntax STRING
Level 2
Macro Support True
Required False
Confidential False
Scope DOMAIN
Default

Specify the user name value to send as part of the /grant redirect request. The remote OAuth server must support the /sign endpoint for this to work.

Options

Options for forgotten password configuration.

Label Allow Intruder Unlock
Key challenge.allowUnlock
Navigation Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ Options ⇨ Allow Intruder Unlock
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
True
Enable this option to allow users to intruder unlock their account during forgotten password. If true, and if the users' accounts are intruder locked due to too many invalid login attempts, and the users' passwords are not expired, then PWM gives the users a chance to unlock their accounts instead of resetting their passwords.

Label Allow Forgotten Password when Locked
Key recovery.allowWhenLocked
Navigation Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ Options ⇨ Allow Forgotten Password when Locked
Syntax BOOLEAN
Level 2
Required False
Confidential False
Scope DOMAIN
Default
False
Enable this option to allow users to use the forgotten password feature when the account is intruder locked in LDAP. This feature is not available when a user is using NMAS stored responses.

Label Allow Token Resend
Key recovery.token.resend.enable
Navigation Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ Options ⇨ Allow Token Resend
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
True
Allow the user to resend a token in case they did not receive it.

Label Minimum Password Lifetime Options
Key recovery.minimumPasswordLifetimeOptions
Navigation Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ Options ⇨ Minimum Password Lifetime Options
Syntax SELECT
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Options
Stored Value    Display
ALLOW           Allow - Allow normal action (ignore minimum lifetime)
UNLOCKONLY      UnlockOnly - Allow only intruder password unlock
NONE            None - Prohibit usage of the forgotten password module
Default
ALLOW
Options to control behavior when a user attempts to use the forgotten password module while their password is within the minimum password policy lifetime window of their effective password policy. These options are only relevant if the user has an effective minimum password lifetime as part of their password policy.

Label Forgotten Password Post Actions
Key recovery.postActions
Navigation Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ Options ⇨ Forgotten Password Post Actions
Syntax ACTION
Level 2
Required False
Confidential False
Scope DOMAIN
Default

Actions to execute after a user has successfully completed the forgotten password sequence and the user's password has been modified. You can use macros.

Label Agreement Message
Key recovery.changeAgreement
Navigation Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ Options ⇨ Agreement Message
Syntax LOCALIZED_TEXT_AREA
Level 1 (Advanced)
Macro Support True
Required False
Confidential False
Scope DOMAIN
Default

Specify a message to display to users before allowing them to recover their forgotten passwords. If blank, PWM does not display the agreement page to the users. This message can include HTML tags.

This setting can use macros. For more information about macros, see the "View" menu "Show Macro Help".



Settings

Settings for forgotten password configuration.

Label Enable Forgotten Password
Key recovery.enable
Navigation Modules ⇨ Public ⇨ Forgotten Password ⇨ Settings ⇨ Enable Forgotten Password
Syntax BOOLEAN
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
True
Enable this option to have the forgotten password recovery available to users.

Label Forgotten Password User Search Form
Key recovery.form
Navigation Modules ⇨ Public ⇨ Forgotten Password ⇨ Settings ⇨ Forgotten Password User Search Form
Syntax FORM
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
Template    Value
default     FormItem Name:cn Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap Label:{"":"Username"} Description:{"":""}
ORACLE_DS   FormItem Name:uid Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap Label:{"":"Username"} Description:{"":""}
AD          FormItem Name:sAMAccountName Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap Label:{"":"Username"} Description:{"":""}
Specify the form fields for the forgotten password module. PWM requires the users to enter each attribute. Ideally, the form requires the users to enter some personal data that is not publicly known.

Label Forgotten Password User Search Filter
Key recovery.searchFilter
Navigation Modules ⇨ Public ⇨ Forgotten Password ⇨ Settings ⇨ Forgotten Password User Search Filter
Syntax STRING
Level 2
Required False
Confidential False
Scope DOMAIN
Default

Add an LDAP search filter PWM uses to search for users during forgotten password recovery. The LDAP search filter must include each attribute in the Forgotten Password User Search Form. PWM replaces tokens made of a form item name (such as cn) enclosed with a percent sign %cn% with values supplied by the user.

For example, if the Forgotten Password User Search Form included the attributes cn and sn, then this filter might be appropriate:

(&(objectClass=person)(cn=%cn%)(sn=%sn%))

If this setting is left blank, PWM automatically generates a search filter based on the required items in the Forgotten Password User Search Form.

Label Response Read Location
Key recovery.response.readPreference
Navigation Modules ⇨ Public ⇨ Forgotten Password ⇨ Settings ⇨ Response Read Location
Syntax SELECT
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Options
Stored Value       Display
LDAP               LDAP
LDAP-DB            LDAP, Database
LDAP-DB-LOCALDB    LDAP, Database, LocalDB
LDAP-LOCALDB       LDAP, LocalDB
LDAP-LOCALDB-DB    LDAP, LocalDB, Database
DB                 Database
DB-LDAP            Database, LDAP
DB-LDAP-LOCALDB    Database, LDAP, LocalDB
DB-LOCALDB         Database, LocalDB
DB-LOCALDB-LDAP    Database, LocalDB, LDAP
LOCALDB            LocalDB
LOCALDB-DB         LocalDB, Database
LOCALDB-DB-LDAP    LocalDB, Database, LDAP
LOCALDB-LDAP       LocalDB, LDAP
LOCALDB-LDAP-DB    LocalDB, LDAP, Database
Default
Template   Value
default    LDAP
DB         DB
LOCALDB    LOCALDB
Select the location where PWM reads the responses. If you select an option with multiple values, PWM reads each location in turn until it finds a stored response.

Label Response Write Location
Key recovery.response.writePreference
Navigation Modules ⇨ Public ⇨ Forgotten Password ⇨ Settings ⇨ Response Write Location
Syntax SELECT
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Options
Stored Value       Display
LDAP               LDAP
LDAP-DB            LDAP, Database
LDAP-LOCALDB       LDAP, LocalDB
LDAP-DB-LOCALDB    LDAP, Database, LocalDB
DB                 Database
DB-LOCALDB         Database, LocalDB
LOCALDB            LocalDB
Default
Template   Value
default    LDAP
DB         DB
LOCALDB    LOCALDB

Select the location where PWM writes the responses. PWM writes to all storage methods when the user configures their response answers.

WARNING: Never use the LocalDB to store responses in a production system as there are no methods to make the LocalDB storage redundant, nor are optimal backup methods available for the LocalDB.


Label Responses Storage Hashing Method
Key response.hashMethod
Navigation Modules ⇨ Public ⇨ Forgotten Password ⇨ Settings ⇨ Responses Storage Hashing Method
Syntax SELECT
Level 2
Required True
Confidential False
Scope DOMAIN
Options
Stored Value     Display
TEXT             None (Plaintext)
MD5              MD5
SHA1             SHA1
SHA1_SALT        SHA-1 with Salt
SHA256_SALT      SHA-256 with Salt
SHA512_SALT      SHA-512 with Salt
PBKDF2           PBKDF2WithHmacSHA1
PBKDF2_SHA256    PBKDF2WithHmacSHA256
PBKDF2_SHA512    PBKDF2WithHmacSHA512
BCRYPT           BCrypt
SCRYPT           SCrypt
Default
PBKDF2_SHA512

Select the method of hashing PWM uses to store responses. Storing the responses as plaintext might facilitate synchronization or migration to other systems but is not secure.

This setting only controls how PWM writes the responses. PWM can always read stored responses in other formats. PWM cannot convert existing responses until a user re-saves their responses. You can use the reporting engine to identify and count the hash types in use.
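Added example (not PWM's storage code) tying together two settings on this page: Responses Storage Hashing Method above, whose write-only nature means old and new hash formats coexist until each user re-saves, and Case Insensitive Responses under Setup Security Settings, whose flag is saved with each user's responses. The record layout, the PBKDF2 iteration count and the two supported methods (the PBKDF2_SHA512 default and SHA1_SALT as a legacy format) are this example's assumptions; it writes only in the current method, verifies whatever method a record carries, and counts methods in use the way a reporting pass would.

```python
import base64
import hashlib
import hmac
import os
import unicodedata
from collections import Counter

CURRENT_METHOD = "PBKDF2_SHA512"   # plays the role of response.hashMethod
PBKDF2_ITERATIONS = 100_000        # assumed work factor for this example


def _normalize(answer, case_insensitive):
    """Apply the case rule that was in force when the record was written."""
    text = unicodedata.normalize("NFC", answer.strip())
    return text.casefold() if case_insensitive else text


def hash_response(answer, case_insensitive=True, method=CURRENT_METHOD, salt=None):
    """Hash one answer; the record carries everything needed to verify it later."""
    salt = os.urandom(16) if salt is None else salt
    data = _normalize(answer, case_insensitive).encode("utf-8")
    if method == "PBKDF2_SHA512":
        digest = hashlib.pbkdf2_hmac("sha512", data, salt, PBKDF2_ITERATIONS)
    elif method == "SHA1_SALT":  # legacy format: still readable, never written anew
        digest = hashlib.sha1(salt + data).digest()
    else:
        raise ValueError(f"unsupported method {method}")
    return {
        "method": method,
        "iterations": PBKDF2_ITERATIONS if method.startswith("PBKDF2") else 0,
        "salt": base64.b64encode(salt).decode(),
        "hash": base64.b64encode(digest).decode(),
        "caseInsensitive": case_insensitive,
    }


def verify_response(record, candidate):
    """Verify against the method and case flag stored in the record itself."""
    salt = base64.b64decode(record["salt"])
    data = _normalize(candidate, record["caseInsensitive"]).encode("utf-8")
    if record["method"] == "PBKDF2_SHA512":
        digest = hashlib.pbkdf2_hmac("sha512", data, salt, record["iterations"])
    elif record["method"] == "SHA1_SALT":
        digest = hashlib.sha1(salt + data).digest()
    else:
        return False
    return hmac.compare_digest(digest, base64.b64decode(record["hash"]))


def needs_rehash(record, current_method=CURRENT_METHOD):
    """True when the user should be prompted to re-save under the current method."""
    return record["method"] != current_method


def hash_method_report(records):
    """Count of hash methods in use, as a reporting engine would summarise them."""
    return dict(Counter(r["method"] for r in records))
```

Because the case flag travels with the record, flipping Case Insensitive Responses later changes only new records, exactly as the setting's description says; `needs_rehash` is how you would find users still on a legacy method after changing the hashing setting.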


Label Enable Bogus User Policy
Key recovery.bogus.user.enable
Navigation Modules ⇨ Public ⇨ Forgotten Password ⇨ Settings ⇨ Enable Bogus User Policy
Syntax BOOLEAN
Level 2
Required False
Confidential False
Scope DOMAIN
Default
False
Enable this option to have forgotten password act as though invalid user searches are valid, and present such users with a bogus forgotten password policy. This can help prevent username discovery.



Forgotten User Name

Allows a user to search for a forgotten user name using a configurable search filter and attributes.

Label Enable Forgotten User Name
Key forgottenUsername.enable
Navigation Modules ⇨ Public ⇨ Forgotten User Name ⇨ Enable Forgotten User Name
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
False
Enable this option to enable the forgotten user name module.

Label Forgotten User Name Form
Key forgottenUsername.form
Navigation Modules ⇨ Public ⇨ Forgotten User Name ⇨ Forgotten User Name Form
Syntax FORM
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
FormItem Name:mail
 Type:email Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Email Address"}
 Description:{"":""}
FormItem Name:sn
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Last Name"}
 Description:{"":""}
Add fields PWM uses to search for the user name.

Label Forgotten User Name Search Filter
Key forgottenUsername.searchFilter
Navigation Modules ⇨ Public ⇨ Forgotten User Name ⇨ Forgotten User Name Search Filter
Syntax STRING
Level 2
Required False
Confidential False
Scope DOMAIN
Default

Specify an LDAP search filter PWM uses to search for users during forgotten user name recovery. The LDAP search filter must include each attribute in the Forgotten User Name Form. PWM replaces the tokens made of a form item name (such as cn) enclosed with a percent sign %cn% with values supplied by the user.

For example, if the Forgotten User Name Form included the attributes cn and sn, then this filter might be appropriate:

(&(objectClass=person)(cn=%cn%)(sn=%sn%))

If this setting is left blank, PWM automatically generates a search filter based on the required items in the Forgotten User Name Form at the time of the search.
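The `%cn%` token substitution described for the Forgotten User Name Search Filter here and for the Forgotten Password User Search Filter earlier on this page places user-typed form values inside an LDAP filter, so the values must be escaped as RFC 4515 assertion values rather than spliced in raw. The block below is an added example, not PWM's code: it substitutes every `%name%` token with the escaped form value, refuses to build a filter when a token has no value, and, for the blank-setting case, derives a filter from the required form items. The `(objectClass=person)` base clause in the generated filter and the form item dictionaries are this example's assumptions.

```python
import re

# A token is a form item name wrapped in percent signs, e.g. %cn% or %sAMAccountName%.
TOKEN = re.compile(r"%([A-Za-z][A-Za-z0-9-]*)%")


def escape_filter_value(value):
    """RFC 4515 escaping for assertion values taken from user input."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_search_filter(template, form_values):
    """Replace %name% tokens with escaped values; every token must be satisfied."""
    def replace(match):
        name = match.group(1)
        if name not in form_values:
            raise KeyError(f"form did not supply a value for %{name}%")
        return escape_filter_value(form_values[name])
    return TOKEN.sub(replace, template)


def generate_search_filter(form_items, form_values, base_filter="(objectClass=person)"):
    """Blank setting: derive the filter from the required form items (base clause assumed)."""
    clauses = [base_filter]
    for item in form_items:
        if item["required"]:
            value = escape_filter_value(form_values[item["name"]])
            clauses.append(f"({item['name']}={value})")
    return "(&" + "".join(clauses) + ")"


if __name__ == "__main__":
    # Constructed form values; the second shows a wildcard being neutralised.
    print(build_search_filter("(&(objectClass=person)(cn=%cn%)(sn=%sn%))",
                              {"cn": "jsmith", "sn": "Smith"}))
    print(build_search_filter("(&(objectClass=person)(mail=%mail%))", {"mail": "*"}))
    default_form = [{"name": "mail", "required": True}, {"name": "sn", "required": True}]
    print(generate_search_filter(default_form, {"mail": "a@example.com", "sn": "Lee"}))
```

With escaping in place a submitted `*` becomes `\2a`, so a search form value can only ever match one literal attribute value, which is what keeps the filter from returning more than the intended user.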

Label Forgotten User Name Message
Key forgottenUsername.message
Navigation Modules ⇨ Public ⇨ Forgotten User Name ⇨ Forgotten User Name Message
Syntax LOCALIZED_TEXT_AREA
Level 1 (Advanced)
Macro Support True
Required False
Confidential False
Scope DOMAIN
Default
Locale: default
 Your username is @User:ID@. Please record your username for future use.
Locale: zh
 您的用户名是 @User:ID@。请记录你的用户名以供将来使用。
Locale: zh-TW
 您的使用者名稱為 @User:ID@。請記錄您的使用者名稱以供日後使用。
Locale: cs
 Vaše přihlašovací jméno je @User:ID@. Prosíme zapamatujte si své přihlašovací jméno.
Locale: nl
 Uw gebruikersnaam is @User:ID@. Onthoud uw gebruikersnaam voor later gebruik.
Locale: fi
 Käyttäjätunnuksesi on @User:ID@. Tallenna se myöhempää käyttöä varten.
Locale: fr
 Votre nom d'utilisateur est @User:ID@. Enregistrez-le pour pouvoir l'utiliser ultérieurement.
Locale: de
 Ihr Benutzername ist @User:ID@. Notieren Sie sich den Benutzernamen für den späteren Gebrauch.
Locale: he
 שם המשתמש שלך הינו @User:ID@. אנא זכור מידע זה לשימוש עתידי.
Locale: hu
 Az Ön felhasználóneve %field%. Kérem jegyezze föl, hogy a jövőben használni tudja.
Locale: it
 Il tuo nome utente è @User:ID@. Per favore annotati il tuo nome utente per uso futuro.
Locale: ja
 ユーザ名は @User:ID@ です。将来の使用に備えてユーザ名を記録しておいてください。
Locale: no
 Brukernavnet ditt er @User:ID@. Vennligst ta vare på ditt brukernavn for fremtidig bruk.
Locale: nn
 Brukarnamnet ditt er %field%. Ver venleg å ta vare på brukarnamnet ditt for framtidig bruk.
Locale: pl
 Twoja nazwa użytkownika to @User:ID@. Należy zapisać swoją nazwę użytkownika na przyszłość.
Locale: pt
 Seu nome de utilizador é @User:ID@. Por favor, registe seu nome de utilizador para uso futuro.
Locale: pt-BR
 Seu nome de usuário é @User:ID@. Registre seu nome de usuário para uso futuro.
Locale: sk
 Vaše používateľské meno je @User:ID@. Uložte si toto meno pre ďalšie použitie.
Locale: es
 Su nombre de usuario es @User:ID@. Guarde el nombre de usuario para tener una referencia en el futuro.
Locale: sv
 Ditt användarnamn är @User:ID@. Anteckna ditt användarnamn för framtida bruk.
Locale: th
 ชื้อผู้ใช้ของคุณคือ @User:ID@ กรุณาใส่ชื่อผู้ใช้ของคุณสำหรับการใช้งานในอนาคต
Locale: tr
 Kullanıcı adınız @User:ID@ . Kullanıcı adınızı unutmayın.
Edit the message to show to a user upon a successful forgotten user name action.

Label User Name Send Method
Key forgottenUsername.sendUsername.sendMethod
Navigation Modules ⇨ Public ⇨ Forgotten User Name ⇨ User Name Send Method
Syntax SELECT
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Options
Stored Value | Display
NONE | None - Do not send email
EMAILONLY | Email - Send to email address
SMSONLY | SMS - Send via SMS
Default
NONE
Select the method used to send the user name to the user. You can use macros in the content of the message as appropriate.

New User Profiles

New user self-registration settings. The new user registration module requires that the proxy user has sufficient permissions to create users and, if so configured, to check for duplicate values. PWM creates new users in the default LDAP directory profile.

Label New User Form
Key newUser.form
Navigation Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile] ⇨ New User Form
Syntax FORM
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
FormItem Name:mail
 Type:email Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:true Multi-Value:false Source:ldap
 Label:{"":"Email Address"}
 Description:{"":""}
 Regex:^[a-zA-Z0-9 .,'@]*$ Regex Error:{"":"Email Address has invalid characters"}
FormItem Name:givenName
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"First Name"}
 Description:{"":""}
 Regex:^[a-zA-Z0-9 .,'@]*$ Regex Error:{"":""}
FormItem Name:sn
 Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
 Label:{"":"Last Name"}
 Description:{"":""}
 Regex:^[a-zA-Z0-9 .,'@]*$ Regex Error:{"":""}
Specify the attributes and fields of the New User form. These determine what information the user must fill in before the new user form is submitted to create the account.

Label LDAP Profile
Key newUser.ldapProfile
Navigation Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile] ⇨ LDAP Profile
Syntax STRING
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default

Specify the LDAP profile in which you would like PWM to create new users. If blank, the default LDAP profile is used when creating new users.

Label Creation Context
Key newUser.createContext
Navigation Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile] ⇨ Creation Context
Syntax STRING
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
ou=users,o=example
Specify the LDAP context where you would like PWM to create new users. You can use macros in this setting.

Label New User Agreement Message
Key display.newuser.agreement
Navigation Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile] ⇨ New User Agreement Message
Syntax LOCALIZED_TEXT_AREA
Level 1 (Advanced)
Macro Support True
Required False
Confidential False
Scope DOMAIN
Default

Specify a message to display to users before allowing them to register as a new user. If blank, PWM will not display the new user agreement page to the user trying to register. This New User Agreement Message can also include HTML tags.


Label Profile Display Name
Key newUser.profile.displayName
Navigation Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile] ⇨ Profile Display Name
Syntax LOCALIZED_STRING
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default

Specify the publicly viewable display name of this profile. This value will only be seen if the profile was enabled to be shown publicly.

Label Profile Visible on Menu
Key newUser.profile.visible
Navigation Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile] ⇨ Profile Visible on Menu
Syntax BOOLEAN
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
True
Show this New User profile to users when they select New User registration. If disabled, this profile is still available by direct URL but is not shown as a selectable profile.

Label New User Actions
Key newUser.writeAttributes
Navigation Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile] ⇨ New User Actions
Syntax ACTION
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default

Specify the actions the system takes when it creates a user. The actions will be executed just after the user is created in the LDAP directory. You can use macros in this setting.

Label Delete On Creation Failure
Key newUser.deleteOnFail
Navigation Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile] ⇨ Delete On Creation Failure
Syntax BOOLEAN
Level 2
Required False
Confidential False
Scope DOMAIN
Default
True
Enable this option to have PWM delete the new user account if the creation fails for some reason. It deletes the (potentially partially-created) "broken" account in LDAP.

Label Logout After Creation
Key newUser.logoutAfterCreation
Navigation Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile] ⇨ Logout After Creation
Syntax BOOLEAN
Level 2
Required False
Confidential False
Scope DOMAIN
Default
False
Enable this option to force the new user to log out (and redirect them to the logout URL) after the account has been created.

Leave this option disabled (default) to make PWM automatically login the new user.

Label LDAP Entry ID Definition
Key newUser.username.definition
Navigation Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile] ⇨ LDAP Entry ID Definition
Syntax STRING_ARRAY
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
@RandomChar:16:ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@

Specify the display name or entry ID that is used as the value of the LDAP naming attribute for newly registered users. Some directories use an LDAP entry ID instead of a user name.

When you enable this setting, the system generates an entry ID made of random characters by default. You must specify macros for this setting. For more information about macros, see Configuring Macros for Messages and Actions.

If you leave this field blank, the system does not generate a random user name or entry ID.

For example, specify the value @User:Email@ to use the newly registered user's email address as their display name or entry ID in the LDAP directory.

When multiple values are entered and the first value already exists, each value is tried in order until an unused value is found.
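The candidate-selection behaviour described above, as an added example that is not PWM's own code: it expands the two macro forms shown on this page (`@RandomChar:N:charset@` and `@User:Email@`) and tries each definition in order until one is not already in use. The function names, the `user_values` dictionary keyed by the macro attribute name, and the `is_taken` callback standing in for the directory lookup are all assumptions of this example. Random characters come from `secrets`, so the generated entry ID is unpredictable rather than merely unique.

```python
import re
import secrets
from typing import Callable, Dict, Sequence

# Macro forms taken from this page; the regular expressions are an assumption
# of this example, not PWM's parser.
_RANDOM_CHAR = re.compile(r"@RandomChar:(\d+):([^@]+)@")
_USER_ATTR = re.compile(r"@User:([A-Za-z]+)@")

# Default definition shown on the page.
CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
DEFINITIONS = ["@User:Email@", "@RandomChar:16:" + CHARSET + "@"]


def expand_entry_id(definition: str, user_values: Dict[str, str]) -> str:
    """Expand one entry ID definition into a concrete candidate value."""

    def random_chars(m: re.Match) -> str:
        length, charset = int(m.group(1)), m.group(2)
        # secrets.choice is a CSPRNG; random.choice would be guessable.
        return "".join(secrets.choice(charset) for _ in range(length))

    def user_attr(m: re.Match) -> str:
        key = m.group(1)
        if key not in user_values:
            raise KeyError(f"no form value for macro @User:{key}@")
        return user_values[key]

    # RandomChar is expanded first; its charset cannot contain '@', so the
    # output is never re-scanned as another macro. User values are inserted
    # last and are likewise never re-scanned, so an email address containing
    # '@' cannot smuggle in a macro.
    expanded = _RANDOM_CHAR.sub(random_chars, definition)
    return _USER_ATTR.sub(user_attr, expanded)


def choose_entry_id(
    definitions: Sequence[str],
    user_values: Dict[str, str],
    is_taken: Callable[[str], bool],
) -> str:
    """Try each definition in order; return the first value not already in use.

    `is_taken` stands in for the LDAP search PWM would perform (assumption).
    """
    for definition in definitions:
        candidate = expand_entry_id(definition, user_values)
        if not is_taken(candidate):
            return candidate
    raise RuntimeError("every candidate entry ID is already in use")


if __name__ == "__main__":
    # Constructed sample: the email address is already taken, so the random
    # definition is used.
    existing = {"jane@example.com"}
    print(choose_entry_id(DEFINITIONS, {"Email": "jane@example.com"},
                          lambda c: c in existing))
```

When the first definition collides, the fallback is only as good as its entropy: 16 characters from a 36-symbol alphabet gives roughly 82 bits, which is why the page's default is a sensible last resort.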


Label Enable New User Email Verification
Key newUser.email.verification
Navigation Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile] ⇨ Enable New User Email Verification
Syntax BOOLEAN
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
True
Enable this option to have PWM send an email to the new user's email address before it creates the account. The new user must verify receipt of the email before PWM creates the account. All of your email settings must also be configured before this works. Test the email settings to verify that this email will be sent.

Label Enable New User SMS Verification
Key newUser.sms.verification
Navigation Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile] ⇨ Enable New User SMS Verification
Syntax BOOLEAN
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
False
Enable this option to have PWM send an SMS message to the new user's mobile phone number before it creates the account. The new user must verify receipt of the SMS message before PWM creates the account. Ensure that the user has entered their SMS information.

Label Enable New User External Verification
Key newUser.external.verification
Navigation Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile] ⇨ Enable New User External Verification
Syntax BOOLEAN
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
False
Enable this option to have PWM invoke the external verification method for a new user. The new user must verify the external responses before PWM creates the account.

Label Password Policy Template
Key newUser.passwordPolicy.user
Navigation Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile] ⇨ Password Policy Template
Syntax STRING
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
TESTUSER
Specify a valid LDAP user DN that PWM can use as a template for the new user password policy. If the value is the literal value "TESTUSER", PWM uses the configured test user's password policy as the policy for the new user prior to its actual creation in the LDAP directory.

Label New User Minimum Wait Time
Key newUser.minimumWaitTime
Navigation Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile] ⇨ New User Minimum Wait Time
Syntax DURATION
Level 2
Required False
Confidential False
Scope DOMAIN
Default
10
Specify a delay time during a new user creation. PWM delays the creation of the user for at least this amount of time before forwarding the user to the next activity.

Specify the value in seconds.

Label After Registration Redirect URL
Key newUser.redirectUrl
Navigation Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile] ⇨ After Registration Redirect URL
Syntax STRING
Level 1 (Advanced)
Macro Support True
Required False
Confidential False
Scope DOMAIN
Default

URL to redirect user to after new user registration process is completed.

Label Prompt User for Password
Key newUser.promptForPassword
Navigation Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile] ⇨ Prompt User for Password
Syntax BOOLEAN
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
True
Prompt user for password during user registration. If not enabled, a random password will be assigned to the user. In most cases you will want this enabled.

Label New User Email Token Maximum Lifetime
Key newUser.token.lifetime
Navigation Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile] ⇨ New User Email Token Maximum Lifetime
Syntax DURATION
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
0
Specify the lifetime (in seconds) for which a new user email token is valid. The default is 0. When set to 0, the effective value is inherited from the setting Settings ⇨ Tokens ⇨ Token Maximum Lifetime.

Label New User SMS Token Maximum Lifetime
Key newUser.token.lifetime.sms
Navigation Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile] ⇨ New User SMS Token Maximum Lifetime
Syntax DURATION
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
0
Specify the lifetime (in seconds) for which a new user SMS token is valid. The default is 0. When set to 0, the effective value is inherited from the setting Settings ⇨ Tokens ⇨ Token Maximum Lifetime.

New User Settings

New user self-registration settings. The new user registration module requires that the proxy user has sufficient permissions to create users and, if so configured, to check for duplicate values. PWM creates new users in the default LDAP directory profile.

Label Enable New User Registration
Key newUser.enable
Navigation Modules ⇨ Public ⇨ New User Registration ⇨ New User Settings ⇨ Enable New User Registration
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
False
Enable this option to enable the new user registration module and show new user registration as an option on the public menu and login pages.

Settings

The user activation module enables users to activate an account with which they have not previously authenticated. The user does not need to know the password to activate the account. Configure the settings so that users can only execute this function once. Existing users cannot use this function.

Label Enable User Activation
Key activateUser.enable
Navigation Modules ⇨ Public ⇨ User Activation ⇨ Settings ⇨ Enable User Activation
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
False
Enables the new user activation module.

Label Activate User Form
Key activateUser.form
Navigation Modules ⇨ Public ⇨ User Activation ⇨ Settings ⇨ Activate User Form
Syntax FORM
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
Template | Value
default | FormItem Name:cn Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap Label:{"":"Username"} Description:{"":""}
ORACLE_DS | FormItem Name:uid Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap Label:{"":"Username"} Description:{"":""}
AD | FormItem Name:sAMAccountName Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap Label:{"":"Username"} Description:{"":""}
Specify the form fields for activate user module. PWM requires the users to enter each attribute specified. Ideally, add attributes that require the user to enter some personal data that is not publicly known.

Label Activation Search Filter
Key activateUser.searchFilter
Navigation Modules ⇨ Public ⇨ User Activation ⇨ Settings ⇨ Activation Search Filter
Syntax STRING
Level 2
Required False
Confidential False
Scope DOMAIN
Default

Specify an LDAP search filter PWM uses to search for users during the user activation. Include each attribute in the Activate User Form in the LDAP search filter. PWM replaces tokens made of a form item name (such as cn) enclosed with a percent sign %cn% with values supplied by the user.

For example, if the Activate User Form includes the attributes cn and sn, then this filter might be appropriate:

(&(objectClass=person)(cn=%cn%)(sn=%sn%))

PWM tests any attributes listed in the form but not used in the search filter by performing an LDAP compare operation with the user supplied value.

If this setting is left blank, PWM automatically generates a search filter based on the required items in the Activate User Form.
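The token substitution described for both the Forgotten User Name Search Filter and the Activation Search Filter above, as an added example that is not PWM's own code. It replaces `%name%` tokens with the user-supplied form values, escapes those values per RFC 4515 so that a value such as `*)(objectClass=*` cannot widen the search, reports which form items the filter does not reference (the ones the text says are checked by an LDAP compare instead), and generates a filter from the required form items when the setting is blank. The function names, the `(objectClass=person)` base clause used by the generator, and the form-item dictionaries are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# A token is a form item name wrapped in percent signs, e.g. %cn% or %sAMAccountName%.
_TOKEN = re.compile(r"%([A-Za-z][\w-]*)%")


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is matched literally inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_search_filter(template: str, form_values: Dict[str, str]) -> Tuple[str, List[str]]:
    """Substitute %name% tokens with escaped form values.

    Returns the expanded filter and the sorted list of form items the filter
    did not reference; the page says those are verified with an LDAP compare.
    Raises KeyError if the filter names an item that is not on the form.
    """
    referenced = set()

    def substitute(m: re.Match) -> str:
        name = m.group(1)
        if name not in form_values:
            raise KeyError(f"filter references %{name}% but the form has no such item")
        referenced.add(name)
        return escape_filter_value(form_values[name])

    # A single re.sub pass: substituted values are never re-scanned, so a
    # user value containing "%sn%" is inserted literally, not expanded.
    expanded = _TOKEN.sub(substitute, template)
    compare_attrs = sorted(set(form_values) - referenced)
    return expanded, compare_attrs


def generate_search_filter(form_items: Dict[str, bool]) -> str:
    """Build a filter from the required form items (name -> required flag).

    The (objectClass=person) base clause mirrors the page's example filter and
    is an assumption of this example, not PWM's generated shape.
    """
    clauses = "".join(f"({name}=%{name}%)" for name, required in form_items.items() if required)
    return f"(&(objectClass=person){clauses})"


if __name__ == "__main__":
    # Constructed sample inputs: a normal user and one trying to widen the search.
    template = "(&(objectClass=person)(cn=%cn%)(sn=%sn%))"
    print(expand_search_filter(template, {"cn": "jsmith", "sn": "Smith"}))
    print(expand_search_filter(template, {"cn": "*)(objectClass=*", "sn": "Smith"}))
    print(generate_search_filter({"mail": True, "sn": True, "telephoneNumber": False}))
```

The escaping step is the part worth checking in any deployment: without it, the filter is assembled by string concatenation from anonymous input, and a single form field can turn a one-user lookup into a match on every entry under the search base.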

User Activation Profiles

The user activation module enables users to activate an account with which they have not previously authenticated. The user does not need to know the password to activate the account. Configure the settings so that users can only execute this function once. Existing users cannot use this function.

Label User Activation Profile Match
Key activateUser.queryMatch
Navigation Modules ⇨ Public ⇨ User Activation ⇨ User Activation Profiles ⇨ [profile] ⇨ User Activation Profile Match
Syntax USER_PERMISSION
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
Template | Value
default | UserPermission: LDAP Query: [Profile: 'all' Filter: (&(objectclass=person)(!(loginDisabled=TRUE))(!(loginTime=*)))]
AD | UserPermission: LDAP Query: [Profile: 'all' Filter: (&(objectclass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(lastLogon=0)(!(lastLogonTimestamp=*))))]
Specify an LDAP filter so that PWM only activates users who match this query. Generally, you should only allow users who have never authenticated and are not disabled to activate. The default example uses the last login time attributes on the user object to determine whether the user has never logged in. It is the responsibility of the administrator to ensure this activation feature works correctly; misconfiguration could result in unintended activations.

Label Unlock User During Activation
Key activateUser.allowUnlock
Navigation Modules ⇨ Public ⇨ User Activation ⇨ User Activation Profiles ⇨ [profile] ⇨ Unlock User During Activation
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
True
Enable this option to allow users to try to unlock their user account during activation. If enabled and the user's account is locked, PWM unlocks the account.

Label Token Send Method
Key activateUser.token.sendMethod
Navigation Modules ⇨ Public ⇨ User Activation ⇨ User Activation Profiles ⇨ [profile] ⇨ Token Send Method
Syntax SELECT
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Options
Stored Value | Display
NONE | None - Token verification will not be performed
EMAILONLY | Email - Send to email address
SMSONLY | SMS - Send via SMS
CHOICE_SMS_EMAIL | User Choice - If both SMS and email address are available, the user decides
Default
NONE
Select the methods used for sending the token code to the user.

Label Activate User Agreement Message
Key display.activateUser.agreement
Navigation Modules ⇨ Public ⇨ User Activation ⇨ User Activation Profiles ⇨ [profile] ⇨ Activate User Agreement Message
Syntax LOCALIZED_TEXT_AREA
Level 1 (Advanced)
Macro Support True
Required False
Confidential False
Scope DOMAIN
Default

Specify a message to display to the users before allowing them to activate their accounts. If blank, PWM does not display the activate user agreement page to the users. This message can include HTML tags.


Label Activation Actions (Before Password Change)
Key activateUser.writePreAttributes
Navigation Modules ⇨ Public ⇨ User Activation ⇨ User Activation Profiles ⇨ [profile] ⇨ Activation Actions (Before Password Change)
Syntax ACTION
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default

Add actions PWM executes after it activates the users but before it sets the password. Typically, use this to activate the account, as well as add some searchable indicator.

You can use macros.

Label Post-Activation Actions (After Password Change)
Key activateUser.writePostAttributes
Navigation Modules ⇨ Public ⇨ User Activation ⇨ User Activation Profiles ⇨ [profile] ⇨ Post-Activation Actions (After Password Change)
Syntax ACTION
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default

Add actions PWM executes after it activates the users and the users have changed or set their initial passwords. Typically, use this to activate the account, as well as add some searchable indicator.

You can use macros.

Challenge Policies

Define the challenge policy users use for populating response answers.

Label Challenge Profile Match
Key challenge.policy.queryMatch
Navigation Policies ⇨ Challenge Policies ⇨ [profile] ⇨ Challenge Profile Match
Syntax USER_PERMISSION
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
UserPermission: All Users: [Profile: 'all']
Specify an LDAP filter to search for users that have the permissions to set up Challenge/Responses.

Label Random Questions
Key challenge.randomChallenges
Navigation Policies ⇨ Challenge Policies ⇨ [profile] ⇨ Random Questions
Syntax CHALLENGE
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
Locale: default
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:What is the name of the main character in your favorite book?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:What is the name of your favorite teacher?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:What is the name of your favorite pet?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:What was the name of your childhood best friend?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:What was your favorite show as a child?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Who is your favorite author?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:What is your favorite food?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:What is your partner's nickname?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:What is your favorite team?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:What street did you grow up on?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:What city / town were you born in?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:What is your favorite vehicle?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:If you could meet someone from history, who would it be?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:What is your least favorite film of all time?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Who was your least favorite teacher?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:What food do you dislike the most?
Locale: ca
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Com es diu el personatge principal del seu llibre preferit?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Com es diu el seu mestre preferit?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Com es diu la seva mascota preferida?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Com es deia el seu millor amic de la infància?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Quin era seu programa televisiu preferit en la infància?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Quin és el seu escriptor preferit?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Quin és el seu menjar preferit?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Quin sobrenom té la seva parella?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Quin és el seu equip preferit?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:En quin carrer va créixer?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:En quin poble o en quina ciutat va néixer?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Quin és el seu vehicle preferit?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Si pogués conèixer un personatge històric, qui triaria?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Quina és la pel·lícula que menys li ha agradat de totes les que ha vist?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Com es deia el mestre que menys li agradava?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Quin és el menjar que menys li agrada?
Locale: zh-CN
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:在您最喜爱的书中,主人公叫什么名字?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:您最喜欢的老师叫什么名字?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:您最喜爱的宠物叫什么名字?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:您儿时的好友叫什么名字?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:孩提时代,您最喜欢的节目是什么?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:您最喜欢的作者是谁?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:您最爱吃的食物是什么?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:您伴侣的绰号是什么?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:您最喜爱的球队是什么?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:您在哪条街道长大?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:您出生在哪个城市/城镇?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:您最喜欢的交通工具是什么?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:如果您可以穿越历史邂逅某个人物,此人会是谁?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:一直以来,您最不喜欢的电影是什么?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:您最不喜欢的老师是谁?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:您最不爱吃哪种食物?
Locale: zh-TW
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:您最喜愛的書籍主角姓名?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:您最喜愛的老師姓名?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:您最喜愛的寵物名字?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:您兒時摯友的姓名?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:您小時候最喜歡的節目?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:您最喜愛的作家?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:您最喜愛的食物?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:您伴侶的綽號?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:您最喜愛的運動隊伍?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:您在哪條街上長大的?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:您出生的城市/城鎮?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:您最喜愛的交通工具?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:若您可以與歷史人物見面,會是哪一位歷史人物?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:您最不喜愛的電影?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:您最不喜愛的老師?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:您最討厭的食物?
Locale: da
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Hvad hedder hovedpersonen i din yndlingsbog?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Hvad hedder din yndlingslærer?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Hvad er navnet på dit yndlingskæledyr?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Hvad hed din bedste barndomsven?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Hvad var dit yndlingsshow som barn?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Hvem er din yndlingsforfatter?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Hvad er din livret?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Hvad er din partners kaldenavn?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Hvad er dit yndlingshold?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Hvad var navnet på din barndomsgade?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Hvilken by er du født i?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Hvad er dit yndlingskøretøj?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Hvis du kunne møde en historisk person, hvem skulle det så være?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Hvilken film kan du mindst lide?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Hvilken lærer kunne du mindst lide?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Hvilken fødevare bryder du dig mindst om?
Locale: nl
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Wat is de naam van de hoofdpersoon in uw favoriete boek?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Wat is de naam van uw favoriete leraar?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Wat is de naam van uw favoriete huisdier?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Wat is de naam van uw beste jeugdvriend?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Wat was uw favoriete tv-programma als kind?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Wie is uw favoriete schrijver?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Wat is uw favoriete eten?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Wat is de bijnaam van uw partner?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Wat is uw favoriete voetbalteam?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:In welke straat bent u opgegroeid?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:In welke stad of in welk dorp bent u geboren?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Wat is uw favoriete voertuig?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Als u een bekende persoon uit het verleden zou kunnen ontmoeten, wie zou dat dan zijn?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Wat is uw minst favoriete film aller tijden?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Wie was uw minst favoriete leraar?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Welk eten vindt u het minst lekker?
Locale: en-CA
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:What is the name of the main character in your favourite book?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:What is the name of your favourite teacher?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:What is the name of your favourite pet?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:What was the name of your childhood best friend?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:What was your favourite show as a child?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Who is your favourite author?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:What is your favourite food?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:What is your partner's nickname?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:What is your favourite team?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:What street did you grow up on?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:What city/town were you born in?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:What is your favourite vehicle?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:If you could meet someone from history, who would it be?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:What is your least favourite film of all time?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Who was your least favourite teacher?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:What food do you dislike the most?
Locale: fr
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Comment s'appelle le héros de votre livre préféré ?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Comment s'appelle votre professeur préféré ?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Quel est le nom de votre animal préféré ?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Comment s'appelle votre meilleur ami d'enfance ?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Quelle était votre émission préférée lorsque vous étiez enfant ?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Qui est votre auteur préféré ?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Quel est votre plat préféré ?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Quel est le surnom de votre partenaire ?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Quelle est votre équipe préférée ?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Dans quelle rue avez-vous grandi ?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Quelle est votre ville de naissance ?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Quel est votre véhicule préféré ?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Si vous pouviez rencontrer un personnage historique, qui voudriez-vous rencontrer ?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Quel film avez-vous toujours détesté ?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Qui est le professeur que vous avez le plus détesté ?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Quel plat détestez-vous le plus ?
Locale: fr-CA
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Comment s'appelle le héros de votre livre préféré?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Comment s'appelle votre professeur préféré?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Quel est le nom de votre animal préféré?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Comment s'appelle votre meilleur ami d'enfance?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Quelle était votre émission préférée lorsque vous étiez enfant?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Qui est votre auteur préféré?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Quel est votre plat préféré?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Quel est le surnom de votre partenaire?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Quelle est votre équipe préférée?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Dans quelle rue avez-vous grandi?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Quelle est votre ville de naissance?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Quel est votre véhicule préféré?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Si vous pouviez rencontrer un personnage historique, qui voudriez-vous rencontrer?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Quel film avez-vous toujours détesté?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Qui est le professeur que vous avez le plus détesté?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Quel plat détestez-vous le plus?
Locale: de
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Wie heißt die Hauptperson in Ihrem Lieblingsbuch?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Wie heißt Ihr Lieblingslehrer?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Wie heißt Ihr Lieblingshaustier?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Wie hieß Ihr bester Freund/Ihre beste Freundin aus der Kindheit?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Welche Sendung haben Sie als Kind am liebsten angeschaut?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Wie heißt Ihr Lieblingsautor?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Was essen Sie am liebsten?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Wie lautet der Kosename Ihres Partners?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Welches ist Ihre Lieblingsmannschaft?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:In welcher Straße haben Sie als Kind gewohnt?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Wie lautet Ihr Geburtsort?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Welches ist Ihr bevorzugtes Fahrzeug?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Welche historische Persönlichkeit würden Sie gerne kennenlernen?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Wie heißt der schlechteste Film, den Sie je gesehen haben?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Wie hieß der Lehrer, den Sie am wenigsten mochten?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Was essen Sie überhaupt nicht gerne?
Locale: he
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:מהו שם הדמות הראשית בספר האהוב עליך?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:מהו שם המורה האהוב/ה עליך?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:מהו שם חיית המחמד האהובה עליך?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:מה היה שמו של חבר הילדות הטוב ביותר שלך?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:מה היתה תוכנית הטלוויזיה האהובה עליך בילדותך?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:מי הסופר האהוב עליך?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:מהו המאכל האהוב עליך?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:מהו הכינוי של בת/בן הזוג שלך?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:מהו שם הקבוצה האהובה עליך?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:באיזה רחוב גדלת?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:באיזו עיר נולדת?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:מהו הרכב האהוב עליך?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:אם היית יכול לפגוש דמות מההיסטוריה, את מי היית רוצה לפגוש?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:מהו שם הסרט הכי פחות אהוב עליך בכל הזמנים?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:מי היה המורה הכי פחות אהוב/ה עליך?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:מהו המאכל שאתה הכי לא אוהב?
Locale: it
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Come si chiama il protagonista del tuo libro preferito?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Come si chiama il tuo insegnante preferito?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Come si chiama il tuo animale domestico preferito?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Come si chiamava il tuo miglior amico dell'infanzia?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Qual era il tuo programma preferito da bambino?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Qual è il tuo autore preferito?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Qual è il tuo cibo preferito?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Qual è il soprannome del/della tuo/a partner?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Qual è la tua squadra del cuore?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:In quale via sei cresciuto/a?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:In quale città sei nato/a?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Qual è il tuo mezzo di trasporto preferito?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Se potessi incontrare un personaggio storico, chi sceglieresti?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Qual è il film che ti è piaciuto di meno in assoluto?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Quale insegnante amavi di meno?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Qual è il cibo che odi di più?
Locale: ja
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:お気に入りの本の主人公の名前は何ですか?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:お気に入りの先生の名前は何ですか?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:お気に入りのペットの名前は何ですか?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:子供の頃の親友の名前は何ですか?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:子供の頃好きだったテレビ番組は何ですか?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:好きな作家は誰ですか?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:好きな食べ物は何ですか?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:パートナーのニックネームは何ですか?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:好きなチームは何ですか?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:あなたが育った通りの名前は何ですか?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:あなたが生まれた市町村区の名前は何ですか?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:お気に入りの車は何ですか」?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:歴史上の人物に会えるとしたら、誰に会いたいですか?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:これまでに見た中で嫌いな映画は何ですか?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:嫌いな先生は誰でしたか?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:一番嫌いな食べ物は何ですか?
Locale: pl
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Jak nazywa się główny bohater Twojej ulubionej książki?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Jak nazywa się Twój ulubiony nauczyciel?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Jak nazywa się Twój ulubiony zwierzak?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Jak miał na imię Twój najlepszy kolega z dzieciństwa?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Jaki był Twój ulubiony program telewizyjny w dzieciństwie?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Kto jest Twoim ulubionym pisarzem?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Co jest Twoją ulubioną potrawą?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Jak brzmi przydomek Twojego partnera?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Jaka jest Twoja ulubiona drużyna?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Na jakiej ulicy dorastałeś(-aś)?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Jakie miasto jest miejscem Twojego urodzenia?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Jaki jest Twój ulubiony pojazd?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Gdyby było możliwe spotkanie jakiejś historycznej postaci, kto by nią był?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Jaki jest Twój ulubiony film wszechczasów?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Kto był Twoim najmniej lubianym nauczycielem?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Jakiej potrawy najbardziej nie lubisz?
Locale: pt-BR
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Qual é o nome do personagem principal do seu livro favorito?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Qual é o nome do seu professor favorito?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Qual é o nome do seu animal de estimação favorito?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Qual era o nome do seu melhor amigo de infância?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Qual era seu programa de TV favorito quando criança?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Quem é seu autor favorito?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Qual é seu prato favorito?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Qual é o apelido de seu(sua) companheiro(a)?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Qual é seu time favorito?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Em que rua você cresceu?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Em que cidade você nasceu?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Qual é seu carro favorito?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Se você pudesse conhecer um personagem histórico, quem seria?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Qual é o filme de que você menos gostou até hoje?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Qual era o professor de quem você menos gostava?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Qual é o prato de que você menos gosta?
Locale: ru
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Имя главного персонажа в вашей любимой книге.
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Имя вашего любимого учителя.
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Имя вашего любимого домашнего животного.
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Имя вашего лучшего друга детства.
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Ваше любимое шоу в детстве.
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Ваш любимый автор.
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Ваша любимая еда.
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Как вы называете своего партнера?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Ваша любимая команда.
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Улица, на которой вы выросли.
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Город (населенный пункт), в котором вы родились.
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Ваш любимый автомобиль.
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:С кем из исторических персонажей вы бы хотели встретиться?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Самый нелюбимый вами фильм за все время.
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Ваш самый нелюбимый учитель.
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Еда, которая вам не нравится больше всего.
Locale: es
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:¿Cuál es el nombre del personaje principal de su libro favorito?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:¿Cuál es el nombre de su profesor favorito?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:¿Cuál es el nombre de su mascota favorita?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:¿Cómo se llamaba su mejor amigo del colegio?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:¿Cuál era su programa de televisión favorito cuando era niño?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:¿Quién es su autor favorito?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:¿Cuál es su comida favorita?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:¿Cuál es el apodo de su pareja?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:¿Cuál es su equipo favorito?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:¿Cuál es el nombre de la calle en la que se crió?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:¿En qué ciudad nació?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:¿Cuál es su vehículo favorito?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Si pudiera conocer a algún personaje histórico, ¿quién sería?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:¿Cuál es la película que menos le gusta?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:¿Quién era el profesor que menos le gustaba?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:¿Cuál es la comida que menos le gusta?
Locale: sv
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Vad heter huvudpersonen i din favoritbok?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Vad heter din favoritlärare?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Vad heter ditt favorithusdjur?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Vad hette din bästa kompis när du var barn?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Vilket var ditt favoritprogram på TV när du var liten?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Vem är din favoritförfattare?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Vilken är din favoriträtt?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Vad är din partners smeknamn?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Vilket lag håller du på?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Vad hette gatan där du växte upp?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:I vilken stad är du född?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Vilket är ditt favoritfordon?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Om du kunde träffa en historisk person, vem skulle du välja?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Vilken film tycker du är historiens sämsta?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Vilken lärare tyckte du sämst om?
 ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
  Text:Vilken mat tycker du sämst om?
Random Questions for Challenge/Response. PWM presents some of these questions to the user during forgotten password recovery; the number presented is set in the "Minimum Random Required" setting. You can require the users to supply answers to all or only some of these questions when setting up their responses; the "Minimum Random Challenges Required During Setup" setting controls this.

Label Required Questions
Key challenge.requiredChallenges
Navigation Policies ⇨ Challenge Policies ⇨ [profile] ⇨ Required Questions
Syntax CHALLENGE
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default

Required Questions for Challenge/Response. The users must supply answers for all of these questions when setting up their responses. Additionally, the users must supply the answers to these questions during forgotten password.

Label Minimum Random Required
Key challenge.minRandomRequired
Navigation Policies ⇨ Challenge Policies ⇨ [profile] ⇨ Minimum Random Required
Syntax NUMERIC
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
2
Specify the minimum number of random questions required at time of forgotten password recovery.

Label Minimum Random Challenges Required During Setup
Key challenge.minRandomsSetup
Navigation Policies ⇨ Challenge Policies ⇨ [profile] ⇨ Minimum Random Challenges Required During Setup
Syntax NUMERIC
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
4
Specify the minimum number of random questions you require the users to complete during the Response Setup. If this number is higher than the number of available random questions, or lower than the Minimum Random Required value, PWM adjusts it accordingly. Set the value to zero to force the users to configure all available random questions at the time of setup.

Label Help Desk Random Questions
Key challenge.helpdesk.randomChallenges
Navigation Policies ⇨ Challenge Policies ⇨ [profile] ⇨ Help Desk Random Questions
Syntax CHALLENGE
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default

Specify additional random questions to present to the help desk users. PWM might require the users to supply answers to all or some of these questions when setting up their responses, as controlled by the "Minimum Help Desk Random Challenges Required During Setup" setting. The questions and answers are visible to Help Desk users but are not used for forgotten password recovery.

Label Help Desk Required Questions
Key challenge.helpdesk.requiredChallenges
Navigation Policies ⇨ Challenge Policies ⇨ [profile] ⇨ Help Desk Required Questions
Syntax CHALLENGE
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default

Add the questions the users must supply answers for when setting up their responses. The questions and answers are visible to Help Desk users but are not used for forgotten password recovery.

Label Minimum Help Desk Random Challenges Required During Setup
Key challenge.helpdesk.minRandomsSetup
Navigation Policies ⇨ Challenge Policies ⇨ [profile] ⇨ Minimum Help Desk Random Challenges Required During Setup
Syntax NUMERIC
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
4
Specify the minimum number of Help Desk random questions you require the users to complete during the Response Setup. If this number is higher than the number of available random questions, or lower than the minimum required, the system adjusts it accordingly. Set this option to zero to force the users to configure all available random Challenge/Response questions at the time of setup.

Password Policies

Settings that define the LDAP directories that are used by the application. If the user identities are in multiple LDAP directories, configure each directory as an LDAP Directory Profile. Within each LDAP directory profile definition, you can control the individual servers and other settings for each LDAP directory.

Label Password Policy Profile Match
Key password.policy.queryMatch
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Password Policy Profile Match
Syntax USER_PERMISSION
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
UserPermission: All Users: [Profile: 'all']
Specify a query to determine whether this password policy applies to a given user. During login, if the system has not already assigned a policy to the user, it evaluates the match defined here and, if the user matches, assigns the user to this policy.

Label Minimum Length
Key password.policy.minimumLength
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Minimum Length
Syntax NUMERIC
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
2
Specify the minimum length of the password. A value of zero disables this check.

Label Maximum Length
Key password.policy.maximumLength
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Maximum Length
Syntax NUMERIC
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
64
Specify the maximum length of the password. A value of zero disables this check. Although you can set this limit to large values, the LDAP directory being used may have fixed limitations on the supported password length.

Label Maximum Repeat
Key password.policy.maximumRepeat
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Maximum Repeat
Syntax NUMERIC
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
0
Specify the maximum number of times any single character may be repeated anywhere in the password. PWM ignores case for this check. A value of zero disables this check.

Label Maximum Sequential Repeat
Key password.policy.maximumSequentialRepeat
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Maximum Sequential Repeat
Syntax NUMERIC
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
0
Specify the maximum number of times any single character may be repeated consecutively in the password. PWM ignores case for this check. A value of zero disables this check.

Label Allow Numeric Characters
Key password.policy.allowNumeric
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Allow Numeric Characters
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
True
Enable this option to allow numeric characters in the password.

Label Allow First Character Numeric
Key password.policy.allowFirstCharNumeric
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Allow First Character Numeric
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
True
Enable this option to allow the first character of the password to be numeric. Applies only if the password policy allows numeric characters.

Label Allow Last Character Numeric
Key password.policy.allowLastCharNumeric
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Allow Last Character Numeric
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
True
Enable this option to allow the last character of the password to be numeric. Applies only if the password policy allows numeric characters.

Label Maximum Numeric
Key password.policy.maximumNumeric
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Maximum Numeric
Syntax NUMERIC
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
0
Specify the maximum number of numeric characters permitted (if the password policy allows numeric characters). A value of zero disables this check.

Label Minimum Numeric
Key password.policy.minimumNumeric
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Minimum Numeric
Syntax NUMERIC
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
0
Specify the minimum number of numeric characters required (if the password policy allows numeric characters). A value of zero disables this check.

Label Allow Special Characters
Key password.policy.allowSpecial
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Allow Special Characters
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
True
Enable this option to allow special (non alpha-numeric) characters in the password.

Label Allow First Character Special
Key password.policy.allowFirstCharSpecial
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Allow First Character Special
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
True
Enable this option to allow the first character of the password to be a special character. Applies only if the password policy allows special characters.

Label Allow Last Character Special
Key password.policy.allowLastCharSpecial
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Allow Last Character Special
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
True
Enable this option to allow the last character of the password to be a special character. Applies only if the password policy allows special characters.

Label Maximum Special
Key password.policy.maximumSpecial
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Maximum Special
Syntax NUMERIC
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
0
Specify the maximum number of special characters permitted (if the password policy allows special characters). A value of zero disables this check.

Label Minimum Special
Key password.policy.minimumSpecial
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Minimum Special
Syntax NUMERIC
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
0
Specify the minimum number of special characters required (if the password policy allows special characters). A value of zero disables this check.

Label Maximum Alphabetic
Key password.policy.maximumAlpha
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Maximum Alphabetic
Syntax NUMERIC
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
0
Specify the maximum number of alphabetic characters permitted. A value of zero disables this check.

Label Minimum Alphabetic
Key password.policy.minimumAlpha
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Minimum Alphabetic
Syntax NUMERIC
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
0
Specify the minimum number of alphabetic characters required. A value of zero disables this check.

Label Allow Non-Alphabetic Characters
Key password.policy.allowNonAlpha
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Allow Non-Alphabetic Characters
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
True
Enable this option to allow non-alphabetic characters in the password.

Label Maximum Non-Alphabetic
Key password.policy.maximumNonAlpha
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Maximum Non-Alphabetic
Syntax NUMERIC
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
0
Specify the maximum number of non-alphabetic characters permitted. A value of zero disables this check.

Label Minimum Non-Alphabetic
Key password.policy.minimumNonAlpha
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Minimum Non-Alphabetic
Syntax NUMERIC
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
0
Specify the minimum number of non-alphabetic characters required. A value of zero disables this check.

Label Maximum Uppercase
Key password.policy.maximumUpperCase
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Maximum Uppercase
Syntax NUMERIC
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
0
Specify the maximum number of uppercase characters permitted. A value of zero disables this check.

Label Minimum Uppercase
Key password.policy.minimumUpperCase
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Minimum Uppercase
Syntax NUMERIC
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
0
Specify the minimum number of uppercase characters required. A value of zero disables this check.

Label Maximum Lowercase
Key password.policy.maximumLowerCase
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Maximum Lowercase
Syntax NUMERIC
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
0
Specify the maximum number of lowercase characters permitted. A value of zero disables this check.

Label Minimum Lowercase
Key password.policy.minimumLowerCase
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Minimum Lowercase
Syntax NUMERIC
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
0
Specify the minimum number of lowercase characters required. A value of zero disables this check.

Label Minimum Unique Characters
Key password.policy.minimumUnique
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Minimum Unique Characters
Syntax NUMERIC
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
0
Specify the minimum number of unique characters required. A value of zero disables this check.

Label Maximum Characters From Previous Password
Key password.policy.maximumOldPasswordChars
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Maximum Characters From Previous Password
Syntax NUMERIC
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
0
Specify the maximum number of characters from the previous password allowed in the new password. A value of zero disables this check.

Label Minimum Lifetime
Key password.policy.minimumLifetime
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Minimum Lifetime
Syntax DURATION
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
0
Specify the minimum amount of time that must pass between password changes. Value is in seconds. A value of zero disables this check.

Label Maximum Consecutive Characters
Key password.policy.maximumConsecutive
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Maximum Consecutive Characters
Syntax NUMERIC
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
0
Specify the maximum number of characters allowed in a sequence such as 0123456789 or abcdefghijk. PWM detects a sequence by comparing the Unicode code point order of each character with the one that follows it, after it converts the entire value to lowercase. A value of 0 disables this check.

Label Minimum Password Strength
Key password.policy.minimumStrength
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Minimum Password Strength
Syntax NUMERIC
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
0
Specify the minimum strength of the passwords. PWM rates password strength on a scale of 0 to 100, irrespective of other password policy settings. This setting requires that the users have a password that meets the minimum strength level specified here, regardless of other password policy rules. A score of 45 or better is "good", while 70 or better is considered "strong". A value of 0 disables this check.

Label Enforce Word List
Key password.policy.checkWordlist
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Enforce Word List
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
True
Enable this option to check the password against the configured Word List.

Label Active Directory Password Complexity
Key password.policy.ADComplexityLevel
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Active Directory Password Complexity
Syntax SELECT
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Options
Stored Value  Display
NONE None - Do not enforce AD Complexity Rules
AD2003 AD 2003 Level Complexity
AD2008 AD 2008 Level Complexity
Default
Template  Value
default NONE
AD AD2003
Select the Microsoft Active Directory style password complexity rules.

AD 2003 Level Complexity:

  • Cannot contain the user's account name or parts of the user's full name that exceed two consecutive characters
  • Minimum 6 characters
  • Maximum 128 characters
  • Must contain characters from three of the following four categories:
    • English uppercase characters (A through Z)
    • English lowercase characters (a through z)
    • Base 10 digits (0 through 9)
    • Non-alphabetic characters (For example, !, $, #, %)

AD 2008 Level Complexity:

  • Cannot contain the user's account name or parts of the user's full name that exceed two consecutive characters
  • Minimum 6 characters
  • Maximum 512 characters
  • Must contain characters from several of the following categories. The setting Policies ⇨ Password Policies ⇨ [profile] ⇨ Active Directory 2008 Password Complexity Maximum Violations specifies the exact number of categories.
    • European language uppercase alphabetic characters
    • European language lowercase alphabetic characters
    • Base 10 digits (0 through 9)
    • Non-alphabetic characters (for example, !, $, #, %)
    • Other alphabetic characters not included in the other categories

Label Active Directory 2008 Password Complexity Maximum Violations
Key password.policy.ADComplexityMaxViolations
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Active Directory 2008 Password Complexity Maximum Violations
Syntax NUMERIC
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
2
Specify the maximum number of Active Directory 2008 Level Complexity category violations. This setting has no effect unless the setting Policies ⇨ Password Policies ⇨ [profile] ⇨ Active Directory Password Complexity is set to AD 2008 Level Complexity.

Label Required Regular Expression Matches
Key password.policy.regExMatch
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Required Regular Expression Matches
Syntax STRING_ARRAY
Level 2
Required False
Confidential False
Scope DOMAIN
Default

Specify a Regular Expression pattern the password must match for the system to allow it. You can list multiple patterns. A pattern must match the entire password for the system to apply it; PWM ignores a partial match. You can use macros.

Label Disallowed Regular Expression Matches
Key password.policy.regExNoMatch
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Disallowed Regular Expression Matches
Syntax STRING_ARRAY
Level 2
Required False
Confidential False
Scope DOMAIN
Default

Specify a Regular Expression pattern the password must not match for the system to allow it. You can list multiple patterns. A pattern must match the entire password for the system to apply it; PWM ignores a partial match. You can use macros.

Label Disallowed Values
Key password.policy.disallowedValues
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Disallowed Values
Syntax STRING_ARRAY
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
password
test
Specify a case-insensitive list of values PWM does not allow the users to use as passwords.

Label Disallowed Attributes
Key password.policy.disallowedAttributes
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Disallowed Attributes
Syntax STRING_ARRAY
Level 2
Required False
Confidential False
Scope DOMAIN
Default
cn
givenName
sn
Specify a list of attributes whose values are not allowed to be used as passwords. For a given user, PWM reads the values of these attributes and does not permit the user to use any of them as part of the password value. This check is case-insensitive. Note: specifying a number after the attribute name restricts the check to that many consecutive characters of the value (for example, "Language:4" means the password cannot contain "Engl", "ngli", "glis", or "lish" for English-speaking users).

Label Password Change Message
Key password.policy.changeMessage
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Password Change Message
Syntax LOCALIZED_TEXT_AREA
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default

Specify a message PWM displays to the users during password changes. The message may include HTML markup. You can override this setting by adding a change password message read as part of an LDAP password policy.

Label Password Rule Text
Key password.policy.ruleText
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Password Rule Text
Syntax LOCALIZED_TEXT_AREA
Level 2
Required False
Confidential False
Scope DOMAIN
Default

When blank, PWM displays an automatically generated rule list to the user. The automated rule list may not include every setting in the password policy: some of the more esoteric or hard-to-communicate rules are left out so that the users are not overwhelmed by having to read and parse the rules before attempting to change their passwords. Should the user type a password that conflicts with such a rule, the per-keystroke rule checker gives the user direct feedback on how to correct the problem.

If you do not want the automatically generated rule list, you can override it by setting a value here. The field permits HTML tags.

Label Disallow Current Password
Key password.policy.disallowCurrent
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Disallow Current Password
Syntax BOOLEAN
Level 2
Required True
Confidential False
Scope DOMAIN
Default
True
Enable this option to prohibit the current password from being used as a new password. Note: PWM can only enforce this if the login method permits the user's password to be known.

Label Minimum Character Groups Required
Key password.policy.charGroup.minimumMatch
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Minimum Character Groups Required
Syntax NUMERIC
Level 2
Required False
Confidential False
Scope DOMAIN
Default
0
Specify the minimum number of the character groups defined in the setting Policies ⇨ Password Policies ⇨ [profile] ⇨ Character Group Definitions that a password must match.

Label Character Group Definitions
Key password.policy.charGroup.regExValues
Navigation Policies ⇨ Password Policies ⇨ [profile] ⇨ Character Group Definitions
Syntax STRING_ARRAY
Level 2
Required False
Confidential False
Scope DOMAIN
Default
.*[0-9]
.*[a-z]
.*[A-Z]
.*[^A-Za-z0-9]
Add a list of regular expression patterns, each defining one character group. Along with the setting Policies ⇨ Password Policies ⇨ [profile] ⇨ Minimum Character Groups Required, this setting lets you create a complex list of requirements that the user only needs to partially satisfy. For example, you can use this type of policy to replicate the Active Directory "3 out of 5" rule, but with more flexibility and customization.
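The Character Group, Disallowed Attributes ("attr:N") and Maximum Consecutive Characters rules described above, implemented as an added example in Python (not PWM's own code). Assumptions the page does not settle: group patterns are searched within the password (so the default ".*[0-9]" means "contains a digit"), the consecutive-character rule counts ascending runs only, and an attribute value shorter than its ":N" window is disallowed as a whole; the sample user and policy are constructed.

```python
"""Reference implementations of three PWM-style password policy rules.

Added example, not code from the PWM project. Assumptions this page does
not settle: character-group patterns are searched within the password
(re.search), so the page's default ".*[0-9]" means "contains a digit"; the
consecutive-character rule counts ascending runs only; and an attribute
value shorter than its ":N" window is disallowed as a whole.
"""
import re
from typing import Dict, List, Sequence, Tuple

# Defaults of password.policy.charGroup.regExValues and
# password.policy.disallowedAttributes as listed on this page.
DEFAULT_CHAR_GROUPS = [r".*[0-9]", r".*[a-z]", r".*[A-Z]", r".*[^A-Za-z0-9]"]
DEFAULT_DISALLOWED_ATTRS = ["cn", "givenName", "sn"]


def char_groups_matched(password: str,
                        groups: Sequence[str] = DEFAULT_CHAR_GROUPS) -> int:
    """Count the character-group patterns the password satisfies. Compared
    against charGroup.minimumMatch this gives the AD-style "N of M" rule."""
    return sum(1 for pat in groups if re.search(pat, password) is not None)


def longest_consecutive_run(password: str) -> int:
    """Longest run of characters whose Unicode code points rise by exactly
    one (e.g. "abcd", "1234"), measured after lower-casing the whole value
    as the Maximum Consecutive Characters rule describes."""
    lc = password.lower()
    if not lc:
        return 0
    longest = current = 1
    for prev, cur in zip(lc, lc[1:]):
        current = current + 1 if ord(cur) == ord(prev) + 1 else 1
        longest = max(longest, current)
    return longest


def disallowed_attribute_hits(password: str,
                              attrs: Dict[str, Sequence[str]],
                              rules: Sequence[str] = DEFAULT_DISALLOWED_ATTRS,
                              ) -> List[Tuple[str, str]]:
    """Return (attribute, fragment) pairs found inside the password.

    A rule is "attr" (the whole value may not appear) or "attr:N" (no N
    consecutive characters of the value may appear); case-insensitive.
    """
    pw = password.lower()
    hits: List[Tuple[str, str]] = []
    for rule in rules:
        name, _, window = rule.partition(":")
        n = int(window) if window else 0
        for value in attrs.get(name, []):
            v = value.lower()
            if 0 < n < len(v):
                fragments = [v[i:i + n] for i in range(len(v) - n + 1)]
            else:
                fragments = [v]  # assumption: short values are checked whole
            for frag in fragments:
                if frag and frag in pw and (name, frag) not in hits:
                    hits.append((name, frag))
    return hits


def evaluate(password: str, attrs: Dict[str, Sequence[str]],
             policy: Dict[str, object]) -> List[str]:
    """Apply the three rules with PWM-style policy keys; an empty list
    means the password passes."""
    errors: List[str] = []
    min_groups = int(policy.get("charGroup.minimumMatch", 0))
    if min_groups > 0:
        groups = policy.get("charGroup.regExValues", DEFAULT_CHAR_GROUPS)
        matched = char_groups_matched(password, groups)
        if matched < min_groups:
            errors.append(f"matches {matched} character groups, "
                          f"{min_groups} required")
    max_consec = int(policy.get("maximumConsecutive", 0))
    if max_consec > 0 and longest_consecutive_run(password) > max_consec:
        errors.append(f"contains a sequence longer than {max_consec}")
    rules = policy.get("disallowedAttributes", DEFAULT_DISALLOWED_ATTRS)
    for name, frag in disallowed_attribute_hits(password, attrs, rules):
        errors.append(f"contains {frag!r} from attribute {name}")
    return errors


if __name__ == "__main__":
    # Constructed sample user and policy; not taken from any real directory.
    user = {"cn": ["jsmith"], "givenName": ["John"], "sn": ["Smith"],
            "preferredLanguage": ["English"]}
    policy = {"charGroup.minimumMatch": 3, "maximumConsecutive": 3,
              "disallowedAttributes": DEFAULT_DISALLOWED_ATTRS
              + ["preferredLanguage:4"]}
    for candidate in ("JSmith2024!", "abcd-Polish", "Tr0ub4dor&3"):
        print(candidate, evaluate(candidate, user, policy) or "OK")
```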


Application

Application

Label App Property Overrides
Key pwm.appProperty.overrides
Navigation Settings ⇨ Application ⇨ App Property Overrides
Syntax STRING_ARRAY
Level 2
Required False
Confidential False
Scope SYSTEM
Default

(Troubleshooting only) Specify an override application properties value. Do not use unless directed to by a support expert.

Label Hide Configuration Health Warnings
Key display.hideConfigHealthWarnings
Navigation Settings ⇨ Application ⇨ Hide Configuration Health Warnings
Syntax BOOLEAN
Level 2
Required False
Confidential False
Scope SYSTEM
Default
False
Enable this option to hide health warnings about configuration issues from the health status monitors.

Label Site URL
Key pwm.selfURL
Navigation Settings ⇨ Application ⇨ Site URL
Syntax STRING
Level 0 (Normal)
Required False
Confidential False
Scope SYSTEM
Default

The URL to this application, as seen by users. PWM uses the value in email macros and other user-facing communications.

The URL must use a valid fully qualified hostname. Do not use a network address.

In simple environments, the URL will be the base of the URL in the browser you are currently using to view this page, however in more complex environments the URL will typically be an upstream proxy, gateway or network device.

The URL should include the path to the base application, typically /pwm.


Audit Configuration

Auditing

Label System Audit Event Types
Key audit.system.eventList
Navigation Settings ⇨ Auditing ⇨ Audit Configuration ⇨ System Audit Event Types
Syntax OPTIONLIST
Level 1 (Advanced)
Required False
Confidential False
Scope SYSTEM
Options
Stored Value  Display
STARTUP Startup
SHUTDOWN Shutdown
FATAL_EVENT Fatal Event
MODIFY_CONFIGURATION Modify Configuration
INTRUDER_ATTEMPT Non-User Intruder Attempt
INTRUDER_LOCK Non-User Intruder Lock
Default
FATAL_EVENT
INTRUDER_LOCK
MODIFY_CONFIGURATION
SHUTDOWN
STARTUP
Select system event types to record and act upon.

Label User Audit Event Types
Key audit.user.eventList
Navigation Settings ⇨ Auditing ⇨ Audit Configuration ⇨ User Audit Event Types
Syntax OPTIONLIST
Level 1 (Advanced)
Required False
Confidential False
Scope SYSTEM
Options
Stored Value  Display
AUTHENTICATE Authenticate
AGREEMENT_PASSED Agreement Passed
CHANGE_PASSWORD Change Password
UNLOCK_PASSWORD Unlock Password
RECOVER_PASSWORD Recover Password
SET_RESPONSES Set Responses
SET_OTP_SECRET Set OTP
ACTIVATE_USER Activate User
CREATE_USER New User
UPDATE_PROFILE Update Profile
DELETE_ACCOUNT Delete Account
INTRUDER_USER_LOCK Intruder User Lock
INTRUDER_USER_ATTEMPT Intruder User Attempt
TOKEN_ISSUED Token Issued
TOKEN_CLAIMED Token Claimed
CLEAR_RESPONSES Clear Responses
HELPDESK_SET_PASSWORD Helpdesk Set Password
HELPDESK_UNLOCK_PASSWORD Helpdesk Unlock Password
HELPDESK_CLEAR_RESPONSES Helpdesk Clear Responses
HELPDESK_CLEAR_OTP_SECRET Helpdesk Clear OTP
HELPDESK_DELETE_USER Helpdesk Delete User
HELPDESK_VIEW_DETAIL Helpdesk View Detail
HELPDESK_ACTION Helpdesk Action
HELPDESK_VERIFY_OTP Helpdesk Verify OTP
HELPDESK_VERIFY_OTP_INCORRECT Helpdesk Incorrect Verify OTP
HELPDESK_VERIFY_TOKEN Helpdesk Verify Token
HELPDESK_VERIFY_TOKEN_INCORRECT Helpdesk Incorrect Verify Token
HELPDESK_VERIFY_ATTRIBUTES Helpdesk Verify Attributes
HELPDESK_VERIFY_ATTRIBUTES_INCORRECT Helpdesk Incorrect Verify Attributes
Default
ACTIVATE_USER
AGREEMENT_PASSED
AUTHENTICATE
CHANGE_PASSWORD
CLEAR_RESPONSES
CREATE_USER
DELETE_ACCOUNT
HELPDESK_ACTION
HELPDESK_CLEAR_OTP_SECRET
HELPDESK_CLEAR_RESPONSES
HELPDESK_DELETE_USER
HELPDESK_SET_PASSWORD
HELPDESK_UNLOCK_PASSWORD
HELPDESK_VERIFY_ATTRIBUTES
HELPDESK_VERIFY_ATTRIBUTES_INCORRECT
HELPDESK_VERIFY_OTP
HELPDESK_VERIFY_OTP_INCORRECT
HELPDESK_VERIFY_TOKEN
HELPDESK_VERIFY_TOKEN_INCORRECT
HELPDESK_VIEW_DETAIL
INTRUDER_USER_LOCK
RECOVER_PASSWORD
SET_OTP_SECRET
SET_RESPONSES
TOKEN_CLAIMED
TOKEN_ISSUED
UNLOCK_PASSWORD
UPDATE_PROFILE
Select user event types to record and act upon.

Label LocalDB Audit Events Storage Max Age
Key events.audit.maxAge
Navigation Settings ⇨ Auditing ⇨ Audit Configuration ⇨ LocalDB Audit Events Storage Max Age
Syntax DURATION
Level 2
Required True
Confidential False
Scope SYSTEM
Default
15552000
Specify the maximum age (in seconds) of the local audit event log. The default is 30 days.

Label LocalDB Audit Events Storage Max Events
Key events.audit.maxEvents
Navigation Settings ⇨ Auditing ⇨ Audit Configuration ⇨ LocalDB Audit Events Storage Max Events
Syntax NUMERIC
Level 2
Required True
Confidential False
Scope SYSTEM
Default
1000000
Specify the maximum count of events in the local audit event log. The default is 1000000.

Audit Forwarding

Auditing

Label System Audit Event Email Alerts
Key email.adminAlert.toAddress
Navigation Settings ⇨ Auditing ⇨ Audit Forwarding ⇨ System Audit Event Email Alerts
Syntax STRING_ARRAY
Level 1 (Advanced)
Required False
Confidential False
Scope SYSTEM
Default

Specify one or more email addresses to which the system sends an email when System Audit events occur.

Label User Audit Event Email Alerts
Key audit.userEvent.toAddress
Navigation Settings ⇨ Auditing ⇨ Audit Forwarding ⇨ User Audit Event Email Alerts
Syntax STRING_ARRAY
Level 1 (Advanced)
Required False
Confidential False
Scope SYSTEM
Default

Specify one or more email addresses that the system sends an email to when the User Audit events occur.

Label Syslog Audit Server
Key audit.syslog.servers
Navigation Settings ⇨ Auditing ⇨ Audit Forwarding ⇨ Syslog Audit Server
Syntax STRING_ARRAY
Level 1 (Advanced)
Required False
Confidential False
Scope SYSTEM
Default

Specify one or more entries with the connection information for the syslog audit servers. When configured, PWM forwards all audit events to the syslog server in the first entry. If delivery to the first entry fails, PWM tries the others in order until delivery succeeds. The format is <protocol>,<address>,<port>. The value for <protocol> can be UDP, TCP or TLS. We recommend placing any UDP entry last in the list, because UDP does not report delivery failures.

Examples:
Protocol  Address                     Port  Setting
UDP       127.0.0.1                   514   udp,127.0.0.1,514
TCP       central-syslog.example.com  514   tcp,central-syslog.example.com,514
TLS       secure-syslog.example.com   6514  tls,central-syslog.example.com,6514
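A parser for the <protocol>,<address>,<port> entry format and a model of the first-entry-then-failover delivery described above, as an added example in Python (not PWM code). The `send` callable is a constructed stand-in for a real syslog client, and the hostnames are the ones used in the examples above.

```python
"""Parser and failover model for audit.syslog.servers entries.

Added example, not PWM code. Each entry is <protocol>,<address>,<port> as
described above; the list order is the failover order. The `send`
callable passed to forward_with_failover is a constructed stand-in for a
real syslog client and is not part of PWM.
"""
from typing import Callable, List, NamedTuple, Optional

VALID_PROTOCOLS = ("udp", "tcp", "tls")


class SyslogTarget(NamedTuple):
    protocol: str
    address: str
    port: int


def parse_entry(entry: str) -> SyslogTarget:
    """Parse one setting value; raises ValueError on a malformed entry."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) != 3:
        raise ValueError(f"expected <protocol>,<address>,<port>: {entry!r}")
    protocol, address, port_text = parts
    protocol = protocol.lower()
    if protocol not in VALID_PROTOCOLS:
        raise ValueError(f"protocol must be UDP, TCP or TLS: {entry!r}")
    if not address:
        raise ValueError(f"empty address: {entry!r}")
    if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
        raise ValueError(f"port must be 1-65535: {entry!r}")
    return SyslogTarget(protocol, address, int(port_text))


def parse_server_list(entries: List[str]) -> List[SyslogTarget]:
    """Parse the whole STRING_ARRAY value, preserving failover order."""
    return [parse_entry(e) for e in entries]


def order_warnings(targets: List[SyslogTarget]) -> List[str]:
    """Flag a UDP entry that is not last: UDP never reports a delivery
    failure, so any entry after it would never be tried."""
    warnings: List[str] = []
    for i, t in enumerate(targets):
        if t.protocol == "udp" and i != len(targets) - 1:
            warnings.append(f"entry {i + 1} ({t.address}:{t.port}) is UDP but "
                            f"not last; entries after it will never be tried")
    return warnings


def forward_with_failover(targets: List[SyslogTarget],
                          send: Callable[[SyslogTarget], bool]) -> Optional[int]:
    """Try each target in order until one accepts the event. Returns the
    index of the target that delivered, or None if all of them failed."""
    for i, target in enumerate(targets):
        try:
            if send(target):
                return i
        except OSError:
            continue
    return None


if __name__ == "__main__":
    # Constructed values in the format of the examples above.
    configured = ["tls,secure-syslog.example.com,6514",
                  "tcp,central-syslog.example.com,514",
                  "udp,127.0.0.1,514"]
    targets = parse_server_list(configured)
    print(order_warnings(targets) or "order OK")
    # Stand-in sender: pretend the TLS collector is unreachable.
    used = forward_with_failover(targets, lambda t: t.protocol != "tls")
    print("delivered via", targets[used] if used is not None else "nothing")
```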

Label Syslog Audit Server Certificates
Key audit.syslog.certificates
Navigation Settings ⇨ Auditing ⇨ Audit Forwarding ⇨ Syslog Audit Server Certificates
Syntax X509CERT
Level 1 (Advanced)
Required False
Confidential False
Scope SYSTEM
Default

Import the TLS certificate of the syslog service.

Label Syslog Output Format
Key audit.syslog.outputFormat
Navigation Settings ⇨ Auditing ⇨ Audit Forwarding ⇨ Syslog Output Format
Syntax SELECT
Level 1 (Advanced)
Required False
Confidential False
Scope SYSTEM
Options
Stored Value  Display
JSON JSON
CEF CEF
Default
JSON
Select a style for the syslog output syntax. The default JSON syntax can be used for typical syslog servers. The Common Event Format (CEF) can be used for CEF compatible audit servers.

Captcha

Captcha functionality uses an implementation of reCAPTCHA to block automated (non-human) clients. If this server faces the public internet, we strongly recommend enabling the CAPTCHA functionality. reCAPTCHA information can be found at http://www.google.com/recaptcha/

Registration at the reCAPTCHA site provides a site key and secret which you must configure here for reCAPTCHA support.

Label reCAPTCHA Site Key
Key captcha.recaptcha.publicKey
Navigation Settings ⇨ Captcha ⇨ reCAPTCHA Site Key
Syntax STRING
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default

Add a public reCAPTCHA key. If blank, PWM does not perform the CAPTCHA verification.

Label reCAPTCHA Secret
Key captcha.recaptcha.privateKey
Navigation Settings ⇨ Captcha ⇨ reCAPTCHA Secret
Syntax PASSWORD
Level 1 (Advanced)
Required False
Confidential True
Scope DOMAIN
Default
*hidden*
Add a private reCAPTCHA key. If blank, PWM does not perform the CAPTCHA verification.

Label CAPTCHA Protected Pages
Key captcha.protectedPages
Navigation Settings ⇨ Captcha ⇨ CAPTCHA Protected Pages
Syntax OPTIONLIST
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Options
Stored Value  Display
LOGIN Login Form
FORGOTTEN_PASSWORD Forgotten Password
FORGOTTEN_USERNAME Forgotten Username
USER_ACTIVATION User Activation
NEW_USER_REGISTRATION New User Registration
Default
NEW_USER_REGISTRATION
Select the pages PWM protects with CAPTCHA. PWM requires the CAPTCHA validation only once per session. Thus, after a user passes the CAPTCHA validation during a session, PWM does not force the user to pass the CAPTCHA again despite the user accessing a second module enabled here.

Label CAPTCHA Skip Parameter Value
Key captcha.skip.param
Navigation Settings ⇨ Captcha ⇨ CAPTCHA Skip Parameter Value
Syntax STRING
Level 2
Required False
Confidential False
Scope DOMAIN
Default

Specify the value of a request parameter named "skipCaptcha" that allows PWM to skip the CAPTCHA request. This is useful for "internal" clients or links where the CAPTCHA is unnecessary. Treat the value as a shared secret: anyone who learns it can bypass the CAPTCHA on every protected page, so do not place it in public links and rotate it if it leaks.

For example, if the value is 'okay', a request to:

/public/forgottenpassword?skipCaptcha=okay

causes PWM to bypass the CAPTCHA.

Label CAPTCHA Skip Cookie
Key captcha.skip.cookie
Navigation Settings ⇨ Captcha ⇨ CAPTCHA Skip Cookie
Syntax STRING
Level 2
Required False
Confidential False
Scope DOMAIN
Default

Specify the value PWM expects in a browser cookie named 'captcha-key'. If the cookie carries this value, PWM skips the CAPTCHA request. PWM sets the cookie in the browser after a successful CAPTCHA check.

If blank, PWM neither sets nor reads the browser cookie. If set to 'INSTANCEID', PWM uses the server's instance ID as the cookie value. If set to any other value, PWM uses that literal value. A literal value is a long-lived bypass token: any client that presents it skips the CAPTCHA until the value is changed.

Label CAPTCHA Intruder Attempt Trigger
Key captcha.intruderAttemptTrigger
Navigation Settings ⇨ Captcha ⇨ CAPTCHA Intruder Attempt Trigger
Syntax NUMERIC
Level 2
Required False
Confidential False
Scope DOMAIN
Default
0
Specify the number of intruder attempts after which PWM requires CAPTCHA. If set to 0, PWM ignores the intruder attempt count and always requires CAPTCHA. PWM counts intruder attempts for the current session and for the source network address.

The recommended value for this setting is 0. With a non-zero value, a determined network attacker who spreads attempts across sessions and source addresses may stay under the threshold and bypass the CAPTCHA verification altogether.

Label reCAPTCHA Mode
Key captcha.recaptcha.mode
Navigation Settings ⇨ Captcha ⇨ reCAPTCHA Mode
Syntax SELECT
Level 2
Required False
Confidential False
Scope DOMAIN
Options
Stored Value          Display
V2 reCaptcha Version 2
V2_INVISIBLE reCaptcha Version 2 - Invisible
Default
V2
Select the reCaptcha mode to use.
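How the Captcha settings above combine (protected pages, once-per-session validation, the skipCaptcha parameter, the captcha-key cookie and the intruder trigger), as an added Python illustration written for this page. It is editor-written example code, not PWM's implementation: the order in which the bypasses are checked, the `instance_id` value and the way `intruder_attempts` is derived from the session and source-address counts are assumptions.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Stored values of the "CAPTCHA Protected Pages" option list (captcha.protectedPages).
PROTECTED_PAGE_VALUES = {"LOGIN", "FORGOTTEN_PASSWORD", "FORGOTTEN_USERNAME",
                         "USER_ACTIVATION", "NEW_USER_REGISTRATION"}


@dataclass
class CaptchaConfig:
    site_key: str = ""                      # captcha.recaptcha.publicKey
    secret: str = ""                        # captcha.recaptcha.privateKey
    protected_pages: Set[str] = field(default_factory=lambda: {"NEW_USER_REGISTRATION"})
    skip_param: str = ""                    # captcha.skip.param ("" = disabled)
    skip_cookie: str = ""                   # captcha.skip.cookie ("" / "INSTANCEID" / literal)
    intruder_trigger: int = 0               # captcha.intruderAttemptTrigger (0 = always challenge)
    instance_id: str = "instance-1"         # assumption: the server's instance ID


@dataclass
class Session:
    captcha_passed: bool = False
    intruder_attempts: int = 0              # assumption: max of session and source-address counts


def expected_cookie_value(cfg: CaptchaConfig) -> Optional[str]:
    """Value PWM would accept in the 'captcha-key' cookie, or None when the cookie is disabled."""
    if cfg.skip_cookie == "":
        return None
    if cfg.skip_cookie == "INSTANCEID":
        return cfg.instance_id
    return cfg.skip_cookie


def captcha_required(cfg: CaptchaConfig, session: Session, page: str,
                     params: Dict[str, str], cookies: Dict[str, str]) -> bool:
    """True when this request to `page` must be challenged with reCAPTCHA."""
    if page not in PROTECTED_PAGE_VALUES:
        raise ValueError(f"unknown page value {page!r}")
    # Blank site key or secret: PWM performs no CAPTCHA verification at all.
    if not cfg.site_key or not cfg.secret:
        return False
    if page not in cfg.protected_pages:
        return False
    # Validation is required only once per session.
    if session.captcha_passed:
        return False
    # skipCaptcha=<value> is a shared secret, so compare it in constant time.
    if cfg.skip_param and hmac.compare_digest(params.get("skipCaptcha", ""), cfg.skip_param):
        return False
    expected = expected_cookie_value(cfg)
    if expected is not None and hmac.compare_digest(cookies.get("captcha-key", ""), expected):
        return False
    # Intruder trigger: 0 means always challenge, N means challenge only from the Nth attempt on.
    if cfg.intruder_trigger > 0 and session.intruder_attempts < cfg.intruder_trigger:
        return False
    return True


def record_captcha_success(cfg: CaptchaConfig, session: Session,
                           cookies: Dict[str, str]) -> Dict[str, str]:
    """After a successful reCAPTCHA verification: mark the session and set the skip cookie."""
    session.captcha_passed = True
    expected = expected_cookie_value(cfg)
    if expected is not None:
        cookies["captcha-key"] = expected
    return cookies
```

What the model makes visible: three of the five early returns are bypasses that do not depend on the user proving anything (session flag, parameter, cookie). A literal `captcha.skip.cookie` or `captcha.skip.param` value is therefore a static bypass token; once it leaks through a shared link, a proxy log or a browser extension, CAPTCHA is effectively off for that domain until the value is rotated.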

Advanced

Advanced database configuration settings.

Label Database Key Column Type
Key db.columnType.key
Navigation Settings ⇨ Database (Remote) ⇨ Advanced ⇨ Database Key Column Type
Syntax STRING
Level 2
Required True
Confidential False
Scope SYSTEM
Default
Template      Value
default VARCHAR
DB_ORACLE VARCHAR2
Specify the database column type for key columns. PWM uses the column type only during schema creation. All tables have two columns: a key column and a value column. For most databases the standard VARCHAR column format is appropriate for the key column. Keys stored in the key column are generally US-ASCII.

Label Database Value Column Type
Key db.columnType.value
Navigation Settings ⇨ Database (Remote) ⇨ Advanced ⇨ Database Value Column Type
Syntax STRING
Level 2
Required True
Confidential False
Scope SYSTEM
Default
Template      Value
default TEXT
DB_ORACLE CLOB
Specify the database column type for value columns. PWM uses the column type only during schema creation. All tables are two columns: a key and a value column. For most databases, the standard TEXT column format is appropriate for the value column. Data stored in the value column generally is UTF-8 formatted XML, JSON, or other text-based value data.

Label Database Trace Logging
Key db.debugTrace.enable
Navigation Settings ⇨ Database (Remote) ⇨ Advanced ⇨ Database Trace Logging
Syntax BOOLEAN
Level 2
Required True
Confidential False
Scope SYSTEM
Default
False
Enable this option to allow PWM to log the database read/write activity and data to the TRACE debug output. Warning! Enabling this option can cause PWM to send security-sensitive information to the debug output, including passwords.

Connection

Settings

Label Database Driver
Key db.jdbc.driver
Navigation Settings ⇨ Database (Remote) ⇨ Connection ⇨ Database Driver
Syntax FILE
Level 1 (Advanced)
Required False
Confidential False
Scope SYSTEM
Default
[]
Upload the remote database JDBC Driver JAR or ZIP file supplied by the database vendor. The file must be under 10MB in size to upload. PWM stores the file contents as part of the application configuration file. Because the uploaded driver is loaded and executed inside the PWM JVM, obtain it directly from the vendor and verify its checksum or signature before uploading.

Label Database Class
Key db.classname
Navigation Settings ⇨ Database (Remote) ⇨ Connection ⇨ Database Class
Syntax STRING
Level 1 (Advanced)
Required False
Confidential False
Scope SYSTEM
Default

Add the remote database JDBC driver class name. Consult the database vendor to determine the correct class name for your database.

Database Type          Example Class Name
MS-SQL                 com.microsoft.sqlserver.jdbc.SQLServerDriver
MS-SQL using jTDS      net.sourceforge.jtds.jdbc.Driver
Oracle                 oracle.jdbc.OracleDriver
The above are examples only; consult your database documentation for the proper setting value.

Label Database Connection String
Key db.url
Navigation Settings ⇨ Database (Remote) ⇨ Connection ⇨ Database Connection String
Syntax STRING
Level 1 (Advanced)
Required False
Confidential False
Scope SYSTEM
Default

Specify the remote database connection string in standard JDBC format. Your database administrator can help you with this setting. This setting configures the Java JDBC database driver with the information required to reach your database server such as IP address, port number, and DB name.

Database Type          Example Connection String
MS-SQL                 jdbc:sqlserver://host.example.net:port;databaseName=PWM
MS-SQL using jTDS      jdbc:jtds:sqlserver://host.example.net:port/PWM
Oracle                 jdbc:oracle:thin:@//host.example.net:1521/PWM
The above are examples only; consult your database documentation for the proper connection string syntax.

Label Database User Name
Key db.username
Navigation Settings ⇨ Database (Remote) ⇨ Connection ⇨ Database User Name
Syntax STRING
Level 1 (Advanced)
Required False
Confidential False
Scope SYSTEM
Default

Specify the remote database connection user name.

Label Database Password
Key db.password
Navigation Settings ⇨ Database (Remote) ⇨ Connection ⇨ Database Password
Syntax PASSWORD
Level 1 (Advanced)
Required False
Confidential True
Scope SYSTEM
Default
*hidden*
Specify the remote database connection password.

Label Database Vendor
Key db.vendor.template
Navigation Settings ⇨ Database (Remote) ⇨ Connection ⇨ Database Vendor
Syntax SELECT
Level 1 (Advanced)
Required False
Confidential False
Scope SYSTEM
Options
Stored Value          Display
DB_ORACLE Oracle
DB_OTHER Other
Default
DB_ORACLE
Select the vendor of the remote database.

Email Servers

Email Servers

Label SMTP Server Address
Key email.smtp.address
Navigation Settings ⇨ Email ⇨ Email Servers ⇨ [profile] ⇨ SMTP Server Address
Syntax STRING
Level 1 (Advanced)
Required False
Confidential False
Scope SYSTEM
Default

Specify the address of the SMTP server that sends the emails PWM generates. Removing this setting prevents PWM from sending any emails. Ensure that the server specified here allows relaying from the PWM host. For best results, use a local SMTP server.

Label SMTP Connection Type
Key email.smtp.type
Navigation Settings ⇨ Email ⇨ Email Servers ⇨ [profile] ⇨ SMTP Connection Type
Syntax SELECT
Level 1 (Advanced)
Required False
Confidential False
Scope SYSTEM
Options
Stored Value          Display
SMTP SMTP (Plaintext)
START_TLS StartTLS
SMTPS SMTPS (SSL/TLS)
Default
SMTP
The type of connection to use for the SMTP session. Plaintext SMTP exposes the SMTP credentials and the message contents, which include verification tokens and, for some templates, passwords, to anyone on the network path; prefer StartTLS or SMTPS wherever the mail server supports it.

Label SMTP Server Port
Key email.smtp.port
Navigation Settings ⇨ Email ⇨ Email Servers ⇨ [profile] ⇨ SMTP Server Port
Syntax NUMERIC
Level 1 (Advanced)
Required False
Confidential False
Scope SYSTEM
Default
25
Specify the network port number for the SMTP server. The default of 25 corresponds to plaintext SMTP; StartTLS submission commonly uses port 587 and SMTPS port 465.

Label SMTP Server Certificates
Key email.smtp.serverCerts
Navigation Settings ⇨ Email ⇨ Email Servers ⇨ [profile] ⇨ SMTP Server Certificates
Syntax X509CERT
Level 0 (Normal)
Required True
Confidential False
Scope SYSTEM
Default

Certificates used to validate the SMTP server when a StartTLS or SMTPS connection type is selected. If no certificates are specified, PWM uses the default Java trust store for certificate validation.

Label SMTP Server User Name
Key email.smtp.username
Navigation Settings ⇨ Email ⇨ Email Servers ⇨ [profile] ⇨ SMTP Server User Name
Syntax STRING
Level 1 (Advanced)
Required False
Confidential False
Scope SYSTEM
Default

Specify an SMTP user that logs in to the SMTP server so that it can send the emails PWM generates. A blank value here sends SMTP messages without authentication.

Label SMTP Server Password
Key email.smtp.userpassword
Navigation Settings ⇨ Email ⇨ Email Servers ⇨ [profile] ⇨ SMTP Server Password
Syntax PASSWORD
Level 1 (Advanced)
Required False
Confidential True
Scope SYSTEM
Default
*hidden*
Specify the password for the SMTP user. A blank value here sends SMTP messages without authentication.

Email Settings

Label Maximum Email Queue Age
Key email.queueMaxAge
Navigation Settings ⇨ Email ⇨ Email Settings ⇨ Maximum Email Queue Age
Syntax DURATION
Level 2
Required True
Confidential False
Scope SYSTEM
Default
3600
Specify the maximum age (in seconds) an email can wait in the send queue. If an email is in the send queue longer than this time, PWM discards it. Emails only persist in the send queue if there is an IO or network error to the SMTP server while sending the email.

Label SMTP Email Advanced Settings
Key email.smtp.advancedSettings
Navigation Settings ⇨ Email ⇨ Email Settings ⇨ SMTP Email Advanced Settings
Syntax STRING_ARRAY
Level 2
Required False
Confidential False
Scope SYSTEM
Default

Add Name/Value settings to control the behavior of the mail agent. Available settings are defined as part of the JavaMail API. The settings must be in "name=value" format, where name is the key of a valid JavaMail API setting, for example mail.smtp.connectiontimeout=5000.

Label Default System From Address
Key email.system.fromAddress
Navigation Settings ⇨ Email ⇨ Email Settings ⇨ Default System From Address
Syntax STRING
Level 1 (Advanced)
Required False
Confidential False
Scope SYSTEM
Default
[email protected]
Specify a system From Address for the email templates.

Email Templates

Label Default From Address
Key email.default.fromAddress
Navigation Settings ⇨ Email ⇨ Email Templates ⇨ Default From Address
Syntax STRING
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
[email protected]
Specify a default From Address for the email templates.

Label Change Password Email
Key email.changePassword
Navigation Settings ⇨ Email ⇨ Email Templates ⇨ Change Password Email
Syntax EMAIL
Level 1 (Advanced)
Macro Support True
Required False
Confidential False
Scope DOMAIN
Default
EmailItem default: 
  To:@User:Email@
From:Change Password Notice <@DefaultEmailFromAddress@>
Subj:Password Change Notification
Body:You have changed your password. If you did not initiate a password change please contact your help desk immediately.
Html:You have changed your password. If you have changed your password, then no action is required. If you did not initiate a password change please contact your help desk.
Define this template to send an email to the users when password changes occur. PWM only sends this email when the users change their own passwords.

Label Help Desk Change Password Email
Key email.changePassword.helpdesk
Navigation Settings ⇨ Email ⇨ Email Templates ⇨ Help Desk Change Password Email
Syntax EMAIL
Level 1 (Advanced)
Macro Support True
Required False
Confidential False
Scope DOMAIN
Default
EmailItem default: 
  To:@User:Email@
From:Change Password Notice <@DefaultEmailFromAddress@>
Subj:Password Change Notification
Body:Your password has been changed by the helpdesk. You should set a new password immediately. If you did not initiate a password change please contact your helpdesk.
Html:Your password has been changed by the helpdesk. You should set a new password immediately. If you did not initiate a password change please contact your helpdesk.
Define this template to send an email to users when the Help Desk changes the users' passwords. PWM expands macros for this setting based on the user who is changing their password, not the Help Desk user.

Label Update Profile Email
Key email.updateProfile
Navigation Settings ⇨ Email ⇨ Email Templates ⇨ Update Profile Email
Syntax EMAIL
Level 1 (Advanced)
Macro Support True
Required False
Confidential False
Scope DOMAIN
Default
EmailItem default: 
  To:@User:Email@
From:Profile Update <@DefaultEmailFromAddress@>
Subj:Profile Update
Body:Thank you for updating your profile information, @LDAP:givenName@.
Html:Thank you for updating your profile information, @LDAP:givenName@.
Define this template to send an email to users after a profile update.

Label Update Profile Email Verification
Key email.updateProfile.token
Navigation Settings ⇨ Email ⇨ Email Templates ⇨ Update Profile Email Verification
Syntax EMAIL
Level 1 (Advanced)
Macro Support True
Required False
Confidential False
Scope DOMAIN
Default
EmailItem default: 
  To:@User:Email@
From:Profile Update <@DefaultEmailFromAddress@>
Subj:Profile Update
Body:Thank you for updating your profile information. To continue with the update, please copy and paste the following code on the registration form:

%TOKEN%

If you did not request to change your profile, you do not need to take any action.
Html:Thank you for updating your profile. To complete the update, please click here to continue.

If for some reason this link does not work, you can copy and paste the following code on the registration form:

%TOKEN%

If you did not request to change your profile, you do not need to take any action.
Define this template to send an email to users during the profile email validation.

Label New User Email
Key email.newUser
Navigation Settings ⇨ Email ⇨ Email Templates ⇨ New User Email
Syntax EMAIL
Level 1 (Advanced)
Macro Support True
Required False
Confidential False
Scope DOMAIN
Default
EmailItem default: 
  To:@User:Email@
From:New User Registration <@DefaultEmailFromAddress@>
Subj:Welcome
Body:Thank you for registering your account, @LDAP:givenName@.
Html:Thank you for registering your account, @LDAP:givenName@.
Define this template to send an email to newly created users.

Label New User Verification Email
Key email.newUser.token
Navigation Settings ⇨ Email ⇨ Email Templates ⇨ New User Verification Email
Syntax EMAIL
Level 1 (Advanced)
Macro Support True
Required False
Confidential False
Scope DOMAIN
Default
EmailItem default: 
  To:@User:Email@
From:New User Registration <@DefaultEmailFromAddress@>
Subj:New User Verification
Body:Thank you for requesting a new account. To continue with your account registration, please copy and paste the following code on the registration form:

%TOKEN%

If you did not request to create a new account, you do not need to take any action.
Html:Thank you for requesting a new account. To continue with your account registration, please click here to continue.

If for some reason this link does not work, you can copy and paste the following code on the registration form:

%TOKEN%

If you did not request to create a new account, you do not need to take any action.
Define this template to send an email during the new user verification process. You can use %TOKEN% to insert the token value into the email.

Label Activation Email
Key email.activation
Navigation Settings ⇨ Email ⇨ Email Templates ⇨ Activation Email
Syntax EMAIL
Level 1 (Advanced)
Macro Support True
Required False
Confidential False
Scope DOMAIN
Default
EmailItem default: 
  To:@User:Email@
From:Activation Notification <@DefaultEmailFromAddress@>
Subj:Account Activated
Body:Thank you for activating your account, @LDAP:givenName@.
Html:Thank you for activating your account, @LDAP:givenName@.
Define this template to send an email to users after a successful activation.

Label Activation Verification Email
Key email.activation.token
Navigation Settings ⇨ Email ⇨ Email Templates ⇨ Activation Verification Email
Syntax EMAIL
Level 1 (Advanced)
Macro Support True
Required False
Confidential False
Scope DOMAIN
Default
EmailItem default: 
  To:@User:Email@
From:Activation Verification <@DefaultEmailFromAddress@>
Subj:Account Verification
Body:Thank you for requesting your account activation. To continue with your account activation, please copy and paste the following code onto the activation form:

%TOKEN%

If you did not request to create a new account, you do not need to take any action.
Html:Thank you for requesting your account activation. To continue with your account activation, please click here to continue.

If for some reason this link doesn't work, you can copy and paste the following code onto the activation form:

%TOKEN%

If you did not request to create a new account, you do not need to take any action.
Define this template to send an email during the activation verification process. You can use %TOKEN% to insert the token value into the email.

Label Forgotten Password Verification Email
Key email.challenge.token
Navigation Settings ⇨ Email ⇨ Email Templates ⇨ Forgotten Password Verification Email
Syntax EMAIL
Level 1 (Advanced)
Macro Support True
Required False
Confidential False
Scope DOMAIN
Default
EmailItem default: 
  To:@User:Email@
From:Forgotten Password <@DefaultEmailFromAddress@>
Subj:Forgotten Password Verification
Body:Thank you for requesting a password reset. To continue with your password reset, please copy and paste the following code onto the password reset form:

%TOKEN%

If you do not wish to change your password at this time, you do not need to take any action.
Html:Thank you for requesting a password reset. To continue with your password reset, please click here to continue.

If for some reason this link doesn't work, you can copy and paste the following code onto the password reset form:

%TOKEN%

If you do not wish to change your password at this time, you do not need to take any action.
Define this template to send an email during the forgotten password verification process. You can use %TOKEN% to insert the token value into the email.

Label Help Desk Verification Email
Key email.helpdesk.token
Navigation Settings ⇨ Email ⇨ Email Templates ⇨ Help Desk Verification Email
Syntax EMAIL
Level 1 (Advanced)
Macro Support True
Required False
Confidential False
Scope DOMAIN
Default
EmailItem default: 
  To:@User:Email@
From:Helpdesk <@DefaultEmailFromAddress@>
Subj:Helpdesk Verification
Body:Your helpdesk has sent you a code to verify your identity. Your verification code is:

%TOKEN%
Html:Your helpdesk has sent you a code to verify your identity. Your verification code is: %TOKEN%.
Define this template to send an email during the Help Desk verification process. You can use %TOKEN% to insert the token value into the email.

Label Guest Registration Email
Key email.guest
Navigation Settings ⇨ Email ⇨ Email Templates ⇨ Guest Registration Email
Syntax EMAIL
Level 2
Macro Support True
Required False
Confidential False
Scope DOMAIN
Default
EmailItem default: 
  To:@User:Email@
From:Guest Registration Agent <@DefaultEmailFromAddress@>
Subj:Welcome
Body:Your account has been created.

Your username is: @User:ID@
Your password is: @User:Password@
Html:Your account has been created.

Your username is:@User:ID@
Your password is: @User:Password@

Define this template to send an email to newly created guest users. Note that the default body places the account's initial password in the email in cleartext.

Label Guest Registration Update Email
Key email.updateguest
Navigation Settings ⇨ Email ⇨ Email Templates ⇨ Guest Registration Update Email
Syntax EMAIL
Level 2
Macro Support True
Required False
Confidential False
Scope DOMAIN
Default
EmailItem default: 
  To:@User:Email@
From:Guest Registration Agent <@DefaultEmailFromAddress@>
Subj:Account update notification
Body:Your account has been updated.
Html:Your account has been created.
Define this template to send an email to updated guest users.

Label Send Password Email
Key email.sendpassword
Navigation Settings ⇨ Email ⇨ Email Templates ⇨ Send Password Email
Syntax EMAIL
Level 2
Macro Support True
Required False
Confidential False
Scope DOMAIN
Default
EmailItem default: 
  To:@User:Email@
From:Password Notifier <@DefaultEmailFromAddress@>
Subj:Password Information
Body:Your new password is:

@User:Password@

Please change your password as soon as possible.
Html:Thank you for requesting a password reset. Your new password is:

@User:Password@

Define this template to send an email during the forgotten password reset process if you enabled the send password functionality. Because @User:Password@ places the new password in the message body, the email is only as confidential as the SMTP path (see SMTP Connection Type) and the recipient's mailbox; the default body accordingly tells the user to change the password as soon as possible.

Label Send User Name Email
Key email.sendUsername
Navigation Settings ⇨ Email ⇨ Email Templates ⇨ Send User Name Email
Syntax EMAIL
Level 2
Macro Support True
Required False
Confidential False
Scope DOMAIN
Default
EmailItem default: 
  To:@User:Email@
From:Username Notifier <@DefaultEmailFromAddress@>
Subj:Username Information
Body:Your username is:

@User:ID@


Html:Your username is:

@User:ID@

Define this template to send an email for the forgotten user name process.

Label Intruder Notice Email
Key email.intruderNotice
Navigation Settings ⇨ Email ⇨ Email Templates ⇨ Intruder Notice Email
Syntax EMAIL
Level 1 (Advanced)
Macro Support True
Required False
Confidential False
Scope DOMAIN
Default
EmailItem default: 
  To:@User:Email@
From:Intruder Notifier <@DefaultEmailFromAddress@>
Subj:Password Information
Body:Your account has been temporarily disabled due to several incorrect login/password reset attempts. If this activity was not caused by you, please contact your administrator.
Html:Your account has been temporarily disabled due to several incorrect login/password reset attempts. If this activity was not caused by you, please contact your administrator.
Define this template to send an email when a userDN intruder lockout occurs.

Label Delete Account Email
Key email.deleteAccount
Navigation Settings ⇨ Email ⇨ Email Templates ⇨ Delete Account Email
Syntax EMAIL
Level 1 (Advanced)
Macro Support True
Required False
Confidential False
Scope DOMAIN
Default
EmailItem default: 
  To:@User:Email@
From:Delete Account Notice <@DefaultEmailFromAddress@>
Subj:Account Deletion Notice
Body:Your account has been deleted at your request.
Html:
Define this template to send an email to the users after the Account Delete action.

Label Help Desk Unlock Account Email
Key email.helpdesk.unlock
Navigation Settings ⇨ Email ⇨ Email Templates ⇨ Help Desk Unlock Account Email
Syntax EMAIL
Level 1 (Advanced)
Macro Support True
Required False
Confidential False
Scope DOMAIN
Default
EmailItem default: 
  To:@User:Email@
From:Unlock Account Notice <@DefaultEmailFromAddress@>
Subj:Account Unlock Notice
Body:Your account has been unlocked by the helpdesk.
Html:
Define this template to send an email to users whose account the help desk unlocks.

Label Unlock Account Email
Key email.unlock
Navigation Settings ⇨ Email ⇨ Email Templates ⇨ Unlock Account Email
Syntax EMAIL
Level 1 (Advanced)
Macro Support True
Required False
Confidential False
Scope DOMAIN
Default
EmailItem default: 
  To:@User:Email@
From:Unlock Account Notice <@DefaultEmailFromAddress@>
Subj:Account Unlock Notice
Body:Your account has been unlocked.
Html:
Define this template to send an email to users who unlock their own account.

Label Password Expiration Notification Email
Key email.pwNotice
Navigation Settings ⇨ Email ⇨ Email Templates ⇨ Password Expiration Notification Email
Syntax EMAIL
Level 1 (Advanced)
Macro Support True
Required False
Confidential False
Scope DOMAIN
Default
EmailItem default: 
  To:@User:Email@
From:Password Expiration Notice <@DefaultEmailFromAddress@>
Subj:Password Expiration Notice
Body:Your password is about to expire. Your password will expire in @User:DaysUntilPwExpire@ days.
Html:
Define this template to send an email notifying users of an impending password expiration.

HTTP Client

HTTP Client

Label HTTP Proxy
Key http.proxy.url
Navigation Settings ⇨ HTTP Client ⇨ HTTP Proxy
Syntax STRING
Level 1 (Advanced)
Required False
Confidential False
Scope SYSTEM
Default

Specify the URL of the HTTP proxy server. If blank, the system uses no proxy server.
  • For an HTTP proxy server, use the "http://servername:3128" format
  • For an authenticated proxy server, use the "http://username:password@servername:3128" format
Because this setting is not marked Confidential, credentials embedded in the URL are visible wherever the configuration value is displayed.


Label HTTP Proxy Exceptions
Key http.proxy.exceptions
Navigation Settings ⇨ HTTP Client ⇨ HTTP Proxy Exceptions
Syntax STRING_ARRAY
Level 1 (Advanced)
Required False
Confidential False
Scope SYSTEM
Default

Specify one or more URLs of proxy exceptions. If an outgoing HTTP request from PWM matches a value in the list, PWM sends the request directly from the server rather than through the configured HTTP Proxy server.

  • PWM attempts to match each item against the beginning of the requested URL string.
  • PWM decodes and parses the outgoing request URL before checking it against the exception list.
  • If a request is unexpectedly proxied (or unexpectedly sent direct), set the debug logs to TRACE and watch the output as the request is made.
  • PWM does not permit wildcards or case mismatches; the values must match exactly.
  • If an entry has the prefix regex:, PWM treats the remainder of the entry as a regular expression. Regular expression matches must match the entire URL.
Example: https://www.example.com
  Matches:      https://www.example.com
                https://www.example.com/
                https://www.example.com/path
  Not matched:  http://www.example.com
                https://mail.example.com

Example: http://www.example.com/p1
  Matches:      http://www.example.com/p1
                http://www.example.com/p1/p2
                http://www.example.com/p1?a1=v1
  Not matched:  https://www.example.com/p1
                http://www.example.com/p2

Example: /path1
  Matches:      /path1
                /path1/path2
                /path1/path2/?param=v1
  Not matched:  www.example.com/path1/
                https://www.example.com/path1
                /path2

Example: regex:^(https?:\/\/)[a-z]*\.example\.com.*?$
  Matches:      http://www.example.com
                https://www.example.com
                http://www.example.com/p1
                http://mail.example.com/p1
  Not matched:  www.example.com
                http://www.example.org
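The matching rules above, checked against the table's own examples, as an added Python example written for this page (it is not PWM's code). Percent-decoding the request URL before matching is an assumption modelled on the "decodes and parses" rule; the `TABLE` data is the page's table transcribed as test input.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote


def url_matches_exception(url: str, exception: str) -> bool:
    """One proxy-exception entry against one URL.

    'regex:' entries must match the entire URL; every other entry is an exact,
    case-sensitive prefix of the URL (no wildcards)."""
    if exception.startswith("regex:"):
        return re.fullmatch(exception[len("regex:"):], url) is not None
    return url.startswith(exception)


def bypasses_proxy(url: str, exceptions: List[str]) -> bool:
    """True when an outgoing request to `url` should go direct instead of via http.proxy.url."""
    decoded = unquote(url)   # assumption: percent-decode before matching
    return any(url_matches_exception(decoded, entry) for entry in exceptions)


# The four entries from the table above.
EXCEPTIONS = [
    "https://www.example.com",
    "http://www.example.com/p1",
    "/path1",
    r"regex:^(https?:\/\/)[a-z]*\.example\.com.*?$",
]

# Matches / Not matched columns of the table, transcribed from the page as test data.
TABLE: Dict[str, Tuple[List[str], List[str]]] = {
    EXCEPTIONS[0]: (
        ["https://www.example.com", "https://www.example.com/", "https://www.example.com/path"],
        ["http://www.example.com", "https://mail.example.com"]),
    EXCEPTIONS[1]: (
        ["http://www.example.com/p1", "http://www.example.com/p1/p2", "http://www.example.com/p1?a1=v1"],
        ["https://www.example.com/p1", "http://www.example.com/p2"]),
    EXCEPTIONS[2]: (
        ["/path1", "/path1/path2", "/path1/path2/?param=v1"],
        ["www.example.com/path1/", "https://www.example.com/path1", "/path2"]),
    EXCEPTIONS[3]: (
        ["http://www.example.com", "https://www.example.com",
         "http://www.example.com/p1", "http://mail.example.com/p1"],
        ["www.example.com", "http://www.example.org"]),
}


def check_table() -> List[str]:
    """Describe every (entry, url) pair whose result disagrees with the table; empty means all agree."""
    failures: List[str] = []
    for entry, (should_match, should_not) in TABLE.items():
        failures += [f"{entry} should match {u}" for u in should_match
                     if not url_matches_exception(u, entry)]
        failures += [f"{entry} should not match {u}" for u in should_not
                     if url_matches_exception(u, entry)]
    return failures


if __name__ == "__main__":
    print(check_table() or "all table examples agree")
    # Prefix matching has no host boundary: this URL is also exempted from the proxy.
    print(bypasses_proxy("https://www.example.com.attacker.test/", EXCEPTIONS))
```

Two things the table does not show. A prefix entry has no host boundary, so `https://www.example.com` also exempts `https://www.example.com.attacker.test/` from the proxy (and thus from whatever egress filtering the proxy enforces); use `https://www.example.com/` with the trailing slash when only that host is intended, and add the bare form as a separate entry if it is needed. The page's regex example has the same gap, because `.*?` follows `\.example\.com` without requiring a `/` or end of string; `regex:^https?://[a-z]+\.example\.com(/.*)?$` closes it.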

HTTPS Server

HTTPS Web Server

Label HTTPS Private Key & Certificate
Key https.server.cert
Navigation Settings ⇨ HTTPS Server ⇨ HTTPS Private Key & Certificate
Syntax PRIVATE_KEY
Level 1 (Advanced)
Required False
Confidential False
Scope SYSTEM
Default

Import the private key and certificate used by the PWM HTTPS web server. If this setting does not have a value, the PWM HTTPS web server uses an auto-generated value based on Settings ⇨ Application ⇨ Site URL and other current configuration data. Changes to this setting require a server restart.

Label TLS Protocols
Key https.server.tls.protocols
Navigation Settings ⇨ HTTPS Server ⇨ TLS Protocols
Syntax OPTIONLIST
Level 1 (Advanced)
Required False
Confidential False
Scope SYSTEM
Options
Stored Value          Display
SSL_3_0 SSL v3.0
TLS_1_0 TLS v1.0
TLS_1_1 TLS v1.1
TLS_1_2 TLS v1.2
TLS_1_3 TLS v1.3
Default
TLS_1_2
TLS_1_3
Select the HTTPS TLS protocols supported by the PWM HTTPS web server. SSL 3.0, TLS 1.0 and TLS 1.1 are deprecated and should remain unselected; the default of TLS 1.2 and TLS 1.3 is appropriate. Changes to this setting require a server restart.

Label TLS Ciphers
Key https.server.tls.ciphers
Navigation Settings ⇨ HTTPS Server ⇨ TLS Ciphers
Syntax STRING
Level 1 (Advanced)
Required False
Confidential False
Scope SYSTEM
Default
TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_CCM_SHA256,TLS_AES_128_CCM_8_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_SHA,TLS_DHE_RSA_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA,TLS_DHE_DSS_WITH_AES_128_SHA256
Specify the HTTPS TLS ciphers accepted by the PWM HTTPS web server. The value for this setting is an ordered, comma-separated list of cipher suite names as provided by JSSE (the Java Secure Socket Extension); take the names from those your JVM supports. Changes to this setting require a server restart.
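An added Python check, written for this page and not part of PWM, that parses the default TLS Ciphers value above and the TLS Protocols option values: it keeps only forward-secret AEAD suites in their original order and flags deprecated protocol versions. The policy it encodes (drop CBC suites, drop DSS and any key exchange other than ECDHE_RSA, ECDHE_ECDSA or DHE_RSA, and drop CCM_8 for its 8-byte tag) is the editor's recommendation, not a PWM requirement.

```python
from typing import Dict, Iterable, List, Tuple

# The page's default value of https.server.tls.ciphers, copied as written.
DEFAULT_CIPHERS = (
    "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,"
    "TLS_AES_128_CCM_SHA256,TLS_AES_128_CCM_8_SHA256,"
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,"
    "TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_SHA,"
    "TLS_DHE_RSA_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA,"
    "TLS_DHE_DSS_WITH_AES_128_SHA256"
)

FORWARD_SECRET_KX = {"ECDHE_RSA", "ECDHE_ECDSA", "DHE_RSA"}   # editor's allow-list
AEAD_TOKENS = ("GCM", "CCM", "CHACHA20")
DEPRECATED_PROTOCOLS = {"SSL_3_0", "TLS_1_0", "TLS_1_1"}       # stored values of the option list


def classify_suite(name: str) -> str:
    """Return '' for an acceptable suite, otherwise a short reason to drop it."""
    if "CCM_8" in name:
        return "CCM_8 uses an 8-byte authentication tag"
    if "_WITH_" not in name:
        # TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) name only the AEAD; key exchange is always (EC)DHE.
        return ""
    kx, cipher = name[len("TLS_"):].split("_WITH_", 1)
    if kx not in FORWARD_SECRET_KX:
        return f"key exchange {kx} not in {sorted(FORWARD_SECRET_KX)}"
    if not any(token in cipher for token in AEAD_TOKENS):
        return "not an AEAD cipher (CBC with HMAC)"
    return ""


def harden_cipher_list(csv: str) -> Tuple[str, Dict[str, str]]:
    """Split the comma-separated list, keep order, return (kept_csv, {dropped_name: reason})."""
    kept: List[str] = []
    dropped: Dict[str, str] = {}
    for name in (n.strip() for n in csv.split(",") if n.strip()):
        reason = classify_suite(name)
        if reason:
            dropped[name] = reason
        else:
            kept.append(name)
    return ",".join(kept), dropped


def audit_protocols(selected: Iterable[str]) -> List[str]:
    """Selected TLS Protocols values that should not be enabled; empty means the selection is clean."""
    return sorted(set(selected) & DEPRECATED_PROTOCOLS)


if __name__ == "__main__":
    hardened, dropped = harden_cipher_list(DEFAULT_CIPHERS)
    print("keep:", hardened)
    for suite, why in dropped.items():
        print("drop:", suite, "-", why)
    print("protocols to disable:", audit_protocols(["TLS_1_0", "TLS_1_2", "TLS_1_3"]))
```

The suite names are processed exactly as written on this page. The IANA and JSSE names for the CBC suites contain `_CBC_` (for example TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256), so compare any value you paste into this setting against the names your JVM actually reports.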

Intruder Settings

Intruder Settings

Label Enable PWM Intruder Detection
Key intruder.enable
Navigation Settings ⇨ Intruder Detection ⇨ Intruder Settings ⇨ Enable PWM Intruder Detection
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
True
Enable this option to enable the PWM intruder detection system. Your LDAP directory intruder detection settings function independently of this setting.

Label Enable Bad Password Simulation
Key security.ldap.simulateBadPassword
Navigation Settings ⇨ Intruder Detection ⇨ Intruder Settings ⇨ Enable Bad Password Simulation
Syntax BOOLEAN
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
True
Enable this option to simulate a bad password during the forgotten password process. When an identified user attempts to recover a forgotten password but supplies incorrect data, PWM attempts to authenticate to the directory as that user with a known-bad password value. This lets the LDAP directory's own intruder defenses count the failure.

Intruder System Settings

Intruder System Settings

Label Intruder Record Storage Location
Key intruder.storageMethod
Navigation Settings ⇨ Intruder Detection ⇨ Intruder System Settings ⇨ Intruder Record Storage Location
Syntax SELECT
Level 1 (Advanced)
Required True
Confidential False
Scope SYSTEM
Options
Stored ValueDisplay
DATABASE Remote Database
LOCALDB LocalDB
Default
LOCALDB
Select the data store used for Intruder Records. If you use Database, all application instances share a common view of intruder status. If you use LocalDB, each instance has its own intruder state, so with several instances behind a load balancer an attacker's attempts are counted separately by each instance and the effective lockout threshold is multiplied accordingly. LocalDB has less performance overhead, and a consistent intruder state across all instances may not matter in a single-instance deployment. The Config Guide uses a database if one is configured; otherwise it uses the LocalDB.

Intruder Timeouts

Intruder Timeouts

Label Intruder User Reset Time
Key intruder.user.resetTime
Navigation Settings ⇨ Intruder Detection ⇨ Intruder Timeouts ⇨ Intruder User Reset Time
Syntax DURATION
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
1800
Specify the time period after which PWM clears a bad attempt from the lockout table. PWM marks the user lockout table for a user anytime a user has a failed attempt to authenticate, recover a password, or activate a user account.

Value is in number of seconds. A value of zero disables the user lockout functionality.

Label Intruder User Maximum Attempts
Key intruder.user.maxAttempts
Navigation Settings ⇨ Intruder Detection ⇨ Intruder Timeouts ⇨ Intruder User Maximum Attempts
Syntax NUMERIC
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
10
Specify the maximum number of attempts a user might make before a lockout occurs. After the user exceeds this value, the user cannot perform any activities until the reset time interval has passed. A value of zero disables the user lockout functionality.

Label Intruder User Check Time
Key intruder.user.checkTime
Navigation Settings ⇨ Intruder Detection ⇨ Intruder Timeouts ⇨ Intruder User Check Time
Syntax DURATION
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
300
Specify the maximum time period between each intruder attempt. When the user exceeds this time period, PWM resets the intruder attempt count to zero.

Label Intruder Attribute Reset Time
Key intruder.attribute.resetTime
Navigation Settings ⇨ Intruder Detection ⇨ Intruder Timeouts ⇨ Intruder Attribute Reset Time
Syntax DURATION
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
1800
Specify the time period after which PWM clears a bad attempt from the lockout table. PWM marks the attribute lockout table anytime a non-authenticated user submits a value in a form field (for example a user name on the forgotten password form).

Value is in number of seconds. A value of zero disables the attribute lockout functionality.

Label Intruder Attribute Maximum Attempts
Key intruder.attribute.maxAttempts
Navigation Settings ⇨ Intruder Detection ⇨ Intruder Timeouts ⇨ Intruder Attribute Maximum Attempts
Syntax NUMERIC
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
10
Specify the maximum number of attempts that may be made with a form attribute value before a lockout occurs. After this value is exceeded, no further activity with that value is possible until the reset time interval has passed. A value of zero disables the attribute lockout functionality.

Label Intruder Attribute Check Time
Key intruder.attribute.checkTime
Navigation Settings ⇨ Intruder Detection ⇨ Intruder Timeouts ⇨ Intruder Attribute Check Time
Syntax DURATION
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
300
Specify the maximum time period between each intruder attempt. When the user exceeds this time period, PWM resets the intruder attempt count to zero.

Label Intruder Token Destination Reset Time
Key intruder.tokenDest.resetTime
Navigation Settings ⇨ Intruder Detection ⇨ Intruder Timeouts ⇨ Intruder Token Destination Reset Time
Syntax DURATION
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
1800
Specify the time period after which PWM clears a bad attempt from the lockout table. PWM marks the attribute lockout table for a user anytime it sends a token, and it clears the lockout when the user consumes a token.

Value is in number of seconds. A value of zero disables the attribute lockout functionality.

Label Intruder Token Destination Attempts
Key intruder.tokenDest.maxAttempts
Navigation Settings ⇨ Intruder Detection ⇨ Intruder Timeouts ⇨ Intruder Token Destination Attempts
Syntax NUMERIC
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
10
Specify the maximum number of times a token destination can be used before a lockout occurs, after which PWM no longer sends tokens to that destination. After the user exceeds this value, the user cannot perform any activities until the reset time interval has passed. A value of zero disables the token lockout functionality.

Label Intruder Token Destination Check Time
Key intruder.tokenDest.checkTime
Navigation Settings ⇨ Intruder Detection ⇨ Intruder Timeouts ⇨ Intruder Token Destination Check Time
Syntax DURATION
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
300
Specify the maximum time period between each intruder attempt. When the user exceeds this time period, PWM resets the intruder attempt count to zero.

Label Intruder Address Reset Time
Key intruder.address.resetTime
Navigation Settings ⇨ Intruder Detection ⇨ Intruder Timeouts ⇨ Intruder Address Reset Time
Syntax DURATION
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
1800
Specify the time period after which PWM clears a bad attempt from the lockout table. PWM marks the address lockout table for any source IP address anytime any user has a failed attempt to authenticate, recover a password, or activate a user account from that address.

Depending on how you deployed PWM, it might not be able to correctly identify the IP address of the user.

Value is in number of seconds. A value of zero disables the address lockout functionality.

Label Intruder Address Maximum Attempts
Key intruder.address.maxAttempts
Navigation Settings ⇨ Intruder Detection ⇨ Intruder Timeouts ⇨ Intruder Address Maximum Attempts
Syntax NUMERIC
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
30
Specify the maximum number of attempts any user might make from a particular address. After users exceed this value, no user from that address can perform any activities until the reset time interval has passed. A value of zero disables the address lockout functionality.

Label Intruder Address Check Time
Key intruder.address.checkTime
Navigation Settings ⇨ Intruder Detection ⇨ Intruder Timeouts ⇨ Intruder Address Check Time
Syntax DURATION
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
300
Specify the maximum time period between each intruder attempt. When users exceed this time period, PWM resets the intruder attempt count to zero. A value of zero disables the address lockout functionality.

Label Maximum Intruder Attempts Per Session
Key intruder.session.maxAttempts
Navigation Settings ⇨ Intruder Detection ⇨ Intruder Timeouts ⇨ Maximum Intruder Attempts Per Session
Syntax NUMERIC
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
8
Specify the maximum number of intruder attempts per session. When the user exceeds this limit, PWM "locks" the session, and no further requests using that session succeed. A value of zero disables the session lockout functionality.
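A compact model of how the three intruder timeout parameters on this page (maximum attempts, check time, reset time) interact, added here as an illustration rather than PWM's own code; the class and method names, and the rule that attempts made during a lockout refresh its timestamp, are assumptions of this example.

```python
"""Model of PWM-style intruder tracking: max attempts, check time, reset time.

Added illustration, not PWM's own code: the parameter names mirror the
settings above (intruder.<table>.maxAttempts, .checkTime, .resetTime) but the
bookkeeping is a simplified reconstruction of the documented behaviour.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class IntruderRecord:
    attempts: int = 0          # bad attempts counted so far for this key
    last_attempt: float = 0.0  # timestamp (seconds) of the most recent bad attempt


@dataclass
class IntruderTable:
    """One lockout table: user, attribute, token destination or source address."""
    max_attempts: int   # e.g. intruder.user.maxAttempts; 0 disables lockout
    check_time: float   # e.g. intruder.user.checkTime: max gap between attempts
    reset_time: float   # e.g. intruder.user.resetTime: age at which an entry clears
    records: Dict[str, IntruderRecord] = field(default_factory=dict)

    def _expire(self, key: str, now: float) -> Optional[IntruderRecord]:
        """Drop the entry once the reset time has passed since its last attempt."""
        rec = self.records.get(key)
        if rec is not None and now - rec.last_attempt >= self.reset_time:
            del self.records[key]
            return None
        return rec

    def mark(self, key: str, now: float) -> int:
        """Record a bad attempt for key and return the resulting attempt count."""
        if self.max_attempts == 0:
            return 0  # lockout disabled for this table
        rec = self._expire(key, now)
        if rec is None:
            rec = IntruderRecord(attempts=1, last_attempt=now)
            self.records[key] = rec
        elif rec.attempts <= self.max_attempts and now - rec.last_attempt > self.check_time:
            # Not yet locked and the gap exceeded the check time: count restarts at one.
            rec.attempts, rec.last_attempt = 1, now
        else:
            # Within the check time, or already locked (assumption: attempts made
            # during a lockout still count and refresh the timestamp).
            rec.attempts += 1
            rec.last_attempt = now
        return rec.attempts

    def is_locked(self, key: str, now: float) -> bool:
        """Locked once the count exceeds max_attempts, until the reset time elapses."""
        if self.max_attempts == 0:
            return False
        rec = self._expire(key, now)
        return rec is not None and rec.attempts > self.max_attempts
```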

Localization

Label Locales (Languages) and Flags
Key knownLocales
Navigation Settings ⇨ Localization ⇨ Locales (Languages) and Flags
Syntax STRING_ARRAY
Level 2
Required False
Confidential False
Scope SYSTEM
Default
en::us
en_CA::ca
ca::catalonia
cs::cz
da::dk
de::de
el::gr
es::es
fi::fi
fr::fr
fr_CA::ca
hu::hu
iw::il
it::it
ja::jp
ko::kr
nl::nl
nb::no
no::no
nn::no
pl::pl
pt_BR::br
pt::pt
ru::ru
sk::sk
sv::se
th::th
tr::tr
zh_CN::cn
zh_TW::tw
List of available locales. Each entry has two parts separated by two colons (::). The first part is the browser locale code; the second is the ISO country code used for the flag value.

Label Locale Cookie Age
Key locale.cookie.age
Navigation Settings ⇨ Localization ⇨ Locale Cookie Age
Syntax DURATION
Level 2
Required False
Confidential False
Scope SYSTEM
Default
604800
Specify the duration of time to remember a user's locale preferences. Anytime PWM overrides a browser's default locale setting, it stores a cookie in the browser remembering that setting for the duration of this setting.

Logging

Setting high debug levels can cause undesired overhead and the application might suffer as a result. Conversely, retaining high-level logs can help aid troubleshooting as well as security forensics.

Label Console (StdOut) Log Level
Key events.java.stdoutLevel
Navigation Settings ⇨ Logging ⇨ Console (StdOut) Log Level
Syntax SELECT
Level 1 (Advanced)
Required False
Confidential False
Scope SYSTEM
Options
Stored Value | Display
TRACE 6 - Trace
DEBUG 5 - Debug
INFO 4 - Info
WARN 3 - Warn
ERROR 2 - Error
FATAL 1 - Fatal
Off 0 - Off
Default
INFO
Specify the default Log level for stdout. Most servlet containers redirect stdout to a log file. For example, Apache Tomcat logs stdout output to the tomcat/logs/catalina.out file by default.

Label LocalDB Log Level
Key events.pwmDB.logLevel
Navigation Settings ⇨ Logging ⇨ LocalDB Log Level
Syntax SELECT
Level 1 (Advanced)
Required True
Confidential False
Scope SYSTEM
Options
Stored Value | Display
TRACE 6 - Trace
DEBUG 5 - Debug
INFO 4 - Info
WARN 3 - Warn
ERROR 2 - Error
FATAL 1 - Fatal
Off 0 - Off
Default
INFO
Specify the level at which to log events in the LocalDB. You can view the log events written to the LocalDB in the administrator event log viewer.

Label File Log Level
Key events.fileAppender.level
Navigation Settings ⇨ Logging ⇨ File Log Level
Syntax SELECT
Level 1 (Advanced)
Required True
Confidential False
Scope SYSTEM
Options
Stored Value | Display
TRACE 6 - Trace
DEBUG 5 - Debug
INFO 4 - Info
WARN 3 - Warn
ERROR 2 - Error
FATAL 1 - Fatal
Off 0 - Off
Default
INFO
Specify the level at which to log events to the local File Log. PWM writes log files to the servlet's WEB-INF/logs directory.

Label Maximum LocalDB Events
Key events.pwmDB.maxEvents
Navigation Settings ⇨ Logging ⇨ Maximum LocalDB Events
Syntax NUMERIC
Level 1 (Advanced)
Required True
Confidential False
Scope SYSTEM
Default
1000000
Specify the maximum log events stored in the LocalDB. PWM retains this number of events in the LocalDB database and displays these in the admin event log screen.

PWM consumes approximately 100MB of disk space for each 100,000 log events.

Label Maximum Age LocalDB Events
Key events.pwmDB.maxAge
Navigation Settings ⇨ Logging ⇨ Maximum Age LocalDB Events
Syntax DURATION
Level 1 (Advanced)
Required True
Confidential False
Scope SYSTEM
Default
2419200
Specify the maximum age of events stored in the LocalDB.

PWM periodically purges events older than the configured value here. Specify the value in seconds. Default is four weeks (60s * 60m * 24h * 7d * 4w = 2419200). A value of zero causes PWM not to remove events due to age.

Label Daily Summary Alerts
Key events.alert.dailySummary.enable
Navigation Settings ⇨ Logging ⇨ Daily Summary Alerts
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope SYSTEM
Default
True
Enable this option to send an email alert once a day (at 0:00 GMT) that contains a summary of the day's statistics and health.

Label Strength Meter Algorithm
Key password.strengthMeter.type
Navigation Settings ⇨ Logging ⇨ Strength Meter Algorithm
Syntax SELECT
Level 1 (Advanced)
Required True
Confidential False
Scope SYSTEM
Options
Stored Value | Display
PWM Traditional - built in algorithm
ZXCVBN zxcvbn - open source library
Default
PWM
Choose the calculation algorithm type used for the password strength meter.


Password Expiration Notification

Label Enable Password Expiration Notification
Key pwNotify.enable
Navigation Settings ⇨ Password Expiration Notification ⇨ Enable Password Expiration Notification
Syntax BOOLEAN
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
False

Enable password expiration notification service. Operation of this service requires that a node service be configured. Status of this service can be viewed on the Administration -> Dashboard -> Password Notification page. The service will nominally execute once per day on the master node server.

If a job is missed because of a PWM, LDAP, or database service interruption, it runs within the next 24 hours as soon as service is restored. Running a job more than once does not result in duplicate emails sent to the user.

If a user's password expiration time changes since the last job, a new notification will be sent as appropriate.


Label Storage Mode
Key pwNotify.storageMode
Navigation Settings ⇨ Password Expiration Notification ⇨ Storage Mode
Syntax SELECT
Level 2
Required False
Confidential False
Scope DOMAIN
Options
Stored Value | Display
LDAP LDAP Directory
DB Remote Database
Default
Template | Value
default LDAP
DB DB
Select storage mode used by node service module.

Label Expiration Notification User Match
Key pwNotify.queryString
Navigation Settings ⇨ Password Expiration Notification ⇨ Expiration Notification User Match
Syntax USER_PERMISSION
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default

Users that will receive password expiration notifications.

Label Expiration Notification Intervals
Key pwNotify.intervals
Navigation Settings ⇨ Password Expiration Notification ⇨ Expiration Notification Intervals
Syntax STRING_ARRAY
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
1
3
7
Expiration Notification Day Intervals. The number of days before a user's password expiration at which an email notice will be sent.

Label Job Offset
Key pwNotify.job.offSet
Navigation Settings ⇨ Password Expiration Notification ⇨ Job Offset
Syntax DURATION
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
0
GMT job offset time. The expiration notice job will normally be executed at 0:00 GMT. This value can be adjusted to change the standard time of day the job is run.

Password Settings

Password related settings that apply to all users regardless of the password policy or profile appear here. For profile-specific password settings, see Profiles -> Password Policy Profiles.

Label Password Policy Source
Key password.policy.source
Navigation Settings ⇨ Password Settings ⇨ Password Policy Source
Syntax SELECT
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Options
Stored Value | Display
MERGE Merge Local and LDAP (default)
LDAP LDAP
PWM Local
Default
MERGE
Select where PWM reads the password policy settings. If you select LDAP, PWM attempts to read the policy out of the LDAP directory, and it could ignore many of the following settings. If you select Local, PWM uses the policy settings on this page and ignores any policy settings in the LDAP directory. If you select Merge, PWM reads both policies, and where there is any conflict, PWM chooses the most restrictive value of the policy.

The capability to read policy from LDAP is only available with some LDAP directory types.

Additionally, PWM uses the password policy as the only "local" policy. Upon a password set operation, the LDAP directory typically enforces whatever policies are configured in the directory itself.


Label Enable Shared History
Key password.sharedHistory.enable
Navigation Settings ⇨ Password Settings ⇨ Enable Shared History
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
False
Enable this option to use a global shared password history for all users. If enabled, all users share a common password history. This helps prevent users from using common organizational words as passwords. PWM stores the passwords as a salted and encrypted hash in the LocalDB.

Label Shared History Age
Key password.sharedHistory.age
Navigation Settings ⇨ Password Settings ⇨ Shared History Age
Syntax DURATION
Level 2
Required True
Confidential False
Scope DOMAIN
Default
2419200
Specify the maximum age of the shared history storage. Specify the value in seconds. The default is 28 days.

Label Password is Case Sensitive
Key password.policy.caseSensitivity
Navigation Settings ⇨ Password Settings ⇨ Password is Case Sensitive
Syntax SELECT
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Options
Stored Value | Display
read Read from Directory
true True (Case Sensitive)
false False (Case Insensitive)
Default
read
Enable this option to control if the password is case sensitive. In most cases, PWM can read this from the directory, but in some cases, the system cannot correctly read this value, so you can override it here.

Reporting

Options to enable and configure reporting.

Label Enable Daily Reporting Job
Key reporting.enable
Navigation Settings ⇨ Reporting ⇨ Enable Daily Reporting Job
Syntax BOOLEAN
Level 1 (Advanced)
Required False
Confidential False
Scope SYSTEM
Default
False
Enable daily reporting job. When enabled, PWM will execute a daily report update job.

Label Reporting Job Time Offset
Key reporting.job.timeOffset
Navigation Settings ⇨ Reporting ⇨ Reporting Job Time Offset
Syntax DURATION
Level 2
Required False
Confidential False
Scope SYSTEM
Default
0
Specify the number of seconds past midnight (GMT) when PWM processes the update job. Setting this option to -1 disables the nightly job processor.

Label Maximum LDAP Query Size
Key reporting.ldap.maxQuerySize
Navigation Settings ⇨ Reporting ⇨ Maximum LDAP Query Size
Syntax NUMERIC
Level 2
Required False
Confidential False
Scope SYSTEM
Default
100000
Specify the maximum number of records read during a reporting query search. Setting a larger value requires more Java heap memory.

Label Reporting Job Intensity
Key reporting.job.intensity
Navigation Settings ⇨ Reporting ⇨ Reporting Job Intensity
Syntax SELECT
Level 2
Required False
Confidential False
Scope SYSTEM
Options
Stored Value | Display
LOW Low
MEDIUM Medium
HIGH High
Default
LOW
Control the level of intensity of a reporting job execution. Higher levels will complete the report job faster but cause more workload on PWM and the LDAP directory.

Label Reporting Summary Day Intervals
Key reporting.summary.dayValues
Navigation Settings ⇨ Reporting ⇨ Reporting Summary Day Intervals
Syntax STRING_ARRAY
Level 2
Required False
Confidential False
Scope SYSTEM
Default
-90
-60
-30
-14
-7
-3
30
60
90
Specify day intervals to include in report summary data.


SMS Gateway

Label SMS Gateway URL
Key sms.gatewayURL
Navigation Settings ⇨ SMS ⇨ SMS Gateway ⇨ SMS Gateway URL
Syntax STRING
Level 1 (Advanced)
Required False
Confidential False
Scope SYSTEM
Default

Specify the URL for the SMS gateway.

Label SMS Gateway Certificates
Key sms.gatewayCertificates
Navigation Settings ⇨ SMS ⇨ SMS Gateway ⇨ SMS Gateway Certificates
Syntax X509CERT
Level 1 (Advanced)
Required False
Confidential False
Scope SYSTEM
Default

Certificate for remote SMS service

Label HTTP(S) Method
Key sms.gatewayMethod
Navigation Settings ⇨ SMS ⇨ SMS Gateway ⇨ HTTP(S) Method
Syntax SELECT
Level 1 (Advanced)
Required True
Confidential False
Scope SYSTEM
Options
Stored Value | Display
POST POST
GET GET
Default
POST
Select the HTTP(S) method PWM uses for sending the SMS messages.

Label SMS Gateway User
Key sms.gatewayUser
Navigation Settings ⇨ SMS ⇨ SMS Gateway ⇨ SMS Gateway User
Syntax STRING
Level 1 (Advanced)
Required False
Confidential False
Scope SYSTEM
Default

Specify the user name for the SMS gateway.

Label SMS Gateway Password
Key sms.gatewayPassword
Navigation Settings ⇨ SMS ⇨ SMS Gateway ⇨ SMS Gateway Password
Syntax PASSWORD
Level 1 (Advanced)
Required False
Confidential True
Scope SYSTEM
Default
*hidden*
Specify the user password for the SMS gateway.

Label SMS Gateway Authentication Method
Key sms.gatewayAuthMethod
Navigation Settings ⇨ SMS ⇨ SMS Gateway ⇨ SMS Gateway Authentication Method
Syntax SELECT
Level 2
Required True
Confidential False
Scope SYSTEM
Options
Stored Value | Display
REQUEST Request - Authentication will be part of the request
HTTP HTTP - Use HTTP basic authentication
Default
REQUEST
Select the method PWM uses for authentication to the SMS gateway.

Label SMS Request Data
Key sms.requestData
Navigation Settings ⇨ SMS ⇨ SMS Gateway ⇨ SMS Request Data
Syntax TEXT_AREA
Level 2
Required False
Confidential False
Scope SYSTEM
Default
user=%USER%&pass=%PASS%&to=%TO%&msg=%MESSAGE%
Specify the data PWM submits in order to send an SMS message. You can use certain codes that PWM replaces:
  • %USER%: authentication user name
  • %PASS%: authentication password
  • %SENDERID%: sender identification
  • %TO%: recipient SMS number
  • %REQUESTID%: randomly generated request identifier
  • %MESSAGE%: the message to be sent

Label SMS Data Content Type
Key sms.requestContentType
Navigation Settings ⇨ SMS ⇨ SMS Gateway ⇨ SMS Data Content Type
Syntax STRING
Level 2
Required False
Confidential False
Scope SYSTEM
Default
application/x-www-form-urlencoded
Specify the content type for POST data. This is the mime type for the content. This only applies if the HTTPS Method is POST. Common values are:
  • application/x-www-form-urlencoded: HTTP form data
  • text/plain: Plain ASCII data
  • text/xml: XML document
Optionally, you can append a character set. For example:
  • application/x-www-form-urlencoded; charset=utf-8: HTTP form data in UTF-8 encoding

Label SMS Data Content Encoding
Key sms.requestContentEncoding
Navigation Settings ⇨ SMS ⇨ SMS Gateway ⇨ SMS Data Content Encoding
Syntax SELECT
Level 2
Required True
Confidential False
Scope SYSTEM
Options
Stored Value | Display
NONE None - no encoding
CSV CSV - Escape for comma separated values
HTML HTML - for HTML data
JAVA Java - for Java String representations
JAVASCRIPT Javascript - recommended for JSON formatted documents
SQL SQL - turn single-quotes (') into double single-quotes ('')
URL URL - recommended for GET requests and POST with form data (default)
XML XML - for XML and/or SOAP services
Default
URL
Select how PWM encodes the data for fields in the SMS message. The data might need encoding or escaping.

Label SMS Gateway HTTP Request Headers
Key sms.httpRequestHeaders
Navigation Settings ⇨ SMS ⇨ SMS Gateway ⇨ SMS Gateway HTTP Request Headers
Syntax STRING_ARRAY
Level 2
Required False
Confidential False
Scope SYSTEM
Default

Specify any additional HTTP request headers for the SMS request, for example SOAPAction for SOAP messages. Each header must be a name/value pair delimited by a colon (e.g. MyHeader:SomeValue).

Label Maximum SMS Text Length
Key sms.maxTextLength
Navigation Settings ⇨ SMS ⇨ SMS Gateway ⇨ Maximum SMS Text Length
Syntax NUMERIC
Level 2
Required True
Confidential False
Scope SYSTEM
Default
140
Specify the maximum length for the SMS text. Some services allow texts longer than one message (generally 140 bytes). If the text is longer than the configured maximum, PWM makes multiple requests.

Label SMS Sender ID
Key sms.senderID
Navigation Settings ⇨ SMS ⇨ SMS Gateway ⇨ SMS Sender ID
Syntax STRING
Level 1 (Advanced)
Required False
Confidential False
Scope SYSTEM
Default

Specify the alphanumerical sender identification. If blank, the provider uses a default or anonymous sender identification. In most cases, the SMS provider must validate the sender ID. Contact your provider for values that you can use as a valid sender identification.

Label SMS Phone Number Format
Key sms.phoneNumberFormat
Navigation Settings ⇨ SMS ⇨ SMS Gateway ⇨ SMS Phone Number Format
Syntax SELECT
Level 2
Required True
Confidential False
Scope SYSTEM
Options
Stored Value | Display
RAW Raw - Use the raw value that is read from the directory with no changes
PLAIN Plain - country code (e.g. 1 for USA) plus subscriber number (e.g. 12312345): 112312345
PLUS Plus - Same as plain, but with a plus sign as a prefix: +112312345
ZEROS Zeros - Same as plain, but prefixed with a double zero: 00112312345
Default
ZEROS
Select the format that PWM uses for the mobile phone number.

Label Default SMS Country Code
Key sms.defaultCountryCode
Navigation Settings ⇨ SMS ⇨ SMS Gateway ⇨ Default SMS Country Code
Syntax NUMERIC
Level 2
Required False
Confidential False
Scope SYSTEM
Default
1
Specify the default country code for the SMS phone number. For a list of country codes, see http://countrycode.org/. Set to 0 to disable this option.

Label Request ID Characters
Key sms.requestId.characters
Navigation Settings ⇨ SMS ⇨ SMS Gateway ⇨ Request ID Characters
Syntax STRING
Level 2
Required True
Confidential False
Scope SYSTEM
Default
0123456789abcdef
Specify the available characters in the SMS request ID.

Label Request ID Length
Key sms.requestId.length
Navigation Settings ⇨ SMS ⇨ SMS Gateway ⇨ Request ID Length
Syntax NUMERIC
Level 2
Required True
Confidential False
Scope SYSTEM
Default
6
Specify the length of the SMS request ID.


Label Response Regular Expressions
Key sms.responseOkRegex
Navigation Settings ⇨ SMS ⇨ SMS Gateway ⇨ Response Regular Expressions
Syntax STRING_ARRAY
Level 2
Required False
Confidential False
Scope SYSTEM
Default

Specify the regular expressions PWM uses to determine whether it sent the SMS successfully to the gateway. If the response matches any of the expressions, PWM considers the transmission successful. If you do not specify any expressions, PWM assumes that all transmissions are successful. If the response matches none of the expressions, PWM retries the SMS later (default 30 seconds). Use the Maximum SMS Queue Age option to limit the number of retries. NOTE: The expression must match an entire line. Use .* to match anything after the required text.

Label Successful HTTP Result Codes
Key sms.successResultCodes
Navigation Settings ⇨ SMS ⇨ SMS Gateway ⇨ Successful HTTP Result Codes
Syntax STRING_ARRAY
Level 2
Required True
Confidential False
Scope SYSTEM
Default
200
Specify the HTTP result codes that PWM considers as successful send attempts.
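The following added example (not PWM's own code) ties together the SMS Gateway settings above: it substitutes the %CODE% placeholders in SMS Request Data with URL encoding, applies the SMS Phone Number Format and Default SMS Country Code, draws a request ID from the configured characters and length, and applies the "must match an entire line" rule for Response Regular Expressions together with Successful HTTP Result Codes. The CONFIG dictionary, function names and the order in which the pieces are combined are assumptions of the example.

```python
"""Assemble and check an SMS gateway request from the settings on this page.

Added illustration, not PWM's own code: the %CODE% placeholders, the phone
number formats, the request ID alphabet and the "must match an entire line"
rule come from the settings above; CONFIG, the function names and the way
the pieces are combined are assumptions of this example.
"""
import html
import re
import secrets
from typing import Optional
from urllib.parse import quote_plus

# Constructed sample configuration keyed by the setting names above.
CONFIG = {
    "sms.requestData": "user=%USER%&pass=%PASS%&to=%TO%&msg=%MESSAGE%",
    "sms.requestContentEncoding": "URL",
    "sms.phoneNumberFormat": "ZEROS",
    "sms.defaultCountryCode": 1,
    "sms.requestId.characters": "0123456789abcdef",
    "sms.requestId.length": 6,
    "sms.responseOkRegex": [r"OK.*", r"ID: [0-9]+"],
    "sms.successResultCodes": ["200"],
}


def format_phone_number(raw: str, fmt: str, default_country_code: int) -> str:
    """Apply the SMS Phone Number Format setting to a value read from the directory.

    Assumption: a number starting with '+' or '00' already carries its country
    code; any other number gets the default country code prepended (0 disables).
    """
    if fmt == "RAW":
        return raw
    digits = re.sub(r"[^0-9+]", "", raw)  # drop spaces, dashes, parentheses
    if digits.startswith("+"):
        plain = digits[1:]
    elif digits.startswith("00"):
        plain = digits[2:]
    elif default_country_code:
        plain = f"{default_country_code}{digits}"
    else:
        plain = digits
    return {"PLAIN": plain, "PLUS": "+" + plain, "ZEROS": "00" + plain}[fmt]


def encode_field(value: str, encoding: str) -> str:
    """Encode one substituted value per SMS Data Content Encoding (subset of the options)."""
    if encoding == "NONE":
        return value
    if encoding == "URL":
        return quote_plus(value)
    if encoding == "SQL":
        return value.replace("'", "''")
    if encoding in ("HTML", "XML"):
        return html.escape(value, quote=True)
    raise ValueError(f"encoding {encoding} is not modelled in this example")


def make_request_id(alphabet: str, length: int) -> str:
    """Random request identifier drawn from the configured characters and length."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_request_body(cfg: dict, user: str, password: str, to: str, message: str,
                       sender_id: str = "", request_id: Optional[str] = None) -> str:
    """Substitute the %CODE% placeholders in sms.requestData, encoding each value."""
    if request_id is None:
        request_id = make_request_id(cfg["sms.requestId.characters"],
                                     cfg["sms.requestId.length"])
    values = {
        "%USER%": user,
        "%PASS%": password,
        "%SENDERID%": sender_id,
        "%TO%": format_phone_number(to, cfg["sms.phoneNumberFormat"],
                                    cfg["sms.defaultCountryCode"]),
        "%REQUESTID%": request_id,
        "%MESSAGE%": message,
    }
    body = cfg["sms.requestData"]
    for code, value in values.items():
        body = body.replace(code, encode_field(value, cfg["sms.requestContentEncoding"]))
    return body


def send_succeeded(cfg: dict, status_code: int, response_body: str) -> bool:
    """Decide whether the gateway accepted the message.

    Assumption: the HTTP result code must be listed in sms.successResultCodes and,
    if any sms.responseOkRegex entries exist, one of them must match a whole
    response line (so "OK.*" matches "OK 4711" but not "Sent OK").
    """
    if str(status_code) not in cfg["sms.successResultCodes"]:
        return False
    patterns = cfg["sms.responseOkRegex"]
    if not patterns:
        return True  # no expressions configured: every transmission counts as successful
    return any(re.fullmatch(p, line) for p in patterns
               for line in response_body.splitlines())
```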



Label Maximum SMS Queue Age
Key sms.queueMaxAge
Navigation Settings ⇨ SMS ⇨ SMS Gateway ⇨ Maximum SMS Queue Age
Syntax DURATION
Level 2
Required True
Confidential False
Scope SYSTEM
Default
300
Specify the maximum age (in seconds) an SMS can wait in the local send queue. If an SMS is in the send queue longer than this time, PWM discards it. The SMS messages only persist in the send queue if there is an IO or network error to the SMS gateway server while sending the message.

SMS Messages

Label Forgotten Password SMS Text
Key sms.challenge.token.message
Navigation Settings ⇨ SMS ⇨ SMS Messages ⇨ Forgotten Password SMS Text
Syntax LOCALIZED_STRING
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
 Your security code is %TOKEN%
Specify the message text of the SMS PWM sends during the forgotten password token process.

Label Forgotten Password New Password SMS Text
Key sms.challenge.newpassword.message
Navigation Settings ⇨ SMS ⇨ SMS Messages ⇨ Forgotten Password New Password SMS Text
Syntax LOCALIZED_STRING
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
 Your new password is %TOKEN%
Specify the message text of the SMS with new password PWM sends during the forgotten password process.

Label New User Verification SMS Text
Key sms.newUser.token.message
Navigation Settings ⇨ SMS ⇨ SMS Messages ⇨ New User Verification SMS Text
Syntax LOCALIZED_STRING
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
 Your account verification code is %TOKEN%
Specify the text of the SMS PWM sends during the new user verification process.

Label Help Desk Verification SMS Text
Key sms.helpdesk.token.message
Navigation Settings ⇨ SMS ⇨ SMS Messages ⇨ Help Desk Verification SMS Text
Syntax LOCALIZED_STRING
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
 Your security code is %TOKEN%
Specify the message text of the SMS PWM sends during the Help Desk token verification process.

Label Activation Token SMS Text
Key sms.activation.token.message
Navigation Settings ⇨ SMS ⇨ SMS Messages ⇨ Activation Token SMS Text
Syntax LOCALIZED_STRING
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
 Your activation token is %TOKEN%.
Specify the message text of the token SMS PWM sends during an activation process.

Label Activation SMS Text
Key sms.activation.message
Navigation Settings ⇨ SMS ⇨ SMS Messages ⇨ Activation SMS Text
Syntax LOCALIZED_STRING
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
 Thank you for activating your account.
Specify the message text of the SMS PWM sends after a successful activation.

Label Forgotten User Name SMS Text
Key sms.forgottenUsername.message
Navigation Settings ⇨ SMS ⇨ SMS Messages ⇨ Forgotten User Name SMS Text
Syntax LOCALIZED_STRING
Level 1 (Advanced)
Macro Support True
Required True
Confidential False
Scope DOMAIN
Default
 Your username is @User:ID@
Specify the text of the SMS PWM sends upon a successful forgotten user name sequence, if you configured it.

Label Update Profile SMS Verification Text
Key sms.updateProfile.token.message
Navigation Settings ⇨ SMS ⇨ SMS Messages ⇨ Update Profile SMS Verification Text
Syntax LOCALIZED_STRING
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
 Your verification code is %TOKEN%
Specify the text of the SMS PWM sends during the profile update SMS phone number verification.

Application Security

Label Security Key
Key pwm.securityKey
Navigation Settings ⇨ Security ⇨ Application Security ⇨ Security Key
Syntax PASSWORD
Level 0 (Normal)
Required False
Confidential True
Scope SYSTEM
Default
*hidden*

Specify a Security Key used for cryptographic functions such as token verification. PWM requires a value if you enabled tokens for any of the modules and configured a token storage method. PWM uses this value similar to how a cryptographic security certificate uses the private key.

If configured, this value must be at least 32 characters in length. The longer and more random this value, the more secure its uses are. If multiple instances are in use, you must configure each instance with the same value.

Upon initial setup, PWM assigns a random security key to this value. You can change it at any time; however, any outstanding tokens or other material generated by the old security key become invalid.


Label Enable Reverse DNS
Key network.reverseDNS.enable
Navigation Settings ⇨ Security ⇨ Application Security ⇨ Enable Reverse DNS
Syntax BOOLEAN
Level 2
Required True
Confidential False
Scope SYSTEM
Default
True
Enable this option to have PWM use reverse DNS to record the hostname of the client. In some cases this can cause performance issues, so you can disable it if you do not require it.

Label Show Detailed Error Messages
Key display.showDetailedErrors
Navigation Settings ⇨ Security ⇨ Application Security ⇨ Show Detailed Error Messages
Syntax BOOLEAN
Level 2
Required True
Confidential False
Scope SYSTEM
Default
False
Enable this option to display detailed error messages. While useful for administrators, especially during configuration, showing detailed error messages to users can be confusing as well as a security hazard. PWM ignores this setting until you close the Configuration Guide.

Label Maximum Session Duration
Key session.maxSeconds
Navigation Settings ⇨ Security ⇨ Application Security ⇨ Maximum Session Duration
Syntax DURATION
Level 2
Required False
Confidential False
Scope SYSTEM
Default
28800
Specify the maximum duration of a session (in seconds). Having a maximum session lifetime prevents certain types of long-term session fixation attacks.

Label Certificate Validation Mode
Key security.certificate.validationMode
Navigation Settings ⇨ Security ⇨ Application Security ⇨ Certificate Validation Mode
Syntax SELECT
Level 2
Required False
Confidential False
Scope SYSTEM
Options
Stored Value | Display
CA_ONLY Root Certificate Only
CERTIFICATE_CHAIN Entire Certificate Chain
Default
CA_ONLY
Specify how outbound SSL/TLS certificate validation will be performed by PWM.

Web Security

Label Enable Form Nonce
Key security.formNonce.enable
Navigation Settings ⇨ Security ⇨ Web Security ⇨ Enable Form Nonce
Syntax BOOLEAN
Level 2
Required True
Confidential False
Scope SYSTEM
Default
True
Enable this option to require a nonce (or unique key) for each form to prevent certain types of cross-site scripting (XSS) attacks.

Label Sticky Session Verification
Key enableSessionVerification
Navigation Settings ⇨ Security ⇨ Web Security ⇨ Sticky Session Verification
Syntax SELECT
Level 2
Required True
Confidential False
Scope SYSTEM
Options
Stored Value | Display
OFF Disabled
VERIFY Enabled
VERIFY_AND_CACHE Enabled - And pre-load browser cache
Default
VERIFY
Enable this option to verify browser sessions using an HTTP redirect and verification code. This verification proves that the browser can correctly establish a session with the server. Verification proves the browser either supports cookies or URL sessions (if enabled) and the communication channel between browser and application server is 'sticky' when there are multiple server instances. Additionally, it helps prevent some types of XSS attacks.

The pre-loaded browser cache shows a "please wait" screen to the user during the verification. This has the added benefit that the browser "pre-caches" many of the HTTP resources (JavaScript, CSS, images, and so forth) before it loads any actual pages.

Label Disallowed HTTP Inputs
Key disallowedInputs
Navigation Settings ⇨ Security ⇨ Web Security ⇨ Disallowed HTTP Inputs
Syntax STRING_ARRAY
Level 2
Required False
Confidential False
Scope SYSTEM
Default
(?s)(?i)<.*script.*
(?s)(?i)<.*xml.*
(?s)(?i)<.*img.*
(?s)(?i)<.*src.*
(?s)(?i)<.*href.*
Specify the disallowed values. If any input values (on any HTTP parameter) matches these patterns, PWM strips the matching portion from the input.
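What the default Disallowed HTTP Inputs patterns actually remove, shown as an added example rather than PWM's own code: PWM applies the patterns in Java, while this uses Python's re module with the same (?s)(?i) inline flags. It assumes the matched span is cut out of the value and the remainder kept, which is what the setting text describes; the sample parameter values are constructed.

```python
"""What the Disallowed HTTP Inputs patterns remove from a parameter value.

Added illustration, not PWM's own code. The five patterns are the defaults
listed above. Because (?s) lets '.' match newlines and '.*' is greedy, a match
runs from the first '<' that is followed anywhere later by the keyword to the
end of the value, so a legitimate value can lose everything after its '<'.
"""
import re

# Default patterns from the Disallowed HTTP Inputs setting above.
DISALLOWED_INPUTS = [
    r"(?s)(?i)<.*script.*",
    r"(?s)(?i)<.*xml.*",
    r"(?s)(?i)<.*img.*",
    r"(?s)(?i)<.*src.*",
    r"(?s)(?i)<.*href.*",
]


def strip_disallowed(value: str, patterns=DISALLOWED_INPUTS) -> str:
    """Remove every portion of value that matches one of the patterns (assumed semantics)."""
    for pattern in patterns:
        value = re.sub(pattern, "", value)
    return value


def filter_parameters(params: dict) -> dict:
    """Apply the filter to every HTTP parameter value, as the setting says PWM does."""
    return {name: strip_disallowed(val) for name, val in params.items()}


# Constructed sample values: a plain comparison survives, a harmless tag with no
# keyword survives, and a mail address followed by the word "script" is truncated.
SAMPLE_PARAMETERS = {
    "note": "5 < 6 and 7 < 8",
    "bio": "hello <b>bold</b>",
    "comment": "Smith <smith@example.com> wrote the script",
}
```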

Label Use X-Forwarded-For Header
Key useXForwardedForHeader
Navigation Settings ⇨ Security ⇨ Web Security ⇨ Use X-Forwarded-For Header
Syntax BOOLEAN
Level 2
Required True
Confidential False
Scope SYSTEM
Default
True
If present, use the X-Forwarded-For HTTP header value as the client IP address instead of the source IP address of the HTTP connection. Typically, upstream proxies or firewalls add X-Forwarded-For headers, and this might be the only reliable way to identify the user's source IP address.

Label Allow Roaming Source Network Address
Key network.allowMultiIPSession
Navigation Settings ⇨ Security ⇨ Web Security ⇨ Allow Roaming Source Network Address
Syntax BOOLEAN
Level 2
Required True
Confidential False
Scope SYSTEM
Default
False
Enable this option to allow PWM to access a single HTTP session from different source IP addresses. Some load balancing or proxy network infrastructures might require this, but in most cases you should disable it. Especially since typical sessions are very short, there is no practical reason for a user to access the same session from multiple client addresses.

Label Required HTTP Headers
Key network.requiredHttpHeaders
Navigation Settings ⇨ Security ⇨ Web Security ⇨ Required HTTP Headers
Syntax STRING_ARRAY
Level 2
Required False
Confidential False
Scope SYSTEM
Default

If specified, any HTTP/S request sent to this PWM application server must include these headers. This feature is useful if you have an upstream security gateway, proxy or web server and wish to only allow sessions from the gateway, and deny direct access to this PWM application server from clients.

The settings must be in name=value format. If the upstream security gateway, proxy or web server is not setting these name/value headers, you will no longer be able to access this PWM application server.

WARNING: If the client you are using to access this server is not setting the headers configured here, this PWM server will become inaccessible.
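As an added example (not PWM's implementation) covering both the Use X-Forwarded-For Header and the Required HTTP Headers settings above: the first two functions parse name=value entries and report which required headers a request is missing; the third resolves the client address. The page only says the X-Forwarded-For value is used when present; the two extra conditions in `client_ip` are an added precaution and an assumption about how a deployment behind a gateway should behave: the header is honoured only when the TCP peer is one of the configured proxies, and the address chosen is the right-most one that is not itself a trusted proxy, because the left-most entries are supplied by the client. The header values and proxy ranges are constructed.

```python
import ipaddress

# Constructed example of the Required HTTP Headers setting (name=value lines)
# and of the proxy ranges this deployment trusts; both are assumptions.
REQUIRED_HEADER_ENTRIES = ["X-Gateway-Token=sample-shared-value"]
TRUSTED_PROXY_NETWORKS = ["10.0.0.0/8", "192.0.2.0/24"]


def parse_required_headers(entries):
    """Turn the name=value entries into a {lowercase-name: value} map.
    Header names are case-insensitive in HTTP; values are compared exactly."""
    required = {}
    for entry in entries:
        if "=" not in entry:
            raise ValueError(f"entry is not in name=value form: {entry!r}")
        name, value = entry.split("=", 1)
        required[name.strip().lower()] = value.strip()
    return required


def _lower_headers(headers):
    return {name.lower(): value for name, value in headers.items()}


def missing_required_headers(headers, required):
    """Names of required headers that are absent or carry a different value.
    An empty list means the request came through the gateway as configured."""
    present = _lower_headers(headers)
    return sorted(name for name, value in required.items() if present.get(name) != value)


def _is_trusted_proxy(ip, networks):
    return any(ip in ipaddress.ip_network(n) for n in networks)


def client_ip(peer_ip, headers, use_xff, trusted_networks):
    """Resolve the address to log and to use for intruder tracking.

    Assumption beyond the page: X-Forwarded-For is only believed when the
    connection itself comes from a trusted proxy, and the right-most address
    not belonging to a trusted proxy is taken as the client.
    """
    if not use_xff:
        return peer_ip
    peer = ipaddress.ip_address(peer_ip)
    xff = _lower_headers(headers).get("x-forwarded-for", "")
    if not xff or not _is_trusted_proxy(peer, trusted_networks):
        return peer_ip
    hops = [hop.strip() for hop in xff.split(",") if hop.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip  # malformed header: fall back to the connection address
        if not _is_trusted_proxy(ip, trusted_networks):
            return str(ip)
    return peer_ip  # every hop was one of our own proxies
```

The reason for the peer check is the intruder-lockout logic that keys on client address: if the header were honoured from any connection, a direct client could present an arbitrary address. Requiring the gateway's name=value header (the Required HTTP Headers setting) and restricting network access to the gateway address the same risk from the other side.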


Label Page Leave Notice Timeout
Key security.page.leaveNoticeTimeout
Navigation Settings ⇨ Security ⇨ Web Security ⇨ Page Leave Notice Timeout
Syntax NUMERIC
Level 2
Required True
Confidential False
Scope SYSTEM
Default
0
Specify a timeout period for when a user navigates away from any page. When the user leaves a page, the browser sends a notice to the server. The next time the browser requests a page, PWM checks whether the time since the last page leave is greater than the timeout, and if so, it invalidates the user's session. This has the effect of logging out users who navigate away from PWM without explicitly logging out. If set to zero, this feature is disabled.

Label Prevent HTML Framing
Key security.preventFraming
Navigation Settings ⇨ Security ⇨ Web Security ⇨ Prevent HTML Framing
Syntax BOOLEAN
Level 2
Required False
Confidential False
Scope SYSTEM
Default
Template / Value
default True
NOVL_IDM False
Enable this option to prevent browsers from displaying PWM inside an IFrame. PWM does this by setting the X-Frame-Options HTTP header to DENY on all pages.

Label Redirect Whitelist
Key security.redirectUrl.whiteList
Navigation Settings ⇨ Security ⇨ Web Security ⇨ Redirect Whitelist
Syntax STRING_ARRAY
Level 2
Required False
Confidential False
Scope SYSTEM
Default

Specify a list of partial URL fragments. Any attempt to set the forwardURL or logoutURL via request parameter must match a URL fragment listed here.
  • PWM attempts to match each item from the beginning of the requested URL string.
  • PWM decodes and parses the redirect URL before checking it against the whitelist.
  • If an error occurs when setting a redirect URL, set the debug logs to TRACE and watch the output as the error occurs.
  • PWM does not permit wildcards or case mismatches; the values must match exactly.
  • If a fragment has the prefix regex:, PWM treats the remainder of the fragment as a regular expression. Regular expression matches must match the entire URL.
Example: https://www.example.com
  • Matches: https://www.example.com, https://www.example.com/, https://www.example.com/path
  • Not matched: http://www.example.com, https://mail.example.com
Example: http://www.example.com/p1
  • Matches: http://www.example.com/p1, http://www.example.com/p1/p2, http://www.example.com/p1?a1=v1
  • Not matched: https://www.example.com/p1, http://www.example.com/p2
Example: /path1
  • Matches: /path1, /path1/path2, /path1/path2/?param=v1
  • Not matched: www.example.com/path1/, https://www.example.com/path1, /path2
Example: regex:^(https?:\/\/)[a-z]*\.example\.com.*?$
  • Matches: http://www.example.com, https://www.example.com, http://www.example.com/p1, http://mail.example.com/p1
  • Not matched: www.example.com, http://www.example.org
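An added example, not PWM's own matcher, that implements the rules listed above (literal prefix match from the start of the decoded URL, exact case, regex: entries must match the whole URL) and a helper for checking a configuration against the examples an administrator expects to pass and fail. The page says PWM decodes and parses the URL before checking; this example only percent-decodes, since the parsing step is not described, and that is an assumption. The last assertions in the test illustrate a property of prefix matching a practitioner should account for: an entry without a trailing slash also accepts hosts that merely start with the same characters, so prefer the form with the trailing slash when the intent is one host.

```python
import re
from urllib.parse import unquote

REGEX_PREFIX = "regex:"


def compile_whitelist(entries):
    """Prepare Redirect Whitelist entries: plain entries are literal,
    case-sensitive prefixes; entries starting with regex: are compiled and
    must match the entire URL."""
    compiled = []
    for entry in entries:
        if entry.startswith(REGEX_PREFIX):
            compiled.append(("regex", re.compile(entry[len(REGEX_PREFIX):])))
        else:
            compiled.append(("prefix", entry))
    return compiled


def redirect_allowed(url, whitelist):
    """True when a requested forwardURL/logoutURL value matches an entry.
    The value is percent-decoded first (the page says PWM decodes it); any
    further parsing PWM does is not documented here, so this stops at
    decoding (assumption)."""
    decoded = unquote(url)
    for kind, matcher in whitelist:
        if kind == "prefix" and decoded.startswith(matcher):
            return True
        if kind == "regex" and matcher.fullmatch(decoded):
            return True
    return False


def check_whitelist_examples(whitelist, should_match, should_not_match):
    """Configuration self-check: returns the example URLs whose outcome differs
    from what the administrator expected (empty list = all as expected)."""
    compiled = compile_whitelist(whitelist)
    wrong = [u for u in should_match if not redirect_allowed(u, compiled)]
    wrong += [u for u in should_not_match if redirect_allowed(u, compiled)]
    return wrong
```

When an expected redirect is rejected in production, the page's advice of raising the debug log level to TRACE applies; the self-check function above is the offline equivalent for trying a candidate list before deploying it.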

Label HTTP Content Security Policy Header
Key security.cspHeader
Navigation Settings ⇨ Security ⇨ Web Security ⇨ HTTP Content Security Policy Header
Syntax STRING
Level 2
Required False
Confidential False
Scope SYSTEM
Default
default-src 'self'; object-src 'none'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src https://www.recaptcha.net/recaptcha/ https://www.gstatic.cn/recaptcha/  https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ 'self' 'unsafe-eval' 'nonce-%NONCE%'; frame-src https://www.recaptcha.net/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ ; report-uri @PwmContextPath@/public/api?processAction=cspReport
Set the HTTP Content-Security-Policy header. This header instructs the browser to limit the locations from which it loads fonts, scripts, and CSS files.
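The following added example (not PWM code) parses the default policy above into directives, lists the sources that weaken it, and fills in the per-response nonce. That %NONCE% is replaced per response is stated by the default itself; that @PwmContextPath@ is replaced with the servlet context path is an assumption. The audit function is the part worth running against a customised policy: the shipped default keeps object-src 'none' but allows 'unsafe-eval' for scripts and 'unsafe-inline' for styles, which a reviewer hardening the deployment would want to know before adding further sources.

```python
import secrets

# Default of the HTTP Content Security Policy Header setting, copied from the page.
DEFAULT_CSP = (
    "default-src 'self'; object-src 'none'; img-src 'self' data:; "
    "style-src 'self' 'unsafe-inline'; "
    "script-src https://www.recaptcha.net/recaptcha/ https://www.gstatic.cn/recaptcha/  "
    "https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ 'self' "
    "'unsafe-eval' 'nonce-%NONCE%'; "
    "frame-src https://www.recaptcha.net/recaptcha/ https://www.gstatic.cn/recaptcha/ "
    "https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ ; "
    "report-uri @PwmContextPath@/public/api?processAction=cspReport"
)

# Source expressions that relax a directive enough to merit review.
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*"}


def parse_csp(header):
    """Split a CSP header into {directive: [sources]}. str.split() with no
    argument tolerates the double space present in the default value."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0]] = parts[1:]
    return policy


def weak_directives(policy):
    """(directive, source) pairs that permit inline code, eval, or any origin."""
    return sorted((d, s) for d, sources in policy.items() for s in sources if s in WEAK_SOURCES)


def new_nonce():
    """A fresh, unpredictable nonce; it must differ on every response or the
    'nonce-' source grants nothing over 'unsafe-inline'."""
    return secrets.token_urlsafe(16)


def render_csp(template, context_path, nonce):
    """Fill the placeholders: %NONCE% is documented by the default value;
    @PwmContextPath@ -> context path is an assumption of this example."""
    return template.replace("%NONCE%", nonce).replace("@PwmContextPath@", context_path)
```

The report-uri directive points at the application's own cspReport endpoint, so violation reports from browsers are a useful signal when Embedded JavaScript or a Custom Resource Bundle is introduced: a rule that blocks a resource shows up there before users report a broken page.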


Basic Authentication

Basic Authentication

Label Enable Basic Authentication
Key basicAuth.enable
Navigation Settings ⇨ Single Sign On (SSO) Client ⇨ Basic Authentication ⇨ Enable Basic Authentication
Syntax BOOLEAN
Level 2
Required True
Confidential False
Scope DOMAIN
Default
True
Enables Basic Authentication.

Label Force Basic Authentication
Key forceBasicAuth
Navigation Settings ⇨ Single Sign On (SSO) Client ⇨ Basic Authentication ⇨ Force Basic Authentication
Syntax BOOLEAN
Level 2
Required True
Confidential False
Scope DOMAIN
Default
False
Enable this option to force basic authentication. If false, the system presents the form page for unauthenticated users; however, if a basic auth header is present, the system always uses it.

CAS SSO

Label CAS ClearPass URL
Key cas.clearPassUrl
Navigation Settings ⇨ Single Sign On (SSO) Client ⇨ CAS SSO ⇨ CAS ClearPass URL
Syntax STRING
Level 2
Required False
Confidential False
Scope DOMAIN
Default

For CAS authentication integration, enter the ClearPass URL here. If blank, CAS authentication integration is disabled.

You will also need to edit the WEB-INF/web.xml file to enable CAS integration. Uncomment the section for the CAS servlet filters, and modify the CAS servlet parameters as appropriate for your configuration.

Label CAS ClearPass Encryption Key
Key cas.clearPass.key
Navigation Settings ⇨ Single Sign On (SSO) Client ⇨ CAS SSO ⇨ CAS ClearPass Encryption Key
Syntax FILE
Level 2
Required False
Confidential False
Scope DOMAIN
Default
[]
ClearPass encryption key

Label CAS ClearPass Algorithm
Key cas.clearPass.alg
Navigation Settings ⇨ Single Sign On (SSO) Client ⇨ CAS SSO ⇨ CAS ClearPass Algorithm
Syntax STRING
Level 2
Required False
Confidential False
Scope DOMAIN
Default

The algorithm used by the encryption key

HTTP SSO

Label SSO Authentication Header Name
Key security.sso.authHeaderName
Navigation Settings ⇨ Single Sign On (SSO) Client ⇨ HTTP SSO ⇨ SSO Authentication Header Name
Syntax STRING
Level 2
Required False
Confidential False
Scope DOMAIN
Default

Specify the name of the HTTP header that an upstream server sets to allow automatic logins with only a user name; a password is not required. This setting controls only the name of the HTTP header. When used, PWM prompts users for their passwords to access certain functionality.

OAuth

Integration with an OAuth identity server for SSO to this application.

Label OAuth Login URL
Key oauth.idserver.loginUrl
Navigation Settings ⇨ Single Sign On (SSO) Client ⇨ OAuth ⇨ OAuth Login URL
Syntax STRING
Level 2
Required False
Confidential False
Scope DOMAIN
Default

Specify the OAuth server login URL. This is the URL to redirect the user to for authentication.

Label OAuth Scope
Key oauth.idserver.scope
Navigation Settings ⇨ Single Sign On (SSO) Client ⇨ OAuth ⇨ OAuth Scope
Syntax STRING
Level 2
Required False
Confidential False
Scope DOMAIN
Default

Specify the optional OAuth scope. The OAuth identity service provider (IdP) provides this value. The scope provided, if any, must contain the user attribute to be read for authentication.

Label OAuth Token / Code Resolve Service URL
Key oauth.idserver.codeResolveUrl
Navigation Settings ⇨ Single Sign On (SSO) Client ⇨ OAuth ⇨ OAuth Token / Code Resolve Service URL
Syntax STRING
Level 2
Required False
Confidential False
Scope DOMAIN
Default

Specify the OAuth Code Resolve Service URL. The system uses this web service URL to resolve the artifact returned by the OAuth identity server.

Label OAuth Profile/UserInfo Service URL
Key oauth.idserver.attributesUrl
Navigation Settings ⇨ Single Sign On (SSO) Client ⇨ OAuth ⇨ OAuth Profile/UserInfo Service URL
Syntax STRING
Level 2
Required False
Confidential False
Scope DOMAIN
Default

Specify the URL of the web service provided by the identity server to return attribute data about the user.

Label OAuth Server Certificate
Key oauth.idserver.serverCerts
Navigation Settings ⇨ Single Sign On (SSO) Client ⇨ OAuth ⇨ OAuth Server Certificate
Syntax X509CERT
Level 2
Required False
Confidential False
Scope DOMAIN
Default

Import the certificate for the OAuth web service server.

Label OAuth Client ID
Key oauth.idserver.clientName
Navigation Settings ⇨ Single Sign On (SSO) Client ⇨ OAuth ⇨ OAuth Client ID
Syntax STRING
Level 2
Required False
Confidential False
Scope DOMAIN
Default

Specify the OAuth client ID. The OAuth identity service provider (IdP) provides this value.

Label OAuth Shared Secret
Key oauth.idserver.secret
Navigation Settings ⇨ Single Sign On (SSO) Client ⇨ OAuth ⇨ OAuth Shared Secret
Syntax PASSWORD
Level 2
Required False
Confidential True
Scope DOMAIN
Default
*hidden*
Specify the OAuth shared secret. The OAuth identity service provider (IdP) provides this value.

Label OAuth User Name/DN Login Attribute
Key oauth.idserver.dnAttributeName
Navigation Settings ⇨ Single Sign On (SSO) Client ⇨ OAuth ⇨ OAuth User Name/DN Login Attribute
Syntax STRING
Level 2
Required False
Confidential False
Scope DOMAIN
Default

Specify the attribute to request from the OAuth server that PWM uses as the user name for local authentication. PWM resolves this value the same as if the user had typed the password at the local authentication page.

Session Management

Session Management

Label Node Service Enabled
Key nodeService.enable
Navigation Settings ⇨ System ⇨ Session Management ⇨ Node Service Enabled
Syntax BOOLEAN
Level 2
Required False
Confidential False
Scope SYSTEM
Default
True
Enable or disable the node service. The node service allows PWM to detect and identify when multiple application nodes are similarly configured and can share user sessions.

Label Node Service Storage Mode
Key nodeService.storageMode
Navigation Settings ⇨ System ⇨ Session Management ⇨ Node Service Storage Mode
Syntax SELECT
Level 2
Required False
Confidential False
Scope SYSTEM
Options
Stored Value / Display
LDAP LDAP Directory
DB Remote Database
Default
Template / Value
default LDAP
DB DB
Data storage system used for node service.

If LDAP is selected, a test user (LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ Connection ⇨ LDAP Test User) must be configured and the response storage attribute (LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ Connection ⇨ LDAP Test User) must be writable by the proxy user.

If DATABASE is selected then a database must be configured and available for PWM to operate.


Label Login Session Mode
Key security.loginSession.mode
Navigation Settings ⇨ System ⇨ Session Management ⇨ Login Session Mode
Syntax SELECT
Level 2
Required False
Confidential False
Scope SYSTEM
Options
Stored Value / Display
LOCAL Local
CRYPTCOOKIE Encrypted Cookie
Default
CRYPTCOOKIE
Select the mode PWM uses to manage the login session state. Local mode is the most secure and reliable, but it does not allow for server fail-over.

Label Module Session Mode
Key security.moduleSession.mode
Navigation Settings ⇨ System ⇨ Session Management ⇨ Module Session Mode
Syntax SELECT
Level 2
Required False
Confidential False
Scope SYSTEM
Options
Stored Value / Display
LOCAL Local
CRYPTCOOKIE Encrypted Cookie
Default
CRYPTCOOKIE
Select the mode PWM uses to manage the module session state. Local mode is the most secure and reliable, but it does not allow for server fail-over.

Telemetry

Telemetry

Label Enable Anonymous Statistics Publishing
Key pwm.publishStats.enable
Navigation Settings ⇨ Telemetry ⇨ Enable Anonymous Statistics Publishing
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope SYSTEM
Default
False
Enable this option to periodically share anonymous statistics of PWM. The published statistics are:
  • Version/Build Information
  • Cumulative Statistics
  • Which settings are non-default (but not the actual setting values)
  • Operating system name and version
Enabling this setting helps PWM developers know which features are used most often.

Label Enable Version Checking
Key pwm.versionCheck.enable
Navigation Settings ⇨ Telemetry ⇨ Enable Version Checking
Syntax BOOLEAN
Level 0 (Normal)
Required True
Confidential False
Scope SYSTEM
Default
True
Allow periodic checks for new versions. If a new version is detected, an item is shown on the health check. No information about this installation is sent to the cloud server during the check.

Label Site Description
Key pwm.publishStats.siteDescription
Navigation Settings ⇨ Telemetry ⇨ Site Description
Syntax STRING
Level 1 (Advanced)
Required False
Confidential False
Scope SYSTEM
Default

This optional value can be included if you want to identify your site when the anonymous statistics are published. You could use your organization's name or another descriptive value.

Tokens

Options for email and SMS tokens sent to users. Choose a token method appropriate to your environment.

Label Token Storage Method
Key token.storageMethod
Navigation Settings ⇨ Tokens ⇨ Token Storage Method
Syntax SELECT
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Options
Stored Value / Display
STORE_LOCALDB LocalDB
STORE_DB Database
STORE_CRYPTO Crypto
STORE_LDAP LDAP
Default
Template / Value
default STORE_CRYPTO
DB STORE_DB
LOCALDB STORE_LOCALDB
Select the storage method PWM uses to save issued tokens.
  • LocalDB: Stores the tokens in the local embedded LocalDB database. Tokens are not common across multiple application instances.
  • DB: Stores the tokens in a configured, remote database. Tokens work across multiple application instances.
  • Crypto: Uses crypto to create and read tokens; they are not stored locally. Tokens work across multiple application instances if they have the same Security Key. Crypto tokens ignore the length and character rules and might be too long to use for SMS purposes.
  • LDAP: Uses the LDAP directory to store tokens. Tokens work across multiple application instances. You cannot use LDAP tokens as New User Registration tokens.

Label Token Characters
Key token.characters
Navigation Settings ⇨ Tokens ⇨ Token Characters
Syntax STRING
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
ABCDEFGHJKLMNPQRSTUVWXY3456789
Specify the available characters for the email token.

Label Token Length
Key token.length
Navigation Settings ⇨ Tokens ⇨ Token Length
Syntax NUMERIC
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
16
Specify the length of the email token.

Label Token Maximum Lifetime
Key token.lifetime
Navigation Settings ⇨ Tokens ⇨ Token Maximum Lifetime
Syntax DURATION
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
3600
Specify the default lifetime (in seconds) for which a token is valid. The default is one hour. Module-specific settings may override this default.
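An added example, not PWM's token code, tying together the Token Characters, Token Length and Token Maximum Lifetime defaults above for the stored (non-Crypto) storage methods: it generates a token from the configured alphabet with a CSPRNG, computes the guessing resistance those two settings give, shows which characters the default alphabet leaves out, and checks lifetime. Treating a token as still valid at exactly issued-time plus lifetime, and using a constant-time comparison when checking an entered token, are assumptions and added practice rather than documented PWM behaviour.

```python
import math
import secrets

# Defaults of the Token Characters, Token Length and Token Maximum Lifetime
# settings, copied from the page.
TOKEN_CHARACTERS = "ABCDEFGHJKLMNPQRSTUVWXY3456789"
TOKEN_LENGTH = 16
TOKEN_LIFETIME_SECONDS = 3600


def generate_token(length=TOKEN_LENGTH, alphabet=TOKEN_CHARACTERS):
    """Draw each character from the configured alphabet with the CSPRNG in
    the secrets module; tokens are bearer credentials, so random.choice
    would not do."""
    if length < 1 or not alphabet:
        raise ValueError("token length and alphabet must be non-empty")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def token_entropy_bits(length=TOKEN_LENGTH, alphabet=TOKEN_CHARACTERS):
    """Guessing resistance: length * log2(number of distinct characters).
    Shortening tokens for SMS reduces this linearly."""
    return length * math.log2(len(set(alphabet)))


def omitted_characters(alphabet=TOKEN_CHARACTERS):
    """Upper-case letters and digits the alphabet leaves out. For the default
    these are the glyphs users confuse when reading a token off a phone."""
    full = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")
    return "".join(sorted(full - set(alphabet)))


def token_is_valid(issued_at, now, lifetime_seconds=TOKEN_LIFETIME_SECONDS):
    """Lifetime check on epoch seconds. A token dated in the future is
    rejected as well (clock skew or tampering). Accepting the exact boundary
    is an assumption; the page does not say."""
    return 0 <= now - issued_at <= lifetime_seconds


def tokens_match(stored, entered):
    """Constant-time comparison (added practice, not stated on the page) so
    the check does not leak how many leading characters were right."""
    return secrets.compare_digest(stored, entered)
```

With the defaults, sixteen characters from a thirty-character alphabet give about 78.5 bits, far more than a one-hour lifetime needs; the figure matters when the length is cut for SMS delivery, which is also why the page notes that Crypto-format tokens ignore these two settings.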

Label Token LDAP attribute name
Key token.ldap.attribute
Navigation Settings ⇨ Tokens ⇨ Token LDAP attribute name
Syntax STRING
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
pwmToken
Specify the attribute that PWM uses when you enable the LDAP Token Storage Method to store and search for tokens.

Label Enable Token Destination Value Masking
Key token.valueMasking.enable
Navigation Settings ⇨ Tokens ⇨ Enable Token Destination Value Masking
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
True
Enable this option to mask token destination display values (email addresses and telephone numbers).

URL Settings

General URL settings for the application.

Label Forward URL
Key pwm.forwardURL
Navigation Settings ⇨ URL Settings ⇨ Forward URL
Syntax STRING
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default

Specify a URL that PWM forwards users to after the users complete any activity which does not require a log out.

You can override this setting for any given user session by adding a forwardURL parameter to any HTTP request. If blank, the system forwards the user to the PWM menu.

Label Logout URL
Key pwm.logoutURL
Navigation Settings ⇨ URL Settings ⇨ Logout URL
Syntax STRING
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default

Specify the URL to redirect the user to upon logout. If users access the site through a web authentication gateway, set the Logout URL to the gateway's Logout URL. If you are using a gateway and do not include the proper logout URL here, then users encounter authentication errors, intruder lockouts, and other problems. If things are working properly, users see the gateway logout screen when logging out.

You can set the Logout URL to any appropriate relative or absolute URL. At the time the user's browser requests this URL, the local session has already been invalidated.

You can always override this setting for any given user session by adding a logoutURL parameter to any HTTP request during the session.

Label Home URL
Key pwm.homeURL
Navigation Settings ⇨ URL Settings ⇨ Home URL
Syntax STRING
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default

Specify the URL to redirect the user to upon clicking the home button. If blank, the home button returns the user to the application context URL.

Label Intro URL
Key pwm.introURL
Navigation Settings ⇨ URL Settings ⇨ Intro URL
Syntax SELECT
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Options
Stored Value / Display
/private/ /private
/public/ /public
Default
/private/
URL to redirect the user to upon accessing the base context of this server (/pwm). The value must start with a slash (/) character; the base application path is prepended to it.

Label Domain Hostnames
Key domain.hosts
Navigation Settings ⇨ URL Settings ⇨ Domain Hostnames
Syntax STRING_ARRAY
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default

A list of explicit fully qualified DNS hostnames to be used for this domain. If this application is accessed by a client using an exact hostname specified here, then this domain will be used to service the client. Example: "password.acme.com".

User History

Auditing

Label User History Storage Location
Key events.user.storageMethod
Navigation Settings ⇨ User History ⇨ User History Storage Location
Syntax SELECT
Level 2
Required True
Confidential False
Scope DOMAIN
Options
Stored Value / Display
DATABASE Remote Database
LDAP LDAP
Default
Template / Value
default LDAP
DB DATABASE
Select the data store you want to use for the user-specific audit history. This is the event history the users see in the Account Information module as well as the Help Desk operator's user detail panel.

Label User History Events
Key events.user.eventList
Navigation Settings ⇨ User History ⇨ User History Events
Syntax OPTIONLIST
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Options
Stored Value / Display
AUTHENTICATE Authenticate
AGREEMENT_PASSED Agreement Passed
CHANGE_PASSWORD Change Password
UNLOCK_PASSWORD Unlock Password
RECOVER_PASSWORD Recover Password
SET_RESPONSES Set Responses
SET_OTP_SECRET Set OTP
ACTIVATE_USER Activate User
CREATE_USER New User
UPDATE_PROFILE Update Profile
INTRUDER_USER_LOCK Intruder User Lock
INTRUDER_USER_ATTEMPT Intruder User Attempt
TOKEN_ISSUED Token Issued
TOKEN_CLAIMED Token Claimed
CLEAR_RESPONSES Clear Responses
HELPDESK_SET_PASSWORD Helpdesk Set Password
HELPDESK_UNLOCK_PASSWORD Helpdesk Unlock Password
HELPDESK_CLEAR_RESPONSES Helpdesk Clear Responses
HELPDESK_CLEAR_OTP_SECRET Helpdesk Clear OTP
HELPDESK_VIEW_DETAIL Helpdesk View Detail
HELPDESK_ACTION Helpdesk Action
HELPDESK_VERIFY_OTP Helpdesk Verify OTP
Default
ACTIVATE_USER
CHANGE_PASSWORD
CLEAR_RESPONSES
CREATE_USER
HELPDESK_ACTION
HELPDESK_CLEAR_OTP_SECRET
HELPDESK_CLEAR_RESPONSES
HELPDESK_SET_PASSWORD
HELPDESK_UNLOCK_PASSWORD
HELPDESK_VERIFY_OTP
INTRUDER_USER_LOCK
RECOVER_PASSWORD
SET_OTP_SECRET
SET_RESPONSES
UNLOCK_PASSWORD
UPDATE_PROFILE
Select the event types you want to store on the user-specific audit history.

Label User History Maximum Events
Key events.ldap.maxEvents
Navigation Settings ⇨ User History ⇨ User History Maximum Events
Syntax NUMERIC
Level 2
Required True
Confidential False
Scope DOMAIN
Default
20
Specify the maximum number of events to hold in the event history attribute for a user.

Look & Feel

Label Interface Theme
Key interface.theme
Navigation Settings ⇨ User Interface ⇨ Look & Feel ⇨ Interface Theme
Syntax SELECT
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Options
Stored Value / Display
basic basic
pwm pwm
autumn autumn
blue blue
matrix matrix
midnight midnight
red red
sterile sterile
tulips tulips
water water
embed -Embedded-
Default
pwm
Select a theme to change the look and feel of PWM. PWM provides the included themes primarily as inspiration to those wishing to make customizations.

If you select Embedded, the system uses the following settings to supply the contents of the default CSS theme:

Themes are expected to be available at the url paths:

  • /pwm/public/resources/[theme]/style.css
  • /pwm/public/resources/[theme]/mobileStyle.css
You can add additional themes using Settings ⇨ User Interface ⇨ Look & Feel ⇨ Custom Resource Bundle. You can overwrite the default theme by specifying the URL parameter theme. For example: https://www.example.com:/pwm?theme=sterile


Label Embedded CSS Stylesheet
Key display.css.customStyle
Navigation Settings ⇨ User Interface ⇨ Look & Feel ⇨ Embedded CSS Stylesheet
Syntax TEXT_AREA
Level 2
Required False
Confidential False
Scope DOMAIN
Default

Change the content of the embedded CSS Stylesheet. The setting Settings ⇨ User Interface ⇨ Look & Feel ⇨ Interface Theme must be set to Embedded for this setting to be useful. PWM serves the contents of this setting from the virtual URL of /public/resources/themes/embed/style.css.

Label Embedded Mobile CSS Stylesheet
Key display.css.customMobileStyle
Navigation Settings ⇨ User Interface ⇨ Look & Feel ⇨ Embedded Mobile CSS Stylesheet
Syntax TEXT_AREA
Level 2
Required False
Confidential False
Scope DOMAIN
Default

Change the content of the embedded mobile CSS Stylesheet. The setting Settings ⇨ User Interface ⇨ Look & Feel ⇨ Interface Theme must be set to Embedded for this setting to be useful. PWM serves the contents of this setting from the virtual URL of /public/resources/themes/embed/mobileStyle.css.

Label Embedded JavaScript
Key display.js.custom
Navigation Settings ⇨ User Interface ⇨ Look & Feel ⇨ Embedded JavaScript
Syntax TEXT_AREA
Level 2
Required False
Confidential False
Scope DOMAIN
Default

Enter custom JavaScript that PWM embeds onto all user HTML pages. The PWM JavaScript environment is not documented and may change from version to version. Use this feature only in an environment where development resources are available to maintain the custom JavaScript over time.

A few general tips:
  • The custom JavaScript will execute after the body onload event and after most of the PWM libraries have loaded.
  • The custom JavaScript will load on every page view. Your code can identify the current page by examining the data-jsp-name attribute of the application-info HTML element. This element appears on all pages.
  • Referencing any JavaScript or other URLs externally is not permitted by the default Content-Security-Policy. Instead include any scripts, images or css files you need locally by using Settings ⇨ User Interface ⇨ Look & Feel ⇨ Custom Resource Bundle.

Label Custom Resource Bundle
Key display.custom.resourceBundle
Navigation Settings ⇨ User Interface ⇨ Look & Feel ⇨ Custom Resource Bundle
Syntax FILE
Level 2
Required False
Confidential False
Scope DOMAIN
Default
[]

Upload a custom ZIP file containing static HTTP resources. PWM adds the file to the configuration and serves its contents from the HTTP path /public/resources/.

The maximum ZIP file size is 10MB. Included files may be HTML, text, images, and so forth. PWM does not perform any server side processing when serving these files.

UI Features

Label Enable Showing Masked Fields
Key display.showHidePasswordFields
Navigation Settings ⇨ User Interface ⇨ UI Features ⇨ Enable Showing Masked Fields
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
True
Enable this option to allow the users to toggle the show/hide masked (hidden) data input fields, where appropriate. This setting applies to all HTML masked password fields, regardless of the actual data type.

Label Mask Password Fields
Key display.maskPasswordFields
Navigation Settings ⇨ User Interface ⇨ UI Features ⇨ Mask Password Fields
Syntax BOOLEAN
Level 2
Required True
Confidential False
Scope DOMAIN
Default
True
Enable this option to mask sensitive input fields with standard "password" masking. If set to false, PWM displays sensitive fields as normal text input fields.

Label Mask Response Fields
Key display.maskResponseFields
Navigation Settings ⇨ User Interface ⇨ UI Features ⇨ Mask Response Fields
Syntax BOOLEAN
Level 2
Required True
Confidential False
Scope DOMAIN
Default
True
Enable this option to mask Challenge/Response answer input fields with standard "password" masking. If set to false, PWM displays response fields as normal text input fields. This setting applies to both setup responses and forgotten password response entry screens.

Label Mask Token Input Fields
Key display.maskTokenFields
Navigation Settings ⇨ User Interface ⇨ UI Features ⇨ Mask Token Input Fields
Syntax BOOLEAN
Level 2
Required True
Confidential False
Scope DOMAIN
Default
False
Enable this option to mask token input fields with standard "password" masking. When enabled, multi-line tokens (such as crypto-format tokens) will not be easily input by users.

Label Show Cancel Button
Key display.showCancelButton
Navigation Settings ⇨ User Interface ⇨ UI Features ⇨ Show Cancel Button
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
True
Enable this option to show a "Cancel" button to the users, where appropriate. Pressing the cancel button sends the user to the forwardURL (or logoutURL if they have modified their password). The cancel button appears on the change password screen only if the password is not expired. The Cancel button only appears if the browser has JavaScript enabled.

Label Show Token Entry Success Pages
Key display.tokenSuccessPage
Navigation Settings ⇨ User Interface ⇨ UI Features ⇨ Show Token Entry Success Pages
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
True
Enable this option to show a page to users after they enter their tokens successfully.

Label Show Success Pages
Key display.showSuccessPage
Navigation Settings ⇨ User Interface ⇨ UI Features ⇨ Show Success Pages
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
True
Enable this option to display a "success" page to the user informing the user the action completed successfully. You can bypass this page by changing this setting to false.

Label Show Login Page Options
Key display.showLoginPageOptions
Navigation Settings ⇨ User Interface ⇨ UI Features ⇨ Show Login Page Options
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
True
Enable this option to have the login page display the "Forgotten Password" and other options (if you enabled those components).

Label Show Logout Button
Key display.logoutButton
Navigation Settings ⇨ User Interface ⇨ UI Features ⇨ Show Logout Button
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
True
Enable this option to show a logout button in the header and other menus as appropriate to authenticated users and administrators.

Label Show Home Button
Key display.homeButton
Navigation Settings ⇨ User Interface ⇨ UI Features ⇨ Show Home Button
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
True
Enable this option to show a "home" button in the header and other menus as appropriate to authenticated users and administrators.

Label Show Idle Timeout Counter
Key display.idleTimeout
Navigation Settings ⇨ User Interface ⇨ UI Features ⇨ Show Idle Timeout Counter
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
True
Enable this option to show the user's remaining idle time, and when that time reaches zero, PWM redirects the user to the logout page.

Label Show Strength Meter
Key password.showStrengthMeter
Navigation Settings ⇨ User Interface ⇨ UI Features ⇨ Show Strength Meter
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
True
Enable this option to allow the users to see the password strength meter on the change password screen.

Label Idle Timeout Seconds
Key idleTimeoutSeconds
Navigation Settings ⇨ User Interface ⇨ UI Features ⇨ Idle Timeout Seconds
Syntax DURATION
Level 1 (Advanced)
Required True
Confidential False
Scope DOMAIN
Default
300
Specify the number of seconds after which PWM unauthenticates an authenticated session. Minimum value is 60 seconds.

Label Reporting User Match
Key reporting.ldap.userMatch
Navigation Settings ⇨ User Interface ⇨ UI Features ⇨ Reporting User Match
Syntax USER_PERMISSION
Level 1 (Advanced)
Required False
Confidential False
Scope DOMAIN
Default
UserPermission: All Users: [Profile: 'all']
Select users to include in the reporting job.

REST Clients

Label External Token Destination Server URLs
Key external.destToken.urls
Navigation Settings ⇨ Web Services ⇨ REST Clients ⇨ External Token Destination Server URLs
Syntax STRING
Level 2
Required False
Confidential False
Scope DOMAIN
Default

Specify the URL of an external server. PWM provides this RESTful client API to allow flexibility in how the destination token addresses are read and how PWM displays them to the users.

When you populate this setting with a valid URL, just before PWM sends a token to a user, it makes an HTTP POST request to that URL. The body of the post includes the user's originally generated destination token address as well as additional user information. An example of the request data is provided here (it might vary depending on what data is available, and at what point the system issues the token):
{
   "tokenDestination":{
      "email":"[email protected]",
      "sms":"555-555-5555"
   },
   "userInfo":{
      "userDN":"_default|CN\u003dAllison Blake,OU\u003dNYC,OU\u003dPeople,DC\u003dad,DC\u003dism,DC\u003dexample,DC\u003dcom",
      "userID":"ablake",
      "userEmailAddress":"[email protected]",
      "passwordExpirationTime":"2383-02-20T09:10:33Z",
      "passwordLastModifiedTime":"2014-01-21T09:10:33Z",
      "requiresNewPassword":false,
      "requiresResponseConfig":true,
      "requiresUpdateProfile":true,
      "passwordStatus":{
         "expired":false,
         "preExpired":false,
         "violatesPolicy":false,
         "warnPeriod":false
      },
      "passwordPolicy":{
         "MaximumNumeric":"0",
         "MinimumSpecial":"0",
         "AllowLastCharSpecial":"true",
         "ADComplexity":"false",
         "RegExNoMatch":"",
         "AllowSpecial":"true",
         "MaximumSpecial":"0",
         "MinimumLowerCase":"0",
         "MaximumRepeat":"0",
         "MinimumUnique":"0",
         "MinimumNumeric":"0",
         "MinimumLength":"2",
         "DisallowedValues":"test\npassword",
         "CaseSensitive":"true",
         "RegExMatch":"",
         "DisallowCurrent":"false",
         "MaximumUnique":"0",
         "AllowFirstCharSpecial":"true",
         "MinimumLifetime":"0",
         "ExpirationInterval":"0",
         "UniqueRequired":"false",
         "MaximumSequentialRepeat":"0",
         "ChallengeResponseEnabled":"false",
         "AllowNumeric":"true",
         "EnforceAtLogin":"false",
         "AllowFirstCharNumeric":"true",
         "EnableWordlist":"true",
         "MaximumLength":"64",
         "DisallowedAttributes":"sn\ncn\ngivenName",
         "AllowLastCharNumeric":"true",
         "PolicyEnabled":"true",
         "MaximumUpperCase":"0",
         "MinimumUpperCase":"0",
         "ChangeMessage":"",
         "MaximumLowerCase":"0"
      },
      "passwordRules":[
         "Password is case sensitive.",
         "Must be at least 2 characters long.",
         "Must not include any of the following values:  test password",
         "Must not include part of your name or user name.",
         "Must not include a common word or commonly used sequence of characters."
      ]
   }
}
The web service must then respond with a body that includes a value for the tokenDestination values provided in the request, as well as a display value. For example:
{
    "email":"[email protected]",
    "sms":"555-555-5555",
    "displayValue":"e****@example.org or 555-555-****"
}
PWM substitutes the returned values for email and SMS for the original values, and if the system displays the destination to the user, it uses the displayValue of the actual destination email or SMS value. If an error occurs during the web service call, PWM shows the user an error.

Label External Password Check REST Server URLs
Key external.pwcheck.urls
Navigation Settings ⇨ Web Services ⇨ REST Clients ⇨ External Password Check REST Server URLs
Syntax STRING
Level 2
Required False
Confidential False
Scope DOMAIN
Default

PWM provides this RESTful client API so that an external service can add password rule checks beyond the built-in policy.

When you populate this setting with a valid URL, PWM makes an HTTP POST request during the password validation operation. The body of the post includes the user's desired password as well as additional user information. The following is an example of the request data (it might vary depending on what data is available, and at what point the system invokes the API):
{
   "password":"password1234",
   "userInfo":{
      "userDN":"_default|cn\u003dablake,ou\u003dusers,o\u003dexample",
      "userID":"ablake",
      "userEmailAddress":"[email protected]",
      "passwordExpirationTime":"2014-03-04T00:06:03Z",
      "passwordLastModifiedTime":"2014-02-02T00:06:03Z",
      "requiresNewPassword":false,
      "requiresResponseConfig":false,
      "requiresUpdateProfile":false,
      "passwordStatus":{
         "expired":false,
         "preExpired":false,
         "violatesPolicy":false,
         "warnPeriod":false
      },
      "passwordPolicy":{
         "MaximumNumeric":"0",
         "MinimumSpecial":"0",
         "AllowLastCharSpecial":"true",
         "ADComplexity":"false",
         "RegExNoMatch":"",
         "AllowSpecial":"true",
         "MaximumSpecial":"0",
         "MinimumLowerCase":"0",
         "MinimumUnique":"0",
         "MinimumNumeric":"1",
         "MinimumLength":"8",
         "DisallowedValues":"test\npassword",
         "CaseSensitive":"true",
         "RegExMatch":"",
         "DisallowCurrent":"false",
         "AllowFirstCharSpecial":"true",
         "MinimumLifetime":"0",
         "ExpirationInterval":"2592000",
         "UniqueRequired":"false",
         "MaximumSequentialRepeat":"0",
         "AllowNumeric":"true",
         "AllowFirstCharNumeric":"true",
         "EnableWordlist":"true",
         "MaximumLength":"12",
         "DisallowedAttributes":"sn\ncn\ngivenName",
         "AllowLastCharNumeric":"true",
         "PolicyEnabled":"true",
         "MaximumUpperCase":"0",
         "MinimumUpperCase":"0",
         "ChangeMessage":"Please change your password to meet the corporate policy",
         "MaximumLowerCase":"0"
      },
      "passwordRules":[
         "Password is case sensitive.",
         "Must be at least 8 characters long.",
         "Must be no more than 12 characters long.",
         "Must include at least 1 number.",
         "Must not include any of the following values:  test password",
         "Must not include part of your name or user name.",
         "Must not include a common word or commonly used sequence of characters."
      ]
   }
}
The web service must then respond with a body that includes a true/false status for an error state, as well as an errorMessage value to display to the user.
{
    "error": true,
    "errorMessage":"password check output - from rest api"
}
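A minimal External Password Check service, added here as an example and not part of PWM or its documentation: it parses the request body shown above, applies only rules that PWM's own policy does not already cover, and returns the error/errorMessage document PWM expects. The organization denylist, the year rule, the sample e-mail address and the listen address 127.0.0.1:8080 are constructed assumptions.

```python
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed, organization-specific substrings that PWM's built-in policy does
# not know about (an assumed denylist, not from the PWM documentation).
ORG_DENYLIST = ("examplecorp", "acme")


def external_password_check(request_body: str) -> dict:
    """Handle one External Password Check request.

    Parses the JSON PWM posts ("password" plus "userInfo") and returns the
    {"error", "errorMessage"} document PWM reads back.  PWM still applies its
    own passwordPolicy, so only extra rules are evaluated here.
    """
    req = json.loads(request_body)
    password = req.get("password", "")
    user = req.get("userInfo", {})
    lowered = password.lower()

    # Rule 1: the local part of the user's e-mail address must not appear in
    # the password (PWM's own rule covers userID and DisallowedAttributes only).
    local_part = user.get("userEmailAddress", "").split("@", 1)[0].lower()
    if len(local_part) >= 3 and local_part in lowered:
        return {"error": True,
                "errorMessage": "Password must not contain your e-mail address."}

    # Rule 2: organization-specific denylist, matched case-insensitively.
    for word in ORG_DENYLIST:
        if word in lowered:
            return {"error": True,
                    "errorMessage": "Password must not contain the company name."}

    # Rule 3: a four-digit year (19xx/20xx) is a common, guessable component.
    if re.search(r"(19|20)\d{2}", password):
        return {"error": True, "errorMessage": "Password must not contain a year."}

    return {"error": False, "errorMessage": ""}


class CheckHandler(BaseHTTPRequestHandler):
    """Accepts the HTTP POST PWM makes and answers with JSON."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length).decode("utf-8")
        try:
            result = external_password_check(body)
        except (ValueError, AttributeError):
            result = {"error": True, "errorMessage": "Malformed request."}
        payload = json.dumps(result).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, fmt, *args):
        # Suppress access logging: the request body carries the password.
        pass


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), CheckHandler).serve_forever()
```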

Label External Macro REST Server URLs
Key external.macros.urls
Navigation Settings ⇨ Web Services ⇨ REST Clients ⇨ External Macro REST Server URLs
Syntax STRING_ARRAY
Level 2
Required False
Confidential False
Scope DOMAIN
Default

Specify the URL of the external macro server. PWM provides this RESTful client API to allow additional macro functions.

The macro engine maps each listed URL to a numbered macro, so that @External1:value@ corresponds to the first URL, @External2:value@ to the second URL, and so on.

PWM passes the value as part of the JSON data sent to the web service. The system includes the user information only if the user is authenticated at the time of the invocation. The macro declaration supplies the input value. The following is an example of the body of the HTTP POST request made by this application.

{
   "input":"macroInput",
   "userInfo":{
      "userDN":"_default|cn\u003dablake,ou\u003dusers,o\u003dexample",
      "userID":"ablake",
      "userEmailAddress":"[email protected]",
      "passwordExpirationTime":"2014-03-04T00:06:03Z",
      "passwordLastModifiedTime":"2014-02-02T00:06:03Z",
      "requiresNewPassword":false,
      "requiresResponseConfig":false,
      "requiresUpdateProfile":false,
      "passwordStatus":{
         "expired":false,
         "preExpired":false,
         "violatesPolicy":false,
         "warnPeriod":false
      },
      "passwordPolicy":{
         "MaximumNumeric":"0",
         "MinimumSpecial":"0",
         "AllowLastCharSpecial":"true",
         "ADComplexity":"false",
         "RegExNoMatch":"",
         "AllowSpecial":"true",
         "MaximumSpecial":"0",
         "MinimumLowerCase":"0",
         "MinimumUnique":"0",
         "MinimumNumeric":"1",
         "MinimumLength":"8",
         "DisallowedValues":"test\npassword",
         "CaseSensitive":"true",
         "RegExMatch":"",
         "DisallowCurrent":"false",
         "AllowFirstCharSpecial":"true",
         "MinimumLifetime":"0",
         "ExpirationInterval":"2592000",
         "UniqueRequired":"false",
         "MaximumSequentialRepeat":"0",
         "AllowNumeric":"true",
         "AllowFirstCharNumeric":"true",
         "EnableWordlist":"true",
         "MaximumLength":"12",
         "DisallowedAttributes":"sn\ncn\ngivenName",
         "AllowLastCharNumeric":"true",
         "PolicyEnabled":"true",
         "MaximumUpperCase":"0",
         "MinimumUpperCase":"0",
         "ChangeMessage":"Please change your password to meet the corporate policy",
         "MaximumLowerCase":"0"
      },
      "passwordRules":[
         "Password is case sensitive.",
         "Must be at least 8 characters long.",
         "Must be no more than 12 characters long.",
         "Must include at least 1 number.",
         "Must not include any of the following values:  test password",
         "Must not include part of your name or user name.",
         "Must not include a common word or commonly used sequence of characters."
      ]
   }
}
The web service must then respond with a body that includes an output value. For example:
{
   "output":"macro api output"
}
The system uses the output value as the macro substitution value.

Label External Remote Responses REST Server URL
Key external.remoteResponses.url
Navigation Settings ⇨ Web Services ⇨ REST Clients ⇨ External Remote Responses REST Server URL
Syntax STRING
Level 2
Required False
Confidential False
Scope DOMAIN
Default

PWM provides this RESTful client API to allow a remote service to provide Challenge/Response validation during forgotten password.

When you configure the setting Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ Definition ⇨ Verification Methods to use Remote Responses, PWM invokes the URL configured here. The request includes user information and a verification session identifier. The remote service is responsible for returning instructions to the user, an error message, a list of prompts to present to the user, and the status of the verification process.

HTTP Request POST JSON Body example:
{
   "responseSessionID":"65634ab0-0112-41a1-93b1-e9e8178bbc29",
   "userInfo":{
      "userDN":"cn=testuser,ou=users,o=data",
      "ldapProfile":"default",
      "userID":"testuser",
      "userEmailAddress":"[email protected]",
      "passwordExpirationTime":"2000-01-01T01:01:01Z",
      "passwordLastModifiedTime":"2000-01-01T01:01:01Z",
      "requiresNewPassword":false,
      "requiresResponseConfig":false,
      "requiresUpdateProfile":false,
      "requiresInteraction":false,
      "passwordStatus":{
         "expired":false,
         "preExpired":false,
         "violatesPolicy":false,
         "warnPeriod":false
      },
      "passwordPolicy":{
         "MinimumNumeric":"0",
         "AllowNumeric":"TRUE",
         "MaximumSpecial":"0",
         "AllowLastCharSpecial":"TRUE",
         "MinimumLength":"5",
         "AllowFirstCharNumeric":"TRUE",
         "MaximumUpperCase":"0",
         "MinimumLowerCase":"0",
         "UniqueRequired":"FALSE",
         "PolicyEnabled":"true",
         "ADComplexityMaxViolations":"2",
         "MaximumLength":"12",
         "DisallowedValues":"",
         "MinimumUnique":"0",
         "MinimumLifetime":"0",
         "CaseSensitive":"TRUE",
         "AllowLastCharNumeric":"TRUE",
         "ExpirationInterval":"2592000",
         "AllowFirstCharSpecial":"TRUE",
         "MinimumSpecial":"0",
         "MaximumSequentialRepeat":"0",
         "MinimumUpperCase":"0",
         "DisallowedAttributes":"",
         "MaximumLowerCase":"0",
         "ChangeMessage":"Please change your password to meet the corporate policy",
         "MaximumNumeric":"0",
         "AllowSpecial":"TRUE"
      },
      "passwordRules":[
         "Password is case sensitive.",
         "Must be at least 5 characters long.",
         "Must be no more than 12 characters long."
      ]
   },
   "userResponses":{
      "identifier1":"user answer value"
   }
}
HTTP Response JSON body example:
{
   "displayInstructions":"please enter the data for the requested prompts",
   "verificationState":"INPROGRESS",
   "userPrompts":[
      {
         "displayPrompt":"User Prompt #1",
         "identifier":"identifier1"
      },
      },
      {
         "displayPrompt":"User Prompt #2",
         "identifier":"identifier2"
      }
   ],
   "errorMessage":"error message"
}

Permitted values for verificationState are INPROGRESS, FAILED and COMPLETE.
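The exchange above implemented as a Remote Responses service, added here as an example and not PWM's own code: the first call of a session carries no userResponses and receives the prompts (INPROGRESS); later calls are checked against stored answers and move the session to COMPLETE, or to FAILED after too many wrong rounds. The stored answers, prompts and attempt limit are constructed assumptions; a real service would keep hashed answers in a database.

```python
import hmac
import json

# Constructed example data: stored answers per userID and the prompts to show.
STORED_ANSWERS = {"testuser": {"identifier1": "blue", "identifier2": "oslo"}}
PROMPTS = [
    {"displayPrompt": "What is your favourite colour?", "identifier": "identifier1"},
    {"displayPrompt": "In which city were you born?", "identifier": "identifier2"},
]
MAX_ATTEMPTS = 3          # assumed limit on wrong answer rounds per session
_attempts = {}            # responseSessionID -> number of failed rounds


def _reply(state, instructions, prompts=None, error=""):
    """Build the response body; verificationState is INPROGRESS, FAILED or COMPLETE."""
    return {"displayInstructions": instructions, "verificationState": state,
            "userPrompts": prompts or [], "errorMessage": error}


def _norm(answer):
    # Tolerate surrounding whitespace and letter case; bytes for compare_digest.
    return answer.strip().casefold().encode("utf-8")


def remote_responses(request_body: str) -> dict:
    req = json.loads(request_body)
    session_id = req["responseSessionID"]
    user_id = req.get("userInfo", {}).get("userID", "")
    supplied = req.get("userResponses") or {}
    expected = STORED_ANSWERS.get(user_id)

    if expected is None:
        # Unknown user: fail without confirming whether the account exists.
        return _reply("FAILED", "Verification failed.", error="Verification failed")

    if not supplied:
        # First round of this session: nothing to check yet, issue the prompts.
        _attempts.setdefault(session_id, 0)
        return _reply("INPROGRESS", "Please answer the following questions.", PROMPTS)

    # Every expected identifier must match; a missing answer compares as empty.
    correct = all(hmac.compare_digest(_norm(supplied.get(k, "")), _norm(v))
                  for k, v in expected.items())
    if correct:
        _attempts.pop(session_id, None)
        return _reply("COMPLETE", "Your identity has been verified.")

    failures = _attempts.get(session_id, 0) + 1
    _attempts[session_id] = failures
    if failures >= MAX_ATTEMPTS:
        # The session stays FAILED; further guesses under this ID are refused.
        return _reply("FAILED", "Too many incorrect answers.", error="Verification failed")
    return _reply("INPROGRESS", "One or more answers were incorrect; please try again.",
                  PROMPTS, "Incorrect answer")
```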


Label Remote Form Data Service
Key external.remoteData.url
Navigation Settings ⇨ Web Services ⇨ REST Clients ⇨ Remote Form Data Service
Syntax REMOTE_WEB_SERVICE
Level 2
Required False
Confidential False
Scope DOMAIN
Default
[]

PWM provides this RESTful client API to allow a remote service to provide form data validation during form editing.

When you configure a form field to use a Remote REST API as its source, PWM invokes the URL configured here. The request includes user information, form configuration data and a verification session identifier. The remote service is responsible for returning an error boolean, an error message to display to the user, and a detailed error message for administrator logging.

HTTP Request POST JSON Body example:
{
   "formInfo":{
      "module":"NewUser",
      "moduleProfileID":"cc3",
      "mode":"verify",
      "sessionID":"j651u3tc47bCFig7sy0LIxlwHYvXbZ4WHanVMUgRaIMEof7A8c3ahr5M5g9OemZw0UAHqLhb"
   },
   "formValues":{
      "mail":"[email protected]",
      "givenName":"john",
      "sn":"doe",
      "remote1":"value1"
   },
   "formConfigurations":[
      {
         "name":"mail",
         "minimumLength":1,
         "maximumLength":64,
         "type":"email",
         "source":"ldap",
         "required":true,
         "confirmationRequired":false,
         "readonly":false,
         "unique":true,
         "multivalue":false,
         "labels":{
            "":"Email Address"
         },
         "regexErrors":{
            "":"Email Address has invalid characters"
         },
         "description":{
            "":""
         },
         "regex":"^[a-zA-Z0-9 .,'@]*$",
         "placeholder":"[email protected]",
         "javascript":"",
         "selectOptions":{

         }
      },
      {
         "name":"givenName",
         "minimumLength":1,
         "maximumLength":64,
         "type":"text",
         "source":"ldap",
         "required":true,
         "confirmationRequired":false,
         "readonly":false,
         "unique":false,
         "multivalue":false,
         "labels":{
            "":"First Name"
         },
         "regexErrors":{
            "":""
         },
         "description":{
            "":""
         },
         "regex":"^[a-zA-Z0-9 .,'@]*$",
         "placeholder":"",
         "javascript":"",
         "selectOptions":{

         }
      },
      {
         "name":"sn",
         "minimumLength":1,
         "maximumLength":64,
         "type":"text",
         "source":"ldap",
         "required":true,
         "confirmationRequired":false,
         "readonly":false,
         "unique":false,
         "multivalue":false,
         "labels":{
            "":"Last Name"
         },
         "regexErrors":{
            "":""
         },
         "description":{
            "":""
         },
         "regex":"^[a-zA-Z0-9 .,'@]*$",
         "placeholder":"",
         "javascript":"",
         "selectOptions":{

         }
      },
      {
         "name":"remote1",
         "minimumLength":0,
         "maximumLength":255,
         "type":"text",
         "source":"remote",
         "required":false,
         "confirmationRequired":false,
         "readonly":false,
         "unique":false,
         "multivalue":false,
         "labels":{
            "":"remote1"
         },
         "regexErrors":{
            "":""
         },
         "description":{
            "":""
         },
         "regex":"",
         "placeholder":"",
         "javascript":"",
         "selectOptions":{

         }
      }
   ]
}
HTTP Response JSON body example:
{
   "error":true,
   "errorMsg":"Field remote1 Has the wrong value.",
   "errorDetail":"Incorrect Data",
   "formValues":{}
}

Permitted values for mode are verify, read and write. When set to read mode, the form fields must be included in a formValues element.
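A Remote Form Data Service handling all three modes, added here as an example and not PWM's own code: it picks out the fields whose source is "remote", validates them in verify and write modes, and in read mode returns their current values in formValues as the text above requires. The backing store and the acceptance pattern for remote1 are constructed assumptions.

```python
import json
import re

# Constructed backing store for the remote-sourced field; a real service would
# look values up per user or per form session.
_remote_store = {"remote1": "value1"}
# Constructed acceptance rule for remote1 values (an assumption, not a PWM rule).
_REMOTE1_PATTERN = re.compile(r"^[a-z0-9]{1,16}$")


def _ok(form_values):
    return {"error": False, "errorMsg": "", "errorDetail": "", "formValues": form_values}


def _fail(user_msg, admin_detail):
    # errorMsg is shown to the user; errorDetail is meant for the administrator log.
    return {"error": True, "errorMsg": user_msg, "errorDetail": admin_detail,
            "formValues": {}}


def _validate(name, value):
    """Return an admin-level detail string if the value is rejected, else None."""
    if value and not _REMOTE1_PATTERN.match(value):
        return f"{name}={value!r} does not match {_REMOTE1_PATTERN.pattern}"
    return None


def remote_form_data(request_body: str) -> dict:
    req = json.loads(request_body)
    mode = req.get("formInfo", {}).get("mode")
    values = req.get("formValues") or {}
    # Only fields whose source is "remote" belong to this service; LDAP-sourced
    # fields (mail, givenName, sn) arrive for context and are left alone.
    remote_fields = [f["name"] for f in req.get("formConfigurations", [])
                     if f.get("source") == "remote"]

    if mode == "read":
        # Read mode: the remote fields' current values go back in formValues.
        return _ok({name: _remote_store.get(name, "") for name in remote_fields})

    if mode in ("verify", "write"):
        for name in remote_fields:
            detail = _validate(name, values.get(name, ""))
            if detail:
                return _fail(f"Field {name} has the wrong value.", detail)
        if mode == "write":
            for name in remote_fields:
                if name in values:
                    _remote_store[name] = values[name]
        return _ok({})

    return _fail("The request could not be processed.", f"unsupported mode {mode!r}")
```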


REST Services

Label Enable REST Web Server
Key external.webservices.enable
Navigation Settings ⇨ Web Services ⇨ REST Services ⇨ Enable REST Web Server
Syntax BOOLEAN
Level 2
Required False
Confidential False
Scope DOMAIN
Default
Template    Value
default     False
NOVL_IDM    True
Enable this option to allow public use of web services. When false, PWM requires the form nonce for all web services. The form nonce is difficult (though not impossible) for a client to retrieve programmatically, so the web services are correspondingly difficult, though not impossible, to use. When true, PWM does not require the form nonce to invoke the web services.

Label Public REST Web Services
Key webservices.public.enable
Navigation Settings ⇨ Web Services ⇨ REST Services ⇨ Public REST Web Services
Syntax OPTIONLIST
Level 2
Required False
Confidential False
Scope DOMAIN
Options
Stored Value         Display
Health               Health - /health
ForgottenPassword    Forgotten Password - /forgottenpassword
Statistics           Statistics - /statistics
Default

Web Services which are enabled for public (unauthenticated) usage.

Label Web Service Non-LDAP Users and Passwords
Key webservices.external.secrets
Navigation Settings ⇨ Web Services ⇨ REST Services ⇨ Web Service Non-LDAP Users and Passwords
Syntax NAMED_SECRET
Level 2
Required False
Confidential False
Scope DOMAIN
Default

Define users and passwords that are able to authenticate to and use the REST web services. For each user, a list of available services and a password can be defined. Invoking the REST web services using these users does not require an LDAP user and instead relies on the configured LDAP proxy user. In most cases this is the preferred approach for REST clients to authenticate. Usernames defined here take precedence over LDAP username resolution.

Label Web Services LDAP Authentication Permissions
Key webservices.queryMatch
Navigation Settings ⇨ Web Services ⇨ REST Services ⇨ Web Services LDAP Authentication Permissions
Syntax USER_PERMISSION
Level 2
Required False
Confidential False
Scope DOMAIN
Default
Template    Value
default
NOVL_IDM    UserPermission: All Users: [Profile: 'all']
Add an LDAP filter that contains the users permitted to execute REST web services.

Label Web Services LDAP Third Party Permissions
Key webservices.thirdParty.queryMatch
Navigation Settings ⇨ Web Services ⇨ REST Services ⇨ Web Services LDAP Third Party Permissions
Syntax USER_PERMISSION
Level 2
Required False
Confidential False
Scope DOMAIN
Default

Add an LDAP filter that contains the users permitted to execute REST web services and specify a third party via the 'username' parameter.

Label Allow Challenge REST Service to Read Answers
Key webservices.enableReadAnswers
Navigation Settings ⇨ Web Services ⇨ REST Services ⇨ Allow Challenge REST Service to Read Answers
Syntax BOOLEAN
Level 2
Required False
Confidential False
Scope DOMAIN
Default
False
Enable this option to allow PWM to use web services to read stored Challenge/Response answers of users. The read responses are available in whatever hashing method format you selected.


Word Lists

Word Lists

Label Word List File URL
Key pwm.wordlist.location
Navigation Settings ⇨ Word Lists ⇨ Word List File URL
Syntax STRING
Level 1 (Advanced)
Required False
Confidential False
Scope SYSTEM
Default

Specify a word list file URL for dictionary checking to prevent users from using commonly used words as passwords. Using word lists is an important part of password security. Word lists are used by intruders to guess common passwords. The default word list included contains commonly used English passwords.

The first time PWM starts with a new word list setting, it takes some time to compile the word list into a database. See the status screen and logs for progress information. The word list file format is one or more text files containing a single word per line, enclosed in a ZIP file. The string !#comment: at the beginning of a line indicates a comment.

The value must be a valid URL, using the protocol "file" (local file system), "http", or "https".

Label Word List Case Sensitivity
Key wordlistCaseSensitive
Navigation Settings ⇨ Word Lists ⇨ Word List Case Sensitivity
Syntax BOOLEAN
Level 1 (Advanced)
Required True
Confidential False
Scope SYSTEM
Default
False
Enable this option to treat the word list as case sensitive for all matches. Changing this value causes PWM to recompile the word list.

Label Word List Word Size Check
Key password.wordlist.wordSize
Navigation Settings ⇨ Word Lists ⇨ Word List Word Size Check
Syntax NUMERIC
Level 2
Required True
Confidential False
Scope SYSTEM
Default
0
Specify the minimum number of characters in the password that PWM checks against the Word List dictionary. For example, if the password the system checks is "wordlist" and this setting is set to 6, then the combinations "wordli", "wordlis", "wordlist", "ordlis", "ordlist", and "rdlist" are all checked against the configured dictionary. If any of these values are equal to any word in the Word List dictionary, then the system considers the password to match the Word List and rejects it. If this value is set to zero or the password to check is smaller than the value specified here, then the system checks the entire password against the Word List but not any smaller parts of it.