Reference Library
- Configuration Notes
- Default Settings
- Domains
- LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ Connection
- LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ Login Setup
- LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes
- LDAP ⇨ LDAP Settings ⇨ Global
- LDAP ⇨ LDAP Settings ⇨ Microsoft Active Directory
- LDAP ⇨ LDAP Settings ⇨ NetIQ eDirectory ⇨ eDirectory Challenge Sets
- LDAP ⇨ LDAP Settings ⇨ NetIQ eDirectory ⇨ eDirectory Settings
- LDAP ⇨ LDAP Settings ⇨ Oracle DS
- Modules ⇨ Authenticated ⇨ Account Information ⇨ Profiles ⇨ [profile]
- Modules ⇨ Authenticated ⇨ Account Information ⇨ Settings
- Modules ⇨ Authenticated ⇨ Administration
- Modules ⇨ Authenticated ⇨ Change Password ⇨ Profiles ⇨ [profile]
- Modules ⇨ Authenticated ⇨ Change Password ⇨ Settings
- Modules ⇨ Authenticated ⇨ Delete Account ⇨ Profiles ⇨ [profile]
- Modules ⇨ Authenticated ⇨ Delete Account ⇨ Settings
- Modules ⇨ Authenticated ⇨ Guest Registration
- Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Details
- Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Options
- Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Verification
- Modules ⇨ Authenticated ⇨ Help Desk ⇨ Settings
- Modules ⇨ Authenticated ⇨ People Search
- Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile]
- Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Settings
- Modules ⇨ Authenticated ⇨ Setup OTP ⇨ OTP Profile ⇨ [profile]
- Modules ⇨ Authenticated ⇨ Setup OTP ⇨ OTP Settings
- Modules ⇨ Authenticated ⇨ Setup Security Questions ⇨ Setup Security Profiles ⇨ [profile]
- Modules ⇨ Authenticated ⇨ Setup Security Questions ⇨ Setup Security Settings
- Modules ⇨ Authenticated ⇨ Shortcut Menu
- Modules ⇨ Authenticated ⇨ Update Profile ⇨ Update Profile Profiles ⇨ [profile]
- Modules ⇨ Authenticated ⇨ Update Profile ⇨ Update Profile Settings
- Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ Definition
- Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ OAuth
- Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ Options
- Modules ⇨ Public ⇨ Forgotten Password ⇨ Settings
- Modules ⇨ Public ⇨ Forgotten User Name
- Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile]
- Modules ⇨ Public ⇨ New User Registration ⇨ New User Settings
- Modules ⇨ Public ⇨ User Activation ⇨ Settings
- Modules ⇨ Public ⇨ User Activation ⇨ User Activation Profiles ⇨ [profile]
- Policies ⇨ Challenge Policies ⇨ [profile]
- Policies ⇨ Password Policies ⇨ [profile]
- Settings ⇨ Application
- Settings ⇨ Auditing ⇨ Audit Configuration
- Settings ⇨ Auditing ⇨ Audit Forwarding
- Settings ⇨ Captcha
- Settings ⇨ Database (Remote) ⇨ Advanced
- Settings ⇨ Database (Remote) ⇨ Connection
- Settings ⇨ Email ⇨ Email Servers ⇨ [profile]
- Settings ⇨ Email ⇨ Email Settings
- Settings ⇨ Email ⇨ Email Templates
- Settings ⇨ HTTP Client
- Settings ⇨ HTTPS Server
- Settings ⇨ Intruder Detection ⇨ Intruder Settings
- Settings ⇨ Intruder Detection ⇨ Intruder System Settings
- Settings ⇨ Intruder Detection ⇨ Intruder Timeouts
- Settings ⇨ Localization
- Settings ⇨ Logging
- Settings ⇨ Password Expiration Notification
- Settings ⇨ Password Settings
- Settings ⇨ Reporting
- Settings ⇨ SMS ⇨ SMS Gateway
- Settings ⇨ SMS ⇨ SMS Messages
- Settings ⇨ Security ⇨ Application Security
- Settings ⇨ Security ⇨ Web Security
- Settings ⇨ Single Sign On (SSO) Client ⇨ Basic Authentication
- Settings ⇨ Single Sign On (SSO) Client ⇨ CAS SSO
- Settings ⇨ Single Sign On (SSO) Client ⇨ HTTP SSO
- Settings ⇨ Single Sign On (SSO) Client ⇨ OAuth
- Settings ⇨ System ⇨ Session Management
- Settings ⇨ Telemetry
- Settings ⇨ Tokens
- Settings ⇨ URL Settings
- Settings ⇨ User History
- Settings ⇨ User Interface ⇨ Look & Feel
- Settings ⇨ User Interface ⇨ UI Features
- Settings ⇨ Web Services ⇨ REST Clients
- Settings ⇨ Web Services ⇨ REST Services
- Settings ⇨ Word Lists
Configuration Notes

Label: Configuration Notes
Key: notes.noteText
Navigation: Configuration Notes ⇨ Configuration Notes
Syntax: TEXT_AREA
Level: 0 (Normal)
Required: False
Confidential: False
Scope: DOMAIN
Default: (empty)
Specify any configuration notes about your system. This option allows you to keep notes about any specific configuration choices you have made for the system.

Default Settings

Label: LDAP Vendor Default Settings
Key: template.ldap
Navigation: Default Settings ⇨ LDAP Vendor Default Settings
Syntax: SELECT
Level: 0 (Normal)
Required: False
Confidential: False
Scope: DOMAIN
Options (stored value: display):
- DIRECTORY_SERVER_389: 389 Directory Server
- AD: Microsoft Active Directory
- NOVL: NetIQ eDirectory
- NOVL_IDM: NetIQ IDM / OAuth Integration
- OPEN_LDAP: OpenLDAP
- ORACLE_DS: Oracle Directory Server
- DEFAULT: Others
Default: DEFAULT
This setting changes the default values throughout this configuration to reasonable values for the selected vendor. Only default (non-modified) settings are affected; any settings that have been modified from their defaults are unaffected. You can change this setting at any time, but use caution when doing so, as the overall behavior of the application might change. After changing this setting, review and test PWM to ensure the desired behavior occurs.

Label: Storage Default Settings
Key: template.storage
Navigation: Default Settings ⇨ Storage Default Settings
Syntax: SELECT
Level: 0 (Normal)
Required: False
Confidential: False
Scope: DOMAIN
Options (stored value: display):
- LDAP: LDAP
- DB: Remote Database
- LOCALDB: LocalDB (Testing Only)
Default: LDAP
This setting changes the default values throughout this configuration to reasonable values for the selected storage type. Only default (non-modified) settings are affected; any settings that have been modified from their defaults are unaffected. You can change this setting at any time, but use caution when doing so, as the overall behavior of the application might change. After changing this setting, review and test PWM to ensure the desired behavior occurs.

Domains

Label: Domains
Key: domain.list
Navigation: Domains ⇨ Domains
Syntax: DOMAIN
Level: 0 (Normal)
Required: True
Confidential: False
Scope: SYSTEM
Default: default
List of domains supported by this application instance. Domain order is unimportant. The value of the domain(s) may be used in public URLs and parameters. Domains provide a way for multiple systems/sites/tenants/customers to use a single instance of this PWM application. Typically only a single domain is required. If multiple domains are listed, the configuration editor allows per-domain configuration of many settings; other settings are system-level and apply to the entire application instance. Saving the configuration after increasing or decreasing the number of domains beyond a single domain may cause application URLs to change, and this configuration editor will change to allow editing of multiple domain configurations.

Label: Administrative Domain
Key: domain.system.adminDomain
Navigation: Domains ⇨ Administrative Domain
Syntax: STRING
Level: 0 (Normal)
Required: False
Confidential: False
Scope: SYSTEM
Default: default
Administrative Domain

Label: Enable Domain Paths
Key: domain.system.domainPathsEnabled
Navigation: Domains ⇨ Enable Domain Paths
Syntax: BOOLEAN
Level: 0 (Normal)
Required: False
Confidential: False
Scope: SYSTEM
Default: False
If enabled, domain IDs are added to the URL path used to access this application, and URL paths require the inclusion of the domain ID. Example: "/pwm/private/login" becomes "/pwm/default/private/login" or "/pwm/acme/private/login". Regardless of this setting, the domain is always accessible if the host header (the browser URL) is matched by the setting in Settings ⇨ URL Settings ⇨ Domain Hostnames.
Connection

Label: LDAP URLs
Key: ldap.serverUrls
Navigation: LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ Connection ⇨ LDAP URLs
Syntax: STRING_ARRAY
Level: 0 (Normal)
Required: False
Confidential: False
Scope: DOMAIN
Default: (empty)
Add a list of LDAP servers in URL format that PWM uses for a fail-over configuration. PWM uses the servers in the order they appear in this list. If the first server is unavailable, PWM uses the next available server in the list. PWM periodically checks the first server to see if it has become available.
- For secure SSL, use the "ldaps://servername:636" format
- For plain-text servers, use the "ldap://servername:389" format (not recommended)
When using secure connections, the Java virtual machine must trust the directory server, either because you have manually added the public key certificate from the tree to the Java keystore or because you imported the certificate into the LDAP Server Certificates setting.
- Do not use a non-secure connection for anything but the most basic testing purposes (many LDAP servers reject password operations on non-secure connections)
- Do not use a load-balancing device for LDAP high availability; instead use the built-in LDAP server fail-over functionality
- Do not use a DNS round-robin address
- Avoid using the network address; use the proper fully-qualified domain name of the server
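The guidance above is easy to check mechanically before a configuration is saved. The following is an added example (not PWM code) that lints a fail-over URL list against those rules: it flags plain-text ldap:// entries, raw IP addresses and non-qualified host names, URLs that are not LDAP URLs at all, and entries without an explicit port. The warning codes and the sample URL list are constructed for this illustration.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit


def check_ldap_url(url: str) -> list[str]:
    """Return warning codes for one LDAP server URL; an empty list means it follows the guidance."""
    warnings: list[str] = []
    parts = urlsplit(url.strip())
    if parts.scheme == "ldap":
        warnings.append("plaintext")          # ldap:// is accepted but not recommended
    elif parts.scheme != "ldaps":
        return ["bad-scheme"]                 # not an LDAP URL at all
    host = parts.hostname
    if not host:
        return warnings + ["no-host"]
    try:
        ip_address(host)
        warnings.append("ip-address")         # guidance: use the FQDN, not a network address
    except ValueError:
        if "." not in host:
            warnings.append("not-fqdn")       # short host name, not fully qualified
    if parts.port is None:
        warnings.append("no-explicit-port")   # guidance shows ldaps://servername:636
    return warnings


def check_ldap_urls(urls: list[str]) -> dict[str, list[str]]:
    """Check every URL in a fail-over list; order is preserved because PWM tries them in order."""
    return {url: check_ldap_url(url) for url in urls}


# Constructed sample fail-over list (not from any real deployment).
SAMPLE_URLS = [
    "ldaps://ldap1.example.com:636",
    "ldaps://ldap2.example.com:636",
    "ldap://10.0.0.5:389",
]

if __name__ == "__main__":
    for url, problems in check_ldap_urls(SAMPLE_URLS).items():
        print(url, "OK" if not problems else ", ".join(problems))
```

A "plaintext" or "ip-address" finding is worth treating as a hard error in a deployment pipeline, since both contradict the explicit recommendations for this setting; "no-explicit-port" is advisory.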
Label: LDAP Certificates
Key: ldap.serverCerts
Navigation: LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ Connection ⇨ LDAP Certificates
Syntax: X509CERT
Level: 0 (Normal)
Required: True
Confidential: False
Scope: DOMAIN
Default: (empty)
Import the LDAP server certificates. PWM stores these certificates in the configuration file and uses them to validate the identity of your LDAP server.

Label: LDAP Proxy User
Key: ldap.proxy.username
Navigation: LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ Connection ⇨ LDAP Proxy User
Syntax: STRING
Level: 0 (Normal)
Required: False
Confidential: False
Scope: DOMAIN
Default: (empty)
Specify the LDAP proxy user PWM uses to access the LDAP directory. This user must have rights to browse users and to manage password attributes on the user object.
This value must be in LDAP distinguished name format, even if your LDAP directory accepts other types of values for the bind DN. Examples of this format are cn=admin,o=example and cn=administrator,cn=users,dc=subdomain,dc=domain,dc=net.
Generally, the proxy user needs read/browse object rights to all user objects it manages, as well as create object rights in the new user container (if enabled).

Label: LDAP Proxy Password
Key: ldap.proxy.password
Navigation: LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ Connection ⇨ LDAP Proxy Password
Syntax: PASSWORD
Level: 0 (Normal)
Required: False
Confidential: True
Scope: DOMAIN
Default: *hidden*
Specify the password of the LDAP proxy user.

Label: LDAP Contextless Login Roots
Key: ldap.rootContexts
Navigation: LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ Connection ⇨ LDAP Contextless Login Roots
Syntax: STRING_ARRAY
Level: 0 (Normal)
Required: False
Confidential: False
Scope: DOMAIN
Default: (empty)
Specify the base context(s) to search for user names during authentication and other operations. During authentication, PWM performs a subtree search in each context listed. When more than a single user is found during a search, the process configured in the setting LDAP ⇨ LDAP Settings ⇨ Global ⇨ LDAP Duplicate Mode is used to handle the duplicates.
Authentication to PWM is permitted only for users that are contained within the configured context values.

Label: LDAP Test User
Key: ldap.testuser.username
Navigation: LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ Connection ⇨ LDAP Test User
Syntax: STRING
Level: 0 (Normal)
Required: False
Confidential: False
Scope: DOMAIN
Default: (empty)
Specify the fully qualified DN of an LDAP test user that PWM uses to test functionality and access to the LDAP directory. Configure this user like a normal user account with normal access privileges. PWM periodically uses this account to perform a health check, including changing the password of the account.
Using a test user account greatly increases the system's ability to detect and alert on configuration and health issues.
PWM tests the following functionality (if enabled) using the test user account:
- Authentication
- Password policy reading
- Set password
- Set Challenge/Responses
- Load Challenge/Responses

Label: Auto Add GUID Value
Key: ldap.guid.autoAddValue
Navigation: LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ Connection ⇨ Auto Add GUID Value
Syntax: BOOLEAN
Level: 2
Required: True
Confidential: False
Scope: DOMAIN
Default (by template):
- ORACLE_DS: True
- default: False
Enable this option to have PWM create and assign a unique GUID value for any user attempting to authenticate who does not already have one. PWM writes the value to the attribute named in the LDAP GUID Attribute setting.

Label: LDAP Search Timeout
Key: ldap.search.timeoutSeconds
Navigation: LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ Connection ⇨ LDAP Search Timeout
Syntax: DURATION
Level: 2
Required: False
Confidential: False
Scope: DOMAIN
Default: 30
Specify the maximum number of seconds to wait for an LDAP search to complete.

Label: LDAP Profile Enabled
Key: ldap.profile.enabled
Navigation: LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ Connection ⇨ LDAP Profile Enabled
Syntax: BOOLEAN
Level: 2
Required: False
Confidential: False
Scope: DOMAIN
Default: True
Enable this option to indicate that this LDAP profile is in use. For maintenance reasons, it might be helpful to remove an LDAP profile from use instead of deleting the profile's configuration entirely.
Login Setup

Label: User Name Search Filter
Key: ldap.usernameSearchFilter
Navigation: LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ Login Setup ⇨ User Name Search Filter
Syntax: STRING
Level: 1 (Advanced)
Required: True
Confidential: False
Scope: DOMAIN
Default (by template):
- ORACLE_DS: (&(objectClass=person)(uid=%USERNAME%))
- AD: (&(objectClass=person)(|(sAMAccountName=%USERNAME%)(cn=%USERNAME%)(mail=%USERNAME%)))
- default: (&(objectClass=person)(cn=%USERNAME%))
Specify an LDAP search filter that PWM uses for contextless login and other functions to find users in LDAP by user name. PWM replaces the token %USERNAME% with the actual user name value.
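Because %USERNAME% is substituted into a filter string, the substituted value must be escaped as an LDAP assertion value (RFC 4515) before it is inserted; otherwise a user name containing "*" or ")(" changes the meaning of the filter rather than being matched literally. The following is an added example, not PWM's own implementation, that renders the three template filters quoted above with the value escaped. The function names are assumptions for this illustration.

```python
def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter as RFC 4515 requires.

    The characters * ( ) \\ and NUL become \\xx hex escapes; any non-ASCII
    character is UTF-8 encoded and each byte is escaped the same way.
    """
    out: list[str] = []
    for ch in value:
        if ch in "*()\\\x00" or ord(ch) > 0x7F:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def render_search_filter(template: str, username: str) -> str:
    """Substitute %USERNAME% into a filter template with the value escaped first."""
    return template.replace("%USERNAME%", escape_filter_value(username))


# The three template defaults quoted in the setting above.
FILTER_TEMPLATES = {
    "ORACLE_DS": "(&(objectClass=person)(uid=%USERNAME%))",
    "AD": "(&(objectClass=person)(|(sAMAccountName=%USERNAME%)(cn=%USERNAME%)(mail=%USERNAME%)))",
    "default": "(&(objectClass=person)(cn=%USERNAME%))",
}

if __name__ == "__main__":
    for name, tmpl in FILTER_TEMPLATES.items():
        print(name, render_search_filter(tmpl, "jdoe"))
    # A user name containing filter metacharacters stays a literal, not a wildcard.
    print(render_search_filter(FILTER_TEMPLATES["default"], "*"))
```

With escaping in place, a submitted user name of "*" produces the filter (&(objectClass=person)(cn=\2a)), which matches only an entry whose cn is literally an asterisk, rather than every person in the search base.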
Label: User Selectable Login Contexts
Key: ldap.selectableContexts
Navigation: LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ Login Setup ⇨ User Selectable Login Contexts
Syntax: STRING_ARRAY
Level: 2
Required: False
Confidential: False
Scope: DOMAIN
Default: (empty)
(Optional) Add another field to the form-based login screen and other user search screens. The field allows the user to select a specific context. This is for situations where the LDAP directory does not have unique user names throughout the entire directory.
Values can further be set with both a display value and a context, separated by three colons.
For example:
- ou=sf,ou=ca,o=example:::San Francisco
- ou=lon,ou=uk,o=example:::London
- ou=nyc,ou=ny,o=example:::New York
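The dn:::display form above is simple to parse, and the important point on the application side is that the value coming back from the browser is a choice among the configured entries, not a DN to search under directly. The following is an added example (not PWM code) that parses the entries, builds the drop-down choices in configuration order, and maps a submitted selection back to its DN, returning None for anything that was never offered. The function names and the sample values are constructed for this illustration.

```python
from typing import Optional

SEPARATOR = ":::"


def parse_selectable_context(entry: str) -> tuple[str, str]:
    """Split one configured value into (context DN, display label).

    Without the ::: separator the DN doubles as its own display label.
    """
    if SEPARATOR in entry:
        dn, label = entry.split(SEPARATOR, 1)
        return dn.strip(), label.strip()
    dn = entry.strip()
    return dn, dn


def build_context_choices(entries: list[str]) -> dict[str, str]:
    """Map display label -> DN, keeping configuration order for the drop-down."""
    choices: dict[str, str] = {}
    for entry in entries:
        dn, label = parse_selectable_context(entry)
        choices[label] = dn
    return choices


def resolve_selected_context(entries: list[str], selected_label: str) -> Optional[str]:
    """Turn the label the user picked back into a DN, or None if it was not offered.

    The submitted value only selects among configured entries; it is never used
    as a search base on its own.
    """
    return build_context_choices(entries).get(selected_label)


# Constructed example values, in the same dn:::label form shown above.
SAMPLE_CONTEXTS = [
    "ou=sf,ou=ca,o=example:::San Francisco",
    "ou=lon,ou=uk,o=example:::London",
    "ou=nyc,ou=ny,o=example:::New York",
    "ou=other,o=example",
]

if __name__ == "__main__":
    for label, dn in build_context_choices(SAMPLE_CONTEXTS).items():
        print(f"{label!r} -> {dn}")
    print(resolve_selected_context(SAMPLE_CONTEXTS, "ou=evil,o=example"))
```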
Label: LDAP Profile Display Name
Key: ldap.profile.displayName
Navigation: LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ Login Setup ⇨ LDAP Profile Display Name
Syntax: LOCALIZED_STRING
Level: 2
Required: False
Confidential: False
Scope: DOMAIN
Default: (empty)
Specify the display name for this LDAP profile.
User Attributes

Label: Attribute to use for User Name
Key: ldap.username.attr
Navigation: LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ Attribute to use for User Name
Syntax: STRING
Level: 2
Required: False
Confidential: False
Scope: DOMAIN
Default (by template):
- default: cn
- AD: sAMAccountName
Specify the attribute PWM uses for the user name. If blank, PWM uses the LDAP Naming Attribute. This option allows fields that display or store the User Name or User ID of a user to show something other than the LDAP Naming Attribute where appropriate. This value must be unique within this system.

Label: LDAP GUID Attribute
Key: ldap.guidAttribute
Navigation: LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ LDAP GUID Attribute
Syntax: STRING
Level: 1 (Advanced)
Required: True
Confidential: False
Scope: DOMAIN
Default (by template):
- OPEN_LDAP: entryuuid
- DIRECTORY_SERVER_389: uidNumber
- ORACLE_DS: pwmGUID
- default: VENDORGUID
Specify an attribute PWM uses to identify and reference unique users in the LDAP directory. If set to the default value of VENDORGUID, the system attempts to read the vendor-specific LDAP GUID. Alternatively, you can set any string-readable attribute as the GUID as long as the directory enforces its uniqueness. Lastly, you can use a custom attribute and set the "Auto Add GUID Value" option to true. The application-defined schema includes the attribute pwmGUID for this usage.

Label: LDAP Naming Attribute
Key: ldap.namingAttribute
Navigation: LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ LDAP Naming Attribute
Syntax: STRING
Level: 1 (Advanced)
Required: True
Confidential: False
Scope: DOMAIN
Default (by template):
- ORACLE_DS: uid
- default: cn
Specify the attribute name PWM uses as the naming attribute on LDAP user entries. This value is also the first component of a user's distinguished name. The naming attribute is fixed by the directory vendor type, even if you use a different attribute in the login search filter. Typically, the naming attribute is cn or uid.

Label: Last Password Update Attribute
Key: passwordLastUpdateAttribute
Navigation: LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ Last Password Update Attribute
Syntax: STRING
Level: 2
Required: False
Confidential: False
Scope: DOMAIN
Default (by template):
- AD: (empty)
- ORACLE_DS: (empty)
- default: (empty)
- LDAP: pwmLastPwdUpdate
Specify the attribute that PWM uses to record when the user last updated the password. PWM also uses it during replication checks and other processes.

Label: User Group Attribute
Key: ldap.user.group.attribute
Navigation: LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ User Group Attribute
Syntax: STRING
Level: 2
Required: False
Confidential: False
Scope: DOMAIN
Default (by template):
- DIRECTORY_SERVER_389: memberof
- AD: memberOf
- ORACLE_DS: isMemberOf
- OPEN_LDAP: memberof
- default: groupMembership
Specify an attribute on the user entry that references group entries. The value of this attribute in the directory must be an LDAP DN.

Label: User Email Attribute
Key: email.userMailAttribute
Navigation: LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ User Email Attribute
Syntax: STRING
Level: 2
Required: True
Confidential: False
Scope: DOMAIN
Default: mail
Specify the LDAP attribute that contains the user's email address.

Label: Secondary User Email Attribute
Key: email.userMailAttribute2
Navigation: LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ Secondary User Email Attribute
Syntax: STRING
Level: 2
Required: False
Confidential: False
Scope: DOMAIN
Default: (empty)
Specify the secondary LDAP attribute that contains the user's email address.

Label: Tertiary User Email Attribute
Key: email.userMailAttribute3
Navigation: LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ Tertiary User Email Attribute
Syntax: STRING
Level: 2
Required: False
Confidential: False
Scope: DOMAIN
Default: (empty)
Specify the tertiary LDAP attribute that contains the user's email address.

Label: SMS Destination Address LDAP Attribute
Key: sms.userSmsAttribute
Navigation: LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ SMS Destination Address LDAP Attribute
Syntax: STRING
Level: 1 (Advanced)
Required: True
Confidential: False
Scope: DOMAIN
Default: personalMobile
Specify the LDAP attribute containing the user's mobile phone number for SMS.

Label: Secondary SMS Destination Address LDAP Attribute
Key: sms.userSmsAttribute2
Navigation: LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ Secondary SMS Destination Address LDAP Attribute
Syntax: STRING
Level: 1 (Advanced)
Required: False
Confidential: False
Scope: DOMAIN
Default: (empty)
Specify the secondary LDAP attribute containing the user's mobile phone number for SMS.

Label: Tertiary SMS Destination Address LDAP Attribute
Key: sms.userSmsAttribute3
Navigation: LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ Tertiary SMS Destination Address LDAP Attribute
Syntax: STRING
Level: 1 (Advanced)
Required: False
Confidential: False
Scope: DOMAIN
Default: (empty)
Specify the tertiary LDAP attribute containing the user's mobile phone number for SMS.

Label: Response Storage Attribute
Key: challenge.userAttribute
Navigation: LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ Response Storage Attribute
Syntax: STRING
Level: 1 (Advanced)
Required: False
Confidential: False
Scope: DOMAIN
Default: pwmResponseSet
Specify the attribute to use for response storage when storing responses in an LDAP directory.

Label: User History LDAP Attribute
Key: events.ldap.attribute
Navigation: LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ User History LDAP Attribute
Syntax: STRING
Level: 2
Required: False
Confidential: False
Scope: DOMAIN
Default: pwmEventLog
Specify the attribute PWM uses to write the user event log in LDAP. The user event log attribute holds an XML document with the user's event history. Leave blank to disable logging event history in LDAP.

Label: Web Service User Attributes
Key: webservice.userAttributes
Navigation: LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ Web Service User Attributes
Syntax: STRING_ARRAY
Level: 2
Required: False
Confidential: False
Scope: DOMAIN
Default: (empty)
Add the user attributes that the various web services use and that PWM presents as part of the user's data set.

Label: OTP Secret LDAP Attribute
Key: otp.secret.ldap.attribute
Navigation: LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ OTP Secret LDAP Attribute
Syntax: STRING
Level: 2
Required: False
Confidential: False
Scope: DOMAIN
Default: pwmOtpSecret
Specify the LDAP attribute for storing the OTP secret. PWM only uses this setting when the storage method is set to LDAP.

Label: LDAP Photo Attribute
Key: peopleSearch.photo.ldapAttribute
Navigation: LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ LDAP Photo Attribute
Syntax: STRING
Level: 2
Required: False
Confidential: False
Scope: DOMAIN
Default: photo
Specify the LDAP attribute to use for a photo. Leave this option blank if you do not want to display a photo.

Label: Photo URL Override
Key: peopleSearch.photo.urlOverride
Navigation: LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ Photo URL Override
Syntax: STRING
Level: 2
Required: False
Confidential: False
Scope: DOMAIN
Default: (empty)
Specify a URL to override the photo. If the LDAP directory does not store the users' photos, this setting can show photos from an external system. If you specify this setting, PWM does not load the photo from the LDAP directory.
Example: http://photos.example.com/employee/@LDAP:[email protected]

Label: Organizational Chart Parent Attribute
Key: peopleSearch.orgChart.parentAttribute
Navigation: LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ Organizational Chart Parent Attribute
Syntax: STRING
Level: 1 (Advanced)
Required: False
Confidential: False
Scope: DOMAIN
Default: manager
Specify the attribute that contains the LDAP DN of the user's manager. If this setting is blank, PWM does not show the organizational chart view.

Label: Organizational Chart Child Attribute
Key: peopleSearch.orgChart.childAttribute
Navigation: LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ Organizational Chart Child Attribute
Syntax: STRING
Level: 1 (Advanced)
Required: False
Confidential: False
Scope: DOMAIN
Default: directReports
Specify the attribute that contains the LDAP DNs of a user's direct reports. If this setting is blank, PWM does not show the organizational chart view.

Label: Organizational Assistant Attribute
Key: peopleSearch.orgChart.assistantAttribute
Navigation: LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ Organizational Assistant Attribute
Syntax: STRING
Level: 1 (Advanced)
Required: False
Confidential: False
Scope: DOMAIN
Default: assistant
Specify the attribute that contains the LDAP DN of a user's assistant. If this setting is blank, PWM does not show the assistant on the organizational chart view.

Label: Organizational Chart Workforce ID Attribute
Key: peopleSearch.orgChart.workforceIdAttribute
Navigation: LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ Organizational Chart Workforce ID Attribute
Syntax: STRING
Level: 1 (Advanced)
Required: False
Confidential: False
Scope: DOMAIN
Default: workforceID
Specify the attribute that contains the workforce ID of the user. If this setting is blank, PWM data exports do not contain the workforce ID.

Label: User Language Attribute
Key: ldap.user.language.attribute
Navigation: LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ User Language Attribute
Syntax: STRING
Level: 1 (Advanced)
Required: False
Confidential: False
Scope: DOMAIN
Default: (empty)
Specify the attribute that contains the language of the user in RFC 1766 format (the same format used by web browsers and the HTTP Accept-Language header). This value is used only for user interactions where the user does not have an active web session, such as an email notification.

Label: Application Data Attribute
Key: ldap.user.appData.attribute
Navigation: LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ Application Data Attribute
Syntax: STRING
Level: 1 (Advanced)
Required: False
Confidential: False
Scope: DOMAIN
Default: pwmData
Specify an attribute that PWM uses to store data for various application functions, including the LDAP node services and the password expiration notification service.

Label: Auto Set User Language Attribute
Key: ldap.user.language.autoSet
Navigation: LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ Auto Set User Language Attribute
Syntax: SELECT
Level: 1 (Advanced)
Required: False
Confidential: False
Scope: DOMAIN
Options (stored value: display):
- disabled: Disabled
- enabled: Enabled - Write to LDAP attribute during authentication.
Default: disabled
When enabled, the user's effective locale for a web session is written to the LDAP language attribute.

Label: Auto Add Object Classes
Key: ldap.addObjectClasses
Navigation: LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ User Attributes ⇨ Auto Add Object Classes
Syntax: STRING_ARRAY
Level: 2
Required: False
Confidential: False
Scope: DOMAIN
Default (by template):
- default: pwmUser
- DB: (empty)
Specify the object classes to automatically add to users who authenticate to the password servlet. Typically, this is an auxiliary LDAP class that contains the attributes PWM uses to store password self-service data.
Global

Global settings that control the interaction with an LDAP directory. PWM applies these settings regardless of the user's LDAP profile. For profile-specific settings, see Profiles -> LDAP Directory Profiles.

Label: LDAP Idle Timeout
Key: ldap.idleTimeout
Navigation: LDAP ⇨ LDAP Settings ⇨ Global ⇨ LDAP Idle Timeout
Syntax: DURATION
Level: 1 (Advanced)
Required: True
Confidential: False
Scope: DOMAIN
Default: 30
Specify the number of seconds the LDAP connection for a given session can remain idle before it is closed. If zero, PWM maintains an LDAP connection throughout the lifetime of the HTTP session.

Label: User Object Class
Key: ldap.defaultObjectClasses
Navigation: LDAP ⇨ LDAP Settings ⇨ Global ⇨ User Object Class
Syntax: STRING_ARRAY
Level: 2
Required: False
Confidential: False
Scope: DOMAIN
Default (by template):
- default: inetOrgPerson
- AD: User
Specify the object classes of user entries in your LDAP directory.

Label: Follow LDAP Referrals
Key: ldap.followReferrals
Navigation: LDAP ⇨ LDAP Settings ⇨ Global ⇨ Follow LDAP Referrals
Syntax: BOOLEAN
Level: 2
Required: True
Confidential: False
Scope: DOMAIN
Default (by template):
- default: False
- AD: True
Enable this option to have PWM follow LDAP referrals.

Label: LDAP Duplicate Mode
Key: ldap.duplicateMode
Navigation: LDAP ⇨ LDAP Settings ⇨ Global ⇨ LDAP Duplicate Mode
Syntax: SELECT
Level: 2
Required: False
Confidential: False
Scope: DOMAIN
Options (stored value: display):
- FIRST_ALL: Match first user - Use the first user discovered in any context or profile, ignore any duplicates
- FIRST_PROFILE: Match first LDAP profile - Use the first user discovered in the first profile that has only a single match
- NONE: No duplicates permitted - Fail whenever duplicate users are found in any context or profile
Default: NONE
Select how PWM handles the situation when it finds multiple user matches for a search, such as during authentication.
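The three modes differ in which match wins when a user name collides across contexts or profiles, and that difference decides which account a password reset or login lands on. The following is an added example (not PWM's code) that models the selection rule for each mode exactly as the option descriptions state it, over constructed search results for one ambiguous user name. Profiles are taken in configuration order; what happens in FIRST_PROFILE mode when no profile has exactly one match is not specified above, and returning None there is this example's assumption.

```python
from enum import Enum
from typing import Optional


class DuplicateMode(Enum):
    FIRST_ALL = "FIRST_ALL"          # first user found anywhere; duplicates ignored
    FIRST_PROFILE = "FIRST_PROFILE"  # first profile whose search yields exactly one user
    NONE = "NONE"                    # any duplicate, in any profile or context, is an error


class DuplicateUserError(Exception):
    """Raised in NONE mode when a search matches more than one user."""


def select_user(matches_by_profile: dict[str, list[str]], mode: DuplicateMode) -> Optional[str]:
    """Pick the user DN to continue with, or None when nothing matched.

    matches_by_profile keeps the LDAP profile order (dict insertion order); each
    value is the list of DNs the search returned in that profile, in result order.
    """
    all_matches = [dn for dns in matches_by_profile.values() for dn in dns]
    if not all_matches:
        return None
    if mode is DuplicateMode.NONE:
        if len(all_matches) > 1:
            raise DuplicateUserError(f"{len(all_matches)} users matched; refusing to guess")
        return all_matches[0]
    if mode is DuplicateMode.FIRST_ALL:
        return all_matches[0]
    # FIRST_PROFILE: walk profiles in order, accept the first unambiguous one.
    # Assumption for this example: no unambiguous profile means no match.
    for dns in matches_by_profile.values():
        if len(dns) == 1:
            return dns[0]
    return None


# Constructed search results for a user name that collides across profiles.
SAMPLE_RESULTS = {
    "corp": ["cn=jsmith,ou=staff,o=example", "cn=jsmith,ou=contractors,o=example"],
    "partners": ["uid=jsmith,ou=partners,o=example"],
}

if __name__ == "__main__":
    for mode in DuplicateMode:
        try:
            print(mode.value, "->", select_user(SAMPLE_RESULTS, mode))
        except DuplicateUserError as err:
            print(mode.value, "->", "error:", err)
```

On the sample results FIRST_ALL silently picks the first staff entry, FIRST_PROFILE skips the ambiguous "corp" profile and picks the partner account, and NONE (the default) refuses to proceed. Keeping the default is the conservative choice wherever the directory cannot guarantee unique user names.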
Label: User Selectable LDAP Context/Profile
Key: ldap.selectableContextMode
Navigation: LDAP ⇨ LDAP Settings ⇨ Global ⇨ User Selectable LDAP Context/Profile
Syntax: SELECT
Level: 2
Required: False
Confidential: False
Scope: DOMAIN
Options (stored value: display):
- SHOW_PROFILE: Show the LDAP profile
- SHOW_CONTEXTS: Show the LDAP profile and LDAP contexts
- NONE: Do not show
Default: NONE
Control whether the LDAP context or profile is shown to the user as an option during user identification (login, forgotten password, etc.).

Label: Ignore Unreachable LDAP Profiles
Key: ldap.ignoreUnreachableProfiles
Navigation: LDAP ⇨ LDAP Settings ⇨ Global ⇨ Ignore Unreachable LDAP Profiles
Syntax: BOOLEAN
Level: 2
Required: False
Confidential: False
Scope: DOMAIN
Default: True
Enable this option to have PWM ignore unreachable profiles when multiple LDAP profiles exist. PWM only shows a Directory Unavailable error during a user search when there is only a single LDAP profile configured or all LDAP profiles are unreachable.

Label: Enable LDAP Wire Trace
Key: ldap.wireTrace.enable
Navigation: LDAP ⇨ LDAP Settings ⇨ Global ⇨ Enable LDAP Wire Trace
Syntax: BOOLEAN
Level: 2
Required: True
Confidential: False
Scope: DOMAIN
Default: False
Enable this option to have PWM output all LDAP traffic at the TRACE logging level.
WARNING: enabling this option might cause PWM to write user passwords and other sensitive data to the log files.

Label: Password Sync Enable Replication Checking
Key: passwordSync.enableReplicaCheck
Navigation: LDAP ⇨ LDAP Settings ⇨ Global ⇨ Password Sync Enable Replication Checking
Syntax: SELECT
Level: 2
Required: False
Confidential: False
Scope: DOMAIN
Options (stored value: display):
- DISABLED: DISABLED - Do not perform replica sync checking
- ENABLED: ENABLED - Enabled, but do not display individual progress to the user
- ENABLED_SHOW: ENABLED and Display - Enable replica sync checking and display progress to the user
Default: ENABLED
Enable this option to check that the password has been updated on all configured replicas (for a user's LDAP profile). When enabled, replica sync checking polls all of the configured replicas on the user's LDAP profile to determine whether the password change time has been updated. The particular method used to determine the last password change time varies per LDAP vendor type.
Active Directory-specific settings

Label | Use Proxy When Password Forgotten
Key | ldap.ad.proxyForgotten
Navigation | LDAP ⇨ LDAP Settings ⇨ Microsoft Active Directory ⇨ Use Proxy When Password Forgotten
Syntax | BOOLEAN
Level | 1 (Advanced)
Required | True
Confidential | False
Scope | DOMAIN
Default (by template) | default: False; AD: True

Enable this option to have PWM use the LDAP proxy account for LDAP work when users forget their passwords. This is necessary because an LDAP connection to Active Directory is not possible without the user's password. When a user authenticates in this condition, Active Directory forces the user to change the password immediately.

Label | Allow Authentication When "Must Change Password On Next Login" Is Set
Key | ldap.ad.allowAuth.requireNewPassword
Navigation | LDAP ⇨ LDAP Settings ⇨ Microsoft Active Directory ⇨ Allow Authentication When "Must Change Password On Next Login" Is Set
Syntax | BOOLEAN
Level | 1 (Advanced)
Required | True
Confidential | False
Scope | DOMAIN
Default | True

Active Directory fails an LDAP login attempt when the user's "must change password on next login" flag is set. Enable this option to have PWM allow the login even though the LDAP bind failed. When this condition occurs, the user can only set a new password; no other functions are available until the password has been set (and the system clears this flag).

Label | Allow Authentication When Password Expired
Key | ldap.ad.allowAuth.expired
Navigation | LDAP ⇨ LDAP Settings ⇨ Microsoft Active Directory ⇨ Allow Authentication When Password Expired
Syntax | BOOLEAN
Level | 1 (Advanced)
Required | True
Confidential | False
Scope | DOMAIN
Default | False

Active Directory fails an LDAP login attempt when the current date is after the user's password expiration date. Enable this option to have PWM allow the login even though the LDAP bind failed. When this condition occurs, the user can only set a new password; no other functions are available until the user sets the password (and the system clears this flag).

Label | Enforce Password Policy During Forgotten Password
Key | ldap.ad.enforcePwHistoryOnSet
Navigation | LDAP ⇨ LDAP Settings ⇨ Microsoft Active Directory ⇨ Enforce Password Policy During Forgotten Password
Syntax | BOOLEAN
Level | 1 (Advanced)
Required | True
Confidential | False
Scope | DOMAIN
Default | False

Enable this option to enforce the password policy during forgotten password when Use Proxy When Password Forgotten is also set to true. This setting requires that the Active Directory servers be at Windows 2008 Server R2 SP1 or later. More specifically, it requires that the Active Directory servers support the LDAP_SERVER_POLICY_HINTS_OID (1.2.840.113556.1.4.2066) LDAP modification control.

NetIQ eDirectory challenge/response (CR) specific settings.

Label | Read eDirectory Challenge Sets
Key | ldap.edirectory.readChallengeSets
Navigation | LDAP ⇨ LDAP Settings ⇨ NetIQ eDirectory ⇨ eDirectory Challenge Sets ⇨ Read eDirectory Challenge Sets
Syntax | BOOLEAN
Level | 1 (Advanced)
Required | True
Confidential | False
Scope | DOMAIN
Default (by template) | NOVL: True; default: False; NOVL_IDM: True

Enable this option to have PWM read the challenge set configuration from the eDirectory Universal Password policy and apply it to users. If an eDirectory challenge set applies to the user, PWM uses that policy; otherwise PWM uses the policy that is part of this configuration. To require only NMAS-configured challenge sets, ensure that you blank out the required and forgotten questions in this configuration; otherwise PWM uses those in cases where you have not defined an eDirectory policy.

Label | eDirectory Challenge Set Minimum Randoms During Setup
Key | ldap.edirectory.cr.minRandomDuringSetup
Navigation | LDAP ⇨ LDAP Settings ⇨ NetIQ eDirectory ⇨ eDirectory Challenge Sets ⇨ eDirectory Challenge Set Minimum Randoms During Setup
Syntax | NUMERIC
Level | 1 (Advanced)
Required | True
Confidential | False
Scope | DOMAIN
Default | 0

Specify the number of random questions you require the users to complete at the time of saving their Challenge/Response answers.

Label | eDirectory Challenge Set Apply Word List
Key | ldap.edirectory.cr.applyWordlist
Navigation | LDAP ⇨ LDAP Settings ⇨ NetIQ eDirectory ⇨ eDirectory Challenge Sets ⇨ eDirectory Challenge Set Apply Word List
Syntax | BOOLEAN
Level | 1 (Advanced)
Required | True
Confidential | False
Scope | DOMAIN
Default | False

Enable this option to prohibit users from using words from the word list dictionary in their answers when they save their Challenge/Response answers.

Label | eDirectory Challenge Set Maximum Question Characters In Answer
Key | ldap.edirectory.cr.maxQuestionCharsInAnswer
Navigation | LDAP ⇨ LDAP Settings ⇨ NetIQ eDirectory ⇨ eDirectory Challenge Sets ⇨ eDirectory Challenge Set Maximum Question Characters In Answer
Syntax | NUMERIC
Level | 1 (Advanced)
Required | True
Confidential | False
Scope | DOMAIN
Default | 0

Specify the maximum number of characters of the question text PWM permits in answers when saving the Challenge/Response answers.

NetIQ eDirectory-specific settings.

Label | Save NMAS Responses
Key | ldap.edirectory.storeNmasResponses
Navigation | LDAP ⇨ LDAP Settings ⇨ NetIQ eDirectory ⇨ eDirectory Settings ⇨ Save NMAS Responses
Syntax | BOOLEAN
Level | 1 (Advanced)
Required | True
Confidential | False
Scope | DOMAIN
Default (by template) | NOVL: True; default: False; NOVL_IDM: True

Enable this option to have PWM save user responses to the NMAS response storage container on the user. This storage is in addition to any other configured response storage methods.

Label | Enable NMAS Responses for Forgotten Password
Key | ldap.edirectory.useNmasResponses
Navigation | LDAP ⇨ LDAP Settings ⇨ NetIQ eDirectory ⇨ eDirectory Settings ⇨ Enable NMAS Responses for Forgotten Password
Syntax | BOOLEAN
Level | 1 (Advanced)
Required | True
Confidential | False
Scope | DOMAIN
Default (by template) | NOVL: False; default: False; NOVL_IDM: True

Enable this option to have PWM use NMAS stored responses for the forgotten password recovery. PWM tries all other configured storage methods before it evaluates the NMAS stored responses.

Label | Read User Passwords
Key | ldap.edirectory.readUserPwd
Navigation | LDAP ⇨ LDAP Settings ⇨ NetIQ eDirectory ⇨ eDirectory Settings ⇨ Read User Passwords
Syntax | BOOLEAN
Level | 2
Required | False
Confidential | False
Scope | DOMAIN
Default (by template) | NOVL: True; default: False; NOVL_IDM: True

Enable this option to have PWM read the user's password from eDirectory before changing it. This prevents PWM from setting an extra password change to a temporary random password during the forgotten password sequence. If the proxy user does not have rights to read the password, then PWM generates a temporary random password for the user anyway.

Oracle Directory Server-specific settings

Label | Allow Manipulation of PasswordAllowChangeTime
Key | ldap.oracleDS.enable.manipAllowChangeTime
Navigation | LDAP ⇨ LDAP Settings ⇨ Oracle DS ⇨ Allow Manipulation of PasswordAllowChangeTime
Syntax | BOOLEAN
Level | 1 (Advanced)
Required | True
Confidential | False
Scope | DOMAIN
Default | True

Enable this option to have PWM, during the forgotten password recovery sequence, allow manipulation of the allowPasswordChangeTime attribute. This allows forgotten password functionality with expected behavior when PWM enforces a policy of minimum time between password changes.

Label | Allow Authentication When "Require Password Change at First Login and After Reset" Is Set
Key | ldap.oracleDS.allowAuth.requireNewPassword
Navigation | LDAP ⇨ LDAP Settings ⇨ Oracle DS ⇨ Allow Authentication When "Require Password Change at First Login and After Reset" Is Set
Syntax | BOOLEAN
Level | 1 (Advanced)
Required | True
Confidential | False
Scope | DOMAIN
Default | True

Enable this option to have PWM allow a login even though the LDAP bind failed. The Oracle Directory Server normally fails an LDAP login attempt when the user's pwdReset attribute is set due to an administrator password set. When this condition occurs, the user can only set a new password; no other functions are available until the system sets the password (and clears this flag).

Profiles for account information.

Label | Account Information Profile Match
Key | accountInfo.queryMatch
Navigation | Modules ⇨ Authenticated ⇨ Account Information ⇨ Profiles ⇨ [profile] ⇨ Account Information Profile Match
Syntax | USER_PERMISSION
Level | 2
Required | True
Confidential | False
Scope | DOMAIN
Default | UserPermission: All Users: [Profile: 'all']

Account Information Profile Match

Label | Show Password Event History
Key | display.passwordHistory
Navigation | Modules ⇨ Authenticated ⇨ Account Information ⇨ Profiles ⇨ [profile] ⇨ Show Password Event History
Syntax | BOOLEAN
Level | 1 (Advanced)
Required | True
Confidential | False
Scope | DOMAIN
Default | True

Enable this option to show logged-in users their password event history. The password event history appears as a tab on the account information page.

Label | Viewable Status Fields
Key | accountInfo.viewStatusValues
Navigation | Modules ⇨ Authenticated ⇨ Account Information ⇨ Profiles ⇨ [profile] ⇨ Viewable Status Fields
Syntax | OPTIONLIST
Level | 1 (Advanced)
Required | False
Confidential | False
Scope | DOMAIN
Options (Stored Value | Display):
AccountExpirationTime | Account Expiration Time
GUID | GUID
ForwardURL | Forward URL
LogoutURL | Logout URL
NetworkAddress | Network Address
NetworkHost | Network Host
PasswordExpired | Password Expired
PasswordExpireTime | Password Expire Time
PasswordPreExpired | Password Pre-Expired
PasswordSetTime | Password Set Time
PasswordSetTimeDelta | Password Set Time Delta
PasswordWarnPeriod | Password Warn Period
PasswordViolatesPolicy | Password Violates Policy
ResponsesStored | Responses Stored
ResponsesNeeded | Responses Needed
ResponsesTimestamp | Responses Timestamp
OTPStored | OTP Stored
OTPTimestamp | OTP Timestamp
Username | Username
UserDN | User DN
UserEmail | User Email
UserSMS | User SMS
Default | ForwardURL, LogoutURL, NetworkAddress, NetworkHost, OTPStored, OTPTimestamp, PasswordExpireTime, PasswordExpired, PasswordPreExpired, PasswordSetTime, PasswordSetTimeDelta, PasswordViolatesPolicy, PasswordWarnPeriod, ResponsesNeeded, ResponsesStored, ResponsesTimestamp, UserEmail, UserSMS, Username

Select the fields that are available for the users to view about their own account.

Label | LDAP Display Attributes
Key | accountInfo.view.form
Navigation | Modules ⇨ Authenticated ⇨ Account Information ⇨ Profiles ⇨ [profile] ⇨ LDAP Display Attributes
Syntax | FORM
Level | 1 (Advanced)
Required | False
Confidential | False
Scope | DOMAIN
Default |

Specify the LDAP attributes to show to users on the account information page.

Settings for the account information module.

Label | Enable Account Information
Key | display.accountInformation
Navigation | Modules ⇨ Authenticated ⇨ Account Information ⇨ Settings ⇨ Enable Account Information
Syntax | BOOLEAN
Level | 1 (Advanced)
Required | True
Confidential | False
Scope | DOMAIN
Default | True

Enable this option to show the User Account Information menu on the main menu.

Administration

Label | Administrator Permission
Key | pwmAdmin.queryMatch
Navigation | Modules ⇨ Authenticated ⇨ Administration ⇨ Administrator Permission
Syntax | USER_PERMISSION
Level | 0 (Normal)
Required | True
Confidential | False
Scope | DOMAIN
Default |

Specify the permissions PWM uses to determine if it grants a user administrator rights.

Label | Allow Admin to Skip Forced Activities
Key | pwmAdmin.allowSkipForcedActivities
Navigation | Modules ⇨ Authenticated ⇨ Administration ⇨ Allow Admin to Skip Forced Activities
Syntax | BOOLEAN
Level | 0 (Normal)
Required | True
Confidential | False
Scope | DOMAIN
Default | True

Allow administrators to skip otherwise forced activities such as setup of challenge/response answers.

The change password module is the core functionality of the application. Use these settings to control the behavior and functionality of the change password functionality that all users see.

Label | Change Password Profile Match
Key | password.allowChange.queryMatch
Navigation | Modules ⇨ Authenticated ⇨ Change Password ⇨ Profiles ⇨ [profile] ⇨ Change Password Profile Match
Syntax | USER_PERMISSION
Level | 2
Required | True
Confidential | False
Scope | DOMAIN
Default | UserPermission: All Users: [Profile: 'all']

Specify the permissions used to detect if PWM permits users to change their passwords.

Label | Logout After Password Change
Key | logoutAfterPasswordChange
Navigation | Modules ⇨ Authenticated ⇨ Change Password ⇨ Profiles ⇨ [profile] ⇨ Logout After Password Change
Syntax | BOOLEAN
Level | 1 (Advanced)
Required | True
Confidential | False
Scope | DOMAIN
Default | True

Enable this option to force users to log out (and send them to the logoutURL) after a password change.
In most cases, leave this option enabled (default), especially if you are using some type of single sign-on service.

Label | Change Password Required Values Form
Key | password.require.form
Navigation | Modules ⇨ Authenticated ⇨ Change Password ⇨ Profiles ⇨ [profile] ⇨ Change Password Required Values Form
Syntax | FORM
Level | 1 (Advanced)
Required | False
Confidential | False
Scope | DOMAIN
Default |

Specify the values the users are required to enter prior to a password change.

Label | Require Current Password During Change
Key | password.change.requireCurrent
Navigation | Modules ⇨ Authenticated ⇨ Change Password ⇨ Profiles ⇨ [profile] ⇨ Require Current Password During Change
Syntax | SELECT
Level | 1 (Advanced)
Required | True
Confidential | False
Scope | DOMAIN
Options (Stored Value | Display):
TRUE | True
FALSE | False
NOTEXPIRED | Only when not expired
Default | FALSE

Enable this option to require users to provide their current passwords on the Change Password page. You must enable this option if users are using a single sign-on service. In most cases, this is not required because the single sign-on service authenticates the users prior to accessing the Change Password page.

Label | Password Change Agreement Message
Key | display.password.changeAgreement
Navigation | Modules ⇨ Authenticated ⇨ Change Password ⇨ Profiles ⇨ [profile] ⇨ Password Change Agreement Message
Syntax | LOCALIZED_TEXT_AREA
Level | 1 (Advanced)
Macro Support | True
Required | False
Confidential | False
Scope | DOMAIN
Default |

Specify a message to display to users before allowing them to change their passwords. If blank, PWM does not display the change password agreement page to the users. This message can include HTML tags. This setting can use macros. For more information about macros, see the "View" menu "Show Macro Help".

Label | Password Change Completion Message
Key | display.password.completeMessage
Navigation | Modules ⇨ Authenticated ⇨ Change Password ⇨ Profiles ⇨ [profile] ⇨ Password Change Completion Message
Syntax | LOCALIZED_TEXT_AREA
Level | 1 (Advanced)
Macro Support | True
Required | False
Confidential | False
Scope | DOMAIN
Default |

Specify a message to display to users when they complete a password change. If blank, PWM does not display the change password completion page to the user. This message can include HTML tags. This setting can use macros. For more information, see the "View" menu "Show Macro Help".

Label | Password Guide Text
Key | display.password.guideText
Navigation | Modules ⇨ Authenticated ⇨ Change Password ⇨ Profiles ⇨ [profile] ⇨ Password Guide Text
Syntax | LOCALIZED_TEXT_AREA
Level | 1 (Advanced)
Required | False
Confidential | False
Scope | DOMAIN
Default |

Specify the text (with HTML tags/formatting) to show users on the password guide page. This appears as a "password guide" link and pop-up dialog. Leave blank to not show the password guide link. This setting allows macros. For more information, see the "View" menu "Show Macro Help".

Label | Password Change Minimum Wait Time
Key | passwordSyncMinWaitTime
Navigation | Modules ⇨ Authenticated ⇨ Change Password ⇨ Profiles ⇨ [profile] ⇨ Password Change Minimum Wait Time
Syntax | DURATION
Level | 2
Required | True
Confidential | False
Scope | DOMAIN
Default | 15

Specify how long, during a password change, the system waits before forwarding the user. This gives any background synchronization processes time to execute before the user executes the next operation.
Specify the value in seconds.

Label | Password Change Maximum Wait Time
Key | passwordSyncMaxWaitTime
Navigation | Modules ⇨ Authenticated ⇨ Change Password ⇨ Profiles ⇨ [profile] ⇨ Password Change Maximum Wait Time
Syntax | DURATION
Level | 2
Required | True
Confidential | False
Scope | DOMAIN
Default | 90

Specify how long, during a password change, the system waits for the password to be synchronized to all configured LDAP servers. In cases where the synchronization might take an extraordinary amount of time, this setting prevents the page from timing out.
Specify the value in seconds.

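As an added example (not PWM's own code) of how the replica sync check described under Password Sync Enable Replication Checking interacts with the minimum and maximum wait times: the loop below polls each replica's last-password-change time until every replica reflects the new value or passwordSyncMaxWaitTime elapses, and never releases the user before passwordSyncMinWaitTime. The replica lookup, the clock and the sleep are injected so it runs offline against constructed replicas; the vendor-specific way the change time is read, and the exact way PWM combines the two timers, are assumptions of this model.

```python
# Added example (not PWM code): a model of the replica sync check that
# passwordSync.enableReplicaCheck turns on, bounded by passwordSyncMinWaitTime
# and passwordSyncMaxWaitTime. How PWM actually reads each vendor's last
# password change time, and how it combines the two timers, are assumptions.
from enum import Enum
from typing import Callable, Dict, List, Optional


class ReplicaCheck(Enum):
    DISABLED = "DISABLED"          # do not perform replica sync checking
    ENABLED = "ENABLED"            # check, but do not show per-replica progress
    ENABLED_SHOW = "ENABLED_SHOW"  # check and show per-replica progress to the user


def wait_for_replica_sync(
    replicas: List[str],
    read_change_time: Callable[[str], Optional[int]],  # vendor-specific lookup (injected)
    change_time_at_write: int,       # change timestamp observed when the password was written
    now: Callable[[], float],        # clock (injected so the example runs offline)
    sleep: Callable[[float], None],
    mode: ReplicaCheck = ReplicaCheck.ENABLED,
    min_wait: float = 15,            # passwordSyncMinWaitTime default
    max_wait: float = 90,            # passwordSyncMaxWaitTime default
    poll_interval: float = 1.0,
    progress: Optional[Callable[[Dict[str, bool]], None]] = None,
) -> Dict[str, bool]:
    """Return {replica: synced?} after polling until every replica reflects the
    new change time or max_wait elapses; the caller is never released before
    min_wait so background synchronisation has time to run."""
    start = now()
    status: Dict[str, bool] = {}
    if mode is not ReplicaCheck.DISABLED:
        status = {r: False for r in replicas}
        while True:
            for r in replicas:
                if not status[r]:
                    t = read_change_time(r)
                    status[r] = t is not None and t >= change_time_at_write
            if progress is not None and mode is ReplicaCheck.ENABLED_SHOW:
                progress(dict(status))
            if all(status.values()) or now() - start >= max_wait:
                break
            sleep(poll_interval)
    remaining = min_wait - (now() - start)
    if remaining > 0:
        sleep(remaining)
    return status


class FakeClock:
    """Simulated clock: sleep() advances time instead of blocking."""
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


def simulate(sync_delays: Dict[str, Optional[int]],
             mode: ReplicaCheck = ReplicaCheck.ENABLED,
             min_wait: float = 15, max_wait: float = 90):
    """Run the check against constructed replicas. sync_delays maps each replica
    to the number of seconds after the write at which it shows the new change
    time (None = it never converges). Returns (status, seconds elapsed)."""
    clock = FakeClock()
    write_time = 1_700_000_000  # constructed change timestamp
    stale_time = write_time - 3600

    def read_change_time(replica: str) -> Optional[int]:
        delay = sync_delays[replica]
        if delay is None or clock.now() < delay:
            return stale_time  # replica still shows the previous change
        return write_time

    status = wait_for_replica_sync(list(sync_delays), read_change_time, write_time,
                                   clock.now, clock.sleep, mode, min_wait, max_wait)
    return status, clock.now()


if __name__ == "__main__":
    print(simulate({"ldap-a": 0, "ldap-b": 4}))            # both synced, released at 15 s
    print(simulate({"ldap-a": 0, "ldap-b": None}))         # ldap-b never syncs, gives up at 90 s
    print(simulate({"ldap-a": 0}, ReplicaCheck.DISABLED))  # no check, still waits 15 s
```

The second simulated run is the case the maximum wait time exists for: a replica that never converges would otherwise hold the page until it timed out, and the returned status shows which replica fell behind so it can be logged rather than silently ignored.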
Label | Password Pre-Expire Time
Key | expirePreTime
Navigation | Modules ⇨ Authenticated ⇨ Change Password ⇨ Profiles ⇨ [profile] ⇨ Password Pre-Expire Time
Syntax | DURATION
Level | 1 (Advanced)
Required | True
Confidential | False
Scope | DOMAIN
Default | 86400

Specify the number of seconds before the users' passwords expire in which to force the users to change their passwords. If the users' passwords expire within this time frame, the system behaves as if the users' passwords have already expired.
Setting this value to a day prevents most cases of users' passwords expiring while they are logged in. The recommended setting for this value is 86400 (1 day).

Label | Password Expire Warn Time
Key | expireWarnTime
Navigation | Modules ⇨ Authenticated ⇨ Change Password ⇨ Profiles ⇨ [profile] ⇨ Password Expire Warn Time
Syntax | DURATION
Level | 1 (Advanced)
Required | True
Confidential | False
Scope | DOMAIN
Default | 432000

Specify the number of seconds before users' passwords expire in which to warn the users to change their passwords. If the users' passwords expire within this time frame, the system warns the user during a CommandServlet checkExpire or checkAll operation.
If this time is zero or less than the expirePreTime, the system disables this feature. The recommended setting for this value is 432000 (5 days).

Label | Check Expire During Authentication
Key | expireCheckDuringAuth
Navigation | Modules ⇨ Authenticated ⇨ Change Password ⇨ Profiles ⇨ [profile] ⇨ Check Expire During Authentication
Syntax | BOOLEAN
Level | 2
Required | True
Confidential | False
Scope | DOMAIN
Default | True

Enable this option to check whether authenticated users' passwords are expired (or about to expire based on the expirePreTime). If this is set to true and the users' passwords are expired, PWM forces the users to the expire password page.

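The three settings above (expirePreTime, expireWarnTime and expireCheckDuringAuth) combine into one decision at login. The following Python model is an added example, not PWM's code: it uses the page's default values, works in Unix-epoch seconds, and reports the PasswordExpired, PasswordPreExpired and PasswordWarnPeriod status fields listed under Viewable Status Fields, including the stated rule that a warn time of zero or below expirePreTime disables the warning.

```python
# Added example (not PWM code): a model of how PWM's expirePreTime,
# expireWarnTime and expireCheckDuringAuth settings classify a password.
# Times are Unix-epoch seconds; the defaults are the ones on this page.
from dataclasses import dataclass
from typing import Optional

EXPIRE_PRE_TIME_DEFAULT = 86400    # 1 day
EXPIRE_WARN_TIME_DEFAULT = 432000  # 5 days


@dataclass(frozen=True)
class ExpiryState:
    """Mirrors three of the Viewable Status Fields: PasswordExpired,
    PasswordPreExpired and PasswordWarnPeriod."""
    password_expired: bool
    password_pre_expired: bool
    password_warn_period: bool


def warn_feature_enabled(expire_pre_time: int, expire_warn_time: int) -> bool:
    """The page's rule: a warn time of zero, or less than expirePreTime,
    disables the warning feature entirely."""
    return expire_warn_time > 0 and expire_warn_time >= expire_pre_time


def evaluate_expiry(now: int, expire_at: Optional[int],
                    expire_pre_time: int = EXPIRE_PRE_TIME_DEFAULT,
                    expire_warn_time: int = EXPIRE_WARN_TIME_DEFAULT) -> ExpiryState:
    """Classify a password whose directory expiration time is expire_at.

    - past the expiration time           -> expired
    - within expirePreTime of expiring   -> pre-expired (treated as expired)
    - within expireWarnTime of expiring  -> warn period (only if the feature is enabled)
    An account with no expiration time (None) is never expired or warned.
    """
    if expire_at is None:
        return ExpiryState(False, False, False)
    remaining = expire_at - now
    expired = remaining <= 0
    pre_expired = (not expired) and remaining <= expire_pre_time
    warn = (not expired and not pre_expired
            and warn_feature_enabled(expire_pre_time, expire_warn_time)
            and remaining <= expire_warn_time)
    return ExpiryState(expired, pre_expired, warn)


def force_password_change(state: ExpiryState, expire_check_during_auth: bool = True) -> bool:
    """expireCheckDuringAuth: only when it is enabled does an expired or
    pre-expired password send the user to the change password page at login."""
    return expire_check_during_auth and (state.password_expired or state.password_pre_expired)


if __name__ == "__main__":
    now = 1_700_000_000  # constructed "current time"
    for label, expire_at in [("expired", now - 60), ("pre-expired", now + 3600),
                             ("warn", now + 3 * 86400), ("ok", now + 30 * 86400)]:
        state = evaluate_expiry(now, expire_at)
        print(label, state, "force change:", force_password_change(state))
```

The pre-expired case is the one worth checking in a deployment: a password due to expire in an hour is handled exactly like an expired one, which is what stops a user's password from expiring mid-session, and a warn time set below expirePreTime silently turns the warning off rather than producing an error.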
Label | Post Password Change Actions
Key | changePassword.writeAttributes
Navigation | Modules ⇨ Authenticated ⇨ Change Password ⇨ Profiles ⇨ [profile] ⇨ Post Password Change Actions
Syntax | ACTION
Level | 1 (Advanced)
Required | False
Confidential | False
Scope | DOMAIN
Default |

Add actions to take after a user change password event occurs. PWM invokes these actions just after writing the password. You can use macros within the actions; they are expanded based on the logged-in user.

Label | Show Auto Generate Randoms
Key | password.showAutoGen
Navigation | Modules ⇨ Authenticated ⇨ Change Password ⇨ Profiles ⇨ [profile] ⇨ Show Auto Generate Randoms
Syntax | BOOLEAN
Level | 1 (Advanced)
Required | True
Confidential | False
Scope | DOMAIN
Default | True

Enable this option to display a link to users during the change password process that shows a list of auto-generated sample passwords that the configured password policies allow. The users have the option to select and use one of the values in the list. This option does not force the user to choose a password from the list.

The change password module is the core functionality of the application. Use these settings to control the behavior and functionality of the change password functionality that all users see.

Label | Enable Change Password Module
Key | changePassword.enable
Navigation | Modules ⇨ Authenticated ⇨ Change Password ⇨ Settings ⇨ Enable Change Password Module
Syntax | BOOLEAN
Level | 1 (Advanced)
Required | False
Confidential | False
Scope | DOMAIN
Default | True

Enable or disable the change password module.

Profiles

Label | Delete Account Profile Match
Key | deleteAccount.permission
Navigation | Modules ⇨ Authenticated ⇨ Delete Account ⇨ Profiles ⇨ [profile] ⇨ Delete Account Profile Match
Syntax | USER_PERMISSION
Level | 1 (Advanced)
Required | False
Confidential | False
Scope | DOMAIN
Default |

Specify the permissions to define the set of users to which this profile applies.

Label | Delete Account Agreement
Key | deleteAccount.agreement
Navigation | Modules ⇨ Authenticated ⇨ Delete Account ⇨ Profiles ⇨ [profile] ⇨ Delete Account Agreement
Syntax | LOCALIZED_TEXT_AREA
Level | 1 (Advanced)
Macro Support | True
Required | False
Confidential | False
Scope | DOMAIN
Default |

Specify a message to display to the users before allowing them to delete their accounts. If blank, PWM does not display the delete account user agreement page to the users. This message can include HTML tags.

Label | Delete LDAP Entry
Key | deleteAccount.deleteEntry
Navigation | Modules ⇨ Authenticated ⇨ Delete Account ⇨ Profiles ⇨ [profile] ⇨ Delete LDAP Entry
Syntax | BOOLEAN
Level | 1 (Advanced)
Required | False
Confidential | False
Scope | DOMAIN
Default | False

Enable this option to have PWM delete the user's LDAP entry from the LDAP directory. In many cases, it is desirable not to actually delete the LDAP entry, but instead to disable the account and take other actions via the Pre-Delete Actions.

Label | Pre-Delete Actions
Key | deleteAccount.actions
Navigation | Modules ⇨ Authenticated ⇨ Delete Account ⇨ Profiles ⇨ [profile] ⇨ Pre-Delete Actions
Syntax | ACTION
Level | 1 (Advanced)
Macro Support | True
Required | False
Confidential | False
Scope | DOMAIN
Default |

Add actions to execute during the user deletion process. PWM executes these actions prior to the actual LDAP entry deletion (if so configured). Typically, you use these actions to disable the LDAP account and trigger some type of process that results in an eventual deletion.

Label | Next URL
Key | deleteAccount.nextUrl
Navigation | Modules ⇨ Authenticated ⇨ Delete Account ⇨ Profiles ⇨ [profile] ⇨ Next URL
Syntax | STRING
Level | 1 (Advanced)
Macro Support | True
Required | False
Confidential | False
Scope | DOMAIN
Default |

Specify the URL to send the user to after deletion. If blank, the normal logout handling occurs.

Settings

Label | Enable Delete Account
Key | deleteAccount.enable
Navigation | Modules ⇨ Authenticated ⇨ Delete Account ⇨ Settings ⇨ Enable Delete Account
Syntax | BOOLEAN
Level | 1 (Advanced)
Required | False
Confidential | False
Scope | DOMAIN
Default | False

Enable this option to make the delete account module available to users.

Note: The guest user registration module requires that the logged-in user has sufficient permissions to create users and, if so configured, to check for duplicate values.

Label | Enable Guest Registration
Key | guest.enable
Navigation | Modules ⇨ Authenticated ⇨ Guest Registration ⇨ Enable Guest Registration
Syntax | BOOLEAN
Level | 1 (Advanced)
Required | True
Confidential | False
Scope | DOMAIN
Default | False

Enable this option to enable guest registration.

Label | Creation Context
Key | guest.createContext
Navigation | Modules ⇨ Authenticated ⇨ Guest Registration ⇨ Creation Context
Syntax | STRING
Level | 1 (Advanced)
Required | True
Confidential | False
Scope | DOMAIN
Default | ou=guests,o=example

Specify the LDAP context where PWM creates the new guest accounts.

Label | Guest Admin Permission
Key | guest.adminGroup
Navigation | Modules ⇨ Authenticated ⇨ Guest Registration ⇨ Guest Admin Permission
Syntax | USER_PERMISSION
Level | 1 (Advanced)
Required | True
Confidential | False
Scope | DOMAIN
Default |

Specify the query string PWM uses to detect if a user is a guest administrator. PWM performs an LDAP query during the login process against the logged-in user to determine if the user is a guest administrator. If the user matches the query, then the system considers the user a guest administrator.

Label | New Guest Form
Key | guest.form
Navigation | Modules ⇨ Authenticated ⇨ Guest Registration ⇨ New Guest Form
Syntax | FORM
Level | 1 (Advanced)
Required | True
Confidential | False
Scope | DOMAIN
Default |
FormItem Name:cn
Type:text Min:2 Max:32 ReadOnly:false Required:true Confirm:false Unique:true Multi-Value:false Source:ldap
Label:{"":"Username"}
Description:{"":""}
FormItem Name:givenName
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"First\n Name"}
Description:{"":""}
FormItem Name:sn
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Last\n Name"}
Description:{"":""}
FormItem Name:mail
Type:email Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:true Multi-Value:false Source:ldap
Label:{"":"Email\n Address"}
Description:{"":""}
FormItem Name:telephoneNumber
Type:tel Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Telephone\n Number"}
Description:{"":""}

Specify the New Guest form creation attributes and fields.

Label | Update Guest Form
Key | guest.update.form
Navigation | Modules ⇨ Authenticated ⇨ Guest Registration ⇨ Update Guest Form
Syntax | FORM
Level | 1 (Advanced)
Required | True
Confidential | False
Scope | DOMAIN
Default |
FormItem Name:cn
Type:text Min:2 Max:32 ReadOnly:true Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Username"}
Description:{"":""}
FormItem Name:givenName
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"First\n Name"}
Description:{"":""}
FormItem Name:sn
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Last\n Name"}
Description:{"":""}
FormItem Name:mail
Type:email Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:true Multi-Value:false Source:ldap
Label:{"":"Email\n Address"}
Description:{"":""}
FormItem Name:telephoneNumber
Type:tel Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Telephone\n Number"}
Description:{"":""}

Specify the attributes and fields of the form used to update an existing guest account.

Label | Guest Creation Actions
Key | guest.writeAttributes
Navigation | Modules ⇨ Authenticated ⇨ Guest Registration ⇨ Guest Creation Actions
Syntax | ACTION
Level | 1 (Advanced)
Required | False
Confidential | False
Scope | DOMAIN
Default |

Add actions PWM performs after it creates a guest user. You can use macros.

Label | Administrator DN Attribute
Key | guest.adminAttribute
Navigation | Modules ⇨ Authenticated ⇨ Guest Registration ⇨ Administrator DN Attribute
Syntax | STRING
Level | 1 (Advanced)
Required | False
Confidential | False
Scope | DOMAIN
Default | manager

Specify the attribute in which PWM writes the DN of the logged-in user in LDAP when it creates a guest user. PWM writes this attribute to the user object just after it creates the object.

Label | Edit Guest By Original Administrator Only
Key | guest.editOriginalAdminOnly
Navigation | Modules ⇨ Authenticated ⇨ Guest Registration ⇨ Edit Guest By Original Administrator Only
Syntax | BOOLEAN
Level | 1 (Advanced)
Required | True
Confidential | False
Scope | DOMAIN
Default | False

Enable this option to only allow the guest administrator who created the guest account to update the guest account details.

Label | Maximum Duration of Account Validity
Key | guest.maxValidDays
Navigation | Modules ⇨ Authenticated ⇨ Guest Registration ⇨ Maximum Duration of Account Validity
Syntax | NUMERIC
Level | 1 (Advanced)
Required | True
Confidential | False
Scope | DOMAIN
Default | 30

Specify the maximum number of days before the system disables the account. The guest administrator can use a calendar widget to select an expiration date, which must be within the account validity window. If this value is zero, PWM does not prompt the guest administrator for an expiration date and it does not record an expiration date on the user.

Label | Attribute Used To Store Account Expiration Date
Key | guest.expirationAttribute
Navigation | Modules ⇨ Authenticated ⇨ Guest Registration ⇨ Attribute Used To Store Account Expiration Date
Syntax | STRING
Level | 1 (Advanced)
Required | False
Confidential | False
Scope | DOMAIN
Default | loginExpirationTime

Specify the attribute PWM uses to store the account expiration date. If this value is blank, PWM does not prompt the guest administrator for an expiration date and it does not record an expiration date on the user.

Help Desk Base

Label | Help Desk Profile Match
Key | helpdesk.queryMatch
Navigation | Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Details ⇨ Help Desk Profile Match
Syntax | USER_PERMISSION
Level | 1 (Advanced)
Required | True
Confidential | False
Scope | DOMAIN
Default |

Specify the users to which this help desk profile definition applies.

Label | Help Desk Search Attributes
Key | helpdesk.search.form
Navigation | Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Details ⇨ Help Desk Search Attributes
Syntax | FORM
Level | 1 (Advanced)
Required | True
Confidential | False
Scope | DOMAIN
Default (template: default) |
FormItem Name:cn
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Username"}
Description:{"":""}
FormItem Name:givenName
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"First Name"}
Description:{"":""}
FormItem Name:sn
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Last Name"}
Description:{"":""}
FormItem Name:mail
Type:email Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Email"}
Description:{"":""}
FormItem Name:workforceID
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Workforce ID"}
Description:{"":""}
Default (template: AD) |
FormItem Name:sAMAccountName
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Username"}
Description:{"":""}
FormItem Name:givenName
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"First Name"}
Description:{"":""}
FormItem Name:sn
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Last Name"}
Description:{"":""}
FormItem Name:mail
Type:email Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Email"}
Description:{"":""}
FormItem Name:userPrincipalName
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"UPN"}
Description:{"":""}

Specify the attributes used in searching.

Label
|
Help Desk Search Results |
Key
|
helpdesk.result.form |
Navigation
|
Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Details ⇨ Help Desk Search Results |
Syntax
|
FORM |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
Template | Value |
default |
FormItem Name:cn
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Username"}
Description:{"":""}
FormItem Name:givenName
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"First Name"}
Description:{"":""}
FormItem Name:sn
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Last Name"}
Description:{"":""}
FormItem Name:mail
Type:email Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Email"}
Description:{"":""}
FormItem Name:workforceID
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Workforce ID"}
Description:{"":""}
|
AD |
FormItem Name:sAMAccountName
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Username"}
Description:{"":""}
FormItem Name:givenName
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"First Name"}
Description:{"":""}
FormItem Name:sn
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Last Name"}
Description:{"":""}
FormItem Name:mail
Type:email Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Email"}
Description:{"":""}
FormItem Name:userPrincipalName
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"UPN"}
Description:{"":""}
|
|
Add the fields PWM shows as a result of help desk searches. |
Label
|
Help Desk Search Filter |
Key
|
helpdesk.filter |
Navigation
|
Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Details ⇨ Help Desk Search Filter |
Syntax
|
STRING |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
Specify the LDAP search filter used to query the directory. PWM substitutes %USERNAME% with the search string the operator supplies. If not specified, PWM auto-calculates a search filter based on the Help Desk Search Attributes. Examples:
eDirectory:
(&(objectClass=Person)(|(cn=*%USERNAME%*)(uid=*%USERNAME%*)(givenName=*%USERNAME%*)(sn=*%USERNAME%*)))
Active Directory:
(&(objectClass=Person)(|(cn=*%USERNAME%*)(uid=*%USERNAME%*)(sAMAccountName=*%USERNAME%*)(userprincipalname=*%USERNAME%*)(givenName=*%USERNAME%*)(sn=*%USERNAME%*)))
|
Label
|
LDAP Search Base |
Key
|
helpdesk.searchBase |
Navigation
|
Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Details ⇨ LDAP Search Base |
Syntax
|
STRING_ARRAY |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
Specify one or more LDAP search bases. If empty, PWM uses the default LDAP search base. |
Label
|
Help Desk Detail Form |
Key
|
helpdesk.detail.form |
Navigation
|
Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Details ⇨ Help Desk Detail Form |
Syntax
|
FORM |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
FormItem Name:cn
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"CN"}
Description:{"":""}
FormItem Name:uid
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"uid"}
Description:{"":""}
FormItem Name:givenName
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"First Name"}
Description:{"":""}
FormItem Name:initials
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Initials"}
Description:{"":""}
FormItem Name:sn
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Last Name"}
Description:{"":""}
FormItem Name:fullName
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Full Name"}
Description:{"":""}
FormItem Name:preferredName
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Preferred Name"}
Description:{"":""}
FormItem Name:mail
Type:email Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Email Address"}
Description:{"":""}
FormItem Name:telephoneNumber
Type:tel Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Telephone Number"}
Description:{"":""}
FormItem Name:title
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Title"}
Description:{"":""}
FormItem Name:ou
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Department"}
Description:{"":""}
FormItem Name:businessCategory
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Business Category"}
Description:{"":""}
FormItem Name:company
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Company"}
Description:{"":""}
FormItem Name:street
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Street"}
Description:{"":""}
FormItem Name:physicalDeliveryOfficeName
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"City"}
Description:{"":""}
FormItem Name:st
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"State"}
Description:{"":""}
FormItem Name:l
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Location"}
Description:{"":""}
FormItem Name:employeeType
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Employee Type"}
Description:{"":""}
FormItem Name:employeeStatus
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Employee Status"}
Description:{"":""}
FormItem Name:workforceID
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Workforce ID"}
Description:{"":""}
|
Specify the fields PWM shows during the detail view of an individual. |
Label
|
Help Desk Search Result Limit |
Key
|
helpdesk.result.limit |
Navigation
|
Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Details ⇨ Help Desk Search Result Limit |
Syntax
|
NUMERIC |
Level
|
2 |
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
200
|
Specify the maximum number of results a Help Desk search returns. |
Label
|
Send Password to User |
Key
|
helpdesk.sendPassword |
Navigation
|
Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Details ⇨ Send Password to User |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
False
|
Enable this option to send the password to the user using the method selected under Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ Definition ⇨ New Password Send Method. |
Label
|
Post Set Password Actions |
Key
|
helpdesk.setPassword.writeAttributes |
Navigation
|
Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Details ⇨ Post Set Password Actions |
Syntax
|
ACTION |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
Add actions the system executes after a Help Desk actor modifies the user's password. You can use macros. |
Label
|
Help Desk Actor Actions |
Key
|
helpdesk.actions |
Navigation
|
Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Details ⇨ Help Desk Actor Actions |
Syntax
|
ACTION |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
Add actions available to the Help Desk actor. You can use macros. |
Label
|
Idle Timeout Seconds for Help Desk Users |
Key
|
helpdesk.idleTimeout |
Navigation
|
Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Details ⇨ Idle Timeout Seconds for Help Desk Users |
Syntax
|
DURATION |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
3600
|
Specify the idle time, in seconds, after which PWM ends an authenticated session. PWM applies this idle timeout to the session as soon as a user successfully accesses the Help Desk module. |
Label
|
Enforce User Password Policy |
Key
|
helpdesk.enforcePasswordPolicy |
Navigation
|
Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Details ⇨ Enforce User Password Policy |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
True
|
Enable this option to require that passwords set by Help Desk operators meet the same password policy that normally constrains the user. |
Label
|
Clear Responses on Password Set |
Key
|
helpdesk.clearResponses |
Navigation
|
Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Details ⇨ Clear Responses on Password Set |
Syntax
|
SELECT |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Options
|
Stored Value | Display |
yes |
True |
ask |
Ask |
no |
False |
|
Default
|
ask
|
Select whether PWM clears a user's stored challenge responses after a Help Desk operator changes the user's password: True always clears them, False never does, and Ask lets the operator decide at the time of the change. |
Label
|
Force Password Expiration On Password Set |
Key
|
helpdesk.forcePwExpiration |
Navigation
|
Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Details ⇨ Force Password Expiration On Password Set |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
False
|
Enable this option to expire the user's password immediately when a Help Desk operator sets it, so the user must choose a new password at the next login. |
Label
|
Use Proxy Connection |
Key
|
helpdesk.useProxy |
Navigation
|
Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Details ⇨ Use Proxy Connection |
Syntax
|
BOOLEAN |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
False
|
Enable this option to use the application proxy connection for all actions initiated in the Help Desk module. When disabled, PWM performs actions using the logged-in operator's own LDAP connection, so the operator needs the appropriate privileges in the LDAP directory and the directory's own access controls still bound what the operator can do. When enabled, every action runs with the proxy account's privileges, so the Help Desk Profile Match, the verification settings, and the per-button options in this profile become the only controls on what an operator can change. |
Label
|
Person Detail Display Labels |
Key
|
helpdesk.displayName.cardLabels |
Navigation
|
Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Details ⇨ Person Detail Display Labels |
Syntax
|
STRING_ARRAY |
Level
|
1
(Advanced)
|
Macro Support
|
True |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
@LDAP:givenName@ @LDAP:sn@
@LDAP:title@
@LDAP:mail@
@LDAP:telephoneNumber@
|
Specify the display labels for the user panel in the Help Desk Search detail. You can use LDAP attribute value macros such as @LDAP:givenName@. |
Label
|
Token Send Method |
Key
|
helpdesk.token.sendMethod |
Navigation
|
Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Details ⇨ Token Send Method |
Syntax
|
SELECT |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Options
|
Stored Value | Display |
NONE |
None - Token verification will not be available |
EMAILONLY |
Email - Send to email address |
SMSONLY |
SMS - Send via SMS |
CHOICE_SMS_EMAIL |
Operator Choice - If both an SMS number and an email address are available, the helpdesk operator decides |
|
Default
|
NONE
|
Select the methods the system uses for sending the token code to the user. |
Help Desk Options
Label
|
Viewable Status Fields |
Key
|
helpdesk.viewStatusValues |
Navigation
|
Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Options ⇨ Viewable Status Fields |
Syntax
|
OPTIONLIST |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Options
|
Stored Value | Display |
AccountEnabled |
Account Enabled |
AccountExpired |
Account Expired |
AccountExpirationTime |
Account Expiration Time |
GUID |
GUID |
IntruderDetect |
Intruder Detect |
LastLoginTime |
Last Login Time |
LastLoginTimeDelta |
Last Login Time Delta |
PasswordExpired |
Password Expired |
PasswordExpireTime |
Password Expire Time |
PasswordPreExpired |
Password Pre-Expired |
PasswordSetTime |
Password Set Time |
PasswordSetTimeDelta |
Password Set Time Delta |
PasswordWarnPeriod |
Password Warn Period |
ResponsesStored |
Responses Stored |
ResponsesNeeded |
Responses Needed |
ResponsesTimestamp |
Responses Timestamp |
OTPStored |
OTP Stored |
OTPTimestamp |
OTP Timestamp |
Username |
Username |
UserDN |
User DN |
UserEmail |
User Email |
UserSMS |
User SMS |
|
Default
|
AccountEnabled
IntruderDetect
LastLoginTime
LastLoginTimeDelta
OTPStored
OTPTimestamp
PasswordExpireTime
PasswordExpired
PasswordPreExpired
PasswordSetTime
PasswordSetTimeDelta
PasswordWarnPeriod
ResponsesNeeded
ResponsesStored
ResponsesTimestamp
UserDN
UserEmail
UserSMS
Username
|
Select the status fields that Help Desk operators can view for a user. |
Label
|
Set Password UI Mode |
Key
|
helpdesk.setPassword.mode |
Navigation
|
Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Options ⇨ Set Password UI Mode |
Syntax
|
SELECT |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Options
|
Stored Value | Display |
none |
None |
type |
Type new password |
autogen |
Auto generate a list of random passwords to choose from |
both |
Auto generate a list of random passwords and allow typing of new password |
random |
Set the password to a random value unknown to the helpdesk operator |
|
Default
|
autogen
|
Select how Help Desk operators set passwords. (The logged-in operator must have the proper LDAP permissions unless Use Proxy Connection is enabled for this profile.) |
Label
|
Enable Unlock |
Key
|
helpdesk.enableUnlock |
Navigation
|
Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Options ⇨ Enable Unlock |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
True
|
Enable this option to allow Help Desk operators to unlock an account that the LDAP directory has locked through intruder detection. |
Label
|
Enable Clear Responses Button |
Key
|
helpdesk.clearResponses.button |
Navigation
|
Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Options ⇨ Enable Clear Responses Button |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
False
|
Enable this option to allow the Help Desk operator to clear out a user's stored responses by clicking a button. |
Label
|
Enable Clear One Time Password Settings Button |
Key
|
helpdesk.clearOtp.button |
Navigation
|
Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Options ⇨ Enable Clear One Time Password Settings Button |
Syntax
|
BOOLEAN |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
False
|
Enable this option to allow the Help Desk operator to clear out a user's stored one-time password settings by clicking a button. |
Label
|
Enable Delete User Button |
Key
|
helpdesk.deleteUser.button |
Navigation
|
Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Options ⇨ Enable Delete User Button |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
False
|
Enable this option to allow the Help Desk operator to delete the user. |
Label
|
Mask Password Value |
Key
|
helpdesk.setPassword.maskValue |
Navigation
|
Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Options ⇨ Mask Password Value |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
False
|
Enable this option to have PWM mask the password value on screen while it is being entered in the Help Desk set-password dialog. |
Label
|
Enable Photos |
Key
|
helpdesk.enablePhotos |
Navigation
|
Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Options ⇨ Enable Photos |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
True
|
Enable this option to show user photos in the Help Desk search screen. |
Label
|
Enable Advanced Search |
Key
|
helpdesk.advancedSearch.enable |
Navigation
|
Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Options ⇨ Enable Advanced Search |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
True
|
Enable advanced searching user interface. Allows operators to specify individual attributes for searching. |
Help Desk Verification
Label
|
Verification Methods |
Key
|
helpdesk.verificationMethods |
Navigation
|
Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Verification ⇨ Verification Methods |
Syntax
|
VERIFICATION_METHOD |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
optional methods: n/a, required methods: n/a
|
Select the verification methods that the Help Desk operators use to confirm the identity of a user. Any method you set to required or optional is available to the Help Desk operator. If one or more methods are set to required, at least one of the required methods must be successfully completed before the Help Desk operator can view the user's details. |
Label
|
Verification Attributes |
Key
|
helpdesk.verification.form |
Navigation
|
Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Verification ⇨ Verification Attributes |
Syntax
|
FORM |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
FormItem Name:postalCode
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Postal Code"}
Description:{"":""}
|
Specify the attributes the LDAP Attributes verification method compares against, as selected in the setting Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ [profile] ⇨ Verification ⇨ Verification Methods. Choose attributes the caller would know but that the operator cannot already read elsewhere, such as in the Help Desk Detail Form or People Search; otherwise the check does not prove the caller's identity. |
Help Desk Settings
System-wide settings for the Help Desk module.
Label
|
Enable Help Desk Module |
Key
|
helpdesk.enable |
Navigation
|
Modules ⇨ Authenticated ⇨ Help Desk ⇨ Settings ⇨ Enable Help Desk Module |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
False
|
Enable this option to enable the Help Desk module. |
The People Search module provides basic white pages or directory lookup functionality to your users. Customizations allow easy searching and quick display of detailed information about your users' colleagues.
People Search Profiles
Label
|
Permitted Users |
Key
|
peopleSearch.queryMatch |
Navigation
|
Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ Permitted Users |
Syntax
|
USER_PERMISSION |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
UserPermission: All Users: [Profile: 'all']
|
Define an LDAP directory filter that contains the users permitted to access the People Search module. |
Label
|
Search Attributes |
Key
|
peopleSearch.search.form |
Navigation
|
Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ Search Attributes |
Syntax
|
FORM |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
FormItem Name:givenName
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"First Name"}
Description:{"":""}
FormItem Name:sn
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Last Name"}
Description:{"":""}
FormItem Name:title
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Title"}
Description:{"":""}
FormItem Name:mail
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Email"}
Description:{"":""}
|
Add the LDAP attributes PWM searches when it auto-generates the search filter for the setting Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ People Search LDAP Filter. PWM also uses this list to determine which fields of the user detail form appear in the "Like" search option. |
Label
|
Search Result Attributes |
Key
|
peopleSearch.result.form |
Navigation
|
Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ Search Result Attributes |
Syntax
|
FORM |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
FormItem Name:givenName
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"First Name"}
Description:{"":""}
FormItem Name:sn
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Last Name"}
Description:{"":""}
FormItem Name:title
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Title"}
Description:{"":""}
FormItem Name:mail
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Email"}
Description:{"":""}
FormItem Name:telephoneNumber
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Telephone"}
Description:{"":""}
|
Specify the attributes the People Search module shows in the search results table during searches. |
Label
|
Search Detail Attributes |
Key
|
peopleSearch.detail.form |
Navigation
|
Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ Search Detail Attributes |
Syntax
|
FORM |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
FormItem Name:givenName
Type:text Min:1 Max:64 ReadOnly:true Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"First Name"}
Description:{"":""}
FormItem Name:sn
Type:text Min:1 Max:64 ReadOnly:true Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Last Name"}
Description:{"":""}
FormItem Name:fullName
Type:text Min:1 Max:64 ReadOnly:true Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Full Name"}
Description:{"":""}
FormItem Name:mail
Type:email Min:1 Max:64 ReadOnly:true Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Email Address"}
Description:{"":""}
FormItem Name:telephoneNumber
Type:tel Min:1 Max:64 ReadOnly:true Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Telephone Number"}
Description:{"":""}
FormItem Name:title
Type:text Min:1 Max:64 ReadOnly:true Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Title"}
Description:{"":""}
FormItem Name:ou
Type:text Min:1 Max:64 ReadOnly:true Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Department"}
Description:{"":""}
FormItem Name:businessCategory
Type:text Min:1 Max:64 ReadOnly:true Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Business Category"}
Description:{"":""}
FormItem Name:company
Type:text Min:1 Max:64 ReadOnly:true Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Company"}
Description:{"":""}
FormItem Name:street
Type:text Min:1 Max:64 ReadOnly:true Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Street"}
Description:{"":""}
FormItem Name:physicalDeliveryOfficeName
Type:text Min:1 Max:64 ReadOnly:true Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"City"}
Description:{"":""}
FormItem Name:st
Type:text Min:1 Max:64 ReadOnly:true Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"State"}
Description:{"":""}
FormItem Name:l
Type:text Min:1 Max:64 ReadOnly:true Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Location"}
Description:{"":""}
FormItem Name:employeeType
Type:text Min:1 Max:64 ReadOnly:true Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Employee Type"}
Description:{"":""}
FormItem Name:employeeStatus
Type:text Min:1 Max:64 ReadOnly:true Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Employee Status"}
Description:{"":""}
FormItem Name:assistant
Type:userDN Min:1 Max:64 ReadOnly:true Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Assistant"}
Description:{"":""}
FormItem Name:manager
Type:userDN Min:1 Max:64 ReadOnly:true Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Manager"}
Description:{"":""}
FormItem Name:directReports
Type:userDN Min:1 Max:64 ReadOnly:true Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Direct Reports"}
Description:{"":""}
|
Specify attributes to show in the detail view of an individual person's record. |
Label
|
Search Result Limit |
Key
|
peopleSearch.result.limit |
Navigation
|
Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ Search Result Limit |
Syntax
|
NUMERIC |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
200
|
Specify the maximum number of records PWM returns while searching. |
Label
|
Use Proxy LDAP Account |
Key
|
peopleSearch.useProxy |
Navigation
|
Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ Use Proxy LDAP Account |
Syntax
|
BOOLEAN |
Level
|
2 |
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
False
|
Enable this option to use the LDAP proxy account to perform searches. For proper security in most environments, do not enable this setting: when it is disabled, searches run under the logged-in user's own LDAP connection and the directory's access controls limit what each user can see, whereas with the proxy account every user can see whatever the proxy account is allowed to read. |
Label
|
Person Detail Display Labels |
Key
|
peopleSearch.displayName.cardLabels |
Navigation
|
Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ Person Detail Display Labels |
Syntax
|
STRING_ARRAY |
Level
|
1
(Advanced)
|
Macro Support
|
True |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
@LDAP:givenName@ @LDAP:sn@
@LDAP:title@
@LDAP:mail@
@LDAP:telephoneNumber@
|
Specify the display labels for the user panel in the People Search detail and on the organizational chart views. You can use LDAP attribute value macros such as @LDAP:givenName@. |
Label
|
Maximum Cache Seconds |
Key
|
peopleSearch.maxCacheSeconds |
Navigation
|
Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ Maximum Cache Seconds |
Syntax
|
DURATION |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
600
|
Specify the number of seconds that PWM caches the results of searches and record details that it reads from the LDAP directory. Use this setting to control the maximum amount of time PWM can serve cached data; changes in the directory, including access revocations, are not reflected until the cached entry expires. Setting this to zero disables the cache entirely, but this might negatively impact the scalability of the application and the LDAP directory. |
Label
|
Enable Photos |
Key
|
peopleSearch.enablePhoto |
Navigation
|
Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ Enable Photos |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
True
|
Enable this option to show photos of people in the organizational chart and in the user detail view. |
Label
|
Photo Display Permission |
Key
|
peopleSearch.photo.queryFilter |
Navigation
|
Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ Photo Display Permission |
Syntax
|
USER_PERMISSION |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
UserPermission: All Users: [Profile: 'all']
|
Specify an LDAP permission filter to control photo visibility when displaying an organizational chart or detail record view. If a user does not match this permission, PWM does not display the user's photo. |
Label
|
People Search LDAP Filter |
Key
|
peopleSearch.searchFilter |
Navigation
|
Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ People Search LDAP Filter |
Syntax
|
STRING |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
Specify the LDAP search filter the People Search module uses to query the directory. PWM substitutes %USERNAME% with the user-supplied search string. If blank, PWM auto-generates the search filter from the values in the setting Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ Search Attributes.
Example:
(&(objectClass=Person)(|(givenName=*%USERNAME%*)(sn=*%USERNAME%*)(mail=*%USERNAME%*)(telephoneNumber=*%USERNAME%*)))
|
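The Help Desk Search Filter and the People Search LDAP Filter settings both take a template into which PWM substitutes %USERNAME%, and both fall back to a filter derived from the corresponding Search Attributes form when left blank. The following Python is an added illustration written for this page, not PWM's own code. It parses the flattened FormItem notation in which form defaults are printed above, derives an OR-of-substring filter from it (the exact shape PWM generates is an assumption here), fills in %USERNAME% with RFC 4515 escaping, and shows why that escaping matters by counting the assertions in the rendered filter for a hostile input. The sample form text, the Person object class and the hostile input are all constructed for the example.

```python
"""Added illustration of %USERNAME% filter templates; not PWM code.
Assumption: PWM's auto-generated filter has the OR-of-substring shape below."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample in the flattened FormItem notation used on this page
# (three entries of the "default" Help Desk Search Attributes template).
SAMPLE_SEARCH_FORM = """\
FormItem Name:cn
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Username"}
Description:{"":""}
FormItem Name:givenName
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"First Name"}
Description:{"":""}
FormItem Name:mail
Type:email Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Email"}
Description:{"":""}
"""


@dataclass
class FormItem:
    name: str
    kind: str
    source: str
    required: bool


def parse_form(text: str) -> list[FormItem]:
    """Parse FormItem blocks; only the Name and the Type line matter for searching."""
    raw: list[dict] = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("FormItem Name:"):
            raw.append({"name": line.split(":", 1)[1].strip()})
        elif line.startswith("Type:") and raw:
            raw[-1].update((k.lower(), v) for k, v in re.findall(r"([\w-]+):(\S+)", line))
    return [FormItem(r["name"], r.get("type", "text"), r.get("source", "ldap"),
                     r.get("required") == "true") for r in raw]


def auto_filter(items: list[FormItem], object_class: str = "Person") -> str:
    """OR of substring matches over every ldap-sourced search attribute
    (assumed shape of the filter PWM derives when the filter setting is blank)."""
    clauses = "".join(f"({i.name}=*%USERNAME%*)" for i in items if i.source == "ldap")
    return f"(&(objectClass={object_class})(|{clauses}))"


# RFC 4515 section 3: these characters must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, username: str, escape: bool = True) -> str:
    """Substitute %USERNAME%; escape=False shows what a raw substitution would do."""
    return template.replace("%USERNAME%", escape_filter_value(username) if escape else username)


def is_well_formed(ldap_filter: str) -> bool:
    """Lint for hand-written templates: balanced parentheses and no '((' grouping,
    which RFC 4515 does not allow (every '(' must open a filtercomp)."""
    depth, prev = 0, ""
    for ch in ldap_filter:
        if ch == "(":
            if prev == "(":
                return False
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        prev = ch
    return depth == 0


def count_assertions(ldap_filter: str) -> int:
    """Number of attribute=value assertions; it only grows if input injected clauses."""
    return len(re.findall(r"\([\w.;-]+[~<>]?=", ldap_filter))


if __name__ == "__main__":
    template = auto_filter(parse_form(SAMPLE_SEARCH_FORM))
    print(template, "well-formed:", is_well_formed(template))
    hostile = "*)(objectClass=*"  # constructed input that tries to add clauses
    for esc in (False, True):
        rendered = render_filter(template, hostile, escape=esc)
        print(f"escape={esc}: {count_assertions(rendered)} assertions -> {rendered}")
```

Run the module directly to see both renderings. The structural check is only a lint for hand-edited templates (it rejects the doubled `((` grouping that is easy to introduce); it is not a security control, because the injected filter in the demo is perfectly well-formed yet matches every entry. Only escaping of the substituted value keeps user input from adding clauses, so when writing a custom template keep the wildcards in the template itself and confirm, with a trace of the LDAP request PWM actually sends, that the substituted search string arrives escaped.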
Label
|
LDAP Search base |
Key
|
peopleSearch.searchBase |
Navigation
|
Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ LDAP Search base |
Syntax
|
STRING_ARRAY |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
Specify the LDAP search bases for the People Search module. If empty, PWM uses the default LDAP search bases. |
Label
|
Enable Organizational Chart |
Key
|
peopleSearch.enableOrgChart |
Navigation
|
Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ Enable Organizational Chart |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
True
|
Enable this option to show an organizational chart of users. |
Label
|
Enable Export |
Key
|
peopleSearch.enableExport |
Navigation
|
Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ Enable Export |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
False
|
Enable this option to allow download of organizational chart data. |
Label
|
Enable Team Mailto |
Key
|
peopleSearch.enableTeamMailto |
Navigation
|
Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ Enable Team Mailto |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
False
|
Enable this option to show a link in the org chart view that opens an email addressed to a team of users. |
Label: Enable Printing
Key: peopleSearch.enablePrinting
Navigation: Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ Enable Printing
Syntax: BOOLEAN
Level: 1 (Advanced)
Required: False
Confidential: False
Scope: DOMAIN
Default: False
Enable this option to show a print option in the org chart view.

Label: Idle Timeout Seconds
Key: peopleSearch.idleTimeout
Navigation: Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ Idle Timeout Seconds
Syntax: DURATION
Level: 1 (Advanced)
Required: False
Confidential: False
Scope: DOMAIN
Default: 0
Specify the number of seconds after which an authenticated session becomes unauthenticated. If the value is 0, PWM uses the system-wide idle timeout value. If a user is using the People Search module without authenticating, the system does not apply a timeout.

Label: Enable Advanced Search
Key: peopleSearch.advancedSearch.enable
Navigation: Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ [profile] ⇨ Enable Advanced Search
Syntax: BOOLEAN
Level: 1 (Advanced)
Required: False
Confidential: False
Scope: DOMAIN
Default: False
Enable the advanced search user interface, which allows users to specify individual attributes for searching.

People Search Settings
Label: Enable People Search
Key: peopleSearch.enable
Navigation: Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Settings ⇨ Enable People Search
Syntax: BOOLEAN
Level: 1 (Advanced)
Required: False
Confidential: False
Scope: DOMAIN
Default: False
Enable this option to enable the People Search module.

Label: Enable People Search Public (Non-Authenticated) Access
Key: peopleSearch.enablePublic
Navigation: Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Settings ⇨ Enable People Search Public (Non-Authenticated) Access
Syntax: BOOLEAN
Level: 1 (Advanced)
Required: False
Confidential: False
Scope: DOMAIN
Default: False
Enable this option to allow access to the People Search module for unauthenticated users.

Label: People Search Public Profile
Key: peopleSearch.public.profile
Navigation: Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Settings ⇨ People Search Public Profile
Syntax: STRING
Level: 1 (Advanced)
Required: False
Confidential: False
Scope: DOMAIN
Default: default
Name of the People Search profile to be used by public users.

Options for time-based one time passwords.
Label: One Time Password Profile Match
Key: otp.secret.allowSetup.queryMatch
Navigation: Modules ⇨ Authenticated ⇨ Setup OTP ⇨ OTP Profile ⇨ [profile] ⇨ One Time Password Profile Match
Syntax: USER_PERMISSION
Level: 1 (Advanced)
Required: True
Confidential: False
Scope: DOMAIN
Default: UserPermission: All Users: [Profile: 'all']
Specify the set of users that this OTP Setup profile will include.

Label: Force Setup of One Time Passwords
Key: otp.forceSetup
Navigation: Modules ⇨ Authenticated ⇨ Setup OTP ⇨ OTP Profile ⇨ [profile] ⇨ Force Setup of One Time Passwords
Syntax: SELECT
Level: 1 (Advanced)
Required: True
Confidential: False
Scope: DOMAIN
Options (stored value: display):
  FORCE: Force Setup
  FORCE_ALLOW_SKIP: Force Setup - but allow user to skip
  SKIP: Do not force setup
Default: SKIP
Enable this option, together with one-time passwords, to have PWM direct the user to configure a one-time password secret when logging in. PWM forces the user to configure a one-time password if they do not have a current valid secret stored.

Label: OTP Secret Identifier
Key: otp.secret.identifier
Navigation: Modules ⇨ Authenticated ⇨ Setup OTP ⇨ OTP Profile ⇨ [profile] ⇨ OTP Secret Identifier
Syntax: STRING
Level: 2
Required: True
Confidential: False
Scope: DOMAIN
Default: @User:Email@
Specify the User Identifier for OTP. Macros are available.

Label: OTP Recovery Codes
Key: otp.secret.recoveryCodes
Navigation: Modules ⇨ Authenticated ⇨ Setup OTP ⇨ OTP Profile ⇨ [profile] ⇨ OTP Recovery Codes
Syntax: NUMERIC
Level: 2
Required: True
Confidential: False
Scope: DOMAIN
Default: 5
Specify the number of OTP recovery codes to supply to the users. Recovery codes can be used one time each to authenticate and are intended for occasions when the users lose access to their OTP devices. Set to zero to disable recovery codes. Not all storage formats support recovery codes.

Options for time-based one time passwords.
Label: Allow Saving One Time Passwords
Key: otp.enabled
Navigation: Modules ⇨ Authenticated ⇨ Setup OTP ⇨ OTP Settings ⇨ Allow Saving One Time Passwords
Syntax: BOOLEAN
Level: 1 (Advanced)
Required: True
Confidential: False
Scope: DOMAIN
Default: False
Enable this option to allow the user to configure and save a one time password.

Label: OTP Secret Read Location
Key: otp.secret.readPreference
Navigation: Modules ⇨ Authenticated ⇨ Setup OTP ⇨ OTP Settings ⇨ OTP Secret Read Location
Syntax: SELECT
Level: 1 (Advanced)
Required: True
Confidential: False
Scope: DOMAIN
Options (stored value: display):
  LDAP: LDAP
  LDAP-DB: LDAP, Database
  LDAP-DB-LOCALDB: LDAP, Database, LocalDB
  LDAP-LOCALDB: LDAP, LocalDB
  LDAP-LOCALDB-DB: LDAP, LocalDB, Database
  DB: Database
  DB-LDAP: Database, LDAP
  DB-LDAP-LOCALDB: Database, LDAP, LocalDB
  DB-LOCALDB: Database, LocalDB
  DB-LOCALDB-LDAP: Database, LocalDB, LDAP
  LOCALDB: LocalDB
  LOCALDB-DB: LocalDB, Database
  LOCALDB-DB-LDAP: LocalDB, Database, LDAP
  LOCALDB-LDAP: LocalDB, LDAP
  LOCALDB-LDAP-DB: LocalDB, LDAP, Database
Default (by template):
  DB: DB
  LOCALDB: LOCALDB
  default: LDAP
Select the location from which PWM reads the OTP secret. If you select an option with multiple values, PWM reads each location in turn until it finds a stored secret.

Label: OTP Secret Write Location
Key: otp.secret.writePreference
Navigation: Modules ⇨ Authenticated ⇨ Setup OTP ⇨ OTP Settings ⇨ OTP Secret Write Location
Syntax: SELECT
Level: 1 (Advanced)
Required: True
Confidential: False
Scope: DOMAIN
Options (stored value: display):
  LDAP: LDAP
  LDAP-DB: LDAP, Database
  LDAP-LOCALDB: LDAP, LocalDB
  LDAP-DB-LOCALDB: LDAP, Database, LocalDB
  DB: Database
  DB-LOCALDB: Database, LocalDB
  LOCALDB: LocalDB
Default (by template):
  DB: DB
  LOCALDB: LOCALDB
  default: LDAP
Select the location to which PWM writes the OTP secret. PWM writes to all selected storage methods when the user configures their OTP secret.

Label: Token Storage Method
Key: otp.secret.storageFormat
Navigation: Modules ⇨ Authenticated ⇨ Setup OTP ⇨ OTP Settings ⇨ Token Storage Method
Syntax: SELECT
Level: 1 (Advanced)
Required: True
Confidential: False
Scope: DOMAIN
Options (stored value: display):
  PWM: JSON
  BASE32SECRET: Base32 secret
  OTPURL: OTP URL
  PAM: PAM text
Default: PWM
Select the storage format used to save one time password secrets.
Format descriptions:
  PWM JSON: Store the secret, descriptions, and recovery codes in PWM native (JSON) format.
  Base32 secret: Store only the TOTP secret as a base32-encoded string. This format does not support recovery codes or counter-based tokens.
  OTP URL: Store the secret and description as an otpauth:// URL, as used for generating the QR code. This format does not support recovery codes.
  PAM text: Store the secret, description, and recovery codes in the text file format used by the Google Authenticator PAM module.

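The storage formats above differ in what they can carry: only the native record and the PAM text file keep recovery codes, while a bare base32 secret or an otpauth:// URL keeps just the key (plus a label). The following added example, written for this page and not taken from PWM's code, shows the three representations side by side and what a verifier that honours single-use recovery codes (as described under OTP Recovery Codes) looks like. It assumes RFC 6238 TOTP over HMAC-SHA1 with 6 digits and a 30-second step, which is what authenticator apps reading an otpauth:// URL default to; the sample secret is the RFC 6238 reference test key, and the native-style record is an illustration, not PWM's actual JSON schema.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse

# Constructed sample secret: the RFC 6238 reference test key, so the codes
# produced below can be checked against the published test vectors.
SAMPLE_SECRET = b"12345678901234567890"


def totp(secret: bytes, for_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the variant common authenticator apps use."""
    counter = struct.pack(">Q", for_time // period)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def to_base32(secret: bytes) -> str:
    """The 'Base32 secret' storage format: only the key survives."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def from_base32(text: str) -> bytes:
    text = text.strip().upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def to_otpauth_url(secret: bytes, identifier: str, issuer: str) -> str:
    """The 'OTP URL' storage format: key plus label, but no recovery codes."""
    label = quote(f"{issuer}:{identifier}", safe=":@")
    query = urlencode({"secret": to_base32(secret), "issuer": issuer,
                       "algorithm": "SHA1", "digits": 6, "period": 30})
    return f"otpauth://totp/{label}?{query}"


def from_otpauth_url(url: str) -> dict:
    parsed = urlparse(url)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URL")
    params = parse_qs(parsed.query)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": params.get("issuer", [""])[0],
        "secret": from_base32(params["secret"][0]),
    }


def new_recovery_codes(count: int) -> list:
    """Random 8-digit single-use codes; a count of 0 disables recovery codes."""
    return [f"{secrets.randbelow(10 ** 8):08d}" for _ in range(count)]


def make_record(secret: bytes, identifier: str, recovery_codes: list) -> dict:
    # Illustrative native-style record (assumption: not PWM's real schema). It is
    # the only representation here that can carry the recovery codes.
    return {"identifier": identifier, "secret": secret,
            "recovery_codes": list(recovery_codes)}


def verify_otp(record: dict, submitted: str, now: int, period: int = 30) -> bool:
    """Accept the current TOTP (one step of drift either way) or an unused recovery code."""
    for drift in (-1, 0, 1):
        expected = totp(record["secret"], now + drift * period, period)
        if hmac.compare_digest(expected, submitted):
            return True
    if submitted in record["recovery_codes"]:
        record["recovery_codes"].remove(submitted)   # each code is usable once
        return True
    return False
```

Round-tripping a record through to_base32 or to_otpauth_url and back yields a record with an empty recovery_codes list, which is the concrete meaning of "this format does not support recovery codes": choose the native or PAM format if recovery codes are part of your account-recovery design.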
Label: Encrypt OTP secret
Key: otp.secret.encrypt
Navigation: Modules ⇨ Authenticated ⇨ Setup OTP ⇨ OTP Settings ⇨ Encrypt OTP secret
Syntax: BOOLEAN
Level: 1 (Advanced)
Required: True
Confidential: False
Scope: DOMAIN
Default: False
Enable this option to have PWM use the Security Key to encrypt and decrypt token information, so that it is not readable as plain text. Multiple application instances must use the same Security Key. If you change the Security Key, stored OTP secrets are no longer usable.

Settings that control the Challenge/Response features. These global settings apply regardless of the challenge policy. For profile-specific challenge settings, see Profiles --> Challenge Profiles.
Label: Force Response Setup
Key: challenge.forceSetup
Navigation: Modules ⇨ Authenticated ⇨ Setup Security Questions ⇨ Setup Security Profiles ⇨ [profile] ⇨ Force Response Setup
Syntax: BOOLEAN
Level: 1 (Advanced)
Required: True
Confidential: False
Scope: DOMAIN
Default: True
Enable this option to direct the users to configure Challenge/Response when they log in. PWM forces the users to enter responses if they do not have current valid responses stored.

Label: Show Response Confirmation
Key: challenge.showConfirmation
Navigation: Modules ⇨ Authenticated ⇨ Setup Security Questions ⇨ Setup Security Profiles ⇨ [profile] ⇨ Show Response Confirmation
Syntax: BOOLEAN
Level: 1 (Advanced)
Required: True
Confidential: False
Scope: DOMAIN
Default: False
Enable this option to show the responses to the user after they configure them. This gives your users an opportunity to read and review their responses before submitting; however, it shows the responses on the screen and makes them visible to anyone else watching the user's screen.

Label: Save Challenge Permission
Key: challenge.allowSetup.queryMatch
Navigation: Modules ⇨ Authenticated ⇨ Setup Security Questions ⇨ Setup Security Profiles ⇨ [profile] ⇨ Save Challenge Permission
Syntax: USER_PERMISSION
Level: 2
Required: True
Confidential: False
Scope: DOMAIN
Default: UserPermission: All Users: [Profile: 'all']
Specify the permission used to determine whether PWM permits the users to configure challenges. This LDAP query must return the user; otherwise PWM does not permit the user to configure challenges.

Label: Check Responses Match
Key: command.checkResponses.queryMatch
Navigation: Modules ⇨ Authenticated ⇨ Setup Security Questions ⇨ Setup Security Profiles ⇨ [profile] ⇨ Check Responses Match
Syntax: USER_PERMISSION
Level: 2
Required: True
Confidential: False
Scope: DOMAIN
Default: UserPermission: All Users: [Profile: 'all']
Controls which users are forced to set up responses. Users that match this permission will be forced to set up responses.

Settings that control the Challenge/Response features. These global settings apply regardless of the challenge policy. For profile-specific challenge settings, see Profiles --> Challenge Profiles.
Label: Enable Setup Responses
Key: challenge.enable
Navigation: Modules ⇨ Authenticated ⇨ Setup Security Questions ⇨ Setup Security Settings ⇨ Enable Setup Responses
Syntax: BOOLEAN
Level: 1 (Advanced)
Required: False
Confidential: False
Scope: DOMAIN
Default: True
Enable this option to have the save responses page available to users. (Default enabled)

Label: Case Insensitive Responses
Key: challenge.caseInsensitive
Navigation: Modules ⇨ Authenticated ⇨ Setup Security Questions ⇨ Setup Security Settings ⇨ Case Insensitive Responses
Syntax: BOOLEAN
Level: 2
Required: True
Confidential: False
Scope: DOMAIN
Default: True
Controls the case sensitivity of responses. If enabled, PWM deems the responses correct even if the case is wrong. Changing this value does not change existing stored responses: PWM saves the case-sensitivity flag with each user's stored responses.

Label: Allow Duplicate Responses
Key: challenge.allowDuplicateResponses
Navigation: Modules ⇨ Authenticated ⇨ Setup Security Questions ⇨ Setup Security Settings ⇨ Allow Duplicate Responses
Syntax: BOOLEAN
Level: 2
Required: True
Confidential: False
Scope: DOMAIN
Default: False
Enable this option to allow duplicate responses when setting up security responses.

The shortcut menu displays a list of click-able links to users. This functionality might be useful as a basic landing page for users.
Label: Enable Shortcuts
Key: shortcut.enable
Navigation: Modules ⇨ Authenticated ⇨ Shortcut Menu ⇨ Enable Shortcuts
Syntax: BOOLEAN
Level: 1 (Advanced)
Required: False
Confidential: False
Scope: DOMAIN
Default: False
Enable this option to enable the shortcuts module.

Label: Shortcut Items
Key: shortcut.items
Navigation: Modules ⇨ Authenticated ⇨ Shortcut Menu ⇨ Shortcut Items
Syntax: LOCALIZED_STRING_ARRAY
Level: 1 (Advanced)
Required: False
Confidential: False
Scope: DOMAIN
Default (Locale: default):
  Google::http://www.google.com::(objectClass=person)::Google Search
  Example::http://www.Example.com::(&(objectClass=person)(cn=n*))::Example Page
  Yahoo::http://www.yahoo.com::(objectClass=person)::Yahoo Home Page
Specify the list of available shortcuts.
Format: label::url::ldapQuery::description
  label: Label to show to users
  url: HTTP shortcut to direct the user to
  ldapQuery: Valid LDAP syntax style query; if the user matches this query, then PWM shows the shortcut to the user.
  description: Long description of the shortcut

Label: Shortcut Headers
Key: shortcut.httpHeaders
Navigation: Modules ⇨ Authenticated ⇨ Shortcut Menu ⇨ Shortcut Headers
Syntax: STRING_ARRAY
Level: 1 (Advanced)
Required: False
Confidential: False
Scope: DOMAIN
Default: (blank)
Specify the HTTP headers used to control the visible list of shortcuts. If this header is present, PWM uses its values to determine which of the configured shortcuts are available to a user. The values must correspond to the label values specified as part of the shortcut items. When this header is present, PWM does not use the ldapQuery portion of the shortcut items and instead displays a shortcut only if its label is present in the header.
Values can be set in multiple headers, or by comma-separating the values.
A blank value disables this feature. Warning: Only enable this feature if an upstream proxy/gateway server controls this header value. Otherwise it may be possible for a client to inject this value and view shortcuts not otherwise visible.

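The two settings above define a small parsing and authorization rule: shortcut items are `label::url::ldapQuery::description` records, and visibility is decided either by the ldapQuery or, when the configured header is present, by the header's label list alone. The following added example, written for this page rather than taken from PWM, implements that rule so the header override and its trust boundary are explicit. The LDAP match is injected as a callback (`ldap_matches`, an assumed name) because evaluating a filter against a directory is out of scope here; the sample items are the page's own defaults, and `SAMPLE_ITEMS` and the header values are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List, Set


@dataclass(frozen=True)
class Shortcut:
    label: str
    url: str
    ldap_query: str
    description: str


# Constructed sample: the default Shortcut Items shown on this page.
SAMPLE_ITEMS = [
    "Google::http://www.google.com::(objectClass=person)::Google Search",
    "Example::http://www.Example.com::(&(objectClass=person)(cn=n*))::Example Page",
    "Yahoo::http://www.yahoo.com::(objectClass=person)::Yahoo Home Page",
]


def parse_shortcut_items(lines: Iterable[str]) -> List[Shortcut]:
    """Parse label::url::ldapQuery::description lines; reject malformed entries."""
    items = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        parts = line.split("::")
        if len(parts) != 4:
            raise ValueError(f"expected label::url::ldapQuery::description, got {line!r}")
        items.append(Shortcut(*parts))
    return items


def labels_from_headers(header_values: Iterable[str]) -> Set[str]:
    """Collect labels from every occurrence of the header, splitting on commas."""
    labels = set()
    for raw in header_values:
        for piece in raw.split(","):
            piece = piece.strip()
            if piece:
                labels.add(piece)
    return labels


def visible_shortcuts(items: List[Shortcut], header_values: Iterable[str],
                      ldap_matches: Callable[[str], bool]) -> List[Shortcut]:
    """Apply the page's rule: a present header wins outright, else fall back to ldapQuery.

    header_values must be the values of the configured header as seen AFTER the
    trusted proxy has set it; any copy a client sent must have been stripped
    upstream, or the client chooses its own shortcut list.
    """
    labels = labels_from_headers(header_values)
    if labels:
        return [s for s in items if s.label in labels]
    return [s for s in items if ldap_matches(s.ldap_query)]


def example_matcher(query: str) -> bool:
    # Assumed stand-in for a directory lookup: our sample user matches only the
    # plain person filter, not the (cn=n*) restriction.
    return query == "(objectClass=person)"
```

With no header configured the sample user sees Google and Yahoo via the ldapQuery path; with a header carrying `Example`, the user sees the Example shortcut regardless of the `(cn=n*)` query, which is exactly why the header must come from the gateway and not from the browser.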
Label: Launch Shortcuts in New Window
Key: shortcut.newWindow
Navigation: Modules ⇨ Authenticated ⇨ Shortcut Menu ⇨ Launch Shortcuts in New Window
Syntax: BOOLEAN
Level: 1 (Advanced)
Required: False
Confidential: False
Scope: DOMAIN
Default: False
Enable this option to launch shortcuts in a new window (or tab).

Label: Update Profile Match
Key: updateAttributes.queryMatch
Navigation: Modules ⇨ Authenticated ⇨ Update Profile ⇨ Update Profile Profiles ⇨ [profile] ⇨ Update Profile Match
Syntax: USER_PERMISSION
Level: 1 (Advanced)
Required: True
Confidential: False
Scope: DOMAIN
Default: UserPermission: All Users: [Profile: 'all']
Add an LDAP query that only allows users who match this query to update their profiles.

Label: Update Profile Actions
Key: updateAttributes.writeAttributes
Navigation: Modules ⇨ Authenticated ⇨ Update Profile ⇨ Update Profile Profiles ⇨ [profile] ⇨ Update Profile Actions
Syntax: ACTION
Level: 1 (Advanced)
Required: False
Confidential: False
Scope: DOMAIN
Default: (blank)
Add actions to execute after PWM populates a user's attributes.

Label: Force Update Profile
Key: updateAttributes.forceSetup
Navigation: Modules ⇨ Authenticated ⇨ Update Profile ⇨ Update Profile Profiles ⇨ [profile] ⇨ Force Update Profile
Syntax: BOOLEAN
Level: 1 (Advanced)
Required: True
Confidential: False
Scope: DOMAIN
Default: False
Enable this option to present the Update Profile module to the users upon login if the users do not satisfy the form configuration conditions. Specifically, PWM checks the Required and Regular Expression conditions against the current LDAP form values. The users cannot perform other functions until they update the form values to values that match the form configuration.

Label: Update Profile Agreement Message
Key: display.updateAttributes.agreement
Navigation: Modules ⇨ Authenticated ⇨ Update Profile ⇨ Update Profile Profiles ⇨ [profile] ⇨ Update Profile Agreement Message
Syntax: LOCALIZED_TEXT_AREA
Level: 1 (Advanced)
Macro Support: True
Required: False
Confidential: False
Scope: DOMAIN
Default: (blank)
Specify a message to display to the users before allowing them to update their profiles. If blank, PWM does not display the update profile agreement page to the users. This message can include HTML tags.

Label: Update Profile Form
Key: updateAttributes.form
Navigation: Modules ⇨ Authenticated ⇨ Update Profile ⇨ Update Profile Profiles ⇨ [profile] ⇨ Update Profile Form
Syntax: FORM
Level: 1 (Advanced)
Required: True
Confidential: False
Scope: DOMAIN
Default:
  FormItem Name:mail
  Type:email Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:true Multi-Value:false Source:ldap
  Label:{"":"Email\n Address"}
  Description:{"":""}
  FormItem Name:title
  Type:text Min:1 Max:64 ReadOnly:false Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
  Label:{"":"Title"}
  Description:{"":""}
  FormItem Name:telephoneNumber
  Type:tel Min:1 Max:64 ReadOnly:false Required:false Confirm:false Unique:false Multi-Value:false Source:ldap
  Label:{"":"Telephone\n Number"}
  Description:{"":""}
Update Profile Form values.

Label: Show Update Profile Confirmation
Key: updateAttributes.showConfirmation
Navigation: Modules ⇨ Authenticated ⇨ Update Profile ⇨ Update Profile Profiles ⇨ [profile] ⇨ Show Update Profile Confirmation
Syntax: BOOLEAN
Level: 1 (Advanced)
Required: True
Confidential: False
Scope: DOMAIN
Default: True
Enable this option to show the updated attributes to the users after they configure them. This gives your users an opportunity to read and review their attributes before submitting; however, it shows the values on the screen and makes them visible to anyone else watching the user's screen.

Label: Enable Email Verification
Key: updateAttributes.email.verification
Navigation: Modules ⇨ Authenticated ⇨ Update Profile ⇨ Update Profile Profiles ⇨ [profile] ⇨ Enable Email Verification
Syntax: BOOLEAN
Level: 1 (Advanced)
Required: False
Confidential: False
Scope: DOMAIN
Default: False
Enable this option to send an email to the user's email address before PWM updates the account. The verification email is sent only when the user's email address changes. The user must verify receipt of the email before PWM updates the account.

Label: Enable SMS Verification
Key: updateAttributes.sms.verification
Navigation: Modules ⇨ Authenticated ⇨ Update Profile ⇨ Update Profile Profiles ⇨ [profile] ⇨ Enable SMS Verification
Syntax: BOOLEAN
Level: 1 (Advanced)
Required: False
Confidential: False
Scope: DOMAIN
Default: False
Enable this option to send an SMS to the user's mobile phone number before updating the account. The user must verify receipt of the SMS before PWM updates the account.

Label: Update Profile Email Token Maximum Lifetime
Key: updateAttributes.token.lifetime
Navigation: Modules ⇨ Authenticated ⇨ Update Profile ⇨ Update Profile Profiles ⇨ [profile] ⇨ Update Profile Email Token Maximum Lifetime
Syntax: DURATION
Level: 1 (Advanced)
Required: True
Confidential: False
Scope: DOMAIN
Default: 0
Specify the lifetime (in seconds) for which an update profile email token is valid. The default is 0. When set to 0, the effective value is inherited from the setting Settings ⇨ Tokens ⇨ Token Maximum Lifetime.

Label: Update Profile SMS Token Maximum Lifetime
Key: updateAttributes.token.lifetime.sms
Navigation: Modules ⇨ Authenticated ⇨ Update Profile ⇨ Update Profile Profiles ⇨ [profile] ⇨ Update Profile SMS Token Maximum Lifetime
Syntax: DURATION
Level: 1 (Advanced)
Required: True
Confidential: False
Scope: DOMAIN
Default: 0
Specify the lifetime (in seconds) for which an update profile SMS token is valid. The default is 0. When set to 0, the effective value is inherited from the setting Settings ⇨ Tokens ⇨ Token Maximum Lifetime.

Label: Custom Links
Key: updateAttributes.customLinks
Navigation: Modules ⇨ Authenticated ⇨ Update Profile ⇨ Update Profile Profiles ⇨ [profile] ⇨ Custom Links
Syntax: CUSTOMLINKS
Level: 1 (Advanced)
Required: False
Confidential: False
Scope: DOMAIN
Default: (blank)
Create custom links for users to navigate to while updating their profile data.

Label: Enable Update Profile
Key: updateAttributes.enable
Navigation: Modules ⇨ Authenticated ⇨ Update Profile ⇨ Update Profile Settings ⇨ Enable Update Profile
Syntax: BOOLEAN
Level: 1 (Advanced)
Required: True
Confidential: False
Scope: DOMAIN
Default: False
Enable the option to update profile attributes. If true, this setting enables the Update Profile module.

Definition
Label: Forgotten Password Profile Match
Key: recovery.queryMatch
Navigation: Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ Definition ⇨ Forgotten Password Profile Match
Syntax: USER_PERMISSION
Level: 1 (Advanced)
Required: True
Confidential: False
Scope: DOMAIN
Default (by template):
  ORACLE_DS: UserPermission: All Users: [Profile: 'all']
  AD: UserPermission: All Users: [Profile: 'all']
  default: UserPermission: All Users: [Profile: 'all']
Add an LDAP filter that defines the set of users that PWM assigns to this profile.

Label: Verification Methods
Key: recovery.verificationMethods
Navigation: Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ Definition ⇨ Verification Methods
Syntax: VERIFICATION_METHOD
Level: 1 (Advanced)
Required: False
Confidential: False
Scope: DOMAIN
Default: optional methods: n/a, required methods: ["Secret Questions and Answers"]
Select the verification methods PWM uses during the forgotten password process. The users must satisfy each method set to required. The users can then select any of the remaining optional methods until they complete the minimum number of optional methods.
You can modify the names and descriptions shown to users for these methods by editing the display text keys Field_VerificationMethod[Method] and Description_VerificationMethod[Method], where [Method] is the method type.

Label: Token Send Method
Key: challenge.token.sendMethod
Navigation: Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ Definition ⇨ Token Send Method
Syntax: SELECT
Level: 1 (Advanced)
Required: True
Confidential: False
Scope: DOMAIN
Options (stored value: display):
  EMAILONLY: Email - Send to email address
  SMSONLY: SMS - Send via SMS
  CHOICE_SMS_EMAIL: User Choice - If both SMS and email address are available, user decides
Default: EMAILONLY
Select the method you want to use for sending the token code or new password to the user.

Label: Forgotten Password Recovery Mode
Key: recovery.action
Navigation: Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ Definition ⇨ Forgotten Password Recovery Mode
Syntax: SELECT
Level: 1 (Advanced)
Required: True
Confidential: False
Scope: DOMAIN
Options (stored value: display):
  RESETPW: Allow user to set new password
  SENDNEWPW: Send new password
  SENDNEWPW_AND_EXPIRE: Send new password and mark as expired
Default: RESETPW
Select the action to take when the user completes the forgotten password process.

Label: New Password Send Method
Key: recovery.sendNewPassword.sendMethod
Navigation: Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ Definition ⇨ New Password Send Method
Syntax: SELECT
Level: 2
Required: False
Confidential: False
Scope: DOMAIN
Options (stored value: display):
  EMAILONLY: Email - Send to email address
  SMSONLY: SMS - Send via SMS
Default: EMAILONLY
Select the method used to send the new password to users when the Forgotten Password Success Action is set to Send new password.

Label: Required LDAP Attributes
Key: challenge.requiredAttributes
Navigation: Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ Definition ⇨ Required LDAP Attributes
Syntax: FORM
Level: 1 (Advanced)
Required: False
Confidential: False
Scope: DOMAIN
Default: (blank)
Add the required LDAP attributes for forgotten password authentication. The users must supply these attributes as part of the forgotten password authentication process. The LDAP Proxy User requires the LDAP compare permission on these attributes.

OAuth
Label: OAuth Login URL
Key: recovery.oauth.idserver.loginUrl
Navigation: Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ OAuth ⇨ OAuth Login URL
Syntax: STRING
Level: 2
Required: False
Confidential: False
Scope: DOMAIN
Default: (blank)
Specify the OAuth server login URL. PWM redirects the user to this URL for authentication.

Label: OAuth Code Resolve Service URL
Key: recovery.oauth.idserver.codeResolveUrl
Navigation: Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ OAuth ⇨ OAuth Code Resolve Service URL
Syntax: STRING
Level: 2
Required: False
Confidential: False
Scope: DOMAIN
Default: (blank)
Specify the OAuth Token / Code Resolve Service URL. PWM uses this web service URL to resolve the artifact returned by the OAuth identity server.

Label: OAuth Profile Service URL
Key: recovery.oauth.idserver.attributesUrl
Navigation: Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ OAuth ⇨ OAuth Profile Service URL
Syntax: STRING
Level: 2
Required: False
Confidential: False
Scope: DOMAIN
Default: (blank)
Specify the web service URL provided by the identity server to return attribute data about the user.

Label: OAuth Web Service Server Certificate
Key: recovery.oauth.idserver.serverCerts
Navigation: Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ OAuth ⇨ OAuth Web Service Server Certificate
Syntax: X509CERT
Level: 2
Required: False
Confidential: False
Scope: DOMAIN
Default: (blank)
Import the certificate for the OAuth web service server.

Label: OAuth Client ID
Key: recovery.oauth.idserver.clientName
Navigation: Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ OAuth ⇨ OAuth Client ID
Syntax: STRING
Level: 2
Required: False
Confidential: False
Scope: DOMAIN
Default: (blank)
Specify the OAuth client ID. The OAuth identity service provider gives you this value.

Label: OAuth Shared Secret
Key: recovery.oauth.idserver.secret
Navigation: Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ OAuth ⇨ OAuth Shared Secret
Syntax: PASSWORD
Level: 2
Required: False
Confidential: True
Scope: DOMAIN
Default: *hidden*
Specify the OAuth shared secret. The OAuth identity service provider gives you this value.

Label: OAuth User Name/DN Login Attribute
Key: recovery.oauth.idserver.dnAttributeName
Navigation: Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ OAuth ⇨ OAuth User Name/DN Login Attribute
Syntax: STRING
Level: 2
Required: False
Confidential: False
Scope: DOMAIN
Default: (blank)
Specify the attribute to request from the OAuth server that PWM uses as the user name for local authentication. PWM then resolves this value the same as if the user had typed it at the local authentication page.

Label: OAuth Inject User Name Value
Key: recovery.oauth.idserver.usernameSendValue
Navigation: Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ OAuth ⇨ OAuth Inject User Name Value
Syntax: STRING
Level: 2
Macro Support: True
Required: False
Confidential: False
Scope: DOMAIN
Default: (blank)
Specify the user name value to send as part of the /grant redirect request. The remote OAuth server must support the /sign endpoint for this to work.

Options for forgotten password configuration.
Label: Allow Intruder Unlock
Key: challenge.allowUnlock
Navigation: Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ Options ⇨ Allow Intruder Unlock
Syntax: BOOLEAN
Level: 1 (Advanced)
Required: True
Confidential: False
Scope: DOMAIN
Default: True
Enable this option to allow users to intruder-unlock their accounts during forgotten password. If true, and if a user's account is intruder locked due to too many invalid login attempts, and the user's password is not expired, then PWM gives the user a chance to unlock the account instead of resetting the password.

Label: Allow Forgotten Password when Locked
Key: recovery.allowWhenLocked
Navigation: Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ Options ⇨ Allow Forgotten Password when Locked
Syntax: BOOLEAN
Level: 2
Required: False
Confidential: False
Scope: DOMAIN
Default: False
Enable this option to allow users to use the forgotten password feature when the account is intruder locked in LDAP. This feature is not available when a user is using NMAS stored responses.

Label: Allow Token Resend
Key: recovery.token.resend.enable
Navigation: Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ Options ⇨ Allow Token Resend
Syntax: BOOLEAN
Level: 1 (Advanced)
Required: True
Confidential: False
Scope: DOMAIN
Default: True
Allow the user to resend a token in case they did not receive it.

Label: Minimum Password Lifetime Options
Key: recovery.minimumPasswordLifetimeOptions
Navigation: Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ Options ⇨ Minimum Password Lifetime Options
Syntax: SELECT
Level: 1 (Advanced)
Required: True
Confidential: False
Scope: DOMAIN
Options (stored value: display):
  ALLOW: Allow - Allow normal action (ignore minimum lifetime)
  UNLOCKONLY: UnlockOnly - Allow only intruder password unlock
  NONE: None - Prohibit usage of the forgotten password module
Default: ALLOW
Options to control behavior when a user attempts to use the forgotten password module while their password is within the minimum password lifetime window of their effective password policy. These options are only relevant if the user has an effective minimum password lifetime as part of their password policy.

Label: Forgotten Password Post Actions
Key: recovery.postActions
Navigation: Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ Options ⇨ Forgotten Password Post Actions
Syntax: ACTION
Level: 2
Required: False
Confidential: False
Scope: DOMAIN
Default: (blank)
Actions to execute after a user has successfully completed the forgotten password sequence and the user's password has been modified. You can use macros.

Label: Agreement Message
Key: recovery.changeAgreement
Navigation: Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ Options ⇨ Agreement Message
Syntax: LOCALIZED_TEXT_AREA
Level: 1 (Advanced)
Macro Support: True
Required: False
Confidential: False
Scope: DOMAIN
Default: (blank)
Specify a message to display to users before allowing them to recover their forgotten passwords. If blank, PWM does not display the agreement page to the users. This message can include HTML tags. This setting can use macros. For more information about macros, see "Show Macro Help" in the "View" menu.

Settings for forgotten password configuration.
Label: Enable Forgotten Password
Key: recovery.enable
Navigation: Modules ⇨ Public ⇨ Forgotten Password ⇨ Settings ⇨ Enable Forgotten Password
Syntax: BOOLEAN
Level: 1 (Advanced)
Required: False
Confidential: False
Scope: DOMAIN
Default: True
Enable this option to make forgotten password recovery available to users.

Label
|
Forgotten Password User Search Form |
Key
|
recovery.form |
Navigation
|
Modules ⇨ Public ⇨ Forgotten Password ⇨ Settings ⇨ Forgotten Password User Search Form |
Syntax
|
FORM |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
Template | Value |
ORACLE_DS |
FormItem Name:uid
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Username"}
Description:{"":""}
|
AD |
FormItem Name:sAMAccountName
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Username"}
Description:{"":""}
|
default |
FormItem Name:cn
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Username"}
Description:{"":""}
|
|
Specify the form fields for the activate user module. PWM requires the users to enter each attribute. Ideally, the form requires users to enter some personal data that is not publicly known. |
Label
|
Forgotten Password User Search Filter |
Key
|
recovery.searchFilter |
Navigation
|
Modules ⇨ Public ⇨ Forgotten Password ⇨ Settings ⇨ Forgotten Password User Search Filter |
Syntax
|
STRING |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
Add an LDAP search filter PWM uses to search for users during forgotten password recovery. The LDAP search filter must include each attribute in the Forgotten Password User Search Form. PWM replaces tokens made of a form item name (such as cn) enclosed in percent signs (%cn%) with the values supplied by the user.
For example, if the Activate User Form included the attributes cn and sn, then this filter might be appropriate:
(&(objectClass=person)(cn=%cn%)(sn=%sn%))
If this setting is left blank, PWM automatically generates a search filter based on the required items in the Forgotten Password User Search Form. |
Label
|
Response Read Location |
Key
|
recovery.response.readPreference |
Navigation
|
Modules ⇨ Public ⇨ Forgotten Password ⇨ Settings ⇨ Response Read Location |
Syntax
|
SELECT |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Options
|
Stored Value | Display |
LDAP |
LDAP |
LDAP-DB |
LDAP, Database |
LDAP-DB-LOCALDB |
LDAP, Database, LocalDB |
LDAP-LOCALDB |
LDAP, LocalDB |
LDAP-LOCALDB-DB |
LDAP, LocalDB, Database |
DB |
Database |
DB-LDAP |
Database, LDAP |
DB-LDAP-LOCALDB |
Database, LDAP, LocalDB |
DB-LOCALDB |
Database, LocalDB |
DB-LOCALDB-LDAP |
Database, LocalDB, LDAP |
LOCALDB |
LocalDB |
LOCALDB-DB |
LocalDB, Database |
LOCALDB-DB-LDAP |
LocalDB, Database, LDAP |
LOCALDB-LDAP |
LocalDB, LDAP |
LOCALDB-LDAP-DB |
LocalDB, LDAP, Database |
|
Default
|
Template | Value |
DB |
DB |
LOCALDB |
LOCALDB |
default |
LDAP |
|
Select the location where PWM reads the responses. If you select an option with multiple values, PWM reads each location in turn until it finds a stored response. |
Label
|
Response Write Location |
Key
|
recovery.response.writePreference |
Navigation
|
Modules ⇨ Public ⇨ Forgotten Password ⇨ Settings ⇨ Response Write Location |
Syntax
|
SELECT |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Options
|
Stored Value | Display |
LDAP |
LDAP |
LDAP-DB |
LDAP, Database |
LDAP-LOCALDB |
LDAP, LocalDB |
LDAP-DB-LOCALDB |
LDAP, Database, LocalDB |
DB |
Database |
DB-LOCALDB |
Database, LocalDB |
LOCALDB |
LocalDB |
|
Default
|
Template | Value |
DB |
DB |
LOCALDB |
LOCALDB |
default |
LDAP |
|
Select the location where PWM writes the responses. PWM writes to all storage methods when the user configures their response answers. WARNING: Never use the LocalDB to store responses in a production system as there are no methods to make the LocalDB storage redundant, nor are optimal backup methods available for the LocalDB. |
Label
|
Responses Storage Hashing Method |
Key
|
response.hashMethod |
Navigation
|
Modules ⇨ Public ⇨ Forgotten Password ⇨ Settings ⇨ Responses Storage Hashing Method |
Syntax
|
SELECT |
Level
|
2 |
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Options
|
Stored Value | Display |
TEXT |
None (Plaintext) |
MD5 |
MD5 |
SHA1 |
SHA1 |
SHA1_SALT |
SHA-1 with Salt |
SHA256_SALT |
SHA-256 with Salt |
SHA512_SALT |
SHA-512 with Salt |
PBKDF2 |
PBKDF2WithHmacSHA1 |
PBKDF2_SHA256 |
PBKDF2WithHmacSHA256 |
PBKDF2_SHA512 |
PBKDF2WithHmacSHA512 |
BCRYPT |
BCrypt |
SCRYPT |
SCrypt |
|
Default
|
PBKDF2_SHA512
|
Select the method of hashing PWM uses to store responses. Storing the responses as plaintext might facilitate synchronization or migration to other systems but is not secure. This setting only controls how PWM writes the responses. PWM can always read stored responses in other formats. PWM cannot convert existing responses until a user re-saves their responses. You can use the reporting engine to identify and count the hash types in use. |
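The setting above controls only how a newly saved response is written, while reads must accept every older format still in the store. The following added example (not PWM's own code, and not PWM's actual storage format) shows what that implies: each stored value is tagged with the method used to produce it, verification dispatches on that tag, and an inventory function counts the methods in use, which is the check the text suggests running through the reporting engine. The `METHOD$salt$digest` layout, the 100,000 PBKDF2 iterations and the 16-byte salt are assumptions of this example; BCRYPT and SCRYPT are left out because they need a third-party library.

```python
import base64
import hashlib
import hmac
import os
from collections import Counter
from typing import Dict, Iterable

# Assumed parameters for this example; PWM's own values are not stated on the page.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16

# Method tag -> (digest algorithm, salted?, uses PBKDF2?). Tags follow the
# "Stored Value" column of the Responses Storage Hashing Method setting.
_METHODS = {
    "TEXT": (None, False, False),
    "MD5": ("md5", False, False),
    "SHA1": ("sha1", False, False),
    "SHA1_SALT": ("sha1", True, False),
    "SHA256_SALT": ("sha256", True, False),
    "SHA512_SALT": ("sha512", True, False),
    "PBKDF2": ("sha1", True, True),
    "PBKDF2_SHA256": ("sha256", True, True),
    "PBKDF2_SHA512": ("sha512", True, True),
}


def _digest(method: str, answer: bytes, salt: bytes) -> bytes:
    """Compute the raw digest for one method; TEXT stores the answer as-is."""
    algo, salted, pbkdf2 = _METHODS[method]
    if algo is None:
        return answer
    if pbkdf2:
        return hashlib.pbkdf2_hmac(algo, answer, salt, PBKDF2_ITERATIONS)
    h = hashlib.new(algo)
    if salted:
        h.update(salt)
    h.update(answer)
    return h.digest()


def hash_response(answer: str, method: str = "PBKDF2_SHA512") -> str:
    """Write path: produce a self-describing stored value 'METHOD$salt$digest'."""
    if method not in _METHODS:
        raise ValueError(f"unknown hash method {method!r}")
    _, salted, _ = _METHODS[method]
    salt = os.urandom(SALT_BYTES) if salted else b""
    digest = _digest(method, answer.encode("utf-8"), salt)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"{method}${b64(salt)}${b64(digest)}"


def verify_response(stored: str, answer: str) -> bool:
    """Read path: accept any known method, recompute and compare in constant time."""
    parts = stored.split("$", 2)
    if len(parts) != 3 or parts[0] not in _METHODS:
        return False
    method, salt_b64, digest_b64 = parts
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = _digest(method, answer.encode("utf-8"), salt)
    return hmac.compare_digest(actual, expected)


def method_of(stored: str) -> str:
    """Return the method tag of a stored value."""
    return stored.split("$", 1)[0]


def count_hash_methods(stored_values: Iterable[str]) -> Dict[str, int]:
    """Inventory the hash methods in use, e.g. to find users still on TEXT or MD5."""
    return dict(Counter(method_of(s) for s in stored_values))


if __name__ == "__main__":
    # Constructed sample store: one legacy plaintext record, one current record.
    store = [hash_response("Fluffy", "TEXT"), hash_response("Fluffy")]
    print(count_hash_methods(store))
    print(all(verify_response(s, "Fluffy") for s in store))
```

Because only the write path consults the configured method, a user whose stored value still carries a weak tag keeps that value until they re-save their responses; the inventory is how you find them.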
Label
|
Enable Bogus User Policy |
Key
|
recovery.bogus.user.enable |
Navigation
|
Modules ⇨ Public ⇨ Forgotten Password ⇨ Settings ⇨ Enable Bogus User Policy |
Syntax
|
BOOLEAN |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
False
|
Enable this option to have forgotten password act as though invalid user searches are valid, and present such users with a bogus forgotten password policy. This can help prevent username discovery. |
Allows a user to search for a forgotten user name using a configurable search filter and attributes.
Label
|
Enable Forgotten User Name |
Key
|
forgottenUsername.enable |
Navigation
|
Modules ⇨ Public ⇨ Forgotten User Name ⇨ Enable Forgotten User Name |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
False
|
Enable this option to enable the forgotten user name module. |
Label
|
Forgotten User Name Form |
Key
|
forgottenUsername.form |
Navigation
|
Modules ⇨ Public ⇨ Forgotten User Name ⇨ Forgotten User Name Form |
Syntax
|
FORM |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
FormItem Name:mail
Type:email Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Email\n Address"}
Description:{"":""}
FormItem Name:sn
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Last\n Name"}
Description:{"":""}
|
Add fields PWM uses to search for the user name. |
Label
|
Forgotten User Name Search Filter |
Key
|
forgottenUsername.searchFilter |
Navigation
|
Modules ⇨ Public ⇨ Forgotten User Name ⇨ Forgotten User Name Search Filter |
Syntax
|
STRING |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
Specify an LDAP search filter PWM uses to search for users during forgotten user name recovery. The LDAP search filter must include each attribute in the Forgotten User Name Form. PWM replaces tokens made of a form item name (such as cn) enclosed in percent signs (%cn%) with the values supplied by the user.
For example, if the Forgotten User Name Form included the attributes cn and sn, then this filter might be appropriate:
(&(objectClass=person)(cn=%cn%)(sn=%sn%))
If this setting is left blank, PWM automatically generates a search filter based on the required items in the Forgotten User Name Form at the time of the search. |
Label
|
Forgotten User Name Message |
Key
|
forgottenUsername.message |
Navigation
|
Modules ⇨ Public ⇨ Forgotten User Name ⇨ Forgotten User Name Message |
Syntax
|
LOCALIZED_TEXT_AREA |
Level
|
1
(Advanced)
|
Macro Support
|
True |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
Locale: default
Your username is @User:ID@. Please record your username for future use.
Locale: zh
您的用户名是 @User:ID@。请记录你的用户名以供将来使用。
Locale: zh-TW
您的使用者名稱為 @User:ID@。請記錄您的使用者名稱以供日後使用。
Locale: cs
Vaše přihlašovací jméno je @User:ID@. Prosíme zapamatujte si své přihlašovací jméno.
Locale: nl
Uw gebruikersnaam is @User:ID@. Onthoud uw gebruikersnaam voor later gebruik.
Locale: fi
Käyttäjätunnuksesi on @User:ID@. Tallenna se myöhempää käyttöä varten.
Locale: fr
Votre nom d'utilisateur est @User:ID@. Enregistrez-le pour pouvoir l'utiliser ultérieurement.
Locale: de
Ihr Benutzername ist @User:ID@. Notieren Sie sich den Benutzernamen für den späteren Gebrauch.
Locale: he
שם המשתמש שלך הינו @User:ID@. אנא זכור מידע זה לשימוש עתידי.
Locale: hu
Az Ön felhasználóneve %field%. Kérem jegyezze föl, hogy a jövőben használni tudja.
Locale: it
Il tuo nome utente è @User:ID@. Per favore annotati il tuo nome utente per uso futuro.
Locale: ja
ユーザ名は @User:ID@ です。将来の使用に備えてユーザ名を記録しておいてください。
Locale: no
Brukernavnet ditt er @User:ID@. Vennligst ta vare på ditt brukernavn for fremtidig bruk.
Locale: nn
Brukarnamnet ditt er %field%. Ver venleg å ta vare på brukarnamnet ditt for framtidig bruk.
Locale: pl
Twoja nazwa użytkownika to @User:ID@. Należy zapisać swoją nazwę użytkownika na przyszłość.
Locale: pt
Seu nome de utilizador é @User:ID@. Por favor, registe seu nome de utilizador para uso futuro.
Locale: pt-BR
Seu nome de usuário é @User:ID@. Registre seu nome de usuário para uso futuro.
Locale: sk
Vaše používateľské meno je @User:ID@. Uložte si toto meno pre ďalšie použitie.
Locale: es
Su nombre de usuario es @User:ID@. Guarde el nombre de usuario para tener una referencia en el futuro.
Locale: sv
Ditt användarnamn är @User:ID@. Anteckna ditt användarnamn för framtida bruk.
Locale: th
ชื้อผู้ใช้ของคุณคือ @User:ID@ กรุณาใส่ชื่อผู้ใช้ของคุณสำหรับการใช้งานในอนาคต
Locale: tr
Kullanıcı adınız @User:ID@ . Kullanıcı adınızı unutmayın.
|
Edit the message to show to a user upon a successful forgotten user name action. |
Label
|
User Name Send Method |
Key
|
forgottenUsername.sendUsername.sendMethod |
Navigation
|
Modules ⇨ Public ⇨ Forgotten User Name ⇨ User Name Send Method |
Syntax
|
SELECT |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Options
|
Stored Value | Display |
NONE |
None - Do not send email |
EMAILONLY |
Email - Send to email address |
SMSONLY |
SMS - Send via SMS |
|
Default
|
NONE
|
Select the method used to send the user name to the user. You can use macros in the message content as appropriate. |
New user self-registration settings. The new user registration module requires that the proxy user has sufficient permissions to create users and, if so configured, to check for duplicate values. PWM creates new users in the default LDAP directory profile.
Label
|
New User Form |
Key
|
newUser.form |
Navigation
|
Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile] ⇨ New User Form |
Syntax
|
FORM |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
FormItem Name:mail
Type:email Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:true Multi-Value:false Source:ldap
Label:{"":"Email\n Address"}
Description:{"":""}
Regex:^[a-zA-Z0-9 .,'@]*$ Regex Error:{"":"Email Address has invalid\n characters"}
FormItem Name:givenName
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"First\n Name"}
Description:{"":""}
Regex:^[a-zA-Z0-9 .,'@]*$ Regex Error:{"":""}
FormItem Name:sn
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Last\n Name"}
Description:{"":""}
Regex:^[a-zA-Z0-9 .,'@]*$ Regex Error:{"":""}
|
Specify the New User form creation attributes and fields. This is used to determine what information will need to be filled in before submitting the new user form to create the new user. |
Label
|
LDAP Profile |
Key
|
newUser.ldapProfile |
Navigation
|
Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile] ⇨ LDAP Profile |
Syntax
|
STRING |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
Specify the LDAP profile where you would like PWM to create new users. If blank, the default LDAP profile is used when creating new users. |
Label
|
Creation Context |
Key
|
newUser.createContext |
Navigation
|
Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile] ⇨ Creation Context |
Syntax
|
STRING |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
ou=users,o=example
|
Specify the LDAP context where you would like PWM to create new users. You can use macros in this setting. |
Label
|
New User Agreement Message |
Key
|
display.newuser.agreement |
Navigation
|
Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile] ⇨ New User Agreement Message |
Syntax
|
LOCALIZED_TEXT_AREA |
Level
|
1
(Advanced)
|
Macro Support
|
True |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
Specify a message to display to users before allowing them to register as a new user. If blank, PWM will not display the new user agreement page to the user trying to register. This New User Agreement Message can also include HTML tags. |
Label
|
Profile Display Name |
Key
|
newUser.profile.displayName |
Navigation
|
Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile] ⇨ Profile Display Name |
Syntax
|
LOCALIZED_STRING |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
Specify the publicly viewable display name of this profile. This value will only be seen if the profile was enabled to be shown publicly. |
Label
|
Profile Visible on Menu |
Key
|
newUser.profile.visible |
Navigation
|
Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile] ⇨ Profile Visible on Menu |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
True
|
Show this New User profile to users when they select New User registration. If disabled, this profile is still available by direct URL but is not shown as a selectable profile. |
Label
|
New User Actions |
Key
|
newUser.writeAttributes |
Navigation
|
Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile] ⇨ New User Actions |
Syntax
|
ACTION |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
Specify the actions the system takes when it creates a user. The actions will be executed just after the user is created in the LDAP directory. You can use macros in this setting. |
Label
|
Delete On Creation Failure |
Key
|
newUser.deleteOnFail |
Navigation
|
Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile] ⇨ Delete On Creation Failure |
Syntax
|
BOOLEAN |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
True
|
Enable this option to have PWM delete the new user account if the creation fails for some reason. It deletes the (potentially partially-created) "broken" account in LDAP. |
Label
|
Logout After Creation |
Key
|
newUser.logoutAfterCreation |
Navigation
|
Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile] ⇨ Logout After Creation |
Syntax
|
BOOLEAN |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
False
|
Enable this option to force the new user to log out (and be sent to the logoutURL) after the account has been created.
Leave this option disabled (default) to have PWM automatically log in the new user. |
Label
|
LDAP Entry ID Definition |
Key
|
newUser.username.definition |
Navigation
|
Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile] ⇨ LDAP Entry ID Definition |
Syntax
|
STRING_ARRAY |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
@RandomChar:16:ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@
|
Specify the display name, or entry ID, that is included in the LDAP naming attribute for newly registered users. Some directories use an LDAP entry ID instead of a user name. When you enable this setting, the system by default generates an entry ID made of random characters. You must specify macros for this setting. For more information about macros, see Configuring Macros for Messages and Actions. If you leave this field blank, the system does not generate a random user name or entry ID. For example, specify the value @User:Email@ to use the new user's email address as their display name or entry ID in the LDAP directory. When multiple values are entered and the first value already exists, each value is tried in order until an unused value is found. |
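To make the try-in-order behaviour concrete, here is an added example (not PWM's code) that expands the two macro forms shown on this page, @User:Email@ and @RandomChar:16:...@, and walks a list of definitions until it finds a value the directory does not already hold. The macro syntax is taken from the page; the lookup of @User:...@ against a plain attribute dictionary, the `exists` callback standing in for the directory uniqueness check, and the injectable `pick` function (so the random step can be made deterministic in tests) are assumptions of this example.

```python
import re
import secrets
from typing import Callable, Dict, List, Optional

# Macro forms as they appear on the page: @RandomChar:<length>:<charset>@ and @User:<attr>@.
_RANDOM_CHAR = re.compile(r"@RandomChar:(\d+):([^@]+)@")
_USER_ATTR = re.compile(r"@User:([A-Za-z0-9]+)@")


def expand_entry_id(
    template: str,
    user: Dict[str, str],
    pick: Callable[[str], str] = secrets.choice,
) -> str:
    """Expand one entry ID definition into a candidate value.

    `pick` selects one character from the charset; the default uses the
    `secrets` module so generated IDs are not predictable.
    """
    def random_chars(match: "re.Match") -> str:
        length, charset = int(match.group(1)), match.group(2)
        return "".join(pick(charset) for _ in range(length))

    def user_attr(match: "re.Match") -> str:
        # Assumed: @User:X@ resolves to the user's attribute X; unknown -> empty.
        return user.get(match.group(1), "")

    expanded = _RANDOM_CHAR.sub(random_chars, template)
    return _USER_ATTR.sub(user_attr, expanded)


def choose_entry_id(
    definitions: List[str],
    user: Dict[str, str],
    exists: Callable[[str], bool],
    pick: Callable[[str], str] = secrets.choice,
) -> Optional[str]:
    """Try each definition in order; return the first non-empty, unused value.

    `exists` is the directory uniqueness check (assumed here to be a callback).
    Returns None when every definition produced an empty or already-used value,
    which is the case the text describes for a blank setting.
    """
    for definition in definitions:
        candidate = expand_entry_id(definition, user, pick)
        if candidate and not exists(candidate):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample: the email-based ID is already taken, so the random
    # definition configured second is what ends up being used.
    taken = {"jdoe@example.com"}
    defs = ["@User:Email@", "@RandomChar:16:ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@"]
    print(choose_entry_id(defs, {"Email": "jdoe@example.com"}, lambda v: v in taken))
```

Ordering the definitions from most meaningful to most random, as in the sample, keeps readable IDs for the common case while guaranteeing a fallback that cannot collide with an existing entry.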
Label
|
Enable New User Email Verification |
Key
|
newUser.email.verification |
Navigation
|
Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile] ⇨ Enable New User Email Verification |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
True
|
Enable this option to have PWM send an email to the new user's email address before it creates the account. The new user must verify receipt of the email before PWM creates the account. All of your email settings must also be filled out before this will work. Test the email settings to verify that this email will be sent. |
Label
|
Enable New User SMS Verification |
Key
|
newUser.sms.verification |
Navigation
|
Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile] ⇨ Enable New User SMS Verification |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
False
|
Enable this option to have PWM send an SMS message to the new user's mobile phone number before it creates the account. The new user must verify receipt of the SMS message before PWM creates the account. Ensure that the user has entered their SMS information. |
Label
|
Enable New User External Verification |
Key
|
newUser.external.verification |
Navigation
|
Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile] ⇨ Enable New User External Verification |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
False
|
Enable this option to have PWM invoke the external verification method for a new user. The new user must verify the external responses before PWM creates the account. |
Label
|
Password Policy Template |
Key
|
newUser.passwordPolicy.user |
Navigation
|
Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile] ⇨ Password Policy Template |
Syntax
|
STRING |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
TESTUSER
|
Specify a valid LDAP user DN that PWM can use as a template for the new user password policy. If the value is the literal value "TESTUSER", PWM uses the configured test user's password policy as the policy for the new user prior to its actual creation in the LDAP directory. |
Label
|
New User Minimum Wait Time |
Key
|
newUser.minimumWaitTime |
Navigation
|
Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile] ⇨ New User Minimum Wait Time |
Syntax
|
DURATION |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
10
|
Specify a delay time during a new user creation. PWM delays the creation of the user for at least this amount of time before forwarding the user to the next activity.
Specify the value in seconds. |
Label
|
After Registration Redirect URL |
Key
|
newUser.redirectUrl |
Navigation
|
Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile] ⇨ After Registration Redirect URL |
Syntax
|
STRING |
Level
|
1
(Advanced)
|
Macro Support
|
True |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
URL to redirect the user to after the new user registration process is completed. |
Label
|
Prompt User for Password |
Key
|
newUser.promptForPassword |
Navigation
|
Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile] ⇨ Prompt User for Password |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
True
|
Prompt user for password during user registration. If not enabled, a random password will be assigned to the user. In most cases you will want this enabled. |
Label
|
New User Email Token Maximum Lifetime |
Key
|
newUser.token.lifetime |
Navigation
|
Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile] ⇨ New User Email Token Maximum Lifetime |
Syntax
|
DURATION |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
0
|
Specify the lifetime a new user email token is valid (in seconds). The default is 0. When set to 0, the effective value is inherited from the setting Settings ⇨ Tokens ⇨ Token Maximum Lifetime. |
Label
|
New User SMS Token Maximum Lifetime |
Key
|
newUser.token.lifetime.sms |
Navigation
|
Modules ⇨ Public ⇨ New User Registration ⇨ New User Profiles ⇨ [profile] ⇨ New User SMS Token Maximum Lifetime |
Syntax
|
DURATION |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
0
|
Specify the lifetime a new user SMS token is valid (in seconds). The default is 0. When set to 0, the effective value is inherited from the setting Settings ⇨ Tokens ⇨ Token Maximum Lifetime. |
New user self-registration settings. The new user registration module requires that the proxy user has sufficient permissions to create users and, if so configured, to check for duplicate values. PWM creates new users in the default LDAP directory profile.
Label
|
Enable New User Registration |
Key
|
newUser.enable |
Navigation
|
Modules ⇨ Public ⇨ New User Registration ⇨ New User Settings ⇨ Enable New User Registration |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
False
|
Set this option to allow PWM to enable the new user registration module and show new user registration as an option on the public menu and login pages. |
The user activation module enables users to activate an account they have not previously authenticated. The user does not need to know the password to activate the account. Configure settings so that users can only execute this function once. Existing users cannot use this function.
Label
|
Enable User Activation |
Key
|
activateUser.enable |
Navigation
|
Modules ⇨ Public ⇨ User Activation ⇨ Settings ⇨ Enable User Activation |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
False
|
Enables the new user activation module. |
Label
|
Activate User Form |
Key
|
activateUser.form |
Navigation
|
Modules ⇨ Public ⇨ User Activation ⇨ Settings ⇨ Activate User Form |
Syntax
|
FORM |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
Template | Value |
ORACLE_DS |
FormItem Name:uid
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Username"}
Description:{"":""}
|
AD |
FormItem Name:sAMAccountName
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Username"}
Description:{"":""}
|
default |
FormItem Name:cn
Type:text Min:1 Max:64 ReadOnly:false Required:true Confirm:false Unique:false Multi-Value:false Source:ldap
Label:{"":"Username"}
Description:{"":""}
|
|
Specify the form fields for the activate user module. PWM requires the users to enter each attribute specified. Ideally, add attributes that require the user to enter some personal data that is not publicly known. |
Label
|
Activation Search Filter |
Key
|
activateUser.searchFilter |
Navigation
|
Modules ⇨ Public ⇨ User Activation ⇨ Settings ⇨ Activation Search Filter |
Syntax
|
STRING |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
Specify an LDAP search filter PWM uses to search for users during user activation. Include each attribute in the Activate User Form in the LDAP search filter. PWM replaces tokens made of a form item name (such as cn) enclosed in percent signs (%cn%) with the values supplied by the user.
For example, if the Activate User Form includes the attributes cn and sn, then this filter might be appropriate:
(&(objectClass=person)(cn=%cn%)(sn=%sn%))
PWM tests any attributes listed in the form but not used in the search filter by performing an LDAP compare operation with the user-supplied value.
If this setting is left blank, PWM automatically generates a search filter based on the required items in the Activate User Search Form. |
The user activation module enables users to activate an account they have not previously authenticated. The user does not need to know the password to activate the account. Configure settings so that users can only execute this function once. Existing users cannot use this function.
Label
|
User Activation Profile Match |
Key
|
activateUser.queryMatch |
Navigation
|
Modules ⇨ Public ⇨ User Activation ⇨ User Activation Profiles ⇨ [profile] ⇨ User Activation Profile Match |
Syntax
|
USER_PERMISSION |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
Template | Value |
default |
UserPermission: LDAP Query: [Profile: 'all' Filter: (&(objectclass=person)(!(loginDisabled=TRUE))(!(loginTime=*)))] |
AD |
UserPermission: LDAP Query: [Profile: 'all' Filter: (&(objectclass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(lastLogon=0)(!(lastLogonTimestamp=*))))] |
|
Specify an LDAP filter so that PWM only activates users who match this query. Generally, you only allow users who have never been authenticated and are not disabled to activate. The default example uses the last login time attributes on the user object to determine whether the user has never logged in. It is the responsibility of the administrator to ensure this activation feature works correctly. Misconfiguration could potentially result in unintended activations occurring. |
Label
|
Unlock User During Activation |
Key
|
activateUser.allowUnlock |
Navigation
|
Modules ⇨ Public ⇨ User Activation ⇨ User Activation Profiles ⇨ [profile] ⇨ Unlock User During Activation |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
True
|
Enable this option to allow users to try to unlock their user account during activation. If enabled and the user's account is locked, PWM unlocks the account. |
Label
|
Token Send Method |
Key
|
activateUser.token.sendMethod |
Navigation
|
Modules ⇨ Public ⇨ User Activation ⇨ User Activation Profiles ⇨ [profile] ⇨ Token Send Method |
Syntax
|
SELECT |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Options
|
Stored Value | Display |
NONE |
None - Token verification will not be performed |
EMAILONLY |
Email - Send to email address |
SMSONLY |
SMS - Send via SMS |
CHOICE_SMS_EMAIL |
User Choice - If both SMS and email address is available, user decides |
|
Default
|
NONE
|
Select the methods used for sending the token code to the user. |
Label
|
Activate User Agreement Message |
Key
|
display.activateUser.agreement |
Navigation
|
Modules ⇨ Public ⇨ User Activation ⇨ User Activation Profiles ⇨ [profile] ⇨ Activate User Agreement Message |
Syntax
|
LOCALIZED_TEXT_AREA |
Level
|
1
(Advanced)
|
Macro Support
|
True |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
Specify a message to display to the users before allowing them to activate their accounts. If blank, PWM does not display the activate user agreement page to the users. This message can include HTML tags. |
Label
|
Activation Actions (Before Password Change) |
Key
|
activateUser.writePreAttributes |
Navigation
|
Modules ⇨ Public ⇨ User Activation ⇨ User Activation Profiles ⇨ [profile] ⇨ Activation Actions (Before Password Change) |
Syntax
|
ACTION |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
Add actions PWM executes after it activates the users but before it sets the password. Typically, use this to activate the account, as well as add some searchable indicator.
You can use macros. |
Label
|
Post-Activation Actions (After Password Change) |
Key
|
activateUser.writePostAttributes |
Navigation
|
Modules ⇨ Public ⇨ User Activation ⇨ User Activation Profiles ⇨ [profile] ⇨ Post-Activation Actions (After Password Change) |
Syntax
|
ACTION |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
Add actions PWM executes after it activates the users and the users have changed or set their initial passwords. Typically, use this to activate the account, as well as add some searchable indicator.
You can use macros. |
Define the challenge policy users use for populating response answers.
Label
|
Challenge Profile Match |
Key
|
challenge.policy.queryMatch |
Navigation
|
Policies ⇨ Challenge Policies ⇨ [profile] ⇨ Challenge Profile Match |
Syntax
|
USER_PERMISSION |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
UserPermission: All Users: [Profile: 'all']
|
Specify an LDAP filter to search for users that have the permissions to set up Challenge/Responses. |
Label
|
Random Questions |
Key
|
challenge.randomChallenges |
Navigation
|
Policies ⇨ Challenge Policies ⇨ [profile] ⇨ Random Questions |
Syntax
|
CHALLENGE |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
Locale: default
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:What is the name of the main character in your favorite book?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:What is the name of your favorite teacher?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:What is the name of your favorite pet?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:What was the name of your childhood best friend?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:What was your favorite show as a child?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Who is your favorite author?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:What is your favorite food?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:What is your partner's nickname?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:What is your favorite team?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:What street did you grow up on?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:What city / town were you born in?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:What is your favorite vehicle?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:If you could meet someone from history, who would it be?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:What is your least favorite film of all time?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Who was your least favorite teacher?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:What food do you dislike the most?
Locale: ca
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Com es diu el personatge principal del seu llibre preferit?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Com es diu el seu mestre preferit?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Com es diu la seva mascota preferida?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Com es deia el seu millor amic de la infància?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Quin era seu programa televisiu preferit en la infància?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Quin és el seu escriptor preferit?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Quin és el seu menjar preferit?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Quin sobrenom té la seva parella?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Quin és el seu equip preferit?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:En quin carrer va créixer?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:En quin poble o en quina ciutat va néixer?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Quin és el seu vehicle preferit?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Si pogués conèixer un personatge històric, qui triaria?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Quina és la pel·lícula que menys li ha agradat de totes les que ha vist?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Com es deia el mestre que menys li agradava?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Quin és el menjar que menys li agrada?
Locale: zh-CN
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:在您最喜爱的书中,主人公叫什么名字?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:您最喜欢的老师叫什么名字?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:您最喜爱的宠物叫什么名字?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:您儿时的好友叫什么名字?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:孩提时代,您最喜欢的节目是什么?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:您最喜欢的作者是谁?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:您最爱吃的食物是什么?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:您伴侣的绰号是什么?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:您最喜爱的球队是什么?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:您在哪条街道长大?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:您出生在哪个城市/城镇?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:您最喜欢的交通工具是什么?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:如果您可以穿越历史邂逅某个人物,此人会是谁?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:一直以来,您最不喜欢的电影是什么?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:您最不喜欢的老师是谁?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:您最不爱吃哪种食物?
Locale: zh-TW
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:您最喜愛的書籍主角姓名?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:您最喜愛的老師姓名?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:您最喜愛的寵物名字?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:您兒時摯友的姓名?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:您小時候最喜歡的節目?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:您最喜愛的作家?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:您最喜愛的食物?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:您伴侶的綽號?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:您最喜愛的運動隊伍?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:您在哪條街上長大的?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:您出生的城市/城鎮?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:您最喜愛的交通工具?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:若您可以與歷史人物見面,會是哪一位歷史人物?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:您最不喜愛的電影?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:您最不喜愛的老師?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:您最討厭的食物?
Locale: da
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Hvad hedder hovedpersonen i din yndlingsbog?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Hvad hedder din yndlingslærer?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Hvad er navnet på dit yndlingskæledyr?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Hvad hed din bedste barndomsven?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Hvad var dit yndlingsshow som barn?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Hvem er din yndlingsforfatter?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Hvad er din livret?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Hvad er din partners kaldenavn?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Hvad er dit yndlingshold?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Hvad var navnet på din barndomsgade?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Hvilken by er du født i?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Hvad er dit yndlingskøretøj?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Hvis du kunne møde en historisk person, hvem skulle det så være?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Hvilken film kan du mindst lide?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Hvilken lærer kunne du mindst lide?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Hvilken fødevare bryder du dig mindst om?
Locale: nl
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Wat is de naam van de hoofdpersoon in uw favoriete boek?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Wat is de naam van uw favoriete leraar?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Wat is de naam van uw favoriete huisdier?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Wat is de naam van uw beste jeugdvriend?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Wat was uw favoriete tv-programma als kind?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Wie is uw favoriete schrijver?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Wat is uw favoriete eten?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Wat is de bijnaam van uw partner?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Wat is uw favoriete voetbalteam?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:In welke straat bent u opgegroeid?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:In welke stad of in welk dorp bent u geboren?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Wat is uw favoriete voertuig?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Als u een bekende persoon uit het verleden zou kunnen ontmoeten, wie zou dat dan zijn?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Wat is uw minst favoriete film aller tijden?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Wie was uw minst favoriete leraar?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Welk eten vindt u het minst lekker?
Locale: en-CA
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:What is the name of the main character in your favourite book?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:What is the name of your favourite teacher?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:What is the name of your favourite pet?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:What was the name of your childhood best friend?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:What was your favourite show as a child?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Who is your favourite author?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:What is your favourite food?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:What is your partner's nickname?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:What is your favourite team?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:What street did you grow up on?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:What city/town were you born in?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:What is your favourite vehicle?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:If you could meet someone from history, who would it be?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:What is your least favourite film of all time?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Who was your least favourite teacher?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:What food do you dislike the most?
Locale: fr
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Comment s'appelle le héros de votre livre préféré ?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Comment s'appelle votre professeur préféré ?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Quel est le nom de votre animal préféré ?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Comment s'appelle votre meilleur ami d'enfance ?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Quelle était votre émission préférée lorsque vous étiez enfant ?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Qui est votre auteur préféré ?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Quel est votre plat préféré ?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Quel est le surnom de votre partenaire ?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Quelle est votre équipe préférée ?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Dans quelle rue avez-vous grandi ?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Quelle est votre ville de naissance ?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Quel est votre véhicule préféré ?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Si vous pouviez rencontrer un personnage historique, qui voudriez-vous rencontrer ?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Quel film avez-vous toujours détesté ?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Qui est le professeur que vous avez le plus détesté ?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Quel plat détestez-vous le plus ?
Locale: fr-CA
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Comment s'appelle le héros de votre livre préféré?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Comment s'appelle votre professeur préféré?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Quel est le nom de votre animal préféré?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Comment s'appelle votre meilleur ami d'enfance?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Quelle était votre émission préférée lorsque vous étiez enfant?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Qui est votre auteur préféré?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Quel est votre plat préféré?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Quel est le surnom de votre partenaire?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Quelle est votre équipe préférée?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Dans quelle rue avez-vous grandi?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Quelle est votre ville de naissance?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Quel est votre véhicule préféré?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Si vous pouviez rencontrer un personnage historique, qui voudriez-vous rencontrer?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Quel film avez-vous toujours détesté?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Qui est le professeur que vous avez le plus détesté?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Quel plat détestez-vous le plus?
Locale: de
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Wie heißt die Hauptperson in Ihrem Lieblingsbuch?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Wie heißt Ihr Lieblingslehrer?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Wie heißt Ihr Lieblingshaustier?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Wie hieß Ihr bester Freund/Ihre beste Freundin aus der Kindheit?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Welche Sendung haben Sie als Kind am liebsten angeschaut?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Wie heißt Ihr Lieblingsautor?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Was essen Sie am liebsten?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Wie lautet der Kosename Ihres Partners?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Welches ist Ihre Lieblingsmannschaft?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:In welcher Straße haben Sie als Kind gewohnt?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Wie lautet Ihr Geburtsort?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Welches ist Ihr bevorzugtes Fahrzeug?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Welche historische Persönlichkeit würden Sie gerne kennenlernen?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Wie heißt der schlechteste Film, den Sie je gesehen haben?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Wie hieß der Lehrer, den Sie am wenigsten mochten?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Was essen Sie überhaupt nicht gerne?
Locale: he
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:מהו שם הדמות הראשית בספר האהוב עליך?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:מהו שם המורה האהוב/ה עליך?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:מהו שם חיית המחמד האהובה עליך?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:מה היה שמו של חבר הילדות הטוב ביותר שלך?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:מה היתה תוכנית הטלוויזיה האהובה עליך בילדותך?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:מי הסופר האהוב עליך?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:מהו המאכל האהוב עליך?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:מהו הכינוי של בת/בן הזוג שלך?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:מהו שם הקבוצה האהובה עליך?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:באיזה רחוב גדלת?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:באיזו עיר נולדת?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:מהו הרכב האהוב עליך?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:אם היית יכול לפגוש דמות מההיסטוריה, את מי היית רוצה לפגוש?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:מהו שם הסרט הכי פחות אהוב עליך בכל הזמנים?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:מי היה המורה הכי פחות אהוב/ה עליך?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:מהו המאכל שאתה הכי לא אוהב?
Locale: it
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Come si chiama il protagonista del tuo libro preferito?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Come si chiama il tuo insegnante preferito?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Come si chiama il tuo animale domestico preferito?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Come si chiamava il tuo miglior amico dell'infanzia?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Qual era il tuo programma preferito da bambino?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Qual è il tuo autore preferito?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Qual è il tuo cibo preferito?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Qual è il soprannome del/della tuo/a partner?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Qual è la tua squadra del cuore?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:In quale via sei cresciuto/a?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:In quale città sei nato/a?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Qual è il tuo mezzo di trasporto preferito?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Se potessi incontrare un personaggio storico, chi sceglieresti?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Qual è il film che ti è piaciuto di meno in assoluto?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Quale insegnante amavi di meno?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Qual è il cibo che odi di più?
Locale: ja
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:お気に入りの本の主人公の名前は何ですか?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:お気に入りの先生の名前は何ですか?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:お気に入りのペットの名前は何ですか?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:子供の頃の親友の名前は何ですか?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:子供の頃好きだったテレビ番組は何ですか?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:好きな作家は誰ですか?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:好きな食べ物は何ですか?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:パートナーのニックネームは何ですか?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:好きなチームは何ですか?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:あなたが育った通りの名前は何ですか?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:あなたが生まれた市町村区の名前は何ですか?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:お気に入りの車は何ですか」?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:歴史上の人物に会えるとしたら、誰に会いたいですか?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:これまでに見た中で嫌いな映画は何ですか?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:嫌いな先生は誰でしたか?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:一番嫌いな食べ物は何ですか?
Locale: pl
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Jak nazywa się główny bohater Twojej ulubionej książki?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Jak nazywa się Twój ulubiony nauczyciel?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Jak nazywa się Twój ulubiony zwierzak?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Jak miał na imię Twój najlepszy kolega z dzieciństwa?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Jaki był Twój ulubiony program telewizyjny w dzieciństwie?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Kto jest Twoim ulubionym pisarzem?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Co jest Twoją ulubioną potrawą?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Jak brzmi przydomek Twojego partnera?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Jaka jest Twoja ulubiona drużyna?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Na jakiej ulicy dorastałeś(-aś)?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Jakie miasto jest miejscem Twojego urodzenia?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Jaki jest Twój ulubiony pojazd?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Gdyby było możliwe spotkanie jakiejś historycznej postaci, kto by nią był?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Jaki jest Twój ulubiony film wszechczasów?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Kto był Twoim najmniej lubianym nauczycielem?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Jakiej potrawy najbardziej nie lubisz?
Locale: pt-BR
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Qual é o nome do personagem principal do seu livro favorito?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Qual é o nome do seu professor favorito?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Qual é o nome do seu animal de estimação favorito?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Qual era o nome do seu melhor amigo de infância?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Qual era seu programa de TV favorito quando criança?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Quem é seu autor favorito?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Qual é seu prato favorito?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Qual é o apelido de seu(sua) companheiro(a)?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Qual é seu time favorito?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Em que rua você cresceu?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Em que cidade você nasceu?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Qual é seu carro favorito?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Se você pudesse conhecer um personagem histórico, quem seria?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Qual é o filme de que você menos gostou até hoje?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Qual era o professor de quem você menos gostava?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Qual é o prato de que você menos gosta?
Locale: ru
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Имя главного персонажа в вашей любимой книге.
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Имя вашего любимого учителя.
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Имя вашего любимого домашнего животного.
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Имя вашего лучшего друга детства.
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Ваше любимое шоу в детстве.
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Ваш любимый автор.
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Ваша любимая еда.
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Как вы называете своего партнера?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Ваша любимая команда.
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Улица, на которой вы выросли.
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Город (населенный пункт), в котором вы родились.
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Ваш любимый автомобиль.
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:С кем из исторических персонажей вы бы хотели встретиться?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Самый нелюбимый вами фильм за все время.
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Ваш самый нелюбимый учитель.
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Еда, которая вам не нравится больше всего.
Locale: es
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:¿Cuál es el nombre del personaje principal de su libro favorito?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:¿Cuál es el nombre de su profesor favorito?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:¿Cuál es el nombre de su mascota favorita?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:¿Cómo se llamaba su mejor amigo del colegio?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:¿Cuál era su programa de televisión favorito cuando era niño?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:¿Quién es su autor favorito?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:¿Cuál es su comida favorita?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:¿Cuál es el apodo de su pareja?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:¿Cuál es su equipo favorito?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:¿Cuál es el nombre de la calle en la que se crió?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:¿En qué ciudad nació?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:¿Cuál es su vehículo favorito?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Si pudiera conocer a algún personaje histórico, ¿quién sería?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:¿Cuál es la película que menos le gusta?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:¿Quién era el profesor que menos le gustaba?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:¿Cuál es la comida que menos le gusta?
Locale: sv
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Vad heter huvudpersonen i din favoritbok?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Vad heter din favoritlärare?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Vad heter ditt favorithusdjur?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Vad hette din bästa kompis när du var barn?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Vilket var ditt favoritprogram på TV när du var liten?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Vem är din favoritförfattare?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Vilken är din favoriträtt?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Vad är din partners smeknamn?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Vilket lag håller du på?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Vad hette gatan där du växte upp?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:I vilken stad är du född?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Vilket är ditt favoritfordon?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Om du kunde träffa en historisk person, vem skulle du välja?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Vilken film tycker du är historiens sämsta?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Vilken lärare tyckte du sämst om?
ChallengeItem: [AdminDefined: true MinLength:4 MaxLength:200 MaxQuestionCharsInAnswer:3 EnforceWordlist:true]
Text:Vilken mat tycker du sämst om?
|
Random Questions for Challenge/Response. PWM presents some of these questions to the user during forgotten password; the number presented is set in the "Minimum Random Required" setting. You can require the users to supply answers to all or some of these questions when setting up their responses; you control this with the "Minimum Random Challenges Required During Setup" setting. |
Label
|
Required Questions |
Key
|
challenge.requiredChallenges |
Navigation
|
Policies ⇨ Challenge Policies ⇨ [profile] ⇨ Required Questions |
Syntax
|
CHALLENGE |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
Required Questions for Challenge/Response. The users must supply answers to all of these questions when setting up their responses, and must answer all of them again during forgotten password. |
Label
|
Minimum Random Required |
Key
|
challenge.minRandomRequired |
Navigation
|
Policies ⇨ Challenge Policies ⇨ [profile] ⇨ Minimum Random Required |
Syntax
|
NUMERIC |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
2
|
Specify the minimum number of random questions required at time of forgotten password recovery. |
Label
|
Minimum Random Challenges Required During Setup |
Key
|
challenge.minRandomsSetup |
Navigation
|
Policies ⇨ Challenge Policies ⇨ [profile] ⇨ Minimum Random Challenges Required During Setup |
Syntax
|
NUMERIC |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
4
|
Specify the minimum number of random questions you require the users to complete during the Response Setup. If this number is higher than the number of available random questions, or lower than the Minimum Random Required value, PWM clamps it to that bound. Set the value to zero to force the users to configure all available random questions at the time of setup. |
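The per-question limits in the ChallengeItem defaults above (MinLength, MaxLength, MaxQuestionCharsInAnswer, EnforceWordlist) and the required/random counting rules described for Required Questions, Minimum Random Required and Minimum Random Challenges Required During Setup, modelled in one place. This is an added example, not PWM's own code; the word list, the questions and the answers are constructed inline, and the reading of MaxQuestionCharsInAnswer as "the answer may not contain a longer run of consecutive question characters than this" is an assumption drawn from the setting name.

```python
from __future__ import annotations
import random
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ChallengeItem:
    """One question with the per-item limits shown in the defaults above."""
    text: str
    min_length: int = 4
    max_length: int = 200
    max_question_chars_in_answer: int = 3   # assumed meaning: longest run of question text allowed in the answer
    enforce_wordlist: bool = True

# Constructed stand-in for the configured word list (the real one is far larger).
WORDLIST = {"password", "qwerty", "123456", "letmein"}

def answer_violations(item: ChallengeItem, answer: str) -> list[str]:
    """Every per-item constraint the answer breaks; an empty list means it is acceptable."""
    problems = []
    if len(answer) < item.min_length:
        problems.append(f"shorter than MinLength {item.min_length}")
    if item.max_length and len(answer) > item.max_length:
        problems.append(f"longer than MaxLength {item.max_length}")
    n = item.max_question_chars_in_answer
    if n:
        q, a = item.text.lower(), answer.lower()
        # any run of n+1 consecutive question characters inside the answer is a hit
        for start in range(len(q) - n):
            chunk = q[start:start + n + 1]
            if chunk in a:
                problems.append(f"contains {n + 1} consecutive question characters {chunk!r}")
                break
    if item.enforce_wordlist and answer.lower() in WORDLIST:
        problems.append("answer is in the word list")
    return problems

@dataclass
class ChallengePolicy:
    required: list[ChallengeItem] = field(default_factory=list)   # challenge.requiredChallenges
    randoms: list[ChallengeItem] = field(default_factory=list)    # the random question set
    min_random_required: int = 2       # challenge.minRandomRequired (presented at recovery)
    min_randoms_setup: int = 4         # challenge.minRandomsSetup (answered at setup)

    def randoms_needed_at_setup(self) -> int:
        """The adjustment rule from the description above: 0 means every random
        question; otherwise the value is clamped between Minimum Random Required
        and the number of random questions that exist."""
        available = len(self.randoms)
        if self.min_randoms_setup == 0:
            return available
        return max(self.min_random_required, min(self.min_randoms_setup, available))

    def setup_violations(self, answers: dict[str, str]) -> list[str]:
        """Check a response set submitted during Setup Security Questions."""
        problems = []
        for item in self.required:
            if item.text not in answers:
                problems.append(f"required question unanswered: {item.text!r}")
        answered_randoms = sum(1 for item in self.randoms if item.text in answers)
        needed = self.randoms_needed_at_setup()
        if answered_randoms < needed:
            problems.append(f"{answered_randoms} random questions answered, {needed} needed")
        for item in self.required + self.randoms:
            if item.text in answers:
                problems += [f"{item.text!r}: {p}" for p in answer_violations(item, answers[item.text])]
        return problems

    def recovery_challenge(self, stored_answers: dict[str, str], rng=random) -> list[str]:
        """Questions shown at Forgotten Password: every required question plus
        Minimum Random Required of the randoms this user actually answered."""
        answered = [item for item in self.randoms if item.text in stored_answers]
        picked = rng.sample(answered, min(self.min_random_required, len(answered)))
        return [item.text for item in self.required] + [item.text for item in picked]
```

With the page defaults (Minimum Random Required 2, Minimum Random Challenges Required During Setup 4) and only three random questions configured, `randoms_needed_at_setup()` returns 3: the setup value is pulled down to what exists, but never below the number that recovery will ask for.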
Label
|
Help Desk Random Questions |
Key
|
challenge.helpdesk.randomChallenges |
Navigation
|
Policies ⇨ Challenge Policies ⇨ [profile] ⇨ Help Desk Random Questions |
Syntax
|
CHALLENGE |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
Specify additional random questions to present to the help desk users. You can require the users to supply answers to all or some of these questions when setting up their responses, as controlled by the "Minimum Help Desk Random Challenges Required During Setup" setting. The questions and answers are visible to Help Desk users but are not used for forgotten password recovery. |
Label
|
Help Desk Required Questions |
Key
|
challenge.helpdesk.requiredChallenges |
Navigation
|
Policies ⇨ Challenge Policies ⇨ [profile] ⇨ Help Desk Required Questions |
Syntax
|
CHALLENGE |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
Add the questions the users must supply answers for when setting up their responses. The questions and answers are visible to Help Desk users but are not used for forgotten password recovery. |
Label
|
Minimum Help Desk Random Challenges Required During Setup |
Key
|
challenge.helpdesk.minRandomsSetup |
Navigation
|
Policies ⇨ Challenge Policies ⇨ [profile] ⇨ Minimum Help Desk Random Challenges Required During Setup |
Syntax
|
NUMERIC |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
4
|
Specify the minimum number of Help Desk random questions you require the users to complete during the Response Setup. If this number is higher than the number of available random questions, or lower than the minimum required, the system clamps it to that bound. Set this option to zero to force the users to configure all available random Help Desk Challenge/Response questions at the time of setup. |
Label
|
Password Policy Profile Match |
Key
|
password.policy.queryMatch |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Password Policy Profile Match |
Syntax
|
USER_PERMISSION |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
UserPermission: All Users: [Profile: 'all']
|
Specify a query to determine if this password policy applies to a given user. During login, if the system has not assigned a previous policy to the user, it considers the matches here and if positive, it assigns the user to this policy. |
Label
|
Minimum Length |
Key
|
password.policy.minimumLength |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Minimum Length |
Syntax
|
NUMERIC |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
2
|
Specify the minimum length of the password. A value of zero disables this check. |
Label
|
Maximum Length |
Key
|
password.policy.maximumLength |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Maximum Length |
Syntax
|
NUMERIC |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
64
|
Specify the maximum length of the password. A value of zero disables this check. Although you can set this limit to large values, the LDAP directory being used may have fixed limitations on the supported password length. |
Label
|
Maximum Repeat |
Key
|
password.policy.maximumRepeat |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Maximum Repeat |
Syntax
|
NUMERIC |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
0
|
Specify the maximum number of times any single character may appear anywhere in the password. PWM ignores case for this check. A value of zero disables this check. |
Label
|
Maximum Sequential Repeat |
Key
|
password.policy.maximumSequentialRepeat |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Maximum Sequential Repeat |
Syntax
|
NUMERIC |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
0
|
Specify the maximum number of times any character may be repeated consecutively in the password. PWM ignores case for this check. A value of zero disables this check. |
Label
|
Allow Numeric Characters |
Key
|
password.policy.allowNumeric |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Allow Numeric Characters |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
True
|
Enable this option to allow numeric characters in the password. |
Label
|
Allow First Character Numeric |
Key
|
password.policy.allowFirstCharNumeric |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Allow First Character Numeric |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
True
|
Enable this option to allow the first character of the password to be numeric. Applies only if the password policy allows numeric characters. |
Label
|
Allow Last Character Numeric |
Key
|
password.policy.allowLastCharNumeric |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Allow Last Character Numeric |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
True
|
Enable this option to allow the last character of the password to be numeric. Applies only if the password policy allows numeric characters. |
Label
|
Maximum Numeric |
Key
|
password.policy.maximumNumeric |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Maximum Numeric |
Syntax
|
NUMERIC |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
0
|
Specify the maximum number of numeric characters allowed (if the password policy allows numeric characters). A value of zero disables this check. |
Label
|
Minimum Numeric |
Key
|
password.policy.minimumNumeric |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Minimum Numeric |
Syntax
|
NUMERIC |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
0
|
Specify the minimum number of numeric characters required (if the password policy allows numeric characters). A value of zero disables this check. |
Label
|
Allow Special Characters |
Key
|
password.policy.allowSpecial |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Allow Special Characters |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
True
|
Enable this option to allow special (non alpha-numeric) characters in the password. |
Label
|
Allow First Character Special |
Key
|
password.policy.allowFirstCharSpecial |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Allow First Character Special |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
True
|
Enable this option to allow the first character of the password to be a special character. Applies only if the password policy allows special characters. |
Label
|
Allow Last Character Special |
Key
|
password.policy.allowLastCharSpecial |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Allow Last Character Special |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
True
|
Enable this option to allow the last character of the password to be a special character. Applies only if the password policy allows special characters. |
Label
|
Maximum Special |
Key
|
password.policy.maximumSpecial |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Maximum Special |
Syntax
|
NUMERIC |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
0
|
Specify the maximum number of special characters allowed (if the password policy allows special characters). A value of zero disables this check. |
Label
|
Minimum Special |
Key
|
password.policy.minimumSpecial |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Minimum Special |
Syntax
|
NUMERIC |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
0
|
Specify the minimum number of special characters required (if the password policy allows special characters). A value of zero disables this check. |
Label
|
Maximum Alphabetic |
Key
|
password.policy.maximumAlpha |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Maximum Alphabetic |
Syntax
|
NUMERIC |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
0
|
Specify the maximum number of alphabetic characters allowed. A value of zero disables this check. |
Label
|
Minimum Alphabetic |
Key
|
password.policy.minimumAlpha |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Minimum Alphabetic |
Syntax
|
NUMERIC |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
0
|
Specify the minimum number of alphabetic characters required. A value of zero disables this check. |
Label
|
Allow Non-Alphabetic Characters |
Key
|
password.policy.allowNonAlpha |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Allow Non-Alphabetic Characters |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
True
|
Enable this option to allow non-alphabetic characters in the password. |
Label
|
Maximum Non-Alphabetic |
Key
|
password.policy.maximumNonAlpha |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Maximum Non-Alphabetic |
Syntax
|
NUMERIC |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
0
|
Specify the maximum number of non-alphabetic characters allowed. A value of zero disables this check. |
Label
|
Minimum Non-Alphabetic |
Key
|
password.policy.minimumNonAlpha |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Minimum Non-Alphabetic |
Syntax
|
NUMERIC |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
0
|
Specify the minimum number of non-alphabetic characters required. A value of zero disables this check. |
Label
|
Maximum Uppercase |
Key
|
password.policy.maximumUpperCase |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Maximum Uppercase |
Syntax
|
NUMERIC |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
0
|
Specify the maximum number of uppercase characters allowed. A value of zero disables this check. |
Label
|
Minimum Uppercase |
Key
|
password.policy.minimumUpperCase |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Minimum Uppercase |
Syntax
|
NUMERIC |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
0
|
Specify the minimum number of uppercase characters required. A value of zero disables this check. |
Label
|
Maximum Lowercase |
Key
|
password.policy.maximumLowerCase |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Maximum Lowercase |
Syntax
|
NUMERIC |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
0
|
Specify the maximum number of lowercase characters allowed. A value of zero disables this check. |
Label
|
Minimum Lowercase |
Key
|
password.policy.minimumLowerCase |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Minimum Lowercase |
Syntax
|
NUMERIC |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
0
|
Specify the minimum number of lowercase characters required. A value of zero disables this check. |
Label
|
Minimum Unique Characters |
Key
|
password.policy.minimumUnique |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Minimum Unique Characters |
Syntax
|
NUMERIC |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
0
|
Specify the minimum number of unique characters required. A value of zero disables this check. |
Label
|
Maximum Characters From Previous Password |
Key
|
password.policy.maximumOldPasswordChars |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Maximum Characters From Previous Password |
Syntax
|
NUMERIC |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
0
|
Specify the maximum number of characters from the previous password allowed in the new password. A value of zero disables this check. PWM can only enforce this when the login method makes the user's current password available to it. |
Label
|
Minimum Lifetime |
Key
|
password.policy.minimumLifetime |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Minimum Lifetime |
Syntax
|
DURATION |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
0
|
Specify the minimum amount of time that must pass between password changes. Value is in seconds. A value of zero disables this check. |
Label
|
Maximum Consecutive Characters |
Key
|
password.policy.maximumConsecutive |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Maximum Consecutive Characters |
Syntax
|
NUMERIC |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
0
|
Specify the maximum number of characters allowed in a sequence such as 0123456789 or abcdefghijk. PWM determines a sequence by the Unicode code-point order of each character after converting the entire value to lowercase. A value of 0 disables this check. |
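The count-based rules from Minimum Length through Maximum Consecutive Characters, implemented together so the differences between "repeat anywhere", "repeat consecutively" and "sequence" are visible on real input. This is an added example and not PWM's code. Two readings are assumptions stated in the comments: only ascending code-point runs count as a sequence, and "characters from the previous password" is the number of distinct old-password characters that reappear in the new one.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class CountRules:
    """The count-based rules; 0 disables a check, as the page states for each one."""
    minimum_length: int = 2              # password.policy.minimumLength
    maximum_length: int = 64             # password.policy.maximumLength
    maximum_repeat: int = 0              # password.policy.maximumRepeat
    maximum_sequential_repeat: int = 0   # password.policy.maximumSequentialRepeat
    maximum_consecutive: int = 0         # password.policy.maximumConsecutive
    minimum_unique: int = 0              # password.policy.minimumUnique
    maximum_old_password_chars: int = 0  # password.policy.maximumOldPasswordChars
    allow_first_char_numeric: bool = True
    allow_last_char_numeric: bool = True
    allow_first_char_special: bool = True
    allow_last_char_special: bool = True

def is_special(ch: str) -> bool:
    """Special means neither letter nor digit (the page's 'non alpha-numeric')."""
    return not ch.isalnum()

def longest_repeat(pw: str) -> int:
    """Most occurrences of any one character anywhere in the password, ignoring case."""
    low = pw.lower()
    return max((low.count(c) for c in set(low)), default=0)

def longest_sequential_repeat(pw: str) -> int:
    """Longest run of the same character back to back, ignoring case."""
    low, best, run = pw.lower(), 0, 0
    for i, c in enumerate(low):
        run = run + 1 if i and low[i - 1] == c else 1
        best = max(best, run)
    return best

def longest_sequence(pw: str) -> int:
    """Longest run where each code point is the previous one plus 1 (0123, abcd),
    evaluated after lowercasing. Assumption: only ascending runs count."""
    low, best, run = pw.lower(), 0, 0
    for i, c in enumerate(low):
        run = run + 1 if i and ord(c) == ord(low[i - 1]) + 1 else 1
        best = max(best, run)
    return best

def shared_old_chars(pw: str, old_pw: str) -> int:
    """Distinct characters of the previous password that reappear in the new one,
    ignoring case. Assumption: this is how the old-password rule counts."""
    return len(set(old_pw.lower()) & set(pw.lower()))

def count_violations(rules: CountRules, pw: str, old_pw: str | None = None) -> list[str]:
    """Keys of every rule the candidate breaks; an empty list means it passes."""
    v = []
    if rules.minimum_length and len(pw) < rules.minimum_length:
        v.append("minimumLength")
    if rules.maximum_length and len(pw) > rules.maximum_length:
        v.append("maximumLength")
    if rules.maximum_repeat and longest_repeat(pw) > rules.maximum_repeat:
        v.append("maximumRepeat")
    if rules.maximum_sequential_repeat and longest_sequential_repeat(pw) > rules.maximum_sequential_repeat:
        v.append("maximumSequentialRepeat")
    if rules.maximum_consecutive and longest_sequence(pw) > rules.maximum_consecutive:
        v.append("maximumConsecutive")
    if rules.minimum_unique and len(set(pw.lower())) < rules.minimum_unique:
        v.append("minimumUnique")
    if (rules.maximum_old_password_chars and old_pw is not None
            and shared_old_chars(pw, old_pw) > rules.maximum_old_password_chars):
        v.append("maximumOldPasswordChars")
    if pw:
        if not rules.allow_first_char_numeric and pw[0].isdigit():
            v.append("allowFirstCharNumeric")
        if not rules.allow_last_char_numeric and pw[-1].isdigit():
            v.append("allowLastCharNumeric")
        if not rules.allow_first_char_special and is_special(pw[0]):
            v.append("allowFirstCharSpecial")
        if not rules.allow_last_char_special and is_special(pw[-1]):
            v.append("allowLastCharSpecial")
    return v
```

Note that a Maximum Repeat of 2 rejects "abcd1111" even though no digit is repeated more than the Maximum Sequential Repeat setting would notice if that were the only rule enabled; the two settings answer different questions, and a policy usually wants both.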
Label
|
Minimum Password Strength |
Key
|
password.policy.minimumStrength |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Minimum Password Strength |
Syntax
|
NUMERIC |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
0
|
Specify the minimum password strength. PWM rates password strength on a scale of 0 to 100 irrespective of the other password policy settings. This setting requires that the users choose a password that meets the minimum strength specified here, regardless of the other password policy rules. "Good" is 45 or better, while 70 or better is considered "strong". A value of 0 disables this check. |
Label
|
Enforce Word List |
Key
|
password.policy.checkWordlist |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Enforce Word List |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
True
|
Enable this option to check the password against the configured Word List. |
Label
|
Active Directory Password Complexity |
Key
|
password.policy.ADComplexityLevel |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Active Directory Password Complexity |
Syntax
|
SELECT |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Options
|
Stored Value | Display |
NONE |
None - Do not enforce AD Complexity Rules |
AD2003 |
AD 2003 Level Complexity |
AD2008 |
AD 2008 Level Complexity |
|
Default
|
Template | Value |
default |
NONE |
AD |
AD2003 |
|
Select the Microsoft Active Directory style password complexity rules.
AD 2003 Level Complexity:
- Cannot contain the user's account name or parts of the user's full name that exceed two consecutive characters
- Minimum 6 characters
- Maximum 128 characters
- Must contain characters from three of the following four categories:
  - English uppercase characters (A through Z)
  - English lowercase characters (a through z)
  - Base 10 digits (0 through 9)
  - Non-alphanumeric characters (for example, !, $, #, %)
AD 2008 Level Complexity:
- Cannot contain the user's account name or parts of the user's full name that exceed two consecutive characters
- Minimum 6 characters
- Maximum 512 characters
- Must contain characters from several of the following five categories. The setting Policies ⇨ Password Policies ⇨ [profile] ⇨ Active Directory 2008 Password Complexity Maximum Violations specifies how many of these categories the password may fail to contain.
  - European language uppercase alphabetic characters
  - European language lowercase alphabetic characters
  - Base 10 digits (0 through 9)
  - Non-alphanumeric characters (for example, !, $, #, %)
  - Other alphabetic characters not included in the other categories
|
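The two Active Directory complexity levels listed above, as an added example that is not PWM or Microsoft code. The category tests follow the bullet lists on this page; the name handling follows Microsoft's documented behaviour for this policy (the account name is checked as a whole and skipped if shorter than three characters, the display name is split on commas, periods, dashes, underscores, spaces, pound signs and tabs, and tokens of three or more characters may not appear in the password), which PWM is assumed to mirror. The sample names are constructed.

```python
from __future__ import annotations
import re

# Microsoft's display-name delimiters; tokens shorter than three characters are ignored.
NAME_DELIMS = re.compile(r"[,.\-_ #\t]+")

def name_tokens(full_name: str) -> list[str]:
    return [t for t in NAME_DELIMS.split(full_name) if len(t) >= 3]

def ad2003_categories(pw: str) -> int:
    """Number of the four AD 2003 categories present in the password."""
    return sum([
        any("A" <= c <= "Z" for c in pw),   # English uppercase
        any("a" <= c <= "z" for c in pw),   # English lowercase
        any("0" <= c <= "9" for c in pw),   # base 10 digits
        any(not c.isalnum() for c in pw),   # non-alphanumeric
    ])

def ad2008_categories(pw: str) -> int:
    """Number of the five AD 2008 categories present in the password."""
    return sum([
        any(c.isalpha() and c.isupper() for c in pw),                     # European uppercase
        any(c.isalpha() and c.islower() for c in pw),                     # European lowercase
        any("0" <= c <= "9" for c in pw),                                 # base 10 digits
        any(not c.isalnum() for c in pw),                                 # non-alphanumeric
        any(c.isalpha() and not c.isupper() and not c.islower() for c in pw),  # caseless alphabetic (e.g. CJK)
    ])

def ad_complexity_violations(pw: str, account_name: str, full_name: str,
                             level: str = "AD2003", max_violations: int = 2) -> list[str]:
    """Apply the selected level; max_violations is the AD 2008 setting (page default 2)."""
    if level == "NONE":
        return []
    v, low = [], pw.lower()
    if len(account_name) >= 3 and account_name.lower() in low:
        v.append("contains account name")
    v += [f"contains name part {t!r}" for t in name_tokens(full_name) if t.lower() in low]
    if len(pw) < 6:
        v.append("shorter than 6")
    if level == "AD2003":
        if len(pw) > 128:
            v.append("longer than 128")
        if ad2003_categories(pw) < 3:
            v.append("fewer than 3 of 4 categories")
    else:  # AD2008
        if len(pw) > 512:
            v.append("longer than 512")
        needed = 5 - max_violations
        if ad2008_categories(pw) < needed:
            v.append(f"fewer than {needed} of 5 categories")
    return v
```

With the page default of 2 maximum violations, AD 2008 behaves as "3 of 5"; raising the setting to 3 makes "abcdefg1" (lowercase plus digits only) acceptable, which is the knob a profile turns when it also carries stricter per-class minimums elsewhere.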
Label
|
Active Directory 2008 Password Complexity Maximum Violations |
Key
|
password.policy.ADComplexityMaxViolations |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Active Directory 2008 Password Complexity Maximum Violations |
Syntax
|
NUMERIC |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
2
|
Specify the maximum number of Active Directory 2008 Level Complexity categories a password may fail to contain. This setting has no effect unless the setting Policies ⇨ Password Policies ⇨ [profile] ⇨ Active Directory Password Complexity is set to AD 2008 Level Complexity. |
Label
|
Required Regular Expression Matches |
Key
|
password.policy.regExMatch |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Required Regular Expression Matches |
Syntax
|
STRING_ARRAY |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
Specify a regular expression pattern the password must match for the system to allow it. You can list multiple patterns; the password must match every one. A pattern must match the entire password for the system to apply it; PWM ignores a partial match. You can use macros. |
Label
|
Disallowed Regular Expression Matches |
Key
|
password.policy.regExNoMatch |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Disallowed Regular Expression Matches |
Syntax
|
STRING_ARRAY |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
Specify a regular expression pattern the password must not match for the system to allow it. You can list multiple patterns; a password that matches any of them is rejected. A pattern must match the entire password for the system to apply it; PWM ignores a partial match. You can use macros. |
Label
|
Disallowed Values |
Key
|
password.policy.disallowedValues |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Disallowed Values |
Syntax
|
STRING_ARRAY |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
password
test
|
Specify a case insensitive list of values PWM does not allow the users to use as passwords. |
Label
|
Disallowed Attributes |
Key
|
password.policy.disallowedAttributes |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Disallowed Attributes |
Syntax
|
STRING_ARRAY |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
cn
givenName
sn
|
Specify a list of attributes whose values are not allowed to be used as passwords. For a given user, PWM reads the values and does not permit them to be used as part of the password value. This check is case-insensitive. Note: Specifying a number after the attribute name restricts how many consecutive characters of the value PWM disallows (for example, "Language:4" means that for English-speaking users the password cannot contain "Engl", "ngli", "glis", or "lish"). |
Label
|
Password Change Message |
Key
|
password.policy.changeMessage |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Password Change Message |
Syntax
|
LOCALIZED_TEXT_AREA |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
Specify a message PWM displays to the users during password changes. The message may include HTML markup. A change password message read as part of an LDAP password policy overrides this setting. |
Label
|
Password Rule Text |
Key
|
password.policy.ruleText |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Password Rule Text |
Syntax
|
LOCALIZED_TEXT_AREA |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
When blank, PWM displays an automatically generated rule list to the user. The automated rule list may not include every setting in the password policy: some of the more esoteric or difficult-to-communicate rules do not appear in it, so that the users are not overwhelmed by having to read and parse the rules before attempting to change their passwords. Should the user type a password that conflicts with such a rule, the per-keystroke rule checker gives direct feedback on how to correct the problem.
If you do not want the automatically generated rule list, you can override it by setting a value here. The field permits HTML tags. |
Label
|
Disallow Current Password |
Key
|
password.policy.disallowCurrent |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Disallow Current Password |
Syntax
|
BOOLEAN |
Level
|
2 |
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
True
|
Enable this option to prohibit the current password from being used as a new password. Note: PWM can only enforce this if the login method permits the user's password to be known. |
Label
|
Minimum Character Groups Required |
Key
|
password.policy.charGroup.minimumMatch |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Minimum Character Groups Required |
Syntax
|
NUMERIC |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
0
|
Specify the minimum number of the regular expressions defined in the setting Policies ⇨ Password Policies ⇨ [profile] ⇨ Character Group Definitions that the password must match. A value of zero disables this check. |
Label
|
Character Group Definitions |
Key
|
password.policy.charGroup.regExValues |
Navigation
|
Policies ⇨ Password Policies ⇨ [profile] ⇨ Character Group Definitions |
Syntax
|
STRING_ARRAY |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
.*[0-9]
.*[a-z]
.*[A-Z]
.*[^A-Za-z0-9]
|
Add a list of regular expressions, each defining a character group. Along with the setting Policies ⇨ Password Policies ⇨ [profile] ⇨ Minimum Character Groups Required, this setting allows you to create a complex list of requirements of which the user only needs to match a subset. For example, you can use this type of policy to replicate the Active Directory "3 out of 5" rule, but with more flexibility and customization. |
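The two settings above combined, as an added example in Python (not PWM's own code): a password is checked against the default character group expressions and a minimum match count, and the unmatched groups are reported for per-keystroke feedback. It assumes each expression is applied as an unanchored regular expression search.

```python
import re

# Default "Character Group Definitions" as listed in the setting above.
DEFAULT_CHAR_GROUPS = [
    r".*[0-9]",          # at least one digit
    r".*[a-z]",          # at least one lowercase letter
    r".*[A-Z]",          # at least one uppercase letter
    r".*[^A-Za-z0-9]",   # at least one non-alphanumeric character
]


def matched_groups(password, char_groups=DEFAULT_CHAR_GROUPS):
    """Return the group expressions that the password matches, in definition order.

    Assumption (not confirmed by the page): each expression is applied as an
    unanchored search, so the leading '.*' in the defaults is harmless.
    """
    return [g for g in char_groups if re.search(g, password)]


def meets_char_group_policy(password, minimum_match, char_groups=DEFAULT_CHAR_GROUPS):
    """True when the password matches at least `minimum_match` of the groups.

    With minimum_match 0 (the page's default) the check is disabled: the group
    definitions enforce nothing until the minimum is raised above zero.
    """
    if minimum_match <= 0:
        return True
    return len(matched_groups(password, char_groups)) >= minimum_match


def explain_shortfall(password, minimum_match, char_groups=DEFAULT_CHAR_GROUPS):
    """Return the unmatched groups when the policy fails, else an empty list.

    This is the information a per-keystroke checker needs in order to tell the
    user which of the partially-required groups are still missing.
    """
    if meets_char_group_policy(password, minimum_match, char_groups):
        return []
    matched = set(matched_groups(password, char_groups))
    return [g for g in char_groups if g not in matched]


if __name__ == "__main__":
    # "3 out of 4" policy over the default groups, with constructed sample passwords.
    for candidate in ("Password1", "password", "Passw0rd!"):
        ok = meets_char_group_policy(candidate, 3)
        print(candidate, "ok" if ok else "missing", explain_shortfall(candidate, 3))
```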
Application
Label
|
App Property Overrides |
Key
|
pwm.appProperty.overrides |
Navigation
|
Settings ⇨ Application ⇨ App Property Overrides |
Syntax
|
STRING_ARRAY |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
|
(Troubleshooting only) Specify override values for application properties. Do not use unless directed to by a support expert. |
Label
|
Hide Configuration Health Warnings |
Key
|
display.hideConfigHealthWarnings |
Navigation
|
Settings ⇨ Application ⇨ Hide Configuration Health Warnings |
Syntax
|
BOOLEAN |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
False
|
Enable this option to hide health warnings about configuration issues from the health status monitors. |
Label
|
Site URL |
Key
|
pwm.selfURL |
Navigation
|
Settings ⇨ Application ⇨ Site URL |
Syntax
|
STRING |
Level
|
0
(Normal)
|
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
|
The URL to this application, as seen by users. PWM uses the value in email macros and other user-facing communications. The URL must use a valid fully qualified hostname; do not use a network address. In simple environments, the URL is the base of the URL shown in the browser you are currently using to view this page. In more complex environments, the URL is typically that of an upstream proxy, gateway or network device. The URL should include the path to the base application, typically /pwm. |
Auditing
Label
|
System Audit Event Types |
Key
|
audit.system.eventList |
Navigation
|
Settings ⇨ Auditing ⇨ Audit Configuration ⇨ System Audit Event Types |
Syntax
|
OPTIONLIST |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Options
|
Stored Value | Display |
STARTUP |
Startup |
SHUTDOWN |
Shutdown |
FATAL_EVENT |
Fatal Event |
MODIFY_CONFIGURATION |
Modify Configuration |
INTRUDER_ATTEMPT |
Non-User Intruder Attempt |
INTRUDER_LOCK |
Non-User Intruder Lock |
|
Default
|
FATAL_EVENT
INTRUDER_LOCK
MODIFY_CONFIGURATION
SHUTDOWN
STARTUP
|
Select system event types to record and act upon. |
Label
|
User Audit Event Types |
Key
|
audit.user.eventList |
Navigation
|
Settings ⇨ Auditing ⇨ Audit Configuration ⇨ User Audit Event Types |
Syntax
|
OPTIONLIST |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Options
|
Stored Value | Display |
AUTHENTICATE |
Authenticate |
AGREEMENT_PASSED |
Agreement Passed |
CHANGE_PASSWORD |
Change Password |
UNLOCK_PASSWORD |
Unlock Password |
RECOVER_PASSWORD |
Recover Password |
SET_RESPONSES |
Set Responses |
SET_OTP_SECRET |
Set OTP |
ACTIVATE_USER |
Activate User |
CREATE_USER |
New User |
UPDATE_PROFILE |
Update Profile |
DELETE_ACCOUNT |
Delete Account |
INTRUDER_USER_LOCK |
Intruder User Lock |
INTRUDER_USER_ATTEMPT |
Intruder User Attempt |
TOKEN_ISSUED |
Token Issued |
TOKEN_CLAIMED |
Token Claimed |
CLEAR_RESPONSES |
Clear Responses |
HELPDESK_SET_PASSWORD |
Helpdesk Set Password |
HELPDESK_UNLOCK_PASSWORD |
Helpdesk Unlock Password |
HELPDESK_CLEAR_RESPONSES |
Helpdesk Clear Responses |
HELPDESK_CLEAR_OTP_SECRET |
Helpdesk Clear OTP |
HELPDESK_DELETE_USER |
Helpdesk Delete User |
HELPDESK_VIEW_DETAIL |
Helpdesk View Detail |
HELPDESK_ACTION |
Helpdesk Action |
HELPDESK_VERIFY_OTP |
Helpdesk Verify OTP |
HELPDESK_VERIFY_OTP_INCORRECT |
Helpdesk Incorrect Verify OTP |
HELPDESK_VERIFY_TOKEN |
Helpdesk Verify Token |
HELPDESK_VERIFY_TOKEN_INCORRECT |
Helpdesk Incorrect Verify Token |
HELPDESK_VERIFY_ATTRIBUTES |
Helpdesk Verify Attributes |
HELPDESK_VERIFY_ATTRIBUTES_INCORRECT |
Helpdesk Incorrect Verify Attributes |
|
Default
|
ACTIVATE_USER
AGREEMENT_PASSED
AUTHENTICATE
CHANGE_PASSWORD
CLEAR_RESPONSES
CREATE_USER
DELETE_ACCOUNT
HELPDESK_ACTION
HELPDESK_CLEAR_OTP_SECRET
HELPDESK_CLEAR_RESPONSES
HELPDESK_DELETE_USER
HELPDESK_SET_PASSWORD
HELPDESK_UNLOCK_PASSWORD
HELPDESK_VERIFY_ATTRIBUTES
HELPDESK_VERIFY_ATTRIBUTES_INCORRECT
HELPDESK_VERIFY_OTP
HELPDESK_VERIFY_OTP_INCORRECT
HELPDESK_VERIFY_TOKEN
HELPDESK_VERIFY_TOKEN_INCORRECT
HELPDESK_VIEW_DETAIL
INTRUDER_USER_LOCK
RECOVER_PASSWORD
SET_OTP_SECRET
SET_RESPONSES
TOKEN_CLAIMED
TOKEN_ISSUED
UNLOCK_PASSWORD
UPDATE_PROFILE
|
Select user event types to record and act upon. |
Label
|
LocalDB Audit Events Storage Max Age |
Key
|
events.audit.maxAge |
Navigation
|
Settings ⇨ Auditing ⇨ Audit Configuration ⇨ LocalDB Audit Events Storage Max Age |
Syntax
|
DURATION |
Level
|
2 |
Required
|
True |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
15552000
|
Specify the maximum age (in seconds) of the local audit event log. The default is 30 days. |
Label
|
LocalDB Audit Events Storage Max Events |
Key
|
events.audit.maxEvents |
Navigation
|
Settings ⇨ Auditing ⇨ Audit Configuration ⇨ LocalDB Audit Events Storage Max Events |
Syntax
|
NUMERIC |
Level
|
2 |
Required
|
True |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
1000000
|
Specify the maximum count of events in the local audit event log. The default is 1000000. |
Auditing
Label
|
System Audit Event Email Alerts |
Key
|
email.adminAlert.toAddress |
Navigation
|
Settings ⇨ Auditing ⇨ Audit Forwarding ⇨ System Audit Event Email Alerts |
Syntax
|
STRING_ARRAY |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
|
Specify one or more email addresses to which PWM sends an email when System Audit events occur. |
Label
|
User Audit Event Email Alerts |
Key
|
audit.userEvent.toAddress |
Navigation
|
Settings ⇨ Auditing ⇨ Audit Forwarding ⇨ User Audit Event Email Alerts |
Syntax
|
STRING_ARRAY |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
|
Specify one or more email addresses that the system sends an email to when the User Audit events occur. |
Label
|
Syslog Audit Server |
Key
|
audit.syslog.servers |
Navigation
|
Settings ⇨ Auditing ⇨ Audit Forwarding ⇨ Syslog Audit Server |
Syntax
|
STRING_ARRAY |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
|
Specify one or more entries of connection information for syslog audit servers. When configured, PWM forwards all audit events to the syslog server given as the first entry. If delivery to the first entry fails, the remaining entries are tried in order until delivery succeeds. The format is <protocol>,<address>,<port>. The value for <protocol> can be UDP, TCP or TLS. We recommend placing any UDP entry last in the list, because UDP does not report a delivery failure and so no entry after it would ever be tried.
Examples:
Protocol | Address | Port | Setting |
UDP | 127.0.0.1 | 514 | udp,127.0.0.1,514 |
TCP | central-syslog.example.com | 514 | tcp,central-syslog.example.com,514 |
TLS | secure-syslog.example.com | 6514 | tls,secure-syslog.example.com,6514 |
|
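A parser and lint for the <protocol>,<address>,<port> entries described above, plus a simulated failover walk, written as an added example (not PWM's code). The delivery function takes a stand-in `send` callable so the ordering rule can be exercised offline; the entries in the test are the page's own examples.

```python
from dataclasses import dataclass

VALID_PROTOCOLS = ("udp", "tcp", "tls")


@dataclass(frozen=True)
class SyslogServer:
    protocol: str
    address: str
    port: int


def parse_syslog_server(entry):
    """Parse one '<protocol>,<address>,<port>' entry.

    Raises ValueError for input outside the documented format: wrong field
    count, unknown protocol, empty address, or a port outside 1-65535.
    """
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) != 3:
        raise ValueError(f"expected 3 comma-separated fields: {entry!r}")
    protocol, address, port_text = parts
    protocol = protocol.lower()
    if protocol not in VALID_PROTOCOLS:
        raise ValueError(f"unknown protocol {protocol!r} in {entry!r}")
    if not address:
        raise ValueError(f"empty address in {entry!r}")
    if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
        raise ValueError(f"invalid port {port_text!r} in {entry!r}")
    return SyslogServer(protocol, address, int(port_text))


def parse_syslog_servers(entries):
    """Parse the whole STRING_ARRAY value, preserving the configured order."""
    return [parse_syslog_server(e) for e in entries]


def lint_syslog_servers(servers):
    """Return configuration warnings a reviewer would raise on this list.

    A UDP entry anywhere but last never reports failure, so the entries after
    it are dead configuration (the page's reason for putting UDP last). A list
    with no TLS entry forwards audit events without transport encryption.
    """
    warnings = []
    for i, s in enumerate(servers):
        if s.protocol == "udp" and i != len(servers) - 1:
            warnings.append(
                f"entry {i + 1}: UDP server {s.address} is not last; "
                f"entries after it will never be tried")
    if servers and all(s.protocol != "tls" for s in servers):
        warnings.append("no TLS entry: audit events are forwarded without transport encryption")
    return warnings


def deliver_with_failover(servers, send):
    """Try each server in order; return the index that accepted the event, or None.

    `send` is a callable SyslogServer -> bool standing in for the real transport.
    """
    for i, s in enumerate(servers):
        if send(s):
            return i
    return None


if __name__ == "__main__":
    configured = parse_syslog_servers([
        "tls,secure-syslog.example.com,6514",
        "tcp,central-syslog.example.com,514",
        "udp,127.0.0.1,514",
    ])
    print(lint_syslog_servers(configured))  # expected: []
    # Simulate the TLS server being down: delivery falls through to TCP (index 1).
    print(deliver_with_failover(configured, lambda s: s.protocol == "tcp"))
```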
Label
|
Syslog Audit Server Certificates |
Key
|
audit.syslog.certificates |
Navigation
|
Settings ⇨ Auditing ⇨ Audit Forwarding ⇨ Syslog Audit Server Certificates |
Syntax
|
X509CERT |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
|
Import the TLS certificate of the syslog service. |
Label
|
Syslog Output Format |
Key
|
audit.syslog.outputFormat |
Navigation
|
Settings ⇨ Auditing ⇨ Audit Forwarding ⇨ Syslog Output Format |
Syntax
|
SELECT |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Options
|
Stored Value | Display |
JSON |
JSON |
CEF |
CEF |
|
Default
|
JSON
|
Select a style for the syslog output syntax. The default JSON syntax can be used for typical syslog servers. The Common Event Format (CEF) can be used for CEF compatible audit servers. |
Captcha functionality uses an implementation of reCAPTCHA to prevent non-human attacks. If this server faces the public internet, it is strongly recommended to enable the CAPTCHA functionality. reCAPTCHA information can be found at http://www.google.com/recaptcha/
Registration at the reCAPTCHA site provides a site key and secret which you must configure here for reCAPTCHA support.
Label
|
reCAPTCHA Site Key |
Key
|
captcha.recaptcha.publicKey |
Navigation
|
Settings ⇨ Captcha ⇨ reCAPTCHA Site Key |
Syntax
|
STRING |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
Add a public reCAPTCHA key. If blank, PWM does not perform the CAPTCHA verification. |
Label
|
reCAPTCHA Secret |
Key
|
captcha.recaptcha.privateKey |
Navigation
|
Settings ⇨ Captcha ⇨ reCAPTCHA Secret |
Syntax
|
PASSWORD |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
True |
Scope
|
DOMAIN |
Default
|
*hidden*
|
Add a private reCAPTCHA key. If blank, PWM does not perform the CAPTCHA verification. |
Label
|
CAPTCHA Protected Pages |
Key
|
captcha.protectedPages |
Navigation
|
Settings ⇨ Captcha ⇨ CAPTCHA Protected Pages |
Syntax
|
OPTIONLIST |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Options
|
Stored Value | Display |
LOGIN |
Login Form |
FORGOTTEN_PASSWORD |
Forgotten Password |
FORGOTTEN_USERNAME |
Forgotten Username |
USER_ACTIVATION |
User Activation |
NEW_USER_REGISTRATION |
New User Registration |
|
Default
|
NEW_USER_REGISTRATION
|
Select the pages PWM protects with CAPTCHA. PWM requires the CAPTCHA validation only once per session. Thus, after a user passes the CAPTCHA validation during a session, PWM does not force the user to pass the CAPTCHA again despite the user accessing a second module enabled here. |
Label
|
CAPTCHA Skip Parameter Value |
Key
|
captcha.skip.param |
Navigation
|
Settings ⇨ Captcha ⇨ CAPTCHA Skip Parameter Value |
Syntax
|
STRING |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
Specify the value of a request parameter named "skipCaptcha" that allows PWM to skip the CAPTCHA request. This is useful for "internal" clients or links where the CAPTCHA is unnecessary.
For example, if the value is 'okay', a request to:
/public/forgottenpassword?skipCaptcha=okay
causes PWM to bypass the CAPTCHA. |
Label
|
CAPTCHA Skip Cookie |
Key
|
captcha.skip.cookie |
Navigation
|
Settings ⇨ Captcha ⇨ CAPTCHA Skip Cookie |
Syntax
|
STRING |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
Specify a known value for a browser cookie named 'captcha-key'. If the value of the browser cookie matches, PWM skips the CAPTCHA request. PWM stores the cookie value in the browser after a successful CAPTCHA check.
If blank, PWM neither stores nor reads the browser cookie. If set to 'INSTANCEID', PWM uses the instance ID as the value. If set to any other value, PWM uses the literal value. |
Label
|
CAPTCHA Intruder Attempt Trigger |
Key
|
captcha.intruderAttemptTrigger |
Navigation
|
Settings ⇨ Captcha ⇨ CAPTCHA Intruder Attempt Trigger |
Syntax
|
NUMERIC |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
0
|
Specify the number of intruder attempts before PWM requires CAPTCHA. If set to 0, PWM ignores the intruder attempt count and always requires CAPTCHA. PWM counts intruder attempts for the current session and for the source network address.
The recommended value for this setting is 0. Determined network attackers might be able to bypass the CAPTCHA verification altogether if you use a non-zero value. |
Label
|
reCAPTCHA Mode |
Key
|
captcha.recaptcha.mode |
Navigation
|
Settings ⇨ Captcha ⇨ reCAPTCHA Mode |
Syntax
|
SELECT |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Options
|
Stored Value | Display |
V2 |
reCaptcha Version 2 |
V2_INVISIBLE |
reCaptcha Version 2 - Invisible |
|
Default
|
V2
|
Select the reCaptcha mode to use. |
Advanced database configuration settings.
Label
|
Database Key Column Type |
Key
|
db.columnType.key |
Navigation
|
Settings ⇨ Database (Remote) ⇨ Advanced ⇨ Database Key Column Type |
Syntax
|
STRING |
Level
|
2 |
Required
|
True |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
Template | Value |
default |
VARCHAR |
DB_ORACLE |
VARCHAR2 |
|
Specify the database column type for key columns. PWM uses the column type only during schema creation. All tables have two columns: a key column and a value column. For most databases the standard VARCHAR column type is appropriate for the key column, since the data stored there is generally US-ASCII keys. |
Label
|
Database Value Column Type |
Key
|
db.columnType.value |
Navigation
|
Settings ⇨ Database (Remote) ⇨ Advanced ⇨ Database Value Column Type |
Syntax
|
STRING |
Level
|
2 |
Required
|
True |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
Template | Value |
default |
TEXT |
DB_ORACLE |
CLOB |
|
Specify the database column type for value columns. PWM uses the column type only during schema creation. All tables have two columns: a key column and a value column. For most databases the standard TEXT column type is appropriate for the value column, since the data stored there is generally UTF-8 text such as XML, JSON, or other text-based value data. |
Label
|
Database Trace Logging |
Key
|
db.debugTrace.enable |
Navigation
|
Settings ⇨ Database (Remote) ⇨ Advanced ⇨ Database Trace Logging |
Syntax
|
BOOLEAN |
Level
|
2 |
Required
|
True |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
False
|
Enable this option to allow PWM to log the database read/write activity and data to the TRACE debug output. Warning! Enabling this option can cause PWM to send security-sensitive information to the debug output, including passwords. |
Settings
Label
|
Database Driver |
Key
|
db.jdbc.driver |
Navigation
|
Settings ⇨ Database (Remote) ⇨ Connection ⇨ Database Driver |
Syntax
|
FILE |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
[]
|
Upload the remote database JDBC Driver JAR or ZIP file supplied by the database vendor. The file must be under 10MB in size to upload. PWM stores the file contents as part of the application configuration file. |
Label
|
Database Class |
Key
|
db.classname |
Navigation
|
Settings ⇨ Database (Remote) ⇨ Connection ⇨ Database Class |
Syntax
|
STRING |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
|
Add the remote database JDBC driver class name. Consult the database vendor to determine the correct class name for your database.
Database Type | Example Class Name |
MS-SQL | com.microsoft.sqlserver.jdbc.SQLServerDriver |
MS-SQL using jTDS | net.sourceforge.jtds.jdbc.Driver |
Oracle | oracle.jdbc.OracleDriver |
|
Label
|
Database Connection String |
Key
|
db.url |
Navigation
|
Settings ⇨ Database (Remote) ⇨ Connection ⇨ Database Connection String |
Syntax
|
STRING |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
|
Specify the remote database connection string in standard JDBC format. Your database administrator can help you with this setting. This setting configures the Java JDBC database driver with the information required to reach your database server, such as IP address, port number, and DB name.
Database Type | Example Connection String |
MS-SQL | jdbc:sqlserver://host.example.net:port;databaseName=PWM |
MS-SQL using jTDS | jdbc:jtds:sqlserver://host.example.net:port/PWM |
Oracle | jdbc:oracle:thin:@//host.example.net:1521/PWM |
|
Label
|
Database User Name |
Key
|
db.username |
Navigation
|
Settings ⇨ Database (Remote) ⇨ Connection ⇨ Database User Name |
Syntax
|
STRING |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
|
Specify the remote database connection user name. |
Label
|
Database Password |
Key
|
db.password |
Navigation
|
Settings ⇨ Database (Remote) ⇨ Connection ⇨ Database Password |
Syntax
|
PASSWORD |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
True |
Scope
|
SYSTEM |
Default
|
*hidden*
|
Specify the remote database connection password. |
Label
|
Database Vendor |
Key
|
db.vendor.template |
Navigation
|
Settings ⇨ Database (Remote) ⇨ Connection ⇨ Database Vendor |
Syntax
|
SELECT |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Options
|
Stored Value | Display |
DB_ORACLE |
Oracle |
DB_OTHER |
Other |
|
Default
|
DB_ORACLE
|
Select the vendor of the remote database. |
Email Servers
Label
|
SMTP Server Address |
Key
|
email.smtp.address |
Navigation
|
Settings ⇨ Email ⇨ Email Servers ⇨ [profile] ⇨ SMTP Server Address |
Syntax
|
STRING |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
|
Specify the address of the SMTP server that sends the emails PWM generates. Removing this setting prevents PWM from sending any emails. Ensure that the server specified here allows relaying from PWM. For best results, use a local SMTP server. |
Label
|
SMTP Connection Type |
Key
|
email.smtp.type |
Navigation
|
Settings ⇨ Email ⇨ Email Servers ⇨ [profile] ⇨ SMTP Connection Type |
Syntax
|
SELECT |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Options
|
Stored Value | Display |
SMTP |
SMTP (Plaintext) |
START_TLS |
StartTLS |
SMTPS |
SMTPS (SSL/TLS) |
|
Default
|
SMTP
|
The type of connection to use for the SMTP session. |
Label
|
SMTP Server Port |
Key
|
email.smtp.port |
Navigation
|
Settings ⇨ Email ⇨ Email Servers ⇨ [profile] ⇨ SMTP Server Port |
Syntax
|
NUMERIC |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
25
|
Specify the network port number for the SMTP server. |
Label
|
SMTP Server Certificates |
Key
|
email.smtp.serverCerts |
Navigation
|
Settings ⇨ Email ⇨ Email Servers ⇨ [profile] ⇨ SMTP Server Certificates |
Syntax
|
X509CERT |
Level
|
0
(Normal)
|
Required
|
True |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
|
Certificates used for secure communication with the server. If no certificates are specified, the default Java trust store is used for certificate validation. |
Label
|
SMTP Server User Name |
Key
|
email.smtp.username |
Navigation
|
Settings ⇨ Email ⇨ Email Servers ⇨ [profile] ⇨ SMTP Server User Name |
Syntax
|
STRING |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
|
Specify an SMTP user that logs in to the SMTP server so that it can send the emails PWM generates. A blank value here sends SMTP messages without authentication. |
Label
|
SMTP Server Password |
Key
|
email.smtp.userpassword |
Navigation
|
Settings ⇨ Email ⇨ Email Servers ⇨ [profile] ⇨ SMTP Server Password |
Syntax
|
PASSWORD |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
True |
Scope
|
SYSTEM |
Default
|
*hidden*
|
Specify the password for the SMTP user. A blank value here sends SMTP messages without authentication. |
Label
|
Maximum Email Queue Age |
Key
|
email.queueMaxAge |
Navigation
|
Settings ⇨ Email ⇨ Email Settings ⇨ Maximum Email Queue Age |
Syntax
|
DURATION |
Level
|
2 |
Required
|
True |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
3600
|
Specify the maximum age (in seconds) an email can wait in the send queue. If an email is in the send queue longer than this time, PWM discards it. Emails only persist in the send queue if there is an IO or network error to the SMTP server while sending the email. |
Label
|
SMTP Email Advanced Settings |
Key
|
email.smtp.advancedSettings |
Navigation
|
Settings ⇨ Email ⇨ Email Settings ⇨ SMTP Email Advanced Settings |
Syntax
|
STRING_ARRAY |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
|
Add Name/Value settings to control the behavior of the mail agent. Available settings are defined as part of the JavaMail API. The settings must be in "name=value" format, where name is the key value of a valid JavaMail API setting. |
Label
|
Default System From Address |
Key
|
email.system.fromAddress |
Navigation
|
Settings ⇨ Email ⇨ Email Settings ⇨ Default System From Address |
Syntax
|
STRING |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
[email protected]
|
Specify a system From Address for the email templates. |
Label
|
Default From Address |
Key
|
email.default.fromAddress |
Navigation
|
Settings ⇨ Email ⇨ Email Templates ⇨ Default From Address |
Syntax
|
STRING |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
[email protected]
|
Specify a default From Address for the email templates. |
Label
|
Change Password Email |
Key
|
email.changePassword |
Navigation
|
Settings ⇨ Email ⇨ Email Templates ⇨ Change Password Email |
Syntax
|
EMAIL |
Level
|
1
(Advanced)
|
Macro Support
|
True |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
EmailItem default:
To:@User:Email@
From:Change Password Notice <@DefaultEmailFromAddress@>
Subj:Password Change Notification
Body:You have changed your password. If you did not initiate a password change please contact your help desk immediately.
Html:You have changed your password. If you have changed your password, then no action is required. If you did not initiate a password change please contact your help desk.
|
Define this template to send an email to the users when password changes occur. PWM only sends this email when the users change their own passwords. |
Label
|
Help Desk Change Password Email |
Key
|
email.changePassword.helpdesk |
Navigation
|
Settings ⇨ Email ⇨ Email Templates ⇨ Help Desk Change Password Email |
Syntax
|
EMAIL |
Level
|
1
(Advanced)
|
Macro Support
|
True |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
EmailItem default:
To:@User:Email@
From:Change Password Notice <@DefaultEmailFromAddress@>
Subj:Password Change Notification
Body:Your password has been changed by the heldesk. You should set a new password immediately. If you did not initiate a password change please contact your helpdesk.
Html:Your password has been changed by the helpdesk. You should set a new password immediately. If you did not initiate a password change please contact your helpdesk.
|
Define this template to send an email to users when the Help Desk changes the users' passwords. PWM expands macros for this setting based on the user who is changing their password, not the Help Desk user. |
Label
|
Update Profile Email |
Key
|
email.updateProfile |
Navigation
|
Settings ⇨ Email ⇨ Email Templates ⇨ Update Profile Email |
Syntax
|
EMAIL |
Level
|
1
(Advanced)
|
Macro Support
|
True |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
EmailItem default:
To:@User:Email@
From:Profile Update <@DefaultEmailFromAddress@>
Subj:Profile Update
Body:Thank you for updating your profile information, @LDAP:givenName@.
Html:Thank you for updating your profile information, @LDAP:givenName@.
|
Define this template to send an email to users after a profile update. |
Label
|
Update Profile Email Verification |
Key
|
email.updateProfile.token |
Navigation
|
Settings ⇨ Email ⇨ Email Templates ⇨ Update Profile Email Verification |
Syntax
|
EMAIL |
Level
|
1
(Advanced)
|
Macro Support
|
True |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
EmailItem default:
To:@User:Email@
From:Profile Update <@DefaultEmailFromAddress@>
Subj:Profile Update
Body:Thank you for updating your profile information. To continue with the update, please copy and paste the following code on the registration form:
%TOKEN%
If you did not request to change your profile, you do not need to take any action.
Html:Thank you for updating your profile. To complete the update, please click here to continue.
If for some reason this link does not work, you can copy and paste the following code on the registration form:
%TOKEN% If you did not request to change your profile, you do not need to take any action.
|
Define this template to send an email to users during profile email verification. |
Label
|
New User Email |
Key
|
email.newUser |
Navigation
|
Settings ⇨ Email ⇨ Email Templates ⇨ New User Email |
Syntax
|
EMAIL |
Level
|
1
(Advanced)
|
Macro Support
|
True |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
EmailItem default:
To:@User:Email@
From:New User Registration <@DefaultEmailFromAddress@>
Subj:Welcome
Body:Thank you for registering your account, @LDAP:givenName@.
Html:Thank you for registering your account, @LDAP:givenName@.
|
Define this template to send an email to newly created users. |
Label
|
New User Verification Email |
Key
|
email.newUser.token |
Navigation
|
Settings ⇨ Email ⇨ Email Templates ⇨ New User Verification Email |
Syntax
|
EMAIL |
Level
|
1
(Advanced)
|
Macro Support
|
True |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
EmailItem default:
To:@User:Email@
From:New User Registration <@DefaultEmailFromAddress@>
Subj:New User Verification
Body:Thank you for requesting a new account. To continue with your account registration, please copy and paste the following code on the registration form:
%TOKEN%
If you did not request to create a new account, you do not need to take any action.
Html:Thank you for requesting a new account. To continue with your account registration, please click here to continue.
If for some reason this link does not work, you can copy and paste the following code on the registration form:
%TOKEN% If you did not request to create a new account, you do not need to take any action.
|
Define this template to send an email during the new user verification process. You can use %TOKEN% to insert the token value into the email. |
Label
|
Activation Email |
Key
|
email.activation |
Navigation
|
Settings ⇨ Email ⇨ Email Templates ⇨ Activation Email |
Syntax
|
EMAIL |
Level
|
1
(Advanced)
|
Macro Support
|
True |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
EmailItem default:
To:@User:Email@
From:Activation Notification <@DefaultEmailFromAddress@>
Subj:Account Activated
Body:Thank you for activating your account, @LDAP:givenName@.
Html:Thank you for activating your account, @LDAP:givenName@.
|
Define this template to send an email to users after a successful activation. |
Label
|
Activation Verification Email |
Key
|
email.activation.token |
Navigation
|
Settings ⇨ Email ⇨ Email Templates ⇨ Activation Verification Email |
Syntax
|
EMAIL |
Level
|
1
(Advanced)
|
Macro Support
|
True |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
EmailItem default:
To:@User:Email@
From:Activation Verification <@DefaultEmailFromAddress@>
Subj:Account Verification
Body:Thank you for requesting your account activation. To continue with your account activation, please copy and paste the following code onto the activation form:
%TOKEN%
If you did not request to create a new account, you do not need to take any action.
Html:Thank you for requesting your account activation. To continue with your account activation, please click here to continue.
If for some reason this link doesn't work, you can copy and paste the following code onto the activation form:
%TOKEN% If you did not request to create a new account, you do not need to take any action.
|
Define this template to send an email during the activation verification process. You can use %TOKEN% to insert the token value into the email. |
Label
|
Forgotten Password Verification Email |
Key
|
email.challenge.token |
Navigation
|
Settings ⇨ Email ⇨ Email Templates ⇨ Forgotten Password Verification Email |
Syntax
|
EMAIL |
Level
|
1
(Advanced)
|
Macro Support
|
True |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
EmailItem default:
To:@User:Email@
From:Forgotten Password <@DefaultEmailFromAddress@>
Subj:Forgotten Password Verification
Body:Thank you for requesting a password reset. To continue with your password reset, please copy and paste the following code onto the password reset form:
%TOKEN%
If you do not wish to change your password at this time, you do not need to take any action.
Html:Thank you for requesting a password reset. To continue with your password reset, please click here to continue.
If for some reason this link doesn't work, you can copy and paste the following code onto the password reset form:
%TOKEN%
If you do not wish to change your password at this time, you do not need to take any action.
|
Define this template to send an email during the forgotten password verification process. You can use %TOKEN% to insert the token value into the email. |
Label
|
Help Desk Verification Email |
Key
|
email.helpdesk.token |
Navigation
|
Settings ⇨ Email ⇨ Email Templates ⇨ Help Desk Verification Email |
Syntax
|
EMAIL |
Level
|
1
(Advanced)
|
Macro Support
|
True |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
EmailItem default:
To:@User:Email@
From:Helpdesk <@DefaultEmailFromAddress@>
Subj:Helpdesk Verification
Body:Your helpdesk has sent you a code to verify your identity. Your verification code is:
%TOKEN%
Html:Your helpdesk has sent you a code to verify your identity. Your verification code is: %TOKEN%.
|
Define this template to send an email during the Help Desk verification process. You can use %TOKEN% to insert the token value into the email. |
Label
|
Guest Registration Email |
Key
|
email.guest |
Navigation
|
Settings ⇨ Email ⇨ Email Templates ⇨ Guest Registration Email |
Syntax
|
EMAIL |
Level
|
2 |
Macro Support
|
True |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
EmailItem default:
To:@User:Email@
From:Guest Registration Agent <@DefaultEmailFromAddress@>
Subj:Welcome
Body:Your account has been created.
Your username is: @User:ID@
Your password is: @User:Password@
Html:Your account has been created.Your username is:@User:ID@ Your password is: @User:Password@
|
Define this template to send an email to newly created guest users. |
Label
|
Guest Registration Update Email |
Key
|
email.updateguest |
Navigation
|
Settings ⇨ Email ⇨ Email Templates ⇨ Guest Registration Update Email |
Syntax
|
EMAIL |
Level
|
2 |
Macro Support
|
True |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
EmailItem default:
To:@User:Email@
From:Guest Registration Agent <@DefaultEmailFromAddress@>
Subj:Account update notification
Body:Your account has been updated.
Html:Your account has been created.
|
Define this template to send an email to updated guest users. |
Label
|
Send Password Email |
Key
|
email.sendpassword |
Navigation
|
Settings ⇨ Email ⇨ Email Templates ⇨ Send Password Email |
Syntax
|
EMAIL |
Level
|
2 |
Macro Support
|
True |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
EmailItem default:
To:@User:Email@
From:Password Notifier <@DefaultEmailFromAddress@>
Subj:Password Information
Body:Your new password is:
@User:Password@
Please change your password as soon as possible.
Html:Thank you for requesting a password reset. Your new password is:
@User:Password@
|
Define this template to send an email during the forgotten password reset process if you enabled the send password functionality. |
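The EmailItem layout shared by every template default above (To/From/Subj/Body/Html lines carrying @...@ macros and %TOKEN%), parsed and rendered as an added example; this is not PWM's code, and its macro expansion is a simplified stand-in for PWM's macro engine. The embedded template is the Send Password Email default from this entry, and the recipient, from-address and password values are constructed. The final function flags the fields that would carry @User:Password@ in cleartext mail, which is what a reviewer of these templates wants to catch.

```python
import re

# The "Send Password Email" default from the setting above, used as sample input.
SEND_PASSWORD_DEFAULT = """EmailItem default:
To:@User:Email@
From:Password Notifier <@DefaultEmailFromAddress@>
Subj:Password Information
Body:Your new password is:
@User:Password@
Please change your password as soon as possible.
Html:Thank you for requesting a password reset. Your new password is:
@User:Password@"""

FIELDS = ("To", "From", "Subj", "Body", "Html")
# @Name@ or @Namespace:Attribute@, e.g. @DefaultEmailFromAddress@, @LDAP:givenName@
MACRO_RE = re.compile(r"@([A-Za-z]+(?::[A-Za-z]+)?)@")


def parse_email_item(text):
    """Split an EmailItem block into its To/From/Subj/Body/Html fields.

    A line that does not begin with a known field name continues the previous
    field, which is how the multi-line Body and Html parts are carried.
    """
    fields = {name: "" for name in FIELDS}
    current = None
    for line in text.splitlines():
        if line.startswith("EmailItem "):
            continue  # the "EmailItem default:" header line
        name, sep, rest = line.partition(":")
        if sep and name in FIELDS:
            current = name
            fields[current] = rest
        elif current is not None:
            fields[current] += "\n" + line
    return fields


def expand_macros(text, values, token=None):
    """Expand @...@ macros from `values` and %TOKEN% from `token`.

    Unknown macros are left untouched so a mis-spelled macro stays visible in
    the rendered mail (assumed behaviour for this example, not PWM's).
    """
    out = MACRO_RE.sub(lambda m: values.get(m.group(1), m.group(0)), text)
    if token is not None:
        out = out.replace("%TOKEN%", token)
    return out


def render_email(template_text, values, token=None):
    """Parse a template and expand macros in every field."""
    item = parse_email_item(template_text)
    return {name: expand_macros(body, values, token) for name, body in item.items()}


def fields_exposing_password(template_text):
    """Names of the fields that would put the user's cleartext password in a mail."""
    item = parse_email_item(template_text)
    return [name for name, body in item.items() if "@User:Password@" in body]


if __name__ == "__main__":
    # Constructed macro values; "example-only" stands in for a generated password.
    sample_values = {
        "User:Email": "alice@example.com",
        "DefaultEmailFromAddress": "pwm@example.com",
        "User:Password": "example-only",
    }
    for name, body in render_email(SEND_PASSWORD_DEFAULT, sample_values).items():
        print(f"{name}: {body}")
    print("fields carrying the password:", fields_exposing_password(SEND_PASSWORD_DEFAULT))
```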
Label
|
Send User Name Email |
Key
|
email.sendUsername |
Navigation
|
Settings ⇨ Email ⇨ Email Templates ⇨ Send User Name Email |
Syntax
|
EMAIL |
Level
|
2 |
Macro Support
|
True |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
EmailItem default:
To:@User:Email@
From:Username Notifier <@DefaultEmailFromAddress@>
Subj:Username Information
Body:Your username is:
@User:ID@
Html:Your username is:
@User:ID@
|
Define this template to send an email for the forgotten user name process. |
Label
|
Intruder Notice Email |
Key
|
email.intruderNotice |
Navigation
|
Settings ⇨ Email ⇨ Email Templates ⇨ Intruder Notice Email |
Syntax
|
EMAIL |
Level
|
1
(Advanced)
|
Macro Support
|
True |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
EmailItem default:
To:@User:Email@
From:Intruder Notifier <@DefaultEmailFromAddress@>
Subj:Password Information
Body:Your account has been temporarily disabled due to several incorrect login/password reset attempts. If this activity was not caused by you, please contact your administrator.
Html:Your account has been temporarily disabled due to several incorrect login/password reset attempts. If this activity was not caused by you, please contact your administrator.
|
Define this template to send an email when a userDN intruder lockout occurs. |
Label
|
Delete Account Email |
Key
|
email.deleteAccount |
Navigation
|
Settings ⇨ Email ⇨ Email Templates ⇨ Delete Account Email |
Syntax
|
EMAIL |
Level
|
1
(Advanced)
|
Macro Support
|
True |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
EmailItem default:
To:@User:Email@
From:Delete Account Notice <@DefaultEmailFromAddress@>
Subj:Account Deletion Notice
Body:Your account has been deleted at your request.
Html:
|
Define this template to send an email to the users after the Account Delete action. |
Label
|
Help Desk Unlock Account Email |
Key
|
email.helpdesk.unlock |
Navigation
|
Settings ⇨ Email ⇨ Email Templates ⇨ Help Desk Unlock Account Email |
Syntax
|
EMAIL |
Level
|
1
(Advanced)
|
Macro Support
|
True |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
EmailItem default:
To:@User:Email@
From:Unlock Account Notice <@DefaultEmailFromAddress@>
Subj:Account Unlock Notice
Body:Your account has been unlocked by the helpdesk.
Html:
|
Define this template to send an email to users whose account is unlocked by the help desk. |
Label
|
Unlock Account Email |
Key
|
email.unlock |
Navigation
|
Settings ⇨ Email ⇨ Email Templates ⇨ Unlock Account Email |
Syntax
|
EMAIL |
Level
|
1
(Advanced)
|
Macro Support
|
True |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
EmailItem default:
To:@User:Email@
From:Unlock Account Notice <@DefaultEmailFromAddress@>
Subj:Account Unlock Notice
Body:Your account has been unlocked.
Html:
|
Define this template to send an email to users who unlock their own account. |
Label
|
Password Expiration Notification Email |
Key
|
email.pwNotice |
Navigation
|
Settings ⇨ Email ⇨ Email Templates ⇨ Password Expiration Notification Email |
Syntax
|
EMAIL |
Level
|
1
(Advanced)
|
Macro Support
|
True |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
EmailItem default:
To:@User:Email@
From:Password Expiration Notice <@DefaultEmailFromAddress@>
Subj:Password Expiration Notice
Body:Your password is about to expire. Your password will expire in @User:DaysUntilPwExpire@ days.
Html:
|
Email sent to notify users of an impending password expiration. |
HTTP Client
Label
|
HTTP Proxy |
Key
|
http.proxy.url |
Navigation
|
Settings ⇨ HTTP Client ⇨ HTTP Proxy |
Syntax
|
STRING |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
|
Specify the URL of the HTTP proxy server. If blank, the system uses no proxy server.
- For an HTTP proxy server, use the "http://servername:3128" format.
- For an authenticated proxy server, use the "http://username:password@servername:3128" format.
|
Label
|
HTTP Proxy Exceptions |
Key
|
http.proxy.exceptions |
Navigation
|
Settings ⇨ HTTP Client ⇨ HTTP Proxy Exceptions |
Syntax
|
STRING_ARRAY |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
|
Specify one or more URLs of proxy exceptions. If an outgoing HTTP request from PWM matches a value in the list, the request is sent directly from the server and not through the configured HTTP proxy server.
- PWM attempts to match each item from the beginning of the requested URL string.
- PWM decodes and parses the redirect URL before checking it against the whitelist.
- If an error occurs when setting a redirect URL, set the debug logs to TRACE and watch the output as the error occurs.
- PWM does not permit wildcards or case mismatches; the values must match exactly.
- If a fragment has the prefix regex:, PWM treats the remainder of the fragment as a regular expression. Regular expression matches must match the entire URL.

Example | Matches | Not Matched |
https://www.example.com | https://www.example.com, https://www.example.com/, https://www.example.com/path | http://www.example.com, https://mail.example.com |
http://www.example.com/p1 | http://www.example.com/p1, http://www.example.com/p1/p2, http://www.example.com/p1?a1=v1 | https://www.example.com/p1, http://www.example.com/p2 |
/path1 | /path1, /path1/path2, /path1/path2/?param=v1 | www.example.com/path1/, https://www.example.com/path1, /path2 |
regex:^(https?:\/\/)[a-z]*\.example\.com.*?$ | http://www.example.com, https://www.example.com, http://www.example.com/p1, http://mail.example.com/p1 | www.example.com, http://www.example.org |
|
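As an added illustration (not code from PWM), the following Python reproduces the matching rules stated above: plain entries are exact, case-sensitive prefixes of the requested URL, and regex: entries must match the whole URL. The exception list is constructed from the example table, and Python's re.fullmatch stands in for PWM's Java regex engine, which is an assumption.

```python
import re
from typing import Iterable, List, Tuple

REGEX_PREFIX = "regex:"

# Constructed from the documented example table; not a real deployment's list.
PROXY_EXCEPTIONS = [
    "https://www.example.com",
    "http://www.example.com/p1",
    "/path1",
    r"regex:^(https?:\/\/)[a-z]*\.example\.com.*?$",
]


def matches_exception(exception: str, url: str) -> bool:
    """Apply one exception entry to a URL.

    A regex: entry must match the entire URL (re.fullmatch enforces that even
    if the pattern lacks ^/$). Any other entry is a literal prefix comparison:
    no wildcards and no case folding, exactly as the setting text requires."""
    if exception.startswith(REGEX_PREFIX):
        pattern = exception[len(REGEX_PREFIX):]
        return re.fullmatch(pattern, url) is not None
    return url.startswith(exception)


def bypasses_proxy(url: str, exceptions: Iterable[str] = PROXY_EXCEPTIONS) -> bool:
    """True if a request to url would go direct instead of via the HTTP proxy."""
    return any(matches_exception(e, url) for e in exceptions)


def check_table(rows: List[Tuple[str, List[str], List[str]]]) -> List[Tuple[str, str, str]]:
    """Verify (exception, matches, not_matched) rows; return every disagreement."""
    failures = []
    for exception, should_match, should_not in rows:
        for url in should_match:
            if not matches_exception(exception, url):
                failures.append((exception, url, "expected match"))
        for url in should_not:
            if matches_exception(exception, url):
                failures.append((exception, url, "expected no match"))
    return failures


# The example table from the setting description, embedded so this runs offline.
DOC_TABLE = [
    ("https://www.example.com",
     ["https://www.example.com", "https://www.example.com/", "https://www.example.com/path"],
     ["http://www.example.com", "https://mail.example.com"]),
    ("http://www.example.com/p1",
     ["http://www.example.com/p1", "http://www.example.com/p1/p2", "http://www.example.com/p1?a1=v1"],
     ["https://www.example.com/p1", "http://www.example.com/p2"]),
    ("/path1",
     ["/path1", "/path1/path2", "/path1/path2/?param=v1"],
     ["www.example.com/path1/", "https://www.example.com/path1", "/path2"]),
    (r"regex:^(https?:\/\/)[a-z]*\.example\.com.*?$",
     ["http://www.example.com", "https://www.example.com",
      "http://www.example.com/p1", "http://mail.example.com/p1"],
     ["www.example.com", "http://www.example.org"]),
]

if __name__ == "__main__":
    for problem in check_table(DOC_TABLE):
        print("MISMATCH:", problem)
    print("direct:", bypasses_proxy("https://www.example.com/api"))
    # Upper-case scheme/host differs from the entry, so this goes via the proxy.
    print("direct:", bypasses_proxy("HTTPS://WWW.EXAMPLE.COM"))
```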
HTTPS Web Server
Label
|
HTTPS Private Key & Certificate |
Key
|
https.server.cert |
Navigation
|
Settings ⇨ HTTPS Server ⇨ HTTPS Private Key & Certificate |
Syntax
|
PRIVATE_KEY |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
|
Import the private key and certificate used by the PWM HTTPS web server. If this setting does not have a value, the PWM HTTPS web server uses an auto-generated value based on Settings ⇨ Application ⇨ Site URL and other current configuration data. Changes to this setting require a server restart. |
Label
|
TLS Protocols |
Key
|
https.server.tls.protocols |
Navigation
|
Settings ⇨ HTTPS Server ⇨ TLS Protocols |
Syntax
|
OPTIONLIST |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Options
|
Stored Value | Display |
SSL_3_0 |
SSL v3.0 |
TLS_1_0 |
TLS v1.0 |
TLS_1_1 |
TLS v1.1 |
TLS_1_2 |
TLS v1.2 |
TLS_1_3 |
TLS v1.3 |
|
Default
|
TLS_1_2
TLS_1_3
|
Select the HTTPS TLS protocols supported by the PWM HTTPS web server. Changes to this setting require a server restart. |
Label
|
TLS Ciphers |
Key
|
https.server.tls.ciphers |
Navigation
|
Settings ⇨ HTTPS Server ⇨ TLS Ciphers |
Syntax
|
STRING |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_CCM_SHA256,TLS_AES_128_CCM_8_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_SHA,TLS_DHE_RSA_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA,TLS_DHE_DSS_WITH_AES_128_SHA256
|
Specify the HTTPS TLS ciphers accepted by the PWM HTTPS web server. The value for this setting is an ordered, comma-separated list of Java SSE provided cipher names. Changes to this setting require a server restart. |
Intruder Settings
Label
|
Enable PWM Intruder Detection |
Key
|
intruder.enable |
Navigation
|
Settings ⇨ Intruder Detection ⇨ Intruder Settings ⇨ Enable PWM Intruder Detection |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
True
|
Enable this option to enable the PWM intruder detection system. Your LDAP directory intruder detection settings function independently of this setting. |
Label
|
Enable Bad Password Simulation |
Key
|
security.ldap.simulateBadPassword |
Navigation
|
Settings ⇨ Intruder Detection ⇨ Intruder Settings ⇨ Enable Bad Password Simulation |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
True
|
Enable this option to turn on bad password simulation when a user fails a forgotten password field. When an identified user attempts to recover a forgotten password but supplies incorrect data, PWM attempts to authenticate to the directory using a known bad password value. This allows the LDAP directory to trigger its own defense mechanisms against intruders. |
Intruder System Settings
Label
|
Intruder Record Storage Location |
Key
|
intruder.storageMethod |
Navigation
|
Settings ⇨ Intruder Detection ⇨ Intruder System Settings ⇨ Intruder Record Storage Location |
Syntax
|
SELECT |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
SYSTEM |
Options
|
Stored Value | Display |
DATABASE |
Remote Database |
LOCALDB |
LocalDB |
|
Default
|
LOCALDB
|
Select the data store used for intruder records. If you use Database, all application instances share a common view of intruder status. If you use LocalDB, each instance has its own intruder state. LocalDB is likely to have less performance overhead, and a consistent intruder state across all application instances might not be important. The Configure Guide uses a database if one is configured; if not, it uses the LocalDB. |
Intruder Timeouts
Label
|
Intruder User Reset Time |
Key
|
intruder.user.resetTime |
Navigation
|
Settings ⇨ Intruder Detection ⇨ Intruder Timeouts ⇨ Intruder User Reset Time |
Syntax
|
DURATION |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
1800
|
Specify the time period after which PWM clears a bad attempt from the lockout table. PWM marks the user lockout table for a user anytime a user has a failed attempt to authenticate, recover a password, or activate a user account.
Value is in number of seconds. A value of zero disables the user lockout functionality. |
Label
|
Intruder User Maximum Attempts |
Key
|
intruder.user.maxAttempts |
Navigation
|
Settings ⇨ Intruder Detection ⇨ Intruder Timeouts ⇨ Intruder User Maximum Attempts |
Syntax
|
NUMERIC |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
10
|
Specify the maximum number of attempts a user might make before a lockout occurs. After the user exceeds this value, the user cannot perform any activities until the reset time interval has passed. A value of zero disables the user lockout functionality. |
Label
|
Intruder User Check Time |
Key
|
intruder.user.checkTime |
Navigation
|
Settings ⇨ Intruder Detection ⇨ Intruder Timeouts ⇨ Intruder User Check Time |
Syntax
|
DURATION |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
300
|
Specify the maximum time period between each intruder attempt. When the user exceeds this time period, PWM resets the intruder attempt count to zero. |
Label
|
Intruder Attribute Reset Time |
Key
|
intruder.attribute.resetTime |
Navigation
|
Settings ⇨ Intruder Detection ⇨ Intruder Timeouts ⇨ Intruder Attribute Reset Time |
Syntax
|
DURATION |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
1800
|
Specify the time period after which PWM clears a bad attempt from the lockout table. PWM marks the attribute lockout table for a user anytime a non-authenticated user enters a form field.
Value is in number of seconds. A value of zero disables the attribute lockout functionality. |
Label
|
Intruder Attribute Maximum Attempts |
Key
|
intruder.attribute.maxAttempts |
Navigation
|
Settings ⇨ Intruder Detection ⇨ Intruder Timeouts ⇨ Intruder Attribute Maximum Attempts |
Syntax
|
NUMERIC |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
10
|
Specify the maximum number of attempts a user might make before a lockout occurs. After the user exceeds this value, the user cannot perform any activities until the reset time interval has passed. A value of zero disables the user lockout functionality. |
Label
|
Intruder Attribute Check Time |
Key
|
intruder.attribute.checkTime |
Navigation
|
Settings ⇨ Intruder Detection ⇨ Intruder Timeouts ⇨ Intruder Attribute Check Time |
Syntax
|
DURATION |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
300
|
Specify the maximum time period between each intruder attempt. When the user exceeds this time period, PWM resets the intruder attempt count to zero. |
Label
|
Intruder Token Destination Reset Time |
Key
|
intruder.tokenDest.resetTime |
Navigation
|
Settings ⇨ Intruder Detection ⇨ Intruder Timeouts ⇨ Intruder Token Destination Reset Time |
Syntax
|
DURATION |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
1800
|
Specify the time period after which PWM clears a bad attempt from the lockout table. PWM marks the attribute lockout table for a user anytime it sends a token, and it clears the lockout when the user consumes a token.
Value is in number of seconds. A value of zero disables the attribute lockout functionality. |
Label
|
Intruder Token Destination Attempts |
Key
|
intruder.tokenDest.maxAttempts |
Navigation
|
Settings ⇨ Intruder Detection ⇨ Intruder Timeouts ⇨ Intruder Token Destination Attempts |
Syntax
|
NUMERIC |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
10
|
Specify the maximum number of attempts for a token destination before a lockout occurs and PWM no longer sends tokens to that destination. After the user exceeds this value, the user cannot perform any activities until the reset time interval has passed. A value of zero disables the token lockout functionality. |
Label
|
Intruder Token Destination Check Time |
Key
|
intruder.tokenDest.checkTime |
Navigation
|
Settings ⇨ Intruder Detection ⇨ Intruder Timeouts ⇨ Intruder Token Destination Check Time |
Syntax
|
DURATION |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
300
|
Specify the maximum time period between each intruder attempt. When the user exceeds this time period, PWM resets the intruder attempt count to zero. |
Label
|
Intruder Address Reset Time |
Key
|
intruder.address.resetTime |
Navigation
|
Settings ⇨ Intruder Detection ⇨ Intruder Timeouts ⇨ Intruder Address Reset Time |
Syntax
|
DURATION |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
1800
|
Specify the time period after which PWM clears a bad attempt from the lockout table. PWM marks the address lockout table for any source IP address anytime any user has a failed attempt to authenticate, recover a password, or activate a user account from that address.
Depending on how you deployed PWM, it might not be able to correctly identify the IP address of the user.
Value is in number of seconds. A value of zero disables the address lockout functionality. |
Label
|
Intruder Address Maximum Attempts |
Key
|
intruder.address.maxAttempts |
Navigation
|
Settings ⇨ Intruder Detection ⇨ Intruder Timeouts ⇨ Intruder Address Maximum Attempts |
Syntax
|
NUMERIC |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
30
|
Specify the maximum number of attempts any user might make from a particular address. After users exceed this value, no user from that address can perform any activities until the reset time interval has passed. A value of zero disables the address lockout functionality. |
Label
|
Intruder Address Check Time |
Key
|
intruder.address.checkTime |
Navigation
|
Settings ⇨ Intruder Detection ⇨ Intruder Timeouts ⇨ Intruder Address Check Time |
Syntax
|
DURATION |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
300
|
Specify the maximum time period between each intruder attempt. When users exceed this time period, PWM resets the intruder attempt count to zero. A value of zero disables the address lockout functionality. |
Label
|
Maximum Intruder Attempts Per Session |
Key
|
intruder.session.maxAttempts |
Navigation
|
Settings ⇨ Intruder Detection ⇨ Intruder Timeouts ⇨ Maximum Intruder Attempts Per Session |
Syntax
|
NUMERIC |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
8
|
Specify the maximum number of intruder attempts per session. When the user exceeds this limit, PWM "locks" the session, and no other requests using that session succeed. A value of zero disables the session lockout functionality. |
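The user, attribute, token destination and address tables above all share the same three knobs (reset time, maximum attempts, check time). The following Python is an added model of that behaviour, not PWM's implementation: it reads "exceeds" literally (the attempt after the maximum locks), treats the reset time as the length of the lockout window, which is a simplification of per-attempt aging, and uses epoch seconds for timestamps.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class IntruderRecord:
    attempts: int = 0
    last_attempt: float = 0.0
    locked_at: Optional[float] = None


@dataclass
class IntruderTable:
    """One lockout table (user, attribute, token destination or address).

    Defaults mirror the documented user/attribute defaults: 10 attempts,
    300 s check time, 1800 s reset time."""
    max_attempts: int = 10      # intruder.<type>.maxAttempts
    check_time: int = 300       # intruder.<type>.checkTime (seconds)
    reset_time: int = 1800      # intruder.<type>.resetTime (seconds)
    records: Dict[str, IntruderRecord] = field(default_factory=dict)

    @property
    def enabled(self) -> bool:
        # Per the setting text, a value of zero disables the lockout.
        return self.max_attempts > 0 and self.reset_time > 0

    def record_failure(self, subject: str, now: float) -> bool:
        """Record one failed attempt; return True if the subject is locked."""
        if not self.enabled:
            return False
        rec = self.records.get(subject)
        if rec is not None and rec.locked_at is not None:
            if now - rec.locked_at < self.reset_time:
                return True                  # still inside the lockout window
            rec = None                       # reset time elapsed: start afresh
        if rec is None:
            rec = self.records[subject] = IntruderRecord()
        # Check time: a gap longer than check_time resets the count to zero.
        if rec.attempts and self.check_time > 0 and now - rec.last_attempt > self.check_time:
            rec.attempts = 0
        rec.attempts += 1
        rec.last_attempt = now
        # "After the user exceeds this value": the (max_attempts + 1)th failure locks.
        if rec.attempts > self.max_attempts:
            rec.locked_at = now
            return True
        return False

    def is_locked(self, subject: str, now: float) -> bool:
        rec = self.records.get(subject)
        if rec is None or rec.locked_at is None:
            return False
        if now - rec.locked_at >= self.reset_time:
            del self.records[subject]        # cleared from the lockout table
            return False
        return True

    def clear(self, subject: str) -> None:
        """Drop a subject's entry, e.g. when a token is consumed successfully."""
        self.records.pop(subject, None)


def simulate(table: IntruderTable, subject: str, timestamps: List[float]) -> List[bool]:
    """Feed a series of failure timestamps; return the lock flag after each."""
    return [table.record_failure(subject, t) for t in timestamps]


if __name__ == "__main__":
    # Constructed scenario: 11 failures 10 s apart trip the default user table.
    t = IntruderTable()
    subject = "cn=alice,ou=users,o=example"   # constructed DN
    print(simulate(t, subject, [i * 10 for i in range(11)]))
    print("locked at t=200:", t.is_locked(subject, 200))
    print("locked at t=1900:", t.is_locked(subject, 100 + 1800))
```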
Localization
Label
|
Locales (Languages) and Flags |
Key
|
knownLocales |
Navigation
|
Settings ⇨ Localization ⇨ Locales (Languages) and Flags |
Syntax
|
STRING_ARRAY |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
en::us
en_CA::ca
ca::catalonia
cs::cz
da::dk
de::de
el::gr
es::es
fi::fi
fr::fr
fr_CA::ca
hu::hu
iw::il
it::it
ja::jp
ko::kr
nl::nl
nb::no
no::no
nn::no
pl::pl
pt_BR::br
pt::pt
ru::ru
sk::sk
sv::se
th::th
tr::tr
zh_CN::cn
zh_TW::tw
|
List of available locales. Each entry has two parts separated by two colons (::). The first part is the browser locale code; the second is the ISO country code used for the flag. |
Label
|
Locale Cookie Age |
Key
|
locale.cookie.age |
Navigation
|
Settings ⇨ Localization ⇨ Locale Cookie Age |
Syntax
|
DURATION |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
604800
|
Specify the duration of time to remember a user's locale preferences. Anytime PWM overrides a browser's default locale setting, it stores a cookie in the browser remembering that setting for the duration of this setting. |
Logging
Setting high debug levels can cause undesired overhead, and the application might suffer as a result. Conversely, retaining detailed logs aids troubleshooting as well as security forensics.
Label
|
Console (StdOut) Log Level |
Key
|
events.java.stdoutLevel |
Navigation
|
Settings ⇨ Logging ⇨ Console (StdOut) Log Level |
Syntax
|
SELECT |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Options
|
Stored Value | Display |
TRACE |
6 - Trace |
DEBUG |
5 - Debug |
INFO |
4 - Info |
WARN |
3 - Warn |
ERROR |
2 - Error |
FATAL |
1 - Fatal |
Off |
0 - Off |
|
Default
|
INFO
|
Specify the default Log level for stdout. Most servlet containers redirect stdout to a log file. For example, Apache Tomcat logs stdout output to the tomcat/logs/catalina.out file by default. |
Label
|
LocalDB Log Level |
Key
|
events.pwmDB.logLevel |
Navigation
|
Settings ⇨ Logging ⇨ LocalDB Log Level |
Syntax
|
SELECT |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
SYSTEM |
Options
|
Stored Value | Display |
TRACE |
6 - Trace |
DEBUG |
5 - Debug |
INFO |
4 - Info |
WARN |
3 - Warn |
ERROR |
2 - Error |
FATAL |
1 - Fatal |
Off |
0 - Off |
|
Default
|
INFO
|
Specify the level at which to log events in the LocalDB. You can view the log events written to the LocalDB in the administrator event log viewer. |
Label
|
File Log Level |
Key
|
events.fileAppender.level |
Navigation
|
Settings ⇨ Logging ⇨ File Log Level |
Syntax
|
SELECT |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
SYSTEM |
Options
|
Stored Value | Display |
TRACE |
6 - Trace |
DEBUG |
5 - Debug |
INFO |
4 - Info |
WARN |
3 - Warn |
ERROR |
2 - Error |
FATAL |
1 - Fatal |
Off |
0 - Off |
|
Default
|
INFO
|
Specify the level at which to log events to the local File Log. PWM writes log files to the servlet's WEB-INF/logs directory. |
Label
|
Maximum LocalDB Events |
Key
|
events.pwmDB.maxEvents |
Navigation
|
Settings ⇨ Logging ⇨ Maximum LocalDB Events |
Syntax
|
NUMERIC |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
1000000
|
Specify the maximum log events stored in the LocalDB. PWM retains this number of events in the LocalDB database and displays these in the admin event log screen.
PWM consumes approximately 100MB of disk space for each 100,000 log events. |
Label
|
Maximum Age LocalDB Events |
Key
|
events.pwmDB.maxAge |
Navigation
|
Settings ⇨ Logging ⇨ Maximum Age LocalDB Events |
Syntax
|
DURATION |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
2419200
|
Specify the maximum age of events stored in the LocalDB.
PWM periodically purges events older than the configured value here. Specify the value in seconds. Default is four weeks (60s * 60m * 24h * 7d * 4w = 2419200). A value of zero causes PWM not to remove events due to age. |
Label
|
Daily Summary Alerts |
Key
|
events.alert.dailySummary.enable |
Navigation
|
Settings ⇨ Logging ⇨ Daily Summary Alerts |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
True
|
Enable this option to send an email alert once a day (at 0:00 GMT) that contains a summary of the day's statistics and health. |
Label
|
Strength Meter Algorithm |
Key
|
password.strengthMeter.type |
Navigation
|
Settings ⇨ Logging ⇨ Strength Meter Algorithm |
Syntax
|
SELECT |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
SYSTEM |
Options
|
Stored Value | Display |
PWM |
Traditional - built in algorithm |
ZXCVBN |
zxcvbn - open source library |
|
Default
|
PWM
|
Choose the calculation algorithm type used for the password strength meter. |
Password Expiration Notification
Label
|
Enable Password Expiration Notification |
Key
|
pwNotify.enable |
Navigation
|
Settings ⇨ Password Expiration Notification ⇨ Enable Password Expiration Notification |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
False
|
Enable the password expiration notification service. This service requires that a node service be configured. You can view the status of this service on the Administration ⇨ Dashboard ⇨ Password Notification page. The service nominally runs once per day on the master node server. If a job is missed because of a PWM, LDAP, or database service interruption, it runs within the next 24 hours once service is restored. Running a job more than once does not result in duplicate emails to the user. If a user's password expiration time changes after the last job, PWM sends a new notification as appropriate. |
Label
|
Storage Mode |
Key
|
pwNotify.storageMode |
Navigation
|
Settings ⇨ Password Expiration Notification ⇨ Storage Mode |
Syntax
|
SELECT |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Options
|
Stored Value | Display |
LDAP |
LDAP Directory |
DB |
Remote Database |
|
Default
|
Template | Value |
default |
LDAP |
DB |
DB |
|
Select the storage mode used by the node service module. |
Label
|
Expiration Notification User Match |
Key
|
pwNotify.queryString |
Navigation
|
Settings ⇨ Password Expiration Notification ⇨ Expiration Notification User Match |
Syntax
|
USER_PERMISSION |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
Users that will receive password expiration notifications. |
Label
|
Expiration Notification Intervals |
Key
|
pwNotify.intervals |
Navigation
|
Settings ⇨ Password Expiration Notification ⇨ Expiration Notification Intervals |
Syntax
|
STRING_ARRAY |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
1
3
7
|
Expiration notification day intervals: the number of days before a user's password expiration at which an email notice is sent. |
Label
|
Job Offset |
Key
|
pwNotify.job.offSet |
Navigation
|
Settings ⇨ Password Expiration Notification ⇨ Job Offset |
Syntax
|
DURATION |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
0
|
GMT job offset time. The expiration notice job will normally be executed at 0:00 GMT. This value can be adjusted to change the standard time of day the job is run. |
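The notification settings above describe a daily job that must be idempotent and must react to a changed expiration time. The Python below is an added model of that logic, not PWM's own code: it assumes the per-user state persisted in the storage mode store holds the expiration time seen and the last interval announced, and it picks the interval whose window the user is currently in (5 days before expiry falls in the 7-day window with the default 1/3/7 intervals).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DAY = 86400
INTERVALS = [1, 3, 7]        # pwNotify.intervals default, in days


@dataclass
class NotifyState:
    """Assumed per-user record kept in the pwNotify.storageMode store."""
    expiration: float        # password expiration (epoch s) when the notice was sent
    interval_sent: int       # day-interval of the most recent notice


def due_interval(expiration: float, now: float, intervals=INTERVALS) -> Optional[int]:
    """Return the interval whose window we are in, or None if none applies.

    An already-expired password gets nothing; more than max(intervals) days
    out gets nothing; otherwise the smallest interval >= days left."""
    days_left = (expiration - now) / DAY
    if days_left < 0:
        return None
    candidates = [i for i in intervals if i >= days_left]
    return min(candidates) if candidates else None


def run_job(now: float, users: Dict[str, float],
            state: Dict[str, NotifyState]) -> List[Tuple[str, int]]:
    """One pass of the daily job. users maps user id -> expiration time.

    Returns the (user, interval) notices to email and updates state so that
    re-running the job, or running it late, never duplicates a notice. A
    changed expiration (e.g. after a password reset) starts the cycle over."""
    to_send: List[Tuple[str, int]] = []
    for user, expiration in users.items():
        interval = due_interval(expiration, now)
        if interval is None:
            continue
        prev = state.get(user)
        if prev is not None and prev.expiration != expiration:
            prev = None          # expiration changed since the last notice
        if prev is not None and prev.interval_sent <= interval:
            continue             # this window, or a closer one, already announced
        state[user] = NotifyState(expiration, interval)
        to_send.append((user, interval))
    return to_send


if __name__ == "__main__":
    # Constructed users: alice expires in 5 days, bob in 20 days.
    users = {"alice": 5 * DAY, "bob": 20 * DAY}
    state: Dict[str, NotifyState] = {}
    print(run_job(0, users, state))          # alice gets the 7-day notice
    print(run_job(0, users, state))          # re-run: nothing duplicated
    print(run_job(4 * DAY, users, state))    # job missed on day 3: 1-day notice
```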
Password Settings
Password-related settings that apply to all users regardless of the password policy or profile appear here. For profile-specific password settings, see Profiles ⇨ Password Policy Profiles.
Label
|
Password Policy Source |
Key
|
password.policy.source |
Navigation
|
Settings ⇨ Password Settings ⇨ Password Policy Source |
Syntax
|
SELECT |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Options
|
Stored Value | Display |
MERGE |
Merge Local and LDAP (default) |
LDAP |
LDAP |
PWM |
Local |
|
Default
|
MERGE
|
Select where PWM reads the password policy settings. If you select LDAP, PWM attempts to read the policy from the LDAP directory and may ignore many of the following settings. If you select Local Config, PWM uses the policy settings on this page and ignores any policy settings in the LDAP directory. If you select Merge, PWM reads both policies and, where there is any conflict, chooses the most restrictive value.
The capability to read policy from LDAP is only available with some LDAP directory types. Additionally, PWM uses the password policy as the only "local" policy. Upon a password set operation, the LDAP directory typically enforces whatever policies are configured in the directory itself. |
Label
|
Enable Shared History |
Key
|
password.sharedHistory.enable |
Navigation
|
Settings ⇨ Password Settings ⇨ Enable Shared History |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
False
|
Enable this option to use a global shared password history for all users. If enabled, all users share a common password history. This helps prevent users from using common organizational words as passwords. PWM stores the passwords as a salted and encrypted hash in the LocalDB. |
Label
|
Shared History Age |
Key
|
password.sharedHistory.age |
Navigation
|
Settings ⇨ Password Settings ⇨ Shared History Age |
Syntax
|
DURATION |
Level
|
2 |
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
2419200
|
Specify the maximum age of the shared history storage. Specify the value in seconds. The default is 28 days. |
Label
|
Password is Case Sensitive |
Key
|
password.policy.caseSensitivity |
Navigation
|
Settings ⇨ Password Settings ⇨ Password is Case Sensitive |
Syntax
|
SELECT |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Options
|
Stored Value | Display |
read |
Read from Directory |
true |
True (Case Sensitive) |
false |
False (Case Insensitive) |
|
Default
|
read
|
Enable this option to control if the password is case sensitive. In most cases, PWM can read this from the directory, but in some cases, the system cannot correctly read this value, so you can override it here. |
Reporting
Options to enable and configure reporting.
Label
|
Enable Daily Reporting Job |
Key
|
reporting.enable |
Navigation
|
Settings ⇨ Reporting ⇨ Enable Daily Reporting Job |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
False
|
Enable daily reporting job. When enabled, PWM will execute a daily report update job. |
Label
|
Reporting Job Time Offset |
Key
|
reporting.job.timeOffset |
Navigation
|
Settings ⇨ Reporting ⇨ Reporting Job Time Offset |
Syntax
|
DURATION |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
0
|
Specify the number of seconds past midnight (GMT) when PWM processes the update job. Setting this option to -1 disables the nightly job processor. |
Label
|
Maximum LDAP Query Size |
Key
|
reporting.ldap.maxQuerySize |
Navigation
|
Settings ⇨ Reporting ⇨ Maximum LDAP Query Size |
Syntax
|
NUMERIC |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
100000
|
Specify the maximum number of records read during a reporting query search. Setting this value to a larger size requires more Java heap memory. |
Label
|
Reporting Job Intensity |
Key
|
reporting.job.intensity |
Navigation
|
Settings ⇨ Reporting ⇨ Reporting Job Intensity |
Syntax
|
SELECT |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Options
|
Stored Value | Display |
LOW |
Low |
MEDIUM |
Medium |
HIGH |
High |
|
Default
|
LOW
|
Control the level of intensity of a reporting job execution. Higher levels will complete the report job faster but cause more workload on PWM and the LDAP directory. |
Label
|
Reporting Summary Day Intervals |
Key
|
reporting.summary.dayValues |
Navigation
|
Settings ⇨ Reporting ⇨ Reporting Summary Day Intervals |
Syntax
|
STRING_ARRAY |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
-90
-60
-30
-14
-7
-3
30
60
90
|
Specify day intervals to include in report summary data. |
SMS Gateway
Label
|
SMS Gateway URL |
Key
|
sms.gatewayURL |
Navigation
|
Settings ⇨ SMS ⇨ SMS Gateway ⇨ SMS Gateway URL |
Syntax
|
STRING |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
|
Specify the URL for the SMS gateway. |
Label
|
SMS Gateway Certificates |
Key
|
sms.gatewayCertificates |
Navigation
|
Settings ⇨ SMS ⇨ SMS Gateway ⇨ SMS Gateway Certificates |
Syntax
|
X509CERT |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
|
Certificates for the remote SMS service. |
Label
|
HTTP(S) Method |
Key
|
sms.gatewayMethod |
Navigation
|
Settings ⇨ SMS ⇨ SMS Gateway ⇨ HTTP(S) Method |
Syntax
|
SELECT |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
SYSTEM |
Options
|
Stored Value | Display |
POST |
POST |
GET |
GET |
|
Default
|
POST
|
Select the HTTPS protocol method PWM uses for sending the SMS messages. |
Label
|
SMS Gateway User |
Key
|
sms.gatewayUser |
Navigation
|
Settings ⇨ SMS ⇨ SMS Gateway ⇨ SMS Gateway User |
Syntax
|
STRING |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
|
Specify the user name for the SMS gateway. |
Label
|
SMS Gateway Password |
Key
|
sms.gatewayPassword |
Navigation
|
Settings ⇨ SMS ⇨ SMS Gateway ⇨ SMS Gateway Password |
Syntax
|
PASSWORD |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
True |
Scope
|
SYSTEM |
Default
|
*hidden*
|
Specify the user password for the SMS gateway. |
Label
|
SMS Gateway Authentication Method |
Key
|
sms.gatewayAuthMethod |
Navigation
|
Settings ⇨ SMS ⇨ SMS Gateway ⇨ SMS Gateway Authentication Method |
Syntax
|
SELECT |
Level
|
2 |
Required
|
True |
Confidential
|
False |
Scope
|
SYSTEM |
Options
|
Stored Value | Display |
REQUEST |
Request - Authentication will be part of the request |
HTTP |
HTTP - Use HTTP basic authentication |
|
Default
|
REQUEST
|
Select the method PWM uses for authentication to the SMS gateway. |
Label
|
SMS Request Data |
Key
|
sms.requestData |
Navigation
|
Settings ⇨ SMS ⇨ SMS Gateway ⇨ SMS Request Data |
Syntax
|
TEXT_AREA |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
user=%USER%&pass=%PASS%&to=%TO%&msg=%MESSAGE%
|
Specify the data PWM submits in order to send an SMS message. You can use the following codes, which PWM replaces:
- %USER%: authentication user name
- %PASS%: authentication password
- %SENDERID%: sender identification
- %TO%: recipient SMS number
- %REQUESTID%: randomly generated request identifier
- %MESSAGE%: the message to be sent
|
Label
|
SMS Data Content Type |
Key
|
sms.requestContentType |
Navigation
|
Settings ⇨ SMS ⇨ SMS Gateway ⇨ SMS Data Content Type |
Syntax
|
STRING |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
application/x-www-form-urlencoded
|
Specify the content type for POST data. This is the MIME type for the content. This only applies if the HTTP(S) Method is POST. Common values are:
- application/x-www-form-urlencoded: HTTP form data
- text/plain: plain ASCII data
- text/xml: XML document
Optionally, you can append a character set. For example:
- application/x-www-form-urlencoded; charset=utf-8: HTTP form data in UTF-8 encoding
|
Label
|
SMS Data Content Encoding |
Key
|
sms.requestContentEncoding |
Navigation
|
Settings ⇨ SMS ⇨ SMS Gateway ⇨ SMS Data Content Encoding |
Syntax
|
SELECT |
Level
|
2 |
Required
|
True |
Confidential
|
False |
Scope
|
SYSTEM |
Options
|
Stored Value | Display |
NONE |
None - no encoding |
CSV |
CSV - Escape for comma separated values |
HTML |
HTML - for HTML data |
JAVA |
Java - for Java String representations |
JAVASCRIPT |
Javascript - recommended for JSON formatted documents |
SQL |
SQL - turn single-quotes (') into double single-quotes ('') |
URL |
URL - recommended for GET requests and POST with form data (default) |
XML |
XML - for XML and/or SOAP services |
|
Default
|
URL
|
Select how PWM encodes the data for fields in the SMS message. The data might need encoding or escaping. |
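The two settings above work together: the request data template names the fields, and the content encoding decides how each substituted value is escaped before it lands in the gateway request. The following is an added example, not PWM's own code, that renders the default sms.requestData template with each encoding and then decodes the body the way a form-parsing gateway would. It assumes the placeholder names listed above, folds JAVA into JAVASCRIPT and HTML into XML, and substitutes an empty string for any field not supplied; the gateway credentials and message text are constructed sample values.

```python
"""Added example (not PWM's own code): render the sms.requestData template with the
field encoding chosen by sms.requestContentEncoding, then decode the body the way
an application/x-www-form-urlencoded gateway would, to show what the choice changes."""
import html
import json
import re
from urllib.parse import parse_qs, quote

# Placeholders documented for sms.requestData.
PLACEHOLDER = re.compile(r"%(USER|PASS|SENDERID|TO|REQUESTID|MESSAGE)%")

# Default sms.requestData value, copied from the setting above.
DEFAULT_TEMPLATE = "user=%USER%&pass=%PASS%&to=%TO%&msg=%MESSAGE%"

# Constructed sample fields; the message text contains form-delimiter characters.
SAMPLE_FIELDS = {
    "USER": "gw-user",
    "PASS": "gw-pass",  # constructed placeholder credential
    "TO": "+15551234567",
    "MESSAGE": "Your security code is 1234&to=+15550000000",
}


def encode_field(value: str, encoding: str) -> str:
    """Escape one substituted value per the sms.requestContentEncoding option.
    JAVA is treated like JAVASCRIPT and HTML like XML here (assumption)."""
    if encoding == "NONE":
        return value
    if encoding == "URL":
        # Percent-encode everything but unreserved characters, so '&', '=' and '+'
        # inside a value can never be read as form-field delimiters.
        return quote(value, safe="")
    if encoding in ("JAVASCRIPT", "JAVA"):
        # json.dumps yields a quoted string literal; drop the surrounding quotes.
        return json.dumps(value)[1:-1]
    if encoding in ("XML", "HTML"):
        return html.escape(value, quote=True)
    if encoding == "SQL":
        return value.replace("'", "''")
    if encoding == "CSV":
        needs_quotes = any(c in value for c in ',"\n')
        return '"' + value.replace('"', '""') + '"' if needs_quotes else value
    raise ValueError(f"unsupported encoding {encoding!r}")


def render_request(template: str, fields: dict, encoding: str) -> str:
    """Replace every %NAME% with the encoded field; missing fields become '' (assumption)."""
    return PLACEHOLDER.sub(lambda m: encode_field(fields.get(m.group(1), ""), encoding), template)


def gateway_view(body: str) -> dict:
    """Decode a rendered body as a form-parsing gateway would: name -> list of values."""
    return parse_qs(body, keep_blank_values=True)


if __name__ == "__main__":
    for enc in ("NONE", "URL"):
        body = render_request(DEFAULT_TEMPLATE, SAMPLE_FIELDS, enc)
        print(enc, body, gateway_view(body), sep="\n  ")
```

With NONE the gateway sees two `to` fields and a truncated message, and the leading `+` of the phone number decodes to a space; with URL every value arrives intact. The same reasoning applies to the other encodings: pick the one that matches the syntax of the body you are building (JAVASCRIPT for JSON bodies, XML for SOAP), not the one that happens to work for ordinary messages.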
Label
|
SMS Gateway HTTP Request Headers |
Key
|
sms.httpRequestHeaders |
Navigation
|
Settings ⇨ SMS ⇨ SMS Gateway ⇨ SMS Gateway HTTP Request Headers |
Syntax
|
STRING_ARRAY |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
|
Specify any additional HTTP request headers for the SMS request, for example SOAPAction for SOAP messages. Each header must be a name/value pair delimited by a colon (e.g. MyHeader:SomeValue). |
Label
|
Maximum SMS Text Length |
Key
|
sms.maxTextLength |
Navigation
|
Settings ⇨ SMS ⇨ SMS Gateway ⇨ Maximum SMS Text Length |
Syntax
|
NUMERIC |
Level
|
2 |
Required
|
True |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
140
|
Specify the maximum length for the SMS text. Some services allow texts longer than one message (generally 140 bytes). If the text is longer than the configured maximum, PWM makes multiple requests. |
Label
|
SMS Sender ID |
Key
|
sms.senderID |
Navigation
|
Settings ⇨ SMS ⇨ SMS Gateway ⇨ SMS Sender ID |
Syntax
|
STRING |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
|
Specify the alphanumerical sender identification. If blank, the provider uses a default or anonymous sender identification. In most cases, the SMS provider must validate the sender ID. Contact your provider for values that you can use as a valid sender identification. |
Label
|
SMS Phone Number Format |
Key
|
sms.phoneNumberFormat |
Navigation
|
Settings ⇨ SMS ⇨ SMS Gateway ⇨ SMS Phone Number Format |
Syntax
|
SELECT |
Level
|
2 |
Required
|
True |
Confidential
|
False |
Scope
|
SYSTEM |
Options
|
Stored Value | Display |
RAW |
Raw - Use the raw value that is read from the directory with no changes |
PLAIN |
Plain - country code (e.g. 1 for USA) plus subscriber number (e.g. 12312345): 112312345 |
PLUS |
Plus - Same as plain, but with a plus sign as a prefix: +112312345 |
ZEROS |
Zeros - Same as plain, but prefixed with a double zero: 00112312345 |
|
Default
|
ZEROS
|
Select the format that PWM uses for the mobile phone number. |
Label
|
Default SMS Country Code |
Key
|
sms.defaultCountryCode |
Navigation
|
Settings ⇨ SMS ⇨ SMS Gateway ⇨ Default SMS Country Code |
Syntax
|
NUMERIC |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
1
|
Specify the default country code for the SMS phone number. For a list of country codes, see http://countrycode.org/. Set to 0 to disable this option. |
Label
|
Request ID Characters |
Key
|
sms.requestId.characters |
Navigation
|
Settings ⇨ SMS ⇨ SMS Gateway ⇨ Request ID Characters |
Syntax
|
STRING |
Level
|
2 |
Required
|
True |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
0123456789abcdef
|
Specify the available characters in the SMS request ID. |
Label
|
Request ID Length |
Key
|
sms.requestId.length |
Navigation
|
Settings ⇨ SMS ⇨ SMS Gateway ⇨ Request ID Length |
Syntax
|
NUMERIC |
Level
|
2 |
Required
|
True |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
6
|
Specify the length of the SMS request ID. |
Label
|
Response Regular Expressions |
Key
|
sms.responseOkRegex |
Navigation
|
Settings ⇨ SMS ⇨ SMS Gateway ⇨ Response Regular Expressions |
Syntax
|
STRING_ARRAY |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
|
Specify the regular expressions PWM uses to determine whether it sent the SMS successfully to the gateway. If the response matches any of the expressions, PWM considers the transmission successful. If you do not specify any expressions, PWM assumes that all transmissions are successful.
If the response matches none of the expressions, PWM retries the SMS later (default 30 seconds). Use the Maximum SMS Queue Age option to limit the number of retries.
NOTE: The string must match an entire line. Use .* to match anything after the required text. |
Label
|
Successful HTTP Result Codes |
Key
|
sms.successResultCodes |
Navigation
|
Settings ⇨ SMS ⇨ SMS Gateway ⇨ Successful HTTP Result Codes |
Syntax
|
STRING_ARRAY |
Level
|
2 |
Required
|
True |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
200
|
Specify the HTTP result codes that PWM considers successful send attempts. |
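The response-expression and result-code settings above are the only evidence PWM has that a message actually left the gateway, and many gateways answer an application error with HTTP 200. The following is an added example, not PWM's own code, that classifies a gateway reply under both settings; it assumes the status-code check runs before the body check, and the replies it uses are constructed samples.

```python
"""Added example (not PWM's own code): classify an SMS gateway reply using
sms.successResultCodes and sms.responseOkRegex as documented above."""
import re
from dataclasses import dataclass


@dataclass
class GatewayReply:
    status_code: int
    body: str


def send_succeeded(reply: GatewayReply, success_codes, ok_patterns) -> bool:
    """True when the HTTP status is listed as successful and, if any response
    expressions are configured, at least one of them matches an entire line of
    the body. Assumption: the status check runs before the body check."""
    if str(reply.status_code) not in {str(c).strip() for c in success_codes}:
        return False
    if not ok_patterns:
        return True  # documented: no expressions configured => every send counts
    compiled = [re.compile(p) for p in ok_patterns]
    # fullmatch enforces the "must match an entire line" rule from the note above
    return any(rx.fullmatch(line) for line in reply.body.splitlines() for rx in compiled)


# Constructed sample replies.
OK_REPLY = GatewayReply(200, "OK id=8f3a2c\n")
ERR_REPLY = GatewayReply(200, '{"status":"error","reason":"insufficient credit"}')
JSON_OK_REPLY = GatewayReply(202, '{"status":"sent","id":"8f3a2c"}')

if __name__ == "__main__":
    print(send_succeeded(OK_REPLY, ["200"], ["OK.*"]))   # True
    print(send_succeeded(ERR_REPLY, ["200"], ["OK.*"]))  # False: body says error
    print(send_succeeded(ERR_REPLY, ["200"], []))        # True: no expressions, so assumed sent
```

The last call is the case to watch in monitoring: with no expressions configured, a 200 reply carrying an error body is logged as a successful send and the user never receives the token. Configure at least one expression that matches the gateway's real success line, and remember that `OK` alone will not match `OK id=8f3a2c`; `OK.*` will.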
Label
|
Maximum SMS Queue Age |
Key
|
sms.queueMaxAge |
Navigation
|
Settings ⇨ SMS ⇨ SMS Gateway ⇨ Maximum SMS Queue Age |
Syntax
|
DURATION |
Level
|
2 |
Required
|
True |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
300
|
Specify the maximum age (in seconds) an SMS can wait in the local send queue. If an SMS is in the send queue longer than this time, PWM discards it. The SMS messages only persist in the send queue if there is an IO or network error to the SMS gateway server while sending the message. |
Label
|
Forgotten Password SMS Text |
Key
|
sms.challenge.token.message |
Navigation
|
Settings ⇨ SMS ⇨ SMS Messages ⇨ Forgotten Password SMS Text |
Syntax
|
LOCALIZED_STRING |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
Your security code is %TOKEN%
|
Specify the message text of the SMS PWM sends during the forgotten password token process. |
Label
|
Forgotten Password New Password SMS Text |
Key
|
sms.challenge.newpassword.message |
Navigation
|
Settings ⇨ SMS ⇨ SMS Messages ⇨ Forgotten Password New Password SMS Text |
Syntax
|
LOCALIZED_STRING |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
Your new password is %TOKEN%
|
Specify the message text of the SMS with new password PWM sends during the forgotten password process. |
Label
|
New User Verification SMS Text |
Key
|
sms.newUser.token.message |
Navigation
|
Settings ⇨ SMS ⇨ SMS Messages ⇨ New User Verification SMS Text |
Syntax
|
LOCALIZED_STRING |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
Your account verification code is %TOKEN%
|
Specify the text of the SMS PWM sends during the new user verification process. |
Label
|
Help Desk Verification SMS Text |
Key
|
sms.helpdesk.token.message |
Navigation
|
Settings ⇨ SMS ⇨ SMS Messages ⇨ Help Desk Verification SMS Text |
Syntax
|
LOCALIZED_STRING |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
Your security code is %TOKEN%
|
Specify the message text of the SMS PWM sends during the Help Desk token verification process. |
Label
|
Activation Token SMS Text |
Key
|
sms.activation.token.message |
Navigation
|
Settings ⇨ SMS ⇨ SMS Messages ⇨ Activation Token SMS Text |
Syntax
|
LOCALIZED_STRING |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
Your activation token is %TOKEN%.
|
Specify the message text of the token SMS PWM sends during an activation process. |
Label
|
Activation SMS Text |
Key
|
sms.activation.message |
Navigation
|
Settings ⇨ SMS ⇨ SMS Messages ⇨ Activation SMS Text |
Syntax
|
LOCALIZED_STRING |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
Thank you for activating your account.
|
Specify the message text of the SMS PWM sends after a successful activation. |
Label
|
Forgotten User Name SMS Text |
Key
|
sms.forgottenUsername.message |
Navigation
|
Settings ⇨ SMS ⇨ SMS Messages ⇨ Forgotten User Name SMS Text |
Syntax
|
LOCALIZED_STRING |
Level
|
1
(Advanced)
|
Macro Support
|
True |
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
Your username is @User:ID@
|
Specify the text of the SMS PWM sends upon a successful forgotten user name sequence, if you configured it. |
Label
|
Update Profile SMS Verification Text |
Key
|
sms.updateProfile.token.message |
Navigation
|
Settings ⇨ SMS ⇨ SMS Messages ⇨ Update Profile SMS Verification Text |
Syntax
|
LOCALIZED_STRING |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
Your verification code is %TOKEN%
|
Specify the text of the SMS PWM sends during the profile update SMS phone number verification. |
Label
|
Security Key |
Key
|
pwm.securityKey |
Navigation
|
Settings ⇨ Security ⇨ Application Security ⇨ Security Key |
Syntax
|
PASSWORD |
Level
|
0
(Normal)
|
Required
|
False |
Confidential
|
True |
Scope
|
SYSTEM |
Default
|
*hidden*
|
Specify a Security Key used for cryptographic functions such as token verification. PWM requires a value if you enabled tokens for any of the modules and configured a token storage method. PWM uses this value similar to how a cryptographic security certificate uses the private key. If configured, this value must be at least 32 characters in length. The longer and more random this value, the more secure its uses are. If multiple instances are in use, you must configure each instance with the same value. Upon initial setup, PWM assigns a random security key to this value that you can change at any time; however, any outstanding tokens or other material generated by an old security key become invalid. |
Label
|
Enable Reverse DNS |
Key
|
network.reverseDNS.enable |
Navigation
|
Settings ⇨ Security ⇨ Application Security ⇨ Enable Reverse DNS |
Syntax
|
BOOLEAN |
Level
|
2 |
Required
|
True |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
True
|
Enable this option to have PWM use its reverse DNS system to record the hostname of the client. In some cases this can cause performance issues, so you can disable it if you do not require it. |
Label
|
Show Detailed Error Messages |
Key
|
display.showDetailedErrors |
Navigation
|
Settings ⇨ Security ⇨ Application Security ⇨ Show Detailed Error Messages |
Syntax
|
BOOLEAN |
Level
|
2 |
Required
|
True |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
False
|
Enable this option to display detailed error messages. While useful for administrators, especially during configuration, showing detailed error messages to users can be confusing as well as a security hazard. PWM ignores this setting until you close the Configuration Guide. |
Label
|
Maximum Session Duration |
Key
|
session.maxSeconds |
Navigation
|
Settings ⇨ Security ⇨ Application Security ⇨ Maximum Session Duration |
Syntax
|
DURATION |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
28800
|
Specify the maximum duration of a session (in seconds). Having a maximum session lifetime prevents certain types of long-term session fixation attacks. |
Label
|
Certificate Validation Mode |
Key
|
security.certificate.validationMode |
Navigation
|
Settings ⇨ Security ⇨ Application Security ⇨ Certificate Validation Mode |
Syntax
|
SELECT |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Options
|
Stored Value | Display |
CA_ONLY |
Root Certificate Only |
CERTIFICATE_CHAIN |
Entire Certificate Chain |
|
Default
|
CA_ONLY
|
Specify how outbound SSL/TLS certificate validation will be performed by PWM. |
Label
|
Enable Form Nonce |
Key
|
security.formNonce.enable |
Navigation
|
Settings ⇨ Security ⇨ Web Security ⇨ Enable Form Nonce |
Syntax
|
BOOLEAN |
Level
|
2 |
Required
|
True |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
True
|
Enable this option to require a nonce (or unique key) for each form to prevent certain types of cross-site scripting (XSS) attacks. |
Label
|
Sticky Session Verification |
Key
|
enableSessionVerification |
Navigation
|
Settings ⇨ Security ⇨ Web Security ⇨ Sticky Session Verification |
Syntax
|
SELECT |
Level
|
2 |
Required
|
True |
Confidential
|
False |
Scope
|
SYSTEM |
Options
|
Stored Value | Display |
OFF |
Disabled |
VERIFY |
Enabled |
VERIFY_AND_CACHE |
Enabled - And pre-load browser cache |
|
Default
|
VERIFY
|
Enable this option to verify browser sessions using an HTTP redirect and verification code. This verification proves that the browser can correctly establish a session with the server. Verification proves the browser either supports cookies or URL sessions (if enabled) and the communication channel between browser and application server is 'sticky' when there are multiple server instances. Additionally, it helps prevent some types of XSS attacks.
The pre-loaded browser cache shows a "please wait" screen to the user during the verification. This has the added benefit that the browser "pre-caches" many of the HTTP resources (JavaScript, CSS, images, and so forth) before it loads any actual pages. |
Label
|
Disallowed HTTP Inputs |
Key
|
disallowedInputs |
Navigation
|
Settings ⇨ Security ⇨ Web Security ⇨ Disallowed HTTP Inputs |
Syntax
|
STRING_ARRAY |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
(?s)(?i)<.*script.*
(?s)(?i)<.*xml.*
(?s)(?i)<.*img.*
(?s)(?i)<.*src.*
(?s)(?i)<.*href.*
|
Specify the disallowed values. If any input values (on any HTTP parameter) matches these patterns, PWM strips the matching portion from the input. |
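The default patterns above use `(?s)` and `<.*`, so each one removes everything from the first `<` to the end of the value whenever the keyword appears anywhere after it. The following is an added example, not PWM's own code, that applies the five default patterns to parameter values as the setting describes and reports which patterns fired so the event can be logged; the request parameters it runs over are constructed.

```python
"""Added example (not PWM's own code): apply the default disallowedInputs patterns
to request parameter values and report which patterns matched."""
import re

# The five default patterns copied from the setting above. They are written for
# Java's regex engine, but the (?s)(?i) prefixes mean the same thing in Python.
DEFAULT_DISALLOWED_INPUTS = [
    r"(?s)(?i)<.*script.*",
    r"(?s)(?i)<.*xml.*",
    r"(?s)(?i)<.*img.*",
    r"(?s)(?i)<.*src.*",
    r"(?s)(?i)<.*href.*",
]
_COMPILED = [re.compile(p) for p in DEFAULT_DISALLOWED_INPUTS]


def filter_input(value: str, patterns=None) -> tuple:
    """Strip the matching portion of every pattern from value.
    Returns (cleaned value, list of patterns that matched)."""
    compiled = _COMPILED if patterns is None else [re.compile(p) for p in patterns]
    fired = []
    for rx in compiled:
        cleaned, count = rx.subn("", value)
        if count:
            fired.append(rx.pattern)
            value = cleaned
    return value, fired


def filter_parameters(params: dict) -> tuple:
    """Apply filter_input to every parameter of a request (constructed dict form)
    and collect "name: pattern" events suitable for an audit log line."""
    cleaned, events = {}, []
    for name, value in params.items():
        cleaned[name], fired = filter_input(value)
        events.extend(f"{name}: {p}" for p in fired)
    return cleaned, events


if __name__ == "__main__":
    # Constructed request: one benign field and one containing markup.
    print(filter_parameters({"username": "jane", "note": "see <IMG src=x>"}))
    # Over-matching: a harmless '<' followed later by a keyword loses the rest of the value.
    print(filter_input("a < b and the script runs"))
```

Two properties are worth knowing before relying on this filter. It is a keyword blacklist, so values that never contain `<` pass untouched whatever they hold, and output encoding in the pages remains the real defence. And it over-matches: a value such as `a < b and the script runs` is cut to `a `, which is why stripped-input events deserve a log entry rather than silent correction.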
Label
|
Use X-Forwarded-For Header |
Key
|
useXForwardedForHeader |
Navigation
|
Settings ⇨ Security ⇨ Web Security ⇨ Use X-Forwarded-For Header |
Syntax
|
BOOLEAN |
Level
|
2 |
Required
|
True |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
True
|
If present, use the X-Forwarded-For HTTP header value as the client IP address instead of the source IP address of the HTTP connection. Typically, upstream proxies or firewalls add X-Forwarded-For headers, and these might be the only reliable way to identify the user's source IP address. |
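Any client can send an X-Forwarded-For header of its own, so the value recorded for intruder lockout and audit entries is only as trustworthy as the path it arrived on. The following is an added example, not PWM's own code, that derives the client address from the TCP peer and the header. The page's rule is simply "use the header when present"; the trusted-proxy list and the right-to-left walk through the header are assumptions added here so that a header supplied by the client itself is not believed. Addresses are constructed samples.

```python
"""Added example (not PWM's own code): choose the client address to record from the
TCP peer address and an X-Forwarded-For header, trusting the header only when the
peer is a known proxy."""
import ipaddress


def client_address(remote_addr: str, xff_header, use_xff: bool, trusted_proxies) -> str:
    """Return the address to record for this request.

    remote_addr     -- source IP of the TCP connection
    xff_header      -- raw X-Forwarded-For value, or None when absent
    use_xff         -- the useXForwardedForHeader setting
    trusted_proxies -- CIDR strings for proxies allowed to set the header (assumption)
    """
    networks = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def is_trusted(addr: str) -> bool:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        return any(ip in net for net in networks)

    # Setting off, no header, or the peer is not one of our proxies: use the peer.
    if not use_xff or not xff_header or not is_trusted(remote_addr):
        return remote_addr

    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # Each proxy appends the address it saw, so walk from the right and skip our own
    # proxies; the first other address is the one the nearest trusted proxy saw.
    for hop in reversed(hops):
        if is_trusted(hop):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed entry: fall back to the peer address
        return hop
    return remote_addr


if __name__ == "__main__":
    proxies = ["10.0.0.0/8"]  # constructed reverse-proxy range
    print(client_address("10.0.0.9", "203.0.113.7, 10.0.0.5", True, proxies))  # 203.0.113.7
    print(client_address("203.0.113.7", "198.51.100.1", True, proxies))        # 203.0.113.7
```

The second call is the direct-connection case: the header names a different address, but because the peer is not a trusted proxy the peer address wins. Pair this setting with Required HTTP Headers or network filtering so that clients cannot reach the application server except through the proxies whose headers you trust.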
Label
|
Allow Roaming Source Network Address |
Key
|
network.allowMultiIPSession |
Navigation
|
Settings ⇨ Security ⇨ Web Security ⇨ Allow Roaming Source Network Address |
Syntax
|
BOOLEAN |
Level
|
2 |
Required
|
True |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
False
|
Enable this option to allow a single HTTP session to be accessed from different source IP addresses. Some load balancing or proxy network infrastructures might require this, but in most cases disable it. Especially since typical sessions are very short, there is no practical reason for a user to access the same session from multiple client addresses. |
Label
|
Required HTTP Headers |
Key
|
network.requiredHttpHeaders |
Navigation
|
Settings ⇨ Security ⇨ Web Security ⇨ Required HTTP Headers |
Syntax
|
STRING_ARRAY |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
|
If specified, any HTTP/S request sent to this PWM application server must include these headers. This feature is useful if you have an upstream security gateway, proxy or web server and wish to only allow sessions from the gateway, and deny direct access to this PWM application server from clients. The settings must be in name=value format. If the upstream security gateway, proxy or web server is not setting these name/value headers, you will no longer be able to access this PWM application server. WARNING: If the client you are using to access this server is not setting the headers configured here, this PWM server will become inaccessible. |
Label
|
Page Leave Notice Timeout |
Key
|
security.page.leaveNoticeTimeout |
Navigation
|
Settings ⇨ Security ⇨ Web Security ⇨ Page Leave Notice Timeout |
Syntax
|
NUMERIC |
Level
|
2 |
Required
|
True |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
0
|
Specify a timeout period for when a user navigates away from any page. The browser sends a notice to the server. The next time the browser requests a page, PWM checks the timeout to determine if the last page leave time was greater than the timeout, and if so, it invalidates the user's session. This has the effect of logging out users that navigate away from PWM without explicitly logging out. If set to zero, you disable this feature. |
Label
|
Prevent HTML Framing |
Key
|
security.preventFraming |
Navigation
|
Settings ⇨ Security ⇨ Web Security ⇨ Prevent HTML Framing |
Syntax
|
BOOLEAN |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
Template | Value |
default |
True |
NOVL_IDM |
False |
|
Enable this option to prevent browsers from displaying PWM inside an IFrame. PWM does this by setting the X-Frame-Options HTTP header to DENY on all pages. |
Label
|
Redirect Whitelist |
Key
|
security.redirectUrl.whiteList |
Navigation
|
Settings ⇨ Security ⇨ Web Security ⇨ Redirect Whitelist |
Syntax
|
STRING_ARRAY |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
|
Specify a list of partial URL fragments. Any attempt to set the forwardURL or logoutURL via request parameter must match a URL fragment listed here.
- PWM attempts to match each item from the beginning of the requested URL string.
- PWM decodes and parses the redirect URL before checking it against the whitelist.
- If an error occurs when setting a redirect URL, set the debug logs to TRACE and watch the output as the error occurs.
- PWM does not permit wildcards or case mis-matches; the values must match exactly.
- If a fragment has the prefix regex:, PWM treats the remainder of the fragment as a regular expression. Regular expression matches must match the entire URL.

Example | Matches | Not Matched |
https://www.example.com | https://www.example.com, https://www.example.com/, https://www.example.com/path | http://www.example.com, https://mail.example.com |
http://www.example.com/p1 | http://www.example.com/p1, http://www.example.com/p1/p2, http://www.example.com/p1?a1=v1 | https://www.example.com/p1, http://www.example.com/p2 |
/path1 | /path1, /path1/path2, /path1/path2/?param=v1 | www.example.com/path1/, https://www.example.com/path1, /path2 |
regex:^(https?:\/\/)[a-z]*\.example\.com.*?$ | http://www.example.com, https://www.example.com, http://www.example.com/p1, http://mail.example.com/p1 | www.example.com, http://www.example.org |
|
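The whitelist rules above are precise enough to implement, and the example table doubles as test data. The following is an added example, not PWM's own code, of the documented matching: decode first, then an exact-case prefix match, or a full-string match for `regex:` entries. It assumes that an empty whitelist permits no redirect override (fail closed) and that decoding is a single percent-decode; the URLs are the table's own plus two constructed ones.

```python
"""Added example (not PWM's own code): the matching rules documented for
security.redirectUrl.whiteList, checked against the table's own rows."""
import re
from urllib.parse import unquote

REGEX_PREFIX = "regex:"


def redirect_allowed(requested_url: str, whitelist) -> bool:
    """Decode the URL, then accept it if it starts with a listed fragment (exact
    case, no wildcards) or fully matches a 'regex:' entry.
    Assumption: an empty whitelist permits no override at all."""
    url = unquote(requested_url)  # documented: decode before checking
    for entry in whitelist:
        if entry.startswith(REGEX_PREFIX):
            if re.fullmatch(entry[len(REGEX_PREFIX):], url):
                return True
        elif entry and url.startswith(entry):
            return True
    return False


# Rows of the example table above: (whitelist entry, matches, not matched).
TABLE_ROWS = [
    ("https://www.example.com",
     ["https://www.example.com", "https://www.example.com/", "https://www.example.com/path"],
     ["http://www.example.com", "https://mail.example.com"]),
    ("http://www.example.com/p1",
     ["http://www.example.com/p1", "http://www.example.com/p1/p2", "http://www.example.com/p1?a1=v1"],
     ["https://www.example.com/p1", "http://www.example.com/p2"]),
    ("/path1",
     ["/path1", "/path1/path2", "/path1/path2/?param=v1"],
     ["www.example.com/path1/", "https://www.example.com/path1", "/path2"]),
    (r"regex:^(https?:\/\/)[a-z]*\.example\.com.*?$",
     ["http://www.example.com", "https://www.example.com",
      "http://www.example.com/p1", "http://mail.example.com/p1"],
     ["www.example.com", "http://www.example.org"]),
]


def table_holds() -> bool:
    """True when every row of the table behaves as documented."""
    for entry, matches, not_matched in TABLE_ROWS:
        if not all(redirect_allowed(u, [entry]) for u in matches):
            return False
        if any(redirect_allowed(u, [entry]) for u in not_matched):
            return False
    return True


if __name__ == "__main__":
    print(table_holds())  # True
    # A bare host prefix also accepts a longer host that merely starts with it.
    print(redirect_allowed("https://www.example.com.other.example/", ["https://www.example.com"]))
```

The last line shows the one thing the table does not: because matching is a plain prefix test, the entry `https://www.example.com` also accepts `https://www.example.com.other.example/`. End host entries with a trailing slash (`https://www.example.com/`) or use an anchored `regex:` entry so the host boundary is part of the match.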
Label
|
HTTP Content Security Policy Header |
Key
|
security.cspHeader |
Navigation
|
Settings ⇨ Security ⇨ Web Security ⇨ HTTP Content Security Policy Header |
Syntax
|
STRING |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
default-src 'self'; object-src 'none'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src https://www.recaptcha.net/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ 'self' 'unsafe-eval' 'nonce-%NONCE%'; frame-src https://www.recaptcha.net/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ ; report-uri @PwmContextPath@/public/api?processAction=cspReport
|
Set the HTTP Content-Security-Policy header. This header instructs the browser to limit the locations from which it loads fonts, scripts, and CSS files. |
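The default value above contains two macros, `%NONCE%` and `@PwmContextPath@`, that must be filled in per response before the header is useful. The following is an added example, not PWM's own code, that renders the default policy for one response, parses the result into directives, and lists the keywords a reviewer would look at. It assumes a per-response nonce from a CSPRNG and a context path of `/pwm`; the parser is a simple split on `;` and whitespace.

```python
"""Added example (not PWM's own code): render the security.cspHeader default for one
response, parse it into directives, and report the permissive keywords it contains."""
import secrets

# Default value of security.cspHeader, copied from the setting above.
CSP_TEMPLATE = (
    "default-src 'self'; object-src 'none'; img-src 'self' data:; "
    "style-src 'self' 'unsafe-inline'; "
    "script-src https://www.recaptcha.net/recaptcha/ https://www.gstatic.cn/recaptcha/ "
    "https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ 'self' "
    "'unsafe-eval' 'nonce-%NONCE%'; "
    "frame-src https://www.recaptcha.net/recaptcha/ https://www.gstatic.cn/recaptcha/ "
    "https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ ; "
    "report-uri @PwmContextPath@/public/api?processAction=cspReport"
)


def new_nonce() -> str:
    """A fresh, unguessable nonce for each response (assumed CSPRNG source)."""
    return secrets.token_urlsafe(16)


def render_csp(template: str, nonce: str, context_path: str) -> str:
    """Fill in the two macros used by the default policy."""
    return template.replace("%NONCE%", nonce).replace("@PwmContextPath@", context_path)


def parse_csp(header: str) -> dict:
    """Split a policy into {directive: [sources]}; later duplicates win."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0]] = parts[1:]
    return policy


def policy_findings(policy: dict) -> list:
    """List the permissive keywords present, per directive, plus a missing object-src 'none'."""
    findings = []
    for name, sources in policy.items():
        for keyword in ("'unsafe-inline'", "'unsafe-eval'"):
            if keyword in sources:
                findings.append(f"{name} allows {keyword}")
    if "'none'" not in policy.get("object-src", []):
        findings.append("object-src is not 'none'")
    return findings


if __name__ == "__main__":
    header = render_csp(CSP_TEMPLATE, new_nonce(), "/pwm")
    print(header)
    print(policy_findings(parse_csp(header)))
```

Run against the default, the findings are `style-src allows 'unsafe-inline'` and `script-src allows 'unsafe-eval'`; both are present in the shipped value, so they are the entries to revisit if you customise the header, while the nonce in `script-src` is what lets inline scripts on PWM's own pages run without `'unsafe-inline'` there.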
Basic Authentication
Label
|
Enable Basic Authentication |
Key
|
basicAuth.enable |
Navigation
|
Settings ⇨ Single Sign On (SSO) Client ⇨ Basic Authentication ⇨ Enable Basic Authentication |
Syntax
|
BOOLEAN |
Level
|
2 |
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
True
|
Enables Basic Authentication. |
Label
|
Force Basic Authentication |
Key
|
forceBasicAuth |
Navigation
|
Settings ⇨ Single Sign On (SSO) Client ⇨ Basic Authentication ⇨ Force Basic Authentication |
Syntax
|
BOOLEAN |
Level
|
2 |
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
False
|
Enable this option to force basic authentication. If false, the system presents the form page for unauthenticated users; however, if a basic auth header is present, the system always uses it. |
Label
|
CAS ClearPass URL |
Key
|
cas.clearPassUrl |
Navigation
|
Settings ⇨ Single Sign On (SSO) Client ⇨ CAS SSO ⇨ CAS ClearPass URL |
Syntax
|
STRING |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
For CAS authentication integration, enter the ClearPass URL here. If blank, CAS authentication integration will be disabled.
You will also need to edit the WEB-INF/web.xml file to enable CAS integration. Uncomment the section for the CAS servlet filters, and modify the CAS servlet parameters as appropriate for your configuration. |
Label
|
CAS ClearPass Encryption Key |
Key
|
cas.clearPass.key |
Navigation
|
Settings ⇨ Single Sign On (SSO) Client ⇨ CAS SSO ⇨ CAS ClearPass Encryption Key |
Syntax
|
FILE |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
[]
|
ClearPass encryption key |
Label
|
CAS ClearPass Algorithm |
Key
|
cas.clearPass.alg |
Navigation
|
Settings ⇨ Single Sign On (SSO) Client ⇨ CAS SSO ⇨ CAS ClearPass Algorithm |
Syntax
|
STRING |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
The algorithm used by the encryption key |
Label
|
SSO Authentication Header Name |
Key
|
security.sso.authHeaderName |
Navigation
|
Settings ⇨ Single Sign On (SSO) Client ⇨ HTTP SSO ⇨ SSO Authentication Header Name |
Syntax
|
STRING |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
Specify the name of the HTTP header that allows an upstream server to log users in automatically with only a user name; a password is not required. This setting controls only the name of the header. When used, PWM prompts users for their passwords to access certain functionality. |
Integration with an OAuth identity server for SSO to this application.
Label
|
OAuth Login URL |
Key
|
oauth.idserver.loginUrl |
Navigation
|
Settings ⇨ Single Sign On (SSO) Client ⇨ OAuth ⇨ OAuth Login URL |
Syntax
|
STRING |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
Specify the OAuth server login URL. This is the URL to redirect the user to for authentication. |
Label
|
OAuth Scope |
Key
|
oauth.idserver.scope |
Navigation
|
Settings ⇨ Single Sign On (SSO) Client ⇨ OAuth ⇨ OAuth Scope |
Syntax
|
STRING |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
Specify the optional OAuth scope. The OAuth identity service provider (IdP) provides this value. The scope provided, if any, must contain the user attribute to be read for authentication. |
Label
|
OAuth Token / Code Resolve Service URL |
Key
|
oauth.idserver.codeResolveUrl |
Navigation
|
Settings ⇨ Single Sign On (SSO) Client ⇨ OAuth ⇨ OAuth Token / Code Resolve Service URL |
Syntax
|
STRING |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
Specify the OAuth Code Resolve Service URL. The system uses this web service URL to resolve the artifact returned by the OAuth identity server. |
Label
|
OAuth Profile/UserInfo Service URL |
Key
|
oauth.idserver.attributesUrl |
Navigation
|
Settings ⇨ Single Sign On (SSO) Client ⇨ OAuth ⇨ OAuth Profile/UserInfo Service URL |
Syntax
|
STRING |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
Specify the URL of the web service provided by the identity server to return attribute data about the user. |
Label
|
OAuth Server Certificate |
Key
|
oauth.idserver.serverCerts |
Navigation
|
Settings ⇨ Single Sign On (SSO) Client ⇨ OAuth ⇨ OAuth Server Certificate |
Syntax
|
X509CERT |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
Import the certificate for the OAuth web service server. |
Label
|
OAuth Client ID |
Key
|
oauth.idserver.clientName |
Navigation
|
Settings ⇨ Single Sign On (SSO) Client ⇨ OAuth ⇨ OAuth Client ID |
Syntax
|
STRING |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
Specify the OAuth client ID. The OAuth identity service provider (IdP) provides this value. |
Label
|
OAuth Shared Secret |
Key
|
oauth.idserver.secret |
Navigation
|
Settings ⇨ Single Sign On (SSO) Client ⇨ OAuth ⇨ OAuth Shared Secret |
Syntax
|
PASSWORD |
Level
|
2 |
Required
|
False |
Confidential
|
True |
Scope
|
DOMAIN |
Default
|
*hidden*
|
Specify the OAuth shared secret. The OAuth identity service provider (IdP) provides this value. |
Label
|
OAuth User Name/DN Login Attribute |
Key
|
oauth.idserver.dnAttributeName |
Navigation
|
Settings ⇨ Single Sign On (SSO) Client ⇨ OAuth ⇨ OAuth User Name/DN Login Attribute |
Syntax
|
STRING |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
Specify the attribute to request from the OAuth server PWM uses as the user name for local authentication. PWM resolves this value the same as if the user had typed the password at the local authentication page. |
Session Management
Label
|
Node Service Enabled |
Key
|
nodeService.enable |
Navigation
|
Settings ⇨ System ⇨ Session Management ⇨ Node Service Enabled |
Syntax
|
BOOLEAN |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
True
|
Enable or disable the node service. The node service allows PWM to detect and identify when multiple application nodes are similarly configured and can share user sessions. |
Label
|
Node Service Storage Mode |
Key
|
nodeService.storageMode |
Navigation
|
Settings ⇨ System ⇨ Session Management ⇨ Node Service Storage Mode |
Syntax
|
SELECT |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Options
|
Stored Value | Display |
LDAP |
LDAP Directory |
DB |
Remote Database |
|
Default
|
Template | Value |
default |
LDAP |
DB |
DB |
|
Data storage system used for node service. If LDAP is selected, a test user (LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ Connection ⇨ LDAP Test User) must be configured and the response storage attribute (LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ Connection ⇨ LDAP Test User) must be writable by the proxy user. If DATABASE is selected then a database must be configured and available for PWM to operate. |
Label
|
Login Session Mode |
Key
|
security.loginSession.mode |
Navigation
|
Settings ⇨ System ⇨ Session Management ⇨ Login Session Mode |
Syntax
|
SELECT |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Options
|
Stored Value | Display |
LOCAL |
Local |
CRYPTCOOKIE |
Encrypted Cookie |
|
Default
|
CRYPTCOOKIE
|
Select the mode PWM uses to manage the login session state. Local mode is the most secure and reliable, but it does not allow for server fail-over. |
Label
|
Module Session Mode |
Key
|
security.moduleSession.mode |
Navigation
|
Settings ⇨ System ⇨ Session Management ⇨ Module Session Mode |
Syntax
|
SELECT |
Level
|
2 |
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Options
|
Stored Value | Display |
LOCAL |
Local |
CRYPTCOOKIE |
Encrypted Cookie |
|
Default
|
CRYPTCOOKIE
|
Select the mode PWM uses to manage the module session state. Local mode is the most secure and reliable, but it does not allow for server fail-over. |
Telemetry
Label
|
Enable Anonymous Statistics Publishing |
Key
|
pwm.publishStats.enable |
Navigation
|
Settings ⇨ Telemetry ⇨ Enable Anonymous Statistics Publishing |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
False
|
Enable this option to periodically share anonymous statistics of PWM. The published statistics are:
- Version/Build Information
- Cumulative Statistics
- Which settings are non-default (but not the actual setting values)
- Operating system name and version
Enabling this setting helps PWM developers know which features are used most often. |
Label
|
Enable Version Checking |
Key
|
pwm.versionCheck.enable |
Navigation
|
Settings ⇨ Telemetry ⇨ Enable Version Checking |
Syntax
|
BOOLEAN |
Level
|
0
(Normal)
|
Required
|
True |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
True
|
Allow periodic checks for new versions. If a new version is detected, an item will be shown on the health check. No information about this installation is sent to the cloud server during the check. |
Label
|
Site Description |
Key
|
pwm.publishStats.siteDescription |
Navigation
|
Settings ⇨ Telemetry ⇨ Site Description |
Syntax
|
STRING |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
SYSTEM |
Default
|
|
This optional value can be included if you want to identify your site when the anonymous statistics are published. You could use your organization's name or another descriptive value. |
Options for email and SMS tokens sent to users. Choose a token method appropriate to your environment.
Label
|
Token Storage Method |
Key
|
token.storageMethod |
Navigation
|
Settings ⇨ Tokens ⇨ Token Storage Method |
Syntax
|
SELECT |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Options
|
Stored Value | Display |
STORE_LOCALDB |
LocalDB |
STORE_DB |
Database |
STORE_CRYPTO |
Crypto |
STORE_LDAP |
LDAP |
|
Default
|
Template | Value |
DB |
STORE_DB |
LOCALDB |
STORE_LOCALDB |
default |
STORE_CRYPTO |
|
Select the storage method PWM uses to save issued tokens.

Method | Description |
LocalDB | Stores the tokens in the local embedded LocalDB database. Tokens are not common across multiple application instances. |
DB | Stores the tokens in a configured, remote database. Tokens work across multiple application instances. |
Crypto | Uses crypto to create and read tokens; they are not stored locally. Tokens work across multiple application instances if they have the same Security Key. Crypto tokens ignore the length and character rules and might be too long to use for SMS purposes. |
LDAP | Uses the LDAP directory to store tokens. Tokens work across multiple application instances. You cannot use LDAP tokens as New User Registration tokens. |
|
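The Crypto method above has three properties that follow from the Security Key setting earlier on this page: nothing is stored, any instance holding the same key can read the token, and rotating the key invalidates every outstanding token. The following is an added example, not PWM's own code and not its token format (which this page does not describe), of an HMAC-signed, self-contained token that shows those properties, including why such tokens are longer than the configured SMS-friendly length. Keys, subject and timestamps are constructed values; the 32-character minimum is the documented one.

```python
"""Added example (not PWM's own code or token format): a stateless, HMAC-signed token
to illustrate the properties of the Crypto token storage method."""
import base64
import hashlib
import hmac
import json
import secrets
import time

MIN_KEY_LENGTH = 32  # documented minimum length for pwm.securityKey


def _b64(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _unb64(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def issue_token(security_key: str, subject: str, purpose: str, lifetime: int, now=None) -> str:
    """Create a token carrying subject, purpose and expiry, signed with the security key.
    Nothing is written to any store; the signature is the only proof of origin."""
    if len(security_key) < MIN_KEY_LENGTH:
        raise ValueError("security key must be at least 32 characters")
    now = int(time.time()) if now is None else now
    payload = {
        "sub": subject,
        "purpose": purpose,
        "exp": now + lifetime,
        "jti": secrets.token_hex(8),  # random id so two tokens for one user differ
    }
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    tag = hmac.new(security_key.encode(), body, hashlib.sha256).digest()
    return (body + b"." + _b64(tag)).decode()


def read_token(security_key: str, token: str, purpose: str, now=None):
    """Return the payload if signature, purpose and expiry check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = token.encode().split(b".")
    except ValueError:
        return None
    expected = hmac.new(security_key.encode(), body, hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), tag):
        return None  # wrong key (different instance or rotated key) or tampered body
    payload = json.loads(_unb64(body))
    if payload.get("purpose") != purpose or payload.get("exp", 0) < now:
        return None
    return payload


if __name__ == "__main__":
    key = secrets.token_urlsafe(32)  # constructed key, at least 32 characters
    tok = issue_token(key, "cn=jane,ou=people,o=example", "forgotten-password", 3600)
    print(len(tok), read_token(key, tok, "forgotten-password"))
```

The purpose field is the part easiest to forget: a token issued for account activation must not be accepted by the forgotten-password flow, so the verifier checks purpose as well as signature and expiry. The same logic holds for any self-contained token design, whatever its encoding.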
Label
|
Token Characters |
Key
|
token.characters |
Navigation
|
Settings ⇨ Tokens ⇨ Token Characters |
Syntax
|
STRING |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
ABCDEFGHJKLMNPQRSTUVWXY3456789
|
Specify the available characters for the email token. |
Label
|
Token Length |
Key
|
token.length |
Navigation
|
Settings ⇨ Tokens ⇨ Token Length |
Syntax
|
NUMERIC |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
16
|
Specify the length of the email token. |
Label
|
Token Maximum Lifetime |
Key
|
token.lifetime |
Navigation
|
Settings ⇨ Tokens ⇨ Token Maximum Lifetime |
Syntax
|
DURATION |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
3600
|
Specify the default lifetime a token is valid (in seconds). The default is one hour. This default may be overridden by module-specific settings. |
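The character set, length and lifetime settings above together decide how hard a token is to guess within its validity window; the same arithmetic applies to the Request ID Characters and Request ID Length settings earlier on this page. The following is an added example, not PWM's own code, that generates tokens from a configured alphabet with a CSPRNG, compares them in constant time, and computes the entropy and the guessing odds for both the token and request-ID defaults. It assumes that a presented token is case-folded and trimmed before comparison.

```python
"""Added example (not PWM's own code): generate tokens from a configured alphabet and
length, compare them safely, and quantify the guessing resistance the settings give."""
import hmac
import math
import secrets

# Defaults copied from the settings on this page.
TOKEN_CHARACTERS = "ABCDEFGHJKLMNPQRSTUVWXY3456789"
TOKEN_LENGTH = 16
REQUEST_ID_CHARACTERS = "0123456789abcdef"
REQUEST_ID_LENGTH = 6


def generate_token(alphabet: str, length: int) -> str:
    """Draw each position uniformly from the distinct symbols of the alphabet."""
    symbols = sorted(set(alphabet))  # duplicates in the setting would skew the draw
    if len(symbols) < 2 or length < 1:
        raise ValueError("alphabet needs at least two distinct symbols and length >= 1")
    return "".join(secrets.choice(symbols) for _ in range(length))


def entropy_bits(alphabet: str, length: int) -> float:
    """Bits of entropy in a token of this shape."""
    return length * math.log2(len(set(alphabet)))


def guess_probability(alphabet: str, length: int, attempts: int) -> float:
    """Chance that `attempts` distinct guesses within the token lifetime hit one token."""
    return min(1.0, attempts / len(set(alphabet)) ** length)


def token_matches(presented: str, issued: str) -> bool:
    """Constant-time comparison; trimmed and case-folded because users type tokens (assumption)."""
    return hmac.compare_digest(presented.strip().upper().encode(), issued.upper().encode())


if __name__ == "__main__":
    print(generate_token(TOKEN_CHARACTERS, TOKEN_LENGTH))
    print(round(entropy_bits(TOKEN_CHARACTERS, TOKEN_LENGTH), 1), "bits for the token default")
    print(entropy_bits(REQUEST_ID_CHARACTERS, REQUEST_ID_LENGTH), "bits for the request-ID default")
    print(guess_probability(TOKEN_CHARACTERS, TOKEN_LENGTH, 1_000_000))
```

The default alphabet is 30 symbols (it leaves out I, O, Z, 0, 1 and 2, which are easy to misread), so the 16-character default carries about 78.5 bits, and a million guesses within the one-hour lifetime succeed with probability well under 1e-17. Shortening the token for SMS trades that margin away quickly: six decimal digits fall to a million guesses, which is why a short token must be paired with attempt limits and the short lifetime above.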
Label
|
Token LDAP attribute name |
Key
|
token.ldap.attribute |
Navigation
|
Settings ⇨ Tokens ⇨ Token LDAP attribute name |
Syntax
|
STRING |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
pwmToken
|
Specify the attribute that PWM uses when you enable the LDAP Token Storage Method to store and search for tokens. |
Label
|
Enable Token Destination Value Masking |
Key
|
token.valueMasking.enable |
Navigation
|
Settings ⇨ Tokens ⇨ Enable Token Destination Value Masking |
Syntax
|
BOOLEAN |
Level
|
1
(Advanced)
|
Required
|
True |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
True
|
Enable this option to mask token destination display values (email addresses and telephone numbers). |
General URL settings for the application.
Label
|
Forward URL |
Key
|
pwm.forwardURL |
Navigation
|
Settings ⇨ URL Settings ⇨ Forward URL |
Syntax
|
STRING |
Level
|
1
(Advanced)
|
Required
|
False |
Confidential
|
False |
Scope
|
DOMAIN |
Default
|
|
Specify a URL that PWM forwards users to after the users complete any activity which does not require a log out.
You can override this setting for any given user session by adding a forwardURL parameter to any HTTP request. If blank, the system forwards the user to the PWM menu. |
| Label | Logout URL |
|---|---|
| Key | pwm.logoutURL |
| Navigation | Settings ⇨ URL Settings ⇨ Logout URL |
| Syntax | STRING |
| Level | 1 (Advanced) |
| Required | False |
| Confidential | False |
| Scope | DOMAIN |
| Default |  |

Specify the URL to redirect the user to upon logout. If users access the site through a web authentication gateway, set the Logout URL to the gateway's Logout URL. If you are using a gateway and do not include the proper logout URL here, users encounter authentication errors, intruder lockouts, and other problems. When things are working properly, users see the gateway logout screen when logging out.

You can set the Logout URL to any appropriate relative or absolute URL. By the time the user's browser requests this URL, the local session has already been invalidated.

You can always override this setting for any given user session by adding a logoutURL parameter to any HTTP request during the session.

| Label | Home URL |
|---|---|
| Key | pwm.homeURL |
| Navigation | Settings ⇨ URL Settings ⇨ Home URL |
| Syntax | STRING |
| Level | 1 (Advanced) |
| Required | False |
| Confidential | False |
| Scope | DOMAIN |
| Default |  |

Specify the URL to redirect the user to upon clicking the home button. If blank, the home button returns the user to the application context URL.

| Label | Intro URL |
|---|---|
| Key | pwm.introURL |
| Navigation | Settings ⇨ URL Settings ⇨ Intro URL |
| Syntax | SELECT |
| Level | 1 (Advanced) |
| Required | False |
| Confidential | False |
| Scope | DOMAIN |
| Options | /private/ (displayed as /private), /public/ (displayed as /public) |
| Default | /private/ |

Specify the URL to redirect the user to upon accessing the base context of this server (/pwm). The value must start with a slash (/) character, and PWM prepends the base application path to it.

| Label | Domain Hostnames |
|---|---|
| Key | domain.hosts |
| Navigation | Settings ⇨ URL Settings ⇨ Domain Hostnames |
| Syntax | STRING_ARRAY |
| Level | 1 (Advanced) |
| Required | False |
| Confidential | False |
| Scope | DOMAIN |
| Default |  |

A list of explicit fully qualified DNS hostnames to be used for this domain. If a client accesses this application using an exact hostname specified here, then this domain is used to service the client. Example: "password.acme.com".

Auditing
| Label | User History Storage Location |
|---|---|
| Key | events.user.storageMethod |
| Navigation | Settings ⇨ User History ⇨ User History Storage Location |
| Syntax | SELECT |
| Level | 2 |
| Required | True |
| Confidential | False |
| Scope | DOMAIN |
| Options | DATABASE (displayed as Remote Database), LDAP (displayed as LDAP) |
| Default | by template: default = LDAP, DB = DATABASE |

Select the data store you want to use for the user-specific audit history. This is the event history the users see in the Account Information module as well as in the Help Desk operator's user detail panel.

| Label | User History Events |
|---|---|
| Key | events.user.eventList |
| Navigation | Settings ⇨ User History ⇨ User History Events |
| Syntax | OPTIONLIST |
| Level | 1 (Advanced) |
| Required | False |
| Confidential | False |
| Scope | DOMAIN |
| Default | ACTIVATE_USER, CHANGE_PASSWORD, CLEAR_RESPONSES, CREATE_USER, HELPDESK_ACTION, HELPDESK_CLEAR_OTP_SECRET, HELPDESK_CLEAR_RESPONSES, HELPDESK_SET_PASSWORD, HELPDESK_UNLOCK_PASSWORD, HELPDESK_VERIFY_OTP, INTRUDER_USER_LOCK, RECOVER_PASSWORD, SET_OTP_SECRET, SET_RESPONSES, UNLOCK_PASSWORD, UPDATE_PROFILE |

Options:

| Stored Value | Display |
|---|---|
| AUTHENTICATE | Authenticate |
| AGREEMENT_PASSED | Agreement Passed |
| CHANGE_PASSWORD | Change Password |
| UNLOCK_PASSWORD | Unlock Password |
| RECOVER_PASSWORD | Recover Password |
| SET_RESPONSES | Set Responses |
| SET_OTP_SECRET | Set OTP |
| ACTIVATE_USER | Activate User |
| CREATE_USER | New User |
| UPDATE_PROFILE | Update Profile |
| INTRUDER_USER_LOCK | Intruder User Lock |
| INTRUDER_USER_ATTEMPT | Intruder User Attempt |
| TOKEN_ISSUED | Token Issued |
| TOKEN_CLAIMED | Token Claimed |
| CLEAR_RESPONSES | Clear Responses |
| HELPDESK_SET_PASSWORD | Helpdesk Set Password |
| HELPDESK_UNLOCK_PASSWORD | Helpdesk Unlock Password |
| HELPDESK_CLEAR_RESPONSES | Helpdesk Clear Responses |
| HELPDESK_CLEAR_OTP_SECRET | Helpdesk Clear OTP |
| HELPDESK_VIEW_DETAIL | Helpdesk View Detail |
| HELPDESK_ACTION | Helpdesk Action |
| HELPDESK_VERIFY_OTP | Helpdesk Verify OTP |

Select the event types you want to store in the user-specific audit history.

| Label | User History Maximum Events |
|---|---|
| Key | events.ldap.maxEvents |
| Navigation | Settings ⇨ User History ⇨ User History Maximum Events |
| Syntax | NUMERIC |
| Level | 2 |
| Required | True |
| Confidential | False |
| Scope | DOMAIN |
| Default | 20 |

Specify the maximum number of events to hold in the event history attribute for a user.

| Label | Interface Theme |
|---|---|
| Key | interface.theme |
| Navigation | Settings ⇨ User Interface ⇨ Look & Feel ⇨ Interface Theme |
| Syntax | SELECT |
| Level | 1 (Advanced) |
| Required | True |
| Confidential | False |
| Scope | DOMAIN |
| Options | basic, pwm, autumn, blue, matrix, midnight, red, sterile, tulips, water, embed (displayed as -Embedded-) |
| Default | pwm |

Select a theme to change the look and feel of PWM. PWM provides the included themes primarily as inspiration to those wishing to make customizations.

If you select Embedded, the system takes the contents of the CSS theme from the embedded stylesheet settings that follow. Themes are expected to be available at the URL paths:

- /pwm/public/resources/[theme]/style.css
- /pwm/public/resources/[theme]/mobileStyle.css

You can add additional themes using Settings ⇨ User Interface ⇨ Look & Feel ⇨ Custom Resource Bundle. You can override the default theme by specifying the URL parameter theme. For example: https://www.example.com:/pwm?theme=sterile

| Label | Embedded CSS Stylesheet |
|---|---|
| Key | display.css.customStyle |
| Navigation | Settings ⇨ User Interface ⇨ Look & Feel ⇨ Embedded CSS Stylesheet |
| Syntax | TEXT_AREA |
| Level | 2 |
| Required | False |
| Confidential | False |
| Scope | DOMAIN |
| Default |  |

Change the content of the embedded CSS stylesheet. The setting Settings ⇨ User Interface ⇨ Look & Feel ⇨ Interface Theme must be set to Embedded for this setting to be useful. PWM serves the contents of this setting from the virtual URL /public/resources/themes/embed/style.css.

| Label | Embedded Mobile CSS Stylesheet |
|---|---|
| Key | display.css.customMobileStyle |
| Navigation | Settings ⇨ User Interface ⇨ Look & Feel ⇨ Embedded Mobile CSS Stylesheet |
| Syntax | TEXT_AREA |
| Level | 2 |
| Required | False |
| Confidential | False |
| Scope | DOMAIN |
| Default |  |

Change the content of the embedded mobile CSS stylesheet. The setting Settings ⇨ User Interface ⇨ Look & Feel ⇨ Interface Theme must be set to Embedded for this setting to be useful. PWM serves the contents of this setting from the virtual URL /public/resources/themes/embed/mobileStyle.css.

| Label | Embedded JavaScript |
|---|---|
| Key | display.js.custom |
| Navigation | Settings ⇨ User Interface ⇨ Look & Feel ⇨ Embedded JavaScript |
| Syntax | TEXT_AREA |
| Level | 2 |
| Required | False |
| Confidential | False |
| Scope | DOMAIN |
| Default |  |

Enter custom JavaScript that PWM embeds in all user HTML pages. The PWM JavaScript environment is not documented and may change from version to version. Use this feature only in an environment where development resources are available to maintain the custom JavaScript over time.

A few general tips:

- The custom JavaScript executes after the body onload event and after most of the PWM libraries have loaded.
- The custom JavaScript loads on every page view. Your code can identify the current page by examining the data-jsp-name attribute of the application-info HTML element, which appears on all pages.
- The default Content-Security-Policy does not permit referencing JavaScript or other URLs externally. Instead, include any scripts, images or CSS files you need locally by using Settings ⇨ User Interface ⇨ Look & Feel ⇨ Custom Resource Bundle.

| Label | Custom Resource Bundle |
|---|---|
| Key | display.custom.resourceBundle |
| Navigation | Settings ⇨ User Interface ⇨ Look & Feel ⇨ Custom Resource Bundle |
| Syntax | FILE |
| Level | 2 |
| Required | False |
| Confidential | False |
| Scope | DOMAIN |
| Default | [] |

Upload a custom ZIP file containing static HTTP resources. PWM adds the ZIP contents to the configuration and serves them from the HTTP path /public/resources/. The maximum ZIP file size is 10MB. Files included are of types such as HTML, text, and images. PWM does not perform any server-side processing when serving these files.

| Label | Enable Showing Masked Fields |
|---|---|
| Key | display.showHidePasswordFields |
| Navigation | Settings ⇨ User Interface ⇨ UI Features ⇨ Enable Showing Masked Fields |
| Syntax | BOOLEAN |
| Level | 1 (Advanced) |
| Required | True |
| Confidential | False |
| Scope | DOMAIN |
| Default | True |

Enable this option to allow users to toggle the show/hide state of masked (hidden) data input fields, where appropriate. This setting applies to all HTML masked password fields, regardless of the actual data type.

| Label | Mask Password Fields |
|---|---|
| Key | display.maskPasswordFields |
| Navigation | Settings ⇨ User Interface ⇨ UI Features ⇨ Mask Password Fields |
| Syntax | BOOLEAN |
| Level | 2 |
| Required | True |
| Confidential | False |
| Scope | DOMAIN |
| Default | True |

Enable this option to mask sensitive input fields with standard "password" masking. If set to false, PWM displays sensitive fields as normal text input fields.

| Label | Mask Response Fields |
|---|---|
| Key | display.maskResponseFields |
| Navigation | Settings ⇨ User Interface ⇨ UI Features ⇨ Mask Response Fields |
| Syntax | BOOLEAN |
| Level | 2 |
| Required | True |
| Confidential | False |
| Scope | DOMAIN |
| Default | True |

Enable this option to mask Challenge/Response answer input fields with standard "password" masking. If set to false, PWM displays response fields as normal text input fields. This setting applies to both the setup responses and the forgotten password response entry screens.

| Label | Mask Token Input Fields |
|---|---|
| Key | display.maskTokenFields |
| Navigation | Settings ⇨ User Interface ⇨ UI Features ⇨ Mask Token Input Fields |
| Syntax | BOOLEAN |
| Level | 2 |
| Required | True |
| Confidential | False |
| Scope | DOMAIN |
| Default | False |

Enable this option to mask token input fields with standard "password" masking. When enabled, users cannot easily input multi-line tokens (such as crypto-format tokens).

| Label | Show Cancel Button |
|---|---|
| Key | display.showCancelButton |
| Navigation | Settings ⇨ User Interface ⇨ UI Features ⇨ Show Cancel Button |
| Syntax | BOOLEAN |
| Level | 1 (Advanced) |
| Required | True |
| Confidential | False |
| Scope | DOMAIN |
| Default | True |

Enable this option to show a "Cancel" button to users, where appropriate. Pressing the cancel button sends the user to the forwardURL (or to the logoutURL if they have modified their password). The cancel button appears on the change password screen only if the password is not expired. The Cancel button only appears if the browser has JavaScript enabled.

| Label | Show Token Entry Success Pages |
|---|---|
| Key | display.tokenSuccessPage |
| Navigation | Settings ⇨ User Interface ⇨ UI Features ⇨ Show Token Entry Success Pages |
| Syntax | BOOLEAN |
| Level | 1 (Advanced) |
| Required | True |
| Confidential | False |
| Scope | DOMAIN |
| Default | True |

Enable this option to show a page to users after they enter their tokens successfully.

| Label | Show Success Pages |
|---|---|
| Key | display.showSuccessPage |
| Navigation | Settings ⇨ User Interface ⇨ UI Features ⇨ Show Success Pages |
| Syntax | BOOLEAN |
| Level | 1 (Advanced) |
| Required | True |
| Confidential | False |
| Scope | DOMAIN |
| Default | True |

Enable this option to display a "success" page informing the user that the action completed successfully. You can bypass this page by changing this setting to false.

| Label | Show Login Page Options |
|---|---|
| Key | display.showLoginPageOptions |
| Navigation | Settings ⇨ User Interface ⇨ UI Features ⇨ Show Login Page Options |
| Syntax | BOOLEAN |
| Level | 1 (Advanced) |
| Required | True |
| Confidential | False |
| Scope | DOMAIN |
| Default | True |

Enable this option to have the login page display the "Forgotten Password" and other options (if you enabled those components).

| Label | Show Logout Button |
|---|---|
| Key | display.logoutButton |
| Navigation | Settings ⇨ User Interface ⇨ UI Features ⇨ Show Logout Button |
| Syntax | BOOLEAN |
| Level | 1 (Advanced) |
| Required | True |
| Confidential | False |
| Scope | DOMAIN |
| Default | True |

Enable this option to show a logout button in the header and other menus, as appropriate, to authenticated users and administrators.

| Label | Show Home Button |
|---|---|
| Key | display.homeButton |
| Navigation | Settings ⇨ User Interface ⇨ UI Features ⇨ Show Home Button |
| Syntax | BOOLEAN |
| Level | 1 (Advanced) |
| Required | True |
| Confidential | False |
| Scope | DOMAIN |
| Default | True |

Enable this option to show a "home" button in the header and other menus, as appropriate, to authenticated users and administrators.

| Label | Show Idle Timeout Counter |
|---|---|
| Key | display.idleTimeout |
| Navigation | Settings ⇨ User Interface ⇨ UI Features ⇨ Show Idle Timeout Counter |
| Syntax | BOOLEAN |
| Level | 1 (Advanced) |
| Required | True |
| Confidential | False |
| Scope | DOMAIN |
| Default | True |

Enable this option to show the user's remaining idle time; when that time reaches zero, PWM redirects the user to the logout page.

| Label | Show Strength Meter |
|---|---|
| Key | password.showStrengthMeter |
| Navigation | Settings ⇨ User Interface ⇨ UI Features ⇨ Show Strength Meter |
| Syntax | BOOLEAN |
| Level | 1 (Advanced) |
| Required | True |
| Confidential | False |
| Scope | DOMAIN |
| Default | True |

Enable this option to allow users to see the password strength meter on the change password screen.

| Label | Idle Timeout Seconds |
|---|---|
| Key | idleTimeoutSeconds |
| Navigation | Settings ⇨ User Interface ⇨ UI Features ⇨ Idle Timeout Seconds |
| Syntax | DURATION |
| Level | 1 (Advanced) |
| Required | True |
| Confidential | False |
| Scope | DOMAIN |
| Default | 300 |

Specify the number of seconds of inactivity after which PWM unauthenticates an authenticated session. The minimum value is 60 seconds.

| Label | Reporting User Match |
|---|---|
| Key | reporting.ldap.userMatch |
| Navigation | Settings ⇨ User Interface ⇨ UI Features ⇨ Reporting User Match |
| Syntax | USER_PERMISSION |
| Level | 1 (Advanced) |
| Required | False |
| Confidential | False |
| Scope | DOMAIN |
| Default | UserPermission: All Users: [Profile: 'all'] |

Select the users to include in the reporting job.

| Label | External Token Destination Server URLs |
|---|---|
| Key | external.destToken.urls |
| Navigation | Settings ⇨ Web Services ⇨ REST Clients ⇨ External Token Destination Server URLs |
| Syntax | STRING |
| Level | 2 |
| Required | False |
| Confidential | False |
| Scope | DOMAIN |
| Default |  |

Specify the URL of an external server. PWM provides this RESTful client API to allow flexibility in how PWM reads the destination token addresses and how it displays them to users.

When you populate this setting with a valid URL, PWM makes an HTTP POST request just before it sends a token to a user. The body of the post includes the user's originally generated destination token address as well as additional user information. An example of the request data follows (it might vary depending on what data is available and at what point the system issues the token):

```json
{
"tokenDestination":{
"email":"[email protected]",
"sms":"555-555-5555"
},
"userInfo":{
"userDN":"_default|CN\u003dAllison Blake,OU\u003dNYC,OU\u003dPeople,DC\u003dad,DC\u003dism,DC\u003dexample,DC\u003dcom",
"userID":"ablake",
"userEmailAddress":"[email protected]",
"passwordExpirationTime":"2383-02-20T09:10:33Z",
"passwordLastModifiedTime":"2014-01-21T09:10:33Z",
"requiresNewPassword":false,
"requiresResponseConfig":true,
"requiresUpdateProfile":true,
"passwordStatus":{
"expired":false,
"preExpired":false,
"violatesPolicy":false,
"warnPeriod":false
},
"passwordPolicy":{
"MaximumNumeric":"0",
"MinimumSpecial":"0",
"AllowLastCharSpecial":"true",
"ADComplexity":"false",
"RegExNoMatch":"",
"AllowSpecial":"true",
"MaximumSpecial":"0",
"MinimumLowerCase":"0",
"MaximumRepeat":"0",
"MinimumUnique":"0",
"MinimumNumeric":"0",
"MinimumLength":"2",
"DisallowedValues":"test\npassword",
"CaseSensitive":"true",
"RegExMatch":"",
"DisallowCurrent":"false",
"MaximumUnique":"0",
"AllowFirstCharSpecial":"true",
"MinimumLifetime":"0",
"ExpirationInterval":"0",
"UniqueRequired":"false",
"MaximumSequentialRepeat":"0",
"ChallengeResponseEnabled":"false",
"AllowNumeric":"true",
"EnforceAtLogin":"false",
"AllowFirstCharNumeric":"true",
"EnableWordlist":"true",
"MaximumLength":"64",
"DisallowedAttributes":"sn\ncn\ngivenName",
"AllowLastCharNumeric":"true",
"PolicyEnabled":"true",
"MaximumUpperCase":"0",
"MinimumUpperCase":"0",
"ChangeMessage":"",
"MaximumLowerCase":"0"
},
"passwordRules":[
"Password is case sensitive.",
"Must be at least 2 characters long.",
"Must not include any of the following values: test password",
"Must not include part of your name or user name.",
"Must not include a common word or commonly used sequence of characters."
]
}
}
```

The web service must then respond with a body that includes a value for each tokenDestination value provided in the request, as well as a display value. For example:

```json
{
"email":"[email protected]",
"sms":"555-555-5555",
"displayValue":"e****@example.org or 555-555-****"
}
```

PWM substitutes the returned email and sms values for the original values, and if the system displays the destination to the user, it shows the displayValue instead of the actual destination email or SMS value. If an error occurs during the web service call, PWM shows the user an error.

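The contract above is small enough to implement end to end. The following is an added example, not PWM's own code: a minimal token destination web service that returns the original values unchanged and a masked displayValue in the shape shown above. The masking rules (first character of the mailbox, last digit group of the phone number) and the port 8080 are assumptions for the example; PWM only requires that the response carry the same keys it sent plus displayValue.

```python
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer


def mask_email(address: str) -> str:
    """Keep the first mailbox character and the domain: ablake@example.org -> a****@example.org."""
    local, sep, domain = address.partition("@")
    if not sep or not local:
        return "****"
    return local[0] + "****@" + domain


def mask_sms(number: str) -> str:
    """Mask the trailing digit group: 555-555-5555 -> 555-555-****."""
    runs = list(re.finditer(r"\d+", number))
    if not runs:
        return "****"
    last = runs[-1]
    return number[:last.start()] + "*" * (last.end() - last.start()) + number[last.end():]


def handle_token_destination(request: dict) -> dict:
    """Build the response body PWM expects for one token destination request."""
    dest = request.get("tokenDestination") or {}
    email = dest.get("email")
    sms = dest.get("sms")
    if not email and not sms:
        raise ValueError("request carries no token destination")
    # The real destinations go back unchanged; only the display string is masked.
    display = [mask_email(email)] if email else []
    if sms:
        display.append(mask_sms(sms))
    response = {"displayValue": " or ".join(display)}
    if email:
        response["email"] = email
    if sms:
        response["sms"] = sms
    return response


class TokenDestinationHandler(BaseHTTPRequestHandler):
    """HTTP glue: PWM POSTs JSON, we answer JSON; any failure becomes a 400 and PWM shows an error."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        try:
            body = json.loads(self.rfile.read(length) or b"{}")
            reply, status = handle_token_destination(body), 200
        except ValueError as exc:  # json.JSONDecodeError is a ValueError
            reply, status = {"error": str(exc)}, 400
        payload = json.dumps(reply).encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # Assumed listener address for the example; point external.destToken.urls at it.
    HTTPServer(("127.0.0.1", 8080), TokenDestinationHandler).serve_forever()
```

Because PWM treats any failure of the call as a user-visible error, the handler deliberately rejects a request with no destinations rather than returning an empty displayValue, which would otherwise let a token go out with nothing to show the user.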
| Label | External Password Check REST Server URLs |
|---|---|
| Key | external.pwcheck.urls |
| Navigation | Settings ⇨ Web Services ⇨ REST Clients ⇨ External Password Check REST Server URLs |
| Syntax | STRING |
| Level | 2 |
| Required | False |
| Confidential | False |
| Scope | DOMAIN |
| Default |  |

PWM provides this RESTful client API to add further password rule checking to the application.

When you populate this setting with a valid URL, PWM makes an HTTP POST request during the password validation operation. The body of the post includes the user's desired password as well as additional user information. The following is an example of the request data (it might vary depending on what data is available and at what point the system invokes the API):

```json
{
"password":"password1234",
"userInfo":{
"userDN":"_default|cn\u003dablake,ou\u003dusers,o\u003dexample",
"userID":"ablake",
"userEmailAddress":"[email protected]",
"passwordExpirationTime":"2014-03-04T00:06:03Z",
"passwordLastModifiedTime":"2014-02-02T00:06:03Z",
"requiresNewPassword":false,
"requiresResponseConfig":false,
"requiresUpdateProfile":false,
"passwordStatus":{
"expired":false,
"preExpired":false,
"violatesPolicy":false,
"warnPeriod":false
},
"passwordPolicy":{
"MaximumNumeric":"0",
"MinimumSpecial":"0",
"AllowLastCharSpecial":"true",
"ADComplexity":"false",
"RegExNoMatch":"",
"AllowSpecial":"true",
"MaximumSpecial":"0",
"MinimumLowerCase":"0",
"MinimumUnique":"0",
"MinimumNumeric":"1",
"MinimumLength":"8",
"DisallowedValues":"test\npassword",
"CaseSensitive":"true",
"RegExMatch":"",
"DisallowCurrent":"false",
"AllowFirstCharSpecial":"true",
"MinimumLifetime":"0",
"ExpirationInterval":"2592000",
"UniqueRequired":"false",
"MaximumSequentialRepeat":"0",
"AllowNumeric":"true",
"AllowFirstCharNumeric":"true",
"EnableWordlist":"true",
"MaximumLength":"12",
"DisallowedAttributes":"sn\ncn\ngivenName",
"AllowLastCharNumeric":"true",
"PolicyEnabled":"true",
"MaximumUpperCase":"0",
"MinimumUpperCase":"0",
"ChangeMessage":"Please change your password to meet the corporate policy",
"MaximumLowerCase":"0"
},
"passwordRules":[
"Password is case sensitive.",
"Must be at least 8 characters long.",
"Must be no more than 12 characters long.",
"Must include at least 1 number.",
"Must not include any of the following values: test password",
"Must not include part of your name or user name.",
"Must not include a common word or commonly used sequence of characters."
]
}
}
```

The web service must then respond with a body that includes a true/false error status, as well as an errorMessage value to display to the user:

```json
{
"error": true,
"errorMessage":"password check output - from rest api"
}
```

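The point of this hook is a rule PWM cannot evaluate itself. As an added example (not PWM's code), the checker below rejects passwords found on a locally held denylist of known-compromised values, reuses the DisallowedValues and CaseSensitive entries from the passwordPolicy PWM sent so the two sides stay in step, and refuses a password that embeds the userID. The denylist contents are constructed for the example; a real service would consult a breach corpus, and storing only digests keeps the cleartext values out of the service's own configuration.

```python
import hashlib


def _sha256(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


# Constructed denylist for the example: digests of passwords the organisation blocks.
BLOCKED_DIGESTS = {_sha256(p) for p in ("password1234", "Welcome2024!", "Summer2023")}


def check_password(request: dict) -> dict:
    """Return the {"error": bool, "errorMessage": str} body PWM expects."""
    password = request.get("password")
    if not isinstance(password, str) or not password:
        return {"error": True, "errorMessage": "No password supplied"}

    user = request.get("userInfo") or {}
    policy = user.get("passwordPolicy") or {}

    # Rule 1: a denylist that only this service holds.
    if _sha256(password) in BLOCKED_DIGESTS:
        return {"error": True, "errorMessage": "This password is on the organisation's blocked list"}

    # Rule 2: honour the disallowed values PWM sent, with PWM's own case-sensitivity flag.
    case_sensitive = str(policy.get("CaseSensitive", "true")).lower() == "true"
    haystack = password if case_sensitive else password.lower()
    for value in filter(None, str(policy.get("DisallowedValues", "")).split("\n")):
        needle = value if case_sensitive else value.lower()
        if needle in haystack:
            return {"error": True, "errorMessage": f"Password must not contain '{value}'"}

    # Rule 3: the user name must not appear inside the password, regardless of case.
    user_id = str(user.get("userID", ""))
    if user_id and user_id.lower() in password.lower():
        return {"error": True, "errorMessage": "Password must not contain your user name"}

    return {"error": False, "errorMessage": ""}
```

The error message is shown verbatim to the user, so it names the rule that failed but never echoes the password or the denylist entry that matched it.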
| Label | External Macro REST Server URLs |
|---|---|
| Key | external.macros.urls |
| Navigation | Settings ⇨ Web Services ⇨ REST Clients ⇨ External Macro REST Server URLs |
| Syntax | STRING_ARRAY |
| Level | 2 |
| Required | False |
| Confidential | False |
| Scope | DOMAIN |
| Default |  |

Specify the URLs of the external macro servers. PWM provides this RESTful client API to allow additional macro functions. The macro engine uses each URL listed in order, such that @External1:value@ corresponds to the first URL, @External2:value@ corresponds to the second URL, and so on. PWM passes the value from the macro declaration as the input field of the JSON data sent to the web service. The system includes the user information only if the user is authenticated at the time of the invocation. The following is an example of the body of the HTTP POST request made by this application:

```json
{
"input":"macroInput",
"userInfo":{
"userDN":"_default|cn\u003dablake,ou\u003dusers,o\u003dexample",
"userID":"ablake",
"userEmailAddress":"[email protected]",
"passwordExpirationTime":"2014-03-04T00:06:03Z",
"passwordLastModifiedTime":"2014-02-02T00:06:03Z",
"requiresNewPassword":false,
"requiresResponseConfig":false,
"requiresUpdateProfile":false,
"passwordStatus":{
"expired":false,
"preExpired":false,
"violatesPolicy":false,
"warnPeriod":false
},
"passwordPolicy":{
"MaximumNumeric":"0",
"MinimumSpecial":"0",
"AllowLastCharSpecial":"true",
"ADComplexity":"false",
"RegExNoMatch":"",
"AllowSpecial":"true",
"MaximumSpecial":"0",
"MinimumLowerCase":"0",
"MinimumUnique":"0",
"MinimumNumeric":"1",
"MinimumLength":"8",
"DisallowedValues":"test\npassword",
"CaseSensitive":"true",
"RegExMatch":"",
"DisallowCurrent":"false",
"AllowFirstCharSpecial":"true",
"MinimumLifetime":"0",
"ExpirationInterval":"2592000",
"UniqueRequired":"false",
"MaximumSequentialRepeat":"0",
"AllowNumeric":"true",
"AllowFirstCharNumeric":"true",
"EnableWordlist":"true",
"MaximumLength":"12",
"DisallowedAttributes":"sn\ncn\ngivenName",
"AllowLastCharNumeric":"true",
"PolicyEnabled":"true",
"MaximumUpperCase":"0",
"MinimumUpperCase":"0",
"ChangeMessage":"Please change your password to meet the corporate policy",
"MaximumLowerCase":"0"
},
"passwordRules":[
"Password is case sensitive.",
"Must be at least 8 characters long.",
"Must be no more than 12 characters long.",
"Must include at least 1 number.",
"Must not include any of the following values: test password",
"Must not include part of your name or user name.",
"Must not include a common word or commonly used sequence of characters."
]
}
}
```

The web service must then respond with a body that includes an output value. For example:

```json
{
"output":"macro api output"
}
```

The system uses the output value as the macro substitution value.

| Label | External Remote Responses REST Server URL |
|---|---|
| Key | external.remoteResponses.url |
| Navigation | Settings ⇨ Web Services ⇨ REST Clients ⇨ External Remote Responses REST Server URL |
| Syntax | STRING |
| Level | 2 |
| Required | False |
| Confidential | False |
| Scope | DOMAIN |
| Default |  |

PWM provides this RESTful client API to allow a remote service to provide Challenge/Response validation during forgotten password recovery.

When you configure the setting Modules ⇨ Public ⇨ Forgotten Password ⇨ Profiles ⇨ [profile] ⇨ Definition ⇨ Verification Methods to use Remote Responses, PWM invokes the URL configured here. The request includes user information and a verification session identifier. The remote service is responsible for returning instructions to the user, an error message, a list of prompts to present to the user, and the status of the verification process.

HTTP request POST JSON body example:

```json
{
"responseSessionID":"65634ab0-0112-41a1-93b1-e9e8178bbc29",
"userInfo":{
"userDN":"cn=testuser,ou=users,o=data",
"ldapProfile":"default",
"userID":"testuser",
"userEmailAddress":"[email protected]",
"passwordExpirationTime":"2000-01-01T01:01:01Z",
"passwordLastModifiedTime":"2000-01-01T01:01:01Z",
"requiresNewPassword":false,
"requiresResponseConfig":false,
"requiresUpdateProfile":false,
"requiresInteraction":false,
"passwordStatus":{
"expired":false,
"preExpired":false,
"violatesPolicy":false,
"warnPeriod":false
},
"passwordPolicy":{
"MinimumNumeric":"0",
"AllowNumeric":"TRUE",
"MaximumSpecial":"0",
"AllowLastCharSpecial":"TRUE",
"MinimumLength":"5",
"AllowFirstCharNumeric":"TRUE",
"MaximumUpperCase":"0",
"MinimumLowerCase":"0",
"UniqueRequired":"FALSE",
"PolicyEnabled":"true",
"ADComplexityMaxViolations":"2",
"MaximumLength":"12",
"DisallowedValues":"",
"MinimumUnique":"0",
"MinimumLifetime":"0",
"CaseSensitive":"TRUE",
"AllowLastCharNumeric":"TRUE",
"ExpirationInterval":"2592000",
"AllowFirstCharSpecial":"TRUE",
"MinimumSpecial":"0",
"MaximumSequentialRepeat":"0",
"MinimumUpperCase":"0",
"DisallowedAttributes":"",
"MaximumLowerCase":"0",
"ChangeMessage":"Please change your password to meet the corporate policy",
"MaximumNumeric":"0",
"AllowSpecial":"TRUE"
},
"passwordRules":[
"Password is case sensitive.",
"Must be at least 5 characters long.",
"Must be no more than 12 characters long."
]
},
"userResponses":{
"identifier1":"user answer value"
}
}
```

HTTP response JSON body example:

```json
{
"displayInstructions":"please enter the data for the requested prompts",
"verificationState":"INPROGRESS",
"userPrompts":[
{
"displayPrompt":"User Prompt #1",
"identifier":"identifier1"
},
{
"displayPrompt":"User Prompt #2",
"identifier":"identifier2"
}
],
"errorMessage":"error message"
}
```

Permitted values for verificationState are INPROGRESS, FAILED and COMPLETE.

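Since the remote service owns the verification state, it also owns the decisions that make a forgotten-password flow safe: which prompts to issue, how answers are compared, and when a session is abandoned. The following is an added example, not PWM's code, of a handler that walks a responseSessionID through INPROGRESS, COMPLETE and FAILED using the request and response shapes above. The expected answers, prompt texts and the three-attempt limit are constructed for the example; a real service would keep hashed answers in its own store.

```python
import hmac
import uuid

# Constructed reference data for the example: expected answers per userID, keyed by identifier.
EXPECTED_ANSWERS = {"testuser": {"identifier1": "blue", "identifier2": "oslo"}}
PROMPTS = {"identifier1": "Favourite colour?", "identifier2": "City of birth?"}
MAX_ATTEMPTS = 3           # assumed lockout threshold per responseSessionID
_attempts: dict = {}       # responseSessionID -> wrong answers so far


def _prompts() -> list:
    return [{"displayPrompt": text, "identifier": ident} for ident, text in PROMPTS.items()]


def _reply(state: str, instructions: str = "", prompts=None, error: str = "") -> dict:
    return {"displayInstructions": instructions, "verificationState": state,
            "userPrompts": prompts or [], "errorMessage": error}


def handle_remote_responses(request: dict) -> dict:
    """One round of the Remote Responses exchange: prompts first, then answer checking."""
    session = request.get("responseSessionID") or str(uuid.uuid4())
    user_id = (request.get("userInfo") or {}).get("userID", "")
    answers = request.get("userResponses") or {}
    expected = EXPECTED_ANSWERS.get(user_id)

    if expected is None:
        # Unknown user: fail with the same message as a wrong answer, so the
        # response does not reveal whether the account exists.
        return _reply("FAILED", error="Verification failed")

    if not answers:
        # First call of the session carries no answers: hand back the prompts.
        return _reply("INPROGRESS", "Please answer the requested prompts", _prompts())

    _attempts[session] = _attempts.get(session, 0) + 1
    # Check every expected answer, in constant time, without stopping at the first miss.
    all_ok = True
    for ident, want in expected.items():
        got = str(answers.get(ident, "")).strip().lower().encode("utf-8")
        all_ok &= hmac.compare_digest(got, want.lower().encode("utf-8"))

    if all_ok:
        _attempts.pop(session, None)
        return _reply("COMPLETE")
    if _attempts[session] >= MAX_ATTEMPTS:
        _attempts.pop(session, None)
        return _reply("FAILED", error="Verification failed")
    return _reply("INPROGRESS", "One or more answers were incorrect; please try again",
                  _prompts(), "Verification failed")
```

Returning FAILED terminates the recovery in PWM, so the attempt counter is kept per session rather than per user; a per-user counter would let anyone who knows a user name lock that user out of self-service recovery.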
| Label | Remote Form Data Service |
|---|---|
| Key | external.remoteData.url |
| Navigation | Settings ⇨ Web Services ⇨ REST Clients ⇨ Remote Form Data Service |
| Syntax | REMOTE_WEB_SERVICE |
| Level | 2 |
| Required | False |
| Confidential | False |
| Scope | DOMAIN |
| Default | [] |

PWM provides this RESTful client API to allow a remote service to provide form data validation during form editing.

When you configure a form field to use a Remote REST API as its source, PWM invokes the URL configured here. The request includes user information, form configuration data and a verification session identifier. The remote service is responsible for returning an error boolean, an error message to display to the user, and a detailed error message for administrator logging.

HTTP request POST JSON body example:

```json
{
"formInfo":{
"module":"NewUser",
"moduleProfileID":"cc3",
"mode":"verify",
"sessionID":"j651u3tc47bCFig7sy0LIxlwHYvXbZ4WHanVMUgRaIMEof7A8c3ahr5M5g9OemZw0UAHqLhb"
},
"formValues":{
"mail":"[email protected]",
"givenName":"john",
"sn":"doe",
"remote1":"value1"
},
"formConfigurations":[
{
"name":"mail",
"minimumLength":1,
"maximumLength":64,
"type":"email",
"source":"ldap",
"required":true,
"confirmationRequired":false,
"readonly":false,
"unique":true,
"multivalue":false,
"labels":{
"":"Email Address"
},
"regexErrors":{
"":"Email Address has invalid characters"
},
"description":{
"":""
},
"regex":"^[a-zA-Z0-9 .,'@]*$",
"placeholder":"[email protected]",
"javascript":"",
"selectOptions":{
}
},
{
"name":"givenName",
"minimumLength":1,
"maximumLength":64,
"type":"text",
"source":"ldap",
"required":true,
"confirmationRequired":false,
"readonly":false,
"unique":false,
"multivalue":false,
"labels":{
"":"First Name"
},
"regexErrors":{
"":""
},
"description":{
"":""
},
"regex":"^[a-zA-Z0-9 .,'@]*$",
"placeholder":"",
"javascript":"",
"selectOptions":{
}
},
{
"name":"sn",
"minimumLength":1,
"maximumLength":64,
"type":"text",
"source":"ldap",
"required":true,
"confirmationRequired":false,
"readonly":false,
"unique":false,
"multivalue":false,
"labels":{
"":"Last Name"
},
"regexErrors":{
"":""
},
"description":{
"":""
},
"regex":"^[a-zA-Z0-9 .,'@]*$",
"placeholder":"",
"javascript":"",
"selectOptions":{
}
},
{
"name":"remote1",
"minimumLength":0,
"maximumLength":255,
"type":"text",
"source":"remote",
"required":false,
"confirmationRequired":false,
"readonly":false,
"unique":false,
"multivalue":false,
"labels":{
"":"remote1"
},
"regexErrors":{
"":""
},
"description":{
"":""
},
"regex":"",
"placeholder":"",
"javascript":"",
"selectOptions":{
}
}
]
}
```

HTTP response JSON body example:

```json
{
"error":true,
"errorMsg":"Field remote1 Has the wrong value.",
"errorDetail":"Incorrect Data",
"formValues":{}
}
```

Permitted values for mode are verify, read and write. In read mode, the response must include the form field values in a formValues element.

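One service has to handle all three modes, and because PWM ships the field configuration with every request, the service can re-validate the same regex and length limits rather than trusting that the browser-side check ran. The following is an added example, not PWM's code, of a handler that dispatches on mode, re-checks each field against the configuration it was sent, applies its own rule to the remote-sourced field, and in read mode returns the remote values inside formValues. The accepted values for remote1 and the per-user record store are constructed for the example.

```python
import re

# Constructed reference data for the example.
VALID_REMOTE1 = {"value1", "value2"}
REMOTE_RECORDS = {"john.doe@example.org": {"remote1": "value1"}}


def _ok(values=None) -> dict:
    return {"error": False, "errorMsg": "", "errorDetail": "", "formValues": values or {}}


def _fail(msg: str, detail: str) -> dict:
    # errorMsg is shown to the user; errorDetail is for the administrator log only.
    return {"error": True, "errorMsg": msg, "errorDetail": detail, "formValues": {}}


def handle_remote_form_data(request: dict) -> dict:
    """Answer one Remote Form Data Service request in verify, read or write mode."""
    info = request.get("formInfo") or {}
    mode = info.get("mode")
    values = request.get("formValues") or {}
    configs = {c["name"]: c for c in (request.get("formConfigurations") or []) if "name" in c}
    remote_fields = [n for n, c in configs.items() if c.get("source") == "remote"]

    if mode not in ("verify", "read", "write"):
        return _fail("Request rejected", f"unsupported mode {mode!r}")

    if mode == "read":
        # read mode: remote-sourced fields must come back inside formValues.
        record = REMOTE_RECORDS.get(str(values.get("mail", "")), {})
        return _ok({name: record.get(name, "") for name in remote_fields})

    # verify and write: re-apply the constraints PWM sent for every field.
    for name, cfg in configs.items():
        value = str(values.get(name, ""))
        label = (cfg.get("labels") or {}).get("", name)
        if cfg.get("required") and not value:
            return _fail(f"{label} is required", f"field {name} empty")
        if len(value) > int(cfg.get("maximumLength", 0) or 10**6):
            return _fail(f"{label} is too long", f"field {name} exceeds maximumLength")
        pattern = cfg.get("regex") or ""
        if pattern and not re.fullmatch(pattern, value):
            err = (cfg.get("regexErrors") or {}).get("") or f"{label} has an invalid value"
            return _fail(err, f"field {name} failed regex {pattern}")
        if name in remote_fields and value and value not in VALID_REMOTE1:
            return _fail(f"Field {name} Has the wrong value.", "Incorrect Data")

    if mode == "write":
        key = str(values.get("mail", ""))
        REMOTE_RECORDS.setdefault(key, {}).update({n: str(values.get(n, "")) for n in remote_fields})
    return _ok()
```

The regex is applied with fullmatch even though PWM's patterns already carry ^ and $ anchors, so a configuration whose pattern lacks them still cannot be satisfied by a partial match.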
| Label | Enable REST Web Server |
|---|---|
| Key | external.webservices.enable |
| Navigation | Settings ⇨ Web Services ⇨ REST Services ⇨ Enable REST Web Server |
| Syntax | BOOLEAN |
| Level | 2 |
| Required | False |
| Confidential | False |
| Scope | DOMAIN |
| Default | by template: default = False, NOVL_IDM = True |

Enable this option to allow public use of web services. When false, PWM requires the form nonce for all web services. The form nonce is difficult (though not impossible) for a client to retrieve programmatically, so it is correspondingly difficult, though not impossible, to use the web services. When true, PWM does not require the form nonce to invoke the web services.

| Label | Public REST Web Services |
|---|---|
| Key | webservices.public.enable |
| Navigation | Settings ⇨ Web Services ⇨ REST Services ⇨ Public REST Web Services |
| Syntax | OPTIONLIST |
| Level | 2 |
| Required | False |
| Confidential | False |
| Scope | DOMAIN |
| Options | Health (Health - /health), ForgottenPassword (Forgotten Password - /forgottenpassword), Statistics (Statistics - /statistics) |
| Default |  |

Web services that are enabled for public (unauthenticated) use.

| Label | Web Service Non-LDAP Users and Passwords |
|---|---|
| Key | webservices.external.secrets |
| Navigation | Settings ⇨ Web Services ⇨ REST Services ⇨ Web Service Non-LDAP Users and Passwords |
| Syntax | NAMED_SECRET |
| Level | 2 |
| Required | False |
| Confidential | False |
| Scope | DOMAIN |
| Default |  |

Define users and passwords that are able to authenticate to and use the REST web services. For each user, you can define a list of available services and a password. Invoking the REST web services with these users does not require an LDAP user; PWM instead relies on the configured LDAP proxy user. In most cases this is the preferred approach for REST clients to authenticate. Usernames defined here preempt LDAP username resolution.

| Label | Web Services LDAP Authentication Permissions |
|---|---|
| Key | webservices.queryMatch |
| Navigation | Settings ⇨ Web Services ⇨ REST Services ⇨ Web Services LDAP Authentication Permissions |
| Syntax | USER_PERMISSION |
| Level | 2 |
| Required | False |
| Confidential | False |
| Scope | DOMAIN |
| Default | by template: default = (none), NOVL_IDM = UserPermission: All Users: [Profile: 'all'] |

Add an LDAP filter that matches the users permitted to execute REST web services.

| Label | Web Services LDAP Third Party Permissions |
|---|---|
| Key | webservices.thirdParty.queryMatch |
| Navigation | Settings ⇨ Web Services ⇨ REST Services ⇨ Web Services LDAP Third Party Permissions |
| Syntax | USER_PERMISSION |
| Level | 2 |
| Required | False |
| Confidential | False |
| Scope | DOMAIN |
| Default |  |

Add an LDAP filter that matches the users permitted to execute REST web services and specify a third party via the 'username' parameter.

| Label | Allow Challenge REST Service to Read Answers |
|---|---|
| Key | webservices.enableReadAnswers |
| Navigation | Settings ⇨ Web Services ⇨ REST Services ⇨ Allow Challenge REST Service to Read Answers |
| Syntax | BOOLEAN |
| Level | 2 |
| Required | False |
| Confidential | False |
| Scope | DOMAIN |
| Default | False |

Enable this option to allow PWM to use web services to read the stored Challenge/Response answers of users. The read responses are available in whatever hashing method format you selected.

Word Lists
| Label | Word List File URL |
|---|---|
| Key | pwm.wordlist.location |
| Navigation | Settings ⇨ Word Lists ⇨ Word List File URL |
| Syntax | STRING |
| Level | 1 (Advanced) |
| Required | False |
| Confidential | False |
| Scope | SYSTEM |
| Default |  |

Specify a word list file URL for dictionary checking, to prevent users from using commonly used words as passwords. Using word lists is an important part of password security, because intruders use word lists to guess common passwords. The default word list included contains commonly used English passwords.

The first time a startup occurs with a new word list setting, it takes some time to compile the word list into a database. See the status screen and logs for progress information. The word list file format is one or more text files containing a single word per line, enclosed in a ZIP file. The string !#comment: at the beginning of a line indicates a comment.

The value must be a valid URL using the protocol "file" (local file system), "http", or "https".

Label | Word List Case Sensitivity
Key | wordlistCaseSensitive
Navigation | Settings ⇨ Word Lists ⇨ Word List Case Sensitivity
Syntax | BOOLEAN
Level | 1 (Advanced)
Required | True
Confidential | False
Scope | SYSTEM
Default | False
Enable this option to treat the word list as case sensitive for all matches. Changing this value causes PWM to recompile the word list.
Label | Word List Word Size Check
Key | password.wordlist.wordSize
Navigation | Settings ⇨ Word Lists ⇨ Word List Word Size Check
Syntax | NUMERIC
Level | 2
Required | True
Confidential | False
Scope | SYSTEM
Default | 0
Specify the minimum number of characters in the password that PWM checks against the Word List dictionary. For example, if the password the system checks is "wordlist" and this setting is set to 6, then the combinations "wordli", "wordlis", "wordlist", "ordlis", "ordlist", and "rdlist" are all checked against the configured dictionary. If any of these values is equal to any word in the Word List dictionary, then the system considers the password to match the Word List and rejects it. If this value is set to zero or the password to check is shorter than the value specified here, then the system checks the entire password against the Word List but not any smaller parts of it.
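As an added example (not PWM's own code), the following Python reads a word list in the ZIP format described under Word List File URL, honours the Word List Case Sensitivity setting, and applies the Word Size Check substring rule from the paragraph above; the sample ZIP and its words are constructed inline, and the function names are this example's own.

```python
import io
import zipfile

COMMENT_PREFIX = "!#comment:"  # comment marker from the Word List File URL setting


def load_wordlist(zip_bytes: bytes, case_sensitive: bool = False) -> set:
    """Parse the word list format: a ZIP of text files, one word per line;
    lines beginning with '!#comment:' are ignored. With case sensitivity off,
    words are folded to lower case (Word List Case Sensitivity setting)."""
    words = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):  # skip directory entries
                continue
            for raw in zf.read(name).decode("utf-8").splitlines():
                line = raw.strip()
                if not line or line.startswith(COMMENT_PREFIX):
                    continue
                words.add(line if case_sensitive else line.lower())
    return words


def candidate_substrings(password: str, word_size: int) -> list:
    """Substrings compared against the dictionary under Word List Word Size
    Check: word_size 0, or a password shorter than word_size, checks only the
    whole password; otherwise every substring of length word_size..len."""
    n = len(password)
    if word_size <= 0 or n < word_size:
        return [password]
    return [password[i:i + length]
            for length in range(word_size, n + 1)
            for i in range(n - length + 1)]


def matches_wordlist(password: str, words: set, word_size: int,
                     case_sensitive: bool = False) -> bool:
    """True when any checked substring equals a dictionary word (reject)."""
    probe = password if case_sensitive else password.lower()
    return any(s in words for s in candidate_substrings(probe, word_size))


def build_sample_wordlist() -> bytes:
    """Constructed sample ZIP in the documented format (not a real list)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("words.txt",
                    "!#comment: constructed sample list\nordlis\nPassword\n")
    return buf.getvalue()
```

With word size 6, "wordlist" is rejected because the fragment "ordlis" is in the sample list; with word size 0 only the whole password is compared and it passes.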
