This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
[{$pagename}] is an [EDirectory] concept for [Password Grace Authentication] that allows a limited number of logins to be performed after [Password Expiration] has been reached.
!! [Edirectory Password Policy] and [{$pagename}]
To enable [Password Grace Authentications] in the [Edirectory Password Policy], you would modify the [Password Life Time] settings of the [Password Policy] that is enabled for the user.
%%warning
You [MUST] set [Limit the number of grace logins allowed|LoginGraceLimit] to some value in order for [Number of days before password expires|PasswordExpirationTime] to prevent users from logging in after the password expires.
%%
!! Limit the number of grace logins allowed (0-254)
When the [password] expires, this value indicates how many times a user is allowed to log in to [eDirectory] by using the expired password.
* 0 - A value of "0" will not allow any [{$pagename}].
* 1 - If the value is 1 or more, the user has a chance to log in additional times before being forced to change the password. However, if the user does not change the password before all the [{$pagename}] are used, he or she is effectively locked out and is unable to log in to [eDirectory].
! [{$pagename}] NOT Enabled
[eDirectory 9.0.3.0 (40005.12)] and several earlier versions of the documentation appear to have a conflict in this area. The documentation clearly states:
* If [{$pagename}] are not enabled (the check box "Limit the number of grace logins allowed" is NOT checked), the user cannot log in after a password has expired, and he or she requires administrator assistance to reset the password.
* Also, if you have not selected the Limit [Grace Logins] option, unlimited [Grace Logins] are allowed.
So if "unlimited [Grace Logins]" are allowed, then how can "the user cannot log in after a password has expired" also be true?
!! Attributes
There are several attributes added to the user entries when you set [{$pagename}]:
* [PasswordExpirationTime] - The time at which the password expires.
* [LoginGraceLimit] - The number of times a user may log in beyond the [PasswordExpirationTime].
* [LoginGraceRemaining] - The number of Grace Logins the user currently has remaining.
Once [LoginGraceRemaining] becomes "0", the user will not be able to log in and will receive [Password Expired] as the [LDAP Result Code].
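The following audit helper is an added example, not part of the original page or of eDirectory itself. It classifies user entries by the three attributes above so that expired accounts still running on grace logins can be found and reviewed. It assumes the attributes have already been read over LDAP as strings named passwordExpirationTime, loginGraceLimit and loginGraceRemaining, with the expiration time in GeneralizedTime form; the state labels and sample entries are constructed for illustration.

```python
from datetime import datetime, timezone

def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime value such as 20241101000000Z (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def grace_state(entry, now):
    """Classify one user entry (attribute name -> string value)."""
    expires = entry.get("passwordExpirationTime")
    if expires is None or parse_generalized_time(expires) > now:
        return "not-expired"
    limit = entry.get("loginGraceLimit")
    remaining = entry.get("loginGraceRemaining")
    if limit is not None and int(limit) == 0:
        return "expired-locked-out"      # a limit of 0 allows no grace logins
    if remaining is None:
        # No grace counter on the entry: the documentation conflict described
        # on this page applies, so flag the account for a policy review.
        return "expired-review-policy"
    if int(remaining) <= 0:
        return "expired-locked-out"      # next bind returns Password Expired
    return "expired-grace-remaining"

def audit(entries, now):
    """Return {dn: state} for every entry."""
    return {dn: grace_state(attrs, now) for dn, attrs in entries.items()}

# Constructed sample entries (not real directory data).
SAMPLE_NOW = datetime(2024, 11, 29, 16, 16, tzinfo=timezone.utc)
SAMPLE_ENTRIES = {
    "cn=alice,o=example": {"passwordExpirationTime": "20250101000000Z",
                           "loginGraceLimit": "3", "loginGraceRemaining": "3"},
    "cn=bob,o=example": {"passwordExpirationTime": "20241101000000Z",
                         "loginGraceLimit": "3", "loginGraceRemaining": "1"},
    "cn=carol,o=example": {"passwordExpirationTime": "20241101000000Z",
                           "loginGraceLimit": "3", "loginGraceRemaining": "0"},
    "cn=dave,o=example": {"passwordExpirationTime": "20241101000000Z"},
}

if __name__ == "__main__":
    for dn, state in audit(SAMPLE_ENTRIES, SAMPLE_NOW).items():
        print(f"{dn}: {state}")
```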
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Managing Passwords by Using Password Policies|https://www.netiq.com/documentation/edirectory-9/edir_admin/data/b1j5v27h.html |target='_blank'] - based on information obtained 2017-05-15