EDirectory Password Expiration


This page describes how password expiration works within eDirectory.

Most entries are, and SHOULD be, controlled by a Universal Password Policy.

EDirectory Password Expiration is determined by the value of the passwordExpirationInterval on the Universal Password Policy which applies to the entry.

The conditions that control the "Password Expired" mechanism are defined within the Universal Password Policy. The important values within the nspmPasswordPolicy Password Policy are shown below (with typical values):

  • Number of days before password expires (0-365): 30 Days
  • Limit the number of grace logins allowed (0-254): 02 Attempt(s)

In addition to the Universal Password Policy, the passwordRequired attribute on the entry must be set to: TRUE

A password is considered Password Expired when the PasswordExpirationTime has passed and the LoginGraceRemaining=0.

However, ONLY once an entry has been assigned to a Universal Password Policy and the password has subsequently been changed will the eDirectory server set (or update) attribute values on the entry:

How EDirectory Password Expiration is performed

Then, when the user performs a bind request, the server reads the entry's value for passwordExpirationTime and decides whether the password has expired.

There is NOT a "live" calculation on the entry's pwdChangedTime / passwordExpirationInterval. The live operation only looks at the LDAP Entry passwordExpirationTime.

When using Universal Password Policies, the policy is enforced such that you cannot extend the passwordExpirationTime beyond what the policy says is valid. You can, however, set the passwordExpirationTime to a value earlier than the Universal Password Policy would produce, and the password will then expire at that earlier time.
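As an added illustration (not eDirectory code and not from this page), the following Python models the two behaviours described above: the bind-time check that consults only the stored passwordExpirationTime and loginGraceRemaining, and the write-time enforcement that lets passwordExpirationTime be moved earlier but not later than pwdChangedTime plus passwordExpirationInterval. It assumes the time attributes are LDAP GeneralizedTime strings and simplifies the grace-login and passwordRequired handling.

```python
from datetime import datetime, timedelta, timezone

def parse_generalized_time(value: str) -> datetime:
    """LDAP GeneralizedTime 'YYYYMMDDHHMMSSZ' -> timezone-aware UTC datetime (assumed format)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def format_generalized_time(value: datetime) -> str:
    return value.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")

def bind_password_state(entry: dict, now: datetime) -> str:
    """Model of the bind-time check: look ONLY at the stored passwordExpirationTime
    and loginGraceRemaining. pwdChangedTime + passwordExpirationInterval is never
    recomputed here, so a stale passwordExpirationTime still expires the password.
    Returns 'ok', 'grace' (expired but a grace login was available) or 'expired'."""
    if str(entry.get("passwordRequired", "FALSE")).upper() != "TRUE":
        return "ok"                 # modelled: no passwordRequired, no expiration enforcement
    exp = entry.get("passwordExpirationTime")
    if exp is None:
        return "ok"                 # attribute never written, nothing to expire
    if now < parse_generalized_time(exp):
        return "ok"
    grace = int(entry.get("loginGraceRemaining", 0))
    if grace > 0:
        entry["loginGraceRemaining"] = grace - 1   # modelled: a grace login is consumed
        return "grace"
    return "expired"

def clamp_expiration_time(entry: dict, requested: str, interval_days: int) -> str:
    """Model of policy enforcement on a write to passwordExpirationTime: a value earlier
    than pwdChangedTime + passwordExpirationInterval is accepted as-is; a later value is
    clamped back to that policy maximum."""
    latest = parse_generalized_time(entry["pwdChangedTime"]) + timedelta(days=interval_days)
    wanted = parse_generalized_time(requested)
    return format_generalized_time(min(wanted, latest))

# Constructed sample entry: 30-day interval, 2 grace logins, password changed 1 March 2024
sample_entry = {
    "passwordRequired": "TRUE",
    "pwdChangedTime": "20240301120000Z",
    "passwordExpirationTime": "20240331120000Z",
    "loginGraceRemaining": 2,
}
```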


