Overview#
eDirectory Password Expiration is the password expiration mechanism within eDirectory. Most entries are, and SHOULD be, controlled by a Universal Password Policy.
eDirectory Password Expiration is determined by the value of passwordExpirationInterval on the Universal Password Policy which applies to the entry.
The conditions that control the "Password Expired" mechanism are defined within the Universal Password Policy. The important values within the nspmPasswordPolicy Password Policy are shown below (with typical values):
- Number of days before password expires (0-365): 30 Days
- Limit the number of grace logins allowed (0-254): 02 Attempt(s)
A password is considered Password Expired when the passwordExpirationTime has passed and loginGraceRemaining is 0.
However, ONLY once an entry has been assigned to a Universal Password Policy and subsequently changes its password will the eDirectory server set (or update) the following attribute values on the entry:
- passwordExpirationTime - set forward by the number of days specified in the Password Policy's Days Between Forced Changes field (passwordExpirationInterval).
- passwordExpirationInterval - set to the value of the Password Policy's passwordExpirationInterval (this is done for backward compatibility with non-Universal Password clients).
How EDirectory Password Expiration is performed#
When the user then performs a bind request, the server reads the entry's value for passwordExpirationTime and decides whether the password is expired. There is NOT a "live" calculation based on the entry's pwdChangedTime or passwordExpirationInterval; the bind operation only looks at the entry's passwordExpirationTime.
When using Universal Password Policies then the policy will be enforced such that you cannot extend the passwordExpirationTime beyond what the policy says is valid. You can, however, set the passwordExpirationTime to be earlier than the Universal Password Policy and the password will expire at the earlier time.
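The following is an added example, not part of the original page and not eDirectory code, that emulates the behaviour described above in plain Python: what the server writes on a password change for a policy-controlled entry, the bind-time decision that looks only at passwordExpirationTime (never recomputing from pwdChangedTime and passwordExpirationInterval), and the policy clamp that refuses to push passwordExpirationTime later than the policy allows while accepting an earlier value. The entry and policy are constructed dictionaries; the attribute values use LDAP GeneralizedTime strings. Assumptions not stated on the page: passwordExpirationInterval is expressed in seconds, loginGraceRemaining is reset to the policy's grace-login count on a password change, and the clamp ceiling is pwdChangedTime plus the policy interval.

```python
from datetime import datetime, timedelta, timezone

# LDAP GeneralizedTime as eDirectory stores passwordExpirationTime / pwdChangedTime.
GT = "%Y%m%d%H%M%SZ"

# Constructed nspmPasswordPolicy values matching the typical values quoted above:
# 30 days between forced changes, 2 grace logins.
# Assumption: passwordExpirationInterval is held in seconds.
POLICY = {
    "passwordExpirationInterval": 30 * 24 * 3600,
    "graceLogins": 2,
}


def to_gt(dt: datetime) -> str:
    return dt.astimezone(timezone.utc).strftime(GT)


def from_gt(value: str) -> datetime:
    return datetime.strptime(value, GT).replace(tzinfo=timezone.utc)


def on_password_change(entry: dict, policy: dict, now: datetime) -> dict:
    """Emulate what the server writes when a policy-controlled entry changes its password."""
    interval = policy["passwordExpirationInterval"]
    entry["pwdChangedTime"] = to_gt(now)
    # passwordExpirationTime is moved forward by the policy interval.
    entry["passwordExpirationTime"] = to_gt(now + timedelta(seconds=interval))
    # Copied onto the entry for non-Universal Password clients; the bind check below never reads it.
    entry["passwordExpirationInterval"] = interval
    # Assumption: grace logins are replenished on a successful password change.
    entry["loginGraceRemaining"] = policy["graceLogins"]
    return entry


def check_bind(entry: dict, now: datetime) -> str:
    """Emulate the bind-time decision: only passwordExpirationTime is consulted.

    Returns "ok", "grace" (expired but a grace login was consumed) or "expired"
    (expired and loginGraceRemaining is 0).
    """
    expiration = entry.get("passwordExpirationTime")
    if expiration is None or now < from_gt(expiration):
        return "ok"
    if entry.get("loginGraceRemaining", 0) > 0:
        entry["loginGraceRemaining"] -= 1
        return "grace"
    return "expired"


def set_expiration_time(entry: dict, policy: dict, requested_gt: str) -> bool:
    """Emulate the policy clamp on a modify of passwordExpirationTime.

    A value later than what the policy permits is refused (returns False);
    an earlier value is accepted and the password then expires at that earlier time.
    Assumption: the permitted ceiling is pwdChangedTime + policy interval.
    """
    ceiling = from_gt(entry["pwdChangedTime"]) + timedelta(
        seconds=policy["passwordExpirationInterval"]
    )
    if from_gt(requested_gt) > ceiling:
        return False
    entry["passwordExpirationTime"] = requested_gt
    return True


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    user = on_password_change({}, POLICY, t0)
    print("after change:", user)
    print("bind day 10:", check_bind(user, t0 + timedelta(days=10)))
    late = t0 + timedelta(days=31)
    print("bind day 31:", [check_bind(user, late) for _ in range(3)])
    print("extend beyond policy:", set_expiration_time(user, POLICY, "20240301000000Z"))
    print("shorten below policy:", set_expiration_time(user, POLICY, "20240115000000Z"))
```

Note that changing the entry's own passwordExpirationInterval after the fact has no effect on check_bind, which is the point made above about there being no live calculation; only a password change (or a direct, policy-clamped modify of passwordExpirationTime) moves the expiry.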