<meta charset="UTF-8">
<meta name="robots" content="noindex,nofollow" />
<link rel="shortcut icon" type="image/x-icon" href="/wiki/images/favicon.ico" />
<link rel="icon" type="image/x-icon" href="/wiki/images/favicon.ico" />

<pre>
!!! Overview
[{$pagename}] within [eDirectory].

Most entries are and [SHOULD] be controlled a [Universal Password Policy|NspmPasswordPolicy].

[EDirectory] [Password Expiration] is determined by the value of the [passwordExpirationInterval] on the [Universal Password Policy|NspmPasswordPolicy] which applies to the entry.

The conditions that control the &quot;[Password Expired]&quot; mechanism are defined within the [Universal Password Policy|NspmPasswordPolicy]. The important values within the [nspmPasswordPolicy] [Password Policy] are shown below: (showing typical values)
* Number of days before password expires (0-365):       30 Days
* Limit the number of grace logins allowed (0-254):     02 Attempt(s) 
In addition to the [Universal Password Policy|NspmPasswordPolicy] the [passwordRequired] attribute must be set to: __TRUE__

A [password] is considered [Password Expired] when the [PasswordExpirationTime] has passed and the [LoginGraceRemaining]=0.

However, __ONLY__ once an entry has been assigned to a [Universal Password Policy|NspmPasswordPolicy] and then changes the password thereafter will the [EDirectory] server will set (or update) attribute values on the entry:
* [passwordExpirationTime] - forward the number of days specified in Password Policy value for the Days Between Forced Changes field ([passwordExpirationInterval]).
* [passwordExpirationInterval] - to the value of the Password Policy's [passwordExpirationInterval] (This is done for non-[Universal Password] client's backward compatibility)

!! How [{$pagename}] is performed
Then when the user performs a [bind Request] the server reads the entry's value for [passwordExpirationTime] and decides whether the [Password Expired]. 

There is __NOT__ a &quot;live&quot; calculation on the entry's [pwdChangedTime] / [passwordExpirationInterval]. The live operation only looks at the [LDAP Entry] [passwordExpirationTime].

When using [Universal Password Policies|NspmPasswordPolicy] then the policy will be enforced such that you cannot extend the [passwordExpirationTime] beyond what the policy says is valid. You can, however, set the [passwordExpirationTime] to be earlier than the [Universal Password Policy|NspmPasswordPolicy] and the password will expire at the earlier time.

!! Category
%%category [eDirectory]%%


!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
</pre>