!!! Overview
[{$pagename}] is an [EDirectory] concept for [Password Grace Authentication] that allows a limited number of logins to be performed after [Password Expiration] has been reached.

!! [Edirectory Password Policy] and [{$pagename}]
To enable [Password Grace Authentications] in the [Edirectory Password Policy], you would modify the [Password Life Time] settings of the [Password Policy] that is enabled for the user.

%%warning
You [MUST] set [Limit the number of grace logins allowed|LoginGraceLimit] to some value for [Number of days before password expires|PasswordExpirationTime] to prevent users from logging in after the password expires.
%%

!! Limit the number of grace logins allowed (0-254)
When the [password] expires, this value indicates how many times a user is allowed to log in to [eDirectory] by using the expired password.

* 0 - A value of "0" will not allow any [{$pagename}].
* 1 - If the value is 1 or more, the user has a chance to log in additional times before being forced to change the password. However, if the user does not change the password before all the [{$pagename}] are used, he or she is effectively locked out and is unable to log in to [eDirectory]. 

! [{$pagename}] NOT Enabled 
[eDirectory 9.0.3.0 (40005.12)] and several earlier versions of the documentation appear to have a conflict in this area. The documentation clearly states:
* If [{$pagename}] are not enabled (the check box "Limit the number of grace logins allowed" is NOT checked), the user cannot log in after a password has expired, and he or she requires administrator assistance to reset the password. 
* Also, if you have not selected the Limit [Grace Logins] option, unlimited [Grace Logins] are allowed.
So if "unlimited [Grace Logins]" are allowed then how can "the user cannot login after a password has expired" also be true?

!! Attributes
There are several attributes added to the user entries when you set [{$pagename}]:
* [PasswordExpirationTime] - The time at which the password expires.
* [LoginGraceLimit] - The number of times a user may log in beyond the [PasswordExpirationTime].
* [LoginGraceRemaining] - The number of Grace Logins the user currently has remaining.

Once [LoginGraceRemaining] becomes "0", the user will not be able to log in and will receive [Password Expired] as the [LDAP Result Code].
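
The following audit sketch is an added example, not code from eDirectory or its documentation. It classifies exported user entries by the three attributes above. It assumes a simple LDIF export (no folded or base64 lines), Generalized Time values for passwordExpirationTime, and constructed sample entries; the state names and function names are hypothetical.

```python
from datetime import datetime, timezone

# Constructed sample export (not from a real directory).
SAMPLE_LDIF = """\
dn: cn=alice,ou=users,o=example
passwordExpirationTime: 20300101000000Z
loginGraceLimit: 3
loginGraceRemaining: 3

dn: cn=bob,ou=users,o=example
passwordExpirationTime: 20170101000000Z
loginGraceLimit: 3
loginGraceRemaining: 1

dn: cn=carol,ou=users,o=example
passwordExpirationTime: 20170101000000Z
loginGraceLimit: 3
loginGraceRemaining: 0

dn: cn=dave,ou=users,o=example
passwordExpirationTime: 20170101000000Z
"""

def parse_ldif(text):
    """Parse simple LDIF into dicts keyed by lower-cased attribute name."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            entry[name.strip().lower()] = value.strip()
        entries.append(entry)
    return entries

def classify(entry, now):
    """Return the grace-login state of one user entry at time `now`."""
    expires = entry.get("passwordexpirationtime")
    if expires is None:
        return "no_expiry"
    expired_at = datetime.strptime(expires, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    if now < expired_at:
        return "ok"
    if "logingracelimit" not in entry:
        return "no_limit"  # limit unset: per the warning above, expiry is not enforced
    # Assumption: a missing counter means no grace logins have been used yet.
    remaining = int(entry.get("logingraceremaining", entry["logingracelimit"]))
    return "grace" if remaining > 0 else "locked"

def audit(text, now):
    return {e["dn"]: classify(e, now) for e in parse_ldif(text)}
```

Entries reported as "grace" are users logging in with an expired password, "locked" are users who will receive Password Expired, and "no_limit" are entries to check against the warning in the policy section.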


!! More Information
----
* [#1] - [Managing Passwords by Using Password Policies|https://www.netiq.com/documentation/edirectory-9/edir_admin/data/b1j5v27h.html |target='_blank'] - based on information obtained 2017-05-15