Overview
Grace Logins is an eDirectory concept for Password Grace Authentication that allows a limited number of logins to be performed after Password Expiration has been reached.
To enable Password Grace Authentications, modify the eDirectory Password Policy that is enabled for the user, under Password Life Time.
Limit the number of grace logins allowed (0-254)
When the password expires, this value indicates how many times a user is allowed to log in to eDirectory by using the expired password.
- 0 - A value of "0" will not allow any Grace Logins.
- 1 - If the value is 1 or more, the user has a chance to log in additional times before being forced to change the password. However, if the user does not change the password before all the Grace Logins are used, he or she is effectively locked out and is unable to log in to eDirectory.
Grace Logins NOT Enabled
eDirectory 9.0.3.0 (40005.12) and several earlier versions of the documentation appear to have a conflict in this area. The documentation clearly states:
- If Grace Logins are not enabled (the check box "Limit the number of grace logins allowed" is NOT checked), the user cannot log in after a password has expired, and he or she requires administrator assistance to reset the password.
- Also, if you have not selected the Limit Grace Logins option, unlimited Grace Logins are allowed.
So if "unlimited Grace Logins" are allowed, then how can "the user cannot log in after a password has expired" also be true?
Attributes
There are several attributes added to the user entries when you set Grace Logins.
Once LoginGraceRemaining becomes "0", the user will not be able to log in and will receive Password Expired as the LDAP Result Code.