Overview
Password Expiration is a concept of a Password Policy that limits the length of time that a user can continue to use the same password.
Mandated Regular Password Changes are a long-standing security practice whose effectiveness has been questioned by the following:
all recommend that passwords SHOULD NOT be arbitrarily expired after some interval.
Password Expiration is an LDAP concept of a server or DSA that can be used to limit the length of time that a user can continue to use the same password.
Some LDAP Server Implementations implement the Password Modify Extended Operation supportedExtension. This can allow the user, as the password expiration time draws near, to receive warning messages in the form of a supportedControl in the bind Response.
Typically, once the password has expired and there are no Grace Logins left, the entry will no longer be allowed to perform Authentication.
Once the user's password has expired, it may be necessary for an administrator to perform a Password Reset before the account may be used. Alternately, if the password policy is configured appropriately, the user may also be able to perform a Password Change for their own expired password using the Password Modify Extended Operation or by using a Password Management Application.
AD Determining Password Expiration explains how Password Expiration works in Microsoft Active Directory.
Several LDAP Server Implementations follow the draft-behera-ldap-password-policy as a Password Management Methodology.
eDirectory Password Expiration explains how eDirectory determines Password Expiration.
When eDirectory Administrative Password Changes are applied to a user's password, the password is normally expired (i.e., Password Reset).