Overview#

Password Grace Authentication is a concept within Password Management which allows limited Authentications beyond a Password Expired condition

Password Policy Administrators MAY deploy a Password Policy that which enforces Password Periodic Changes - thus forcing users to change their passwords periodically.

As a side effect, there needs to be a way in which users are made aware of this need to perform a Password Change before a Password Expired condition exists.

One or both of the following methods handle this:

• A warning may be returned to the user sometime before his password is due to expire. If the user fails to heed this warning before the expiration time, his account will be locked.
• The user may perform Authentication a preset number of times after her Password Expired condition exists. If she fails to change her password during one of her Password Grace Authentications then a Password Locked condition exists.

draft-behera-ldap-password-policy#

draft-behera-ldap-password-policy implements the following Attributes for Password Grace Authentication

• pwdGraceAuthNLimit
• pwdGraceExpiry
• pwdGraceUseTime

eDirectory and grace Logins#

Password Grace Authentication is implemented within eDirectory using grace Logins

More Information#

There might be more information for this subject on one of the following:

• Draft-behera-ldap-password-policy
• Grace Logins
• Password Validity Policy