Overview#

PasswordExpirationTime has an OID of 2.16.840.1.113719.1.1.4.1.68 and is the value when Password Expiration occurs. (Not considering Grace Logins)

The value is set on a user whenever a Password Modify Operation happens or whenever a Edirectory Password Policy is set for "Number of days before password expires" which will set the PasswordExpirationTime value on the user.

PasswordExpirationTime can be set to an "earlier" time than the calculated setting form the Edirectory Password Policy and the value will be honored. PasswordExpirationTime can NOT be se to a later value.

Some setting similaer to:

• loginGraceLimit: 1
• loginGraceRemaining: 0

How is the password expiration time calculated when using the NMAS Universal Password?#

The determination of whether a user's NMAS Universal Password has expired is not totally based on using the date and time value for the PasswordExpirationTime Attribute Value for a user. It is used but is first calculated dynamically on login then compared to it.

The Universal Password Password Expired Algorithm performs the following calculations:

• Lookup the entity's associated Edirectory Password Policy PasswordExpirationInterval Attribute Value
• Examine the entity's nspmPassword attribute timestamp (PwdChangedTime).
• Add the PasswordExpirationInterval to the nspmPassword modification timestamp (PwdChangedTime) on the entity.
• If this value less than PasswordExpirationTime Attribute Value? then the PasswordExpirationTime value is updated.
• Compare PasswordExpirationTime value to the current server time to determine if the Password Expired.

PasswordExpirationTime is calculated#

PasswordExpirationTime is calculated by adding the passwordExpirationInterval to the pwdChangedTime.

PasswordExpirationTime is calculated when there is a Password Modify Operation (determined from the PwdChangedTime) and and it is recalculated during login if the passwordExpirationInterval has been changed to a shorter amount of time or if the Edirectory Password Policy has been changed.

Password Reset and PasswordExpirationTime#

Edirectory Administrative Password Changes may affect the values for PasswordExpirationTime.

LDAP Attribute Definition#

The PasswordExpirationTime AttributeTypes is defined as:

• OID of 2.16.840.1.113719.1.1.4.1.68
• NAME: PasswordExpirationTime
• DESC:
• OBSOLETE flag (only if present)
• Supertype:
  • (only if present)
• EQUALITY:
• ORDERING:
• SYNTAX: 1.3.6.1.4.1.1466.115.121.1.24 GeneralizedTime
• SINGLE-VALUE
• NO-USER-MODIFICATION (only if present)
• USAGE: UserApplications
• Extended Flags:
  • X-ORIGIN:
  • X-NDS_NAME: Password Expiration Time
  • X-NDS_NONREMOVABLE: 1
• Used as MUST in:
• Used as MAY in:
  • inetOrgPerson
  • ndsLoginProperties
  • nspmPasswordAux
  • Template

More Information#

There might be more information for this subject on one of the following:

• 2.16.840.1.113719.1.1.4.1.68
• 2.16.840.1.113719.1.1.6.1.33
• 2.16.840.1.113719.1.64.6.1.1
• EDirectory Password Expiration
• Edirectory Administrative Password Changes
• Grace Logins
• InetOrgPerson
• NdsLoginProperties
• NspmPasswordAux
• Password Expiration
• Password Expired
• Password Life Time

---

• [#1] - How NMAS calculates and modifies the password expiration time when using the Universal Password - based on information obtained 2020-03-29