
Password Policy

UnboundID PedroT

In password policies, note that when expire-without-warning is 'false' and grace-logins is '0', users may bind to the directory server successfully when the password is expired, that is, when the time (pwdChangedTime + maxPasswordAge) has passed. Users may continue to bind successfully to the directory server under these conditions for the length of time specified by password-expiration-warning-interval, after which the password expires and must be reset.

The clock that counts down from password-expiration-warning-interval starts with the first successful bind after the password has expired. This means that users can bind successfully to the directory server after their password has expired for the length of time specified by password-expiration-interval after the password has expired.

By way of example, if a user's password expired on Jan. 1, 2011, the password-expiration-warning-interval is 1 day, and the user has not bound to the directory server since the password expired, the next time the user binds with valid credentials starts a 24-hour clock (the 1-day password-expiration-warning-interval) during which the user may bind successfully. After 24 hours have passed, the user's password must be reset.

This is slightly different from the behavior outlined in the older draft documents at: http://tools.ietf.org/html/draft-behera-ldap-password-policy-10 and http://tools.ietf.org/html/draft-vchu-ldap-pwd-policy-00 and can be avoided by setting expire-without-warning to 'true'.
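To make the interaction above concrete, here is an added Python model of the bind decision as the post describes it. It is not UnboundID server code; it is an illustration written for this page. The policy and user fields (max_password_age, password_expiration_warning_interval, expire_without_warning, grace_logins, first_bind_after_expiry) and the sample dates are assumptions chosen to replay the Jan. 1, 2011 example, and the grace-login handling is a simplified reading of what grace-logins does once no window remains.

```python
"""Model of the expired-password bind window described in the post.

Added illustration, not UnboundID server code: it encodes the post's account of
how expire-without-warning, grace-logins and password-expiration-warning-interval
interact once pwdChangedTime + maxPasswordAge has passed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class PasswordPolicy:
    # Field names mirror the policy properties named in the post (assumed mapping).
    max_password_age: timedelta
    password_expiration_warning_interval: timedelta
    expire_without_warning: bool = False
    grace_logins: int = 0


@dataclass
class UserState:
    pwd_changed_time: datetime
    # Hypothetical bookkeeping: when the first successful bind after expiry happened.
    first_bind_after_expiry: Optional[datetime] = None
    grace_logins_used: int = 0


def bind(policy: PasswordPolicy, user: UserState, now: datetime) -> str:
    """Outcome of a bind with otherwise-valid credentials at time `now`."""
    expiry = user.pwd_changed_time + policy.max_password_age

    if now < expiry:
        # Not yet expired. With warnings enabled the client is warned inside the
        # warning interval before expiry; the bind succeeds either way.
        warn_from = expiry - policy.password_expiration_warning_interval
        if not policy.expire_without_warning and now >= warn_from:
            return "OK_WARNING"
        return "OK"

    # Password is expired: pwdChangedTime + maxPasswordAge has passed.
    if not policy.expire_without_warning:
        # The behaviour the post describes: the warning-interval clock starts at
        # the first successful bind after expiry, and binds keep succeeding
        # until that interval has run out.
        if user.first_bind_after_expiry is None:
            user.first_bind_after_expiry = now
        window_end = user.first_bind_after_expiry + policy.password_expiration_warning_interval
        if now < window_end:
            return "OK_EXPIRED_WINDOW"

    # No window left: only configured grace logins (simplified model) let the user in.
    if user.grace_logins_used < policy.grace_logins:
        user.grace_logins_used += 1
        return "OK_GRACE_LOGIN"
    return "PASSWORD_EXPIRED"


def scenario(expire_without_warning: bool) -> list:
    """Replay the post's example: expiry on Jan 1 2011, 1-day warning interval,
    grace-logins 0, first bind after expiry on Jan 10 2011 12:00.
    Returns the outcome of each attempt in order."""
    policy = PasswordPolicy(
        max_password_age=timedelta(days=30),
        password_expiration_warning_interval=timedelta(days=1),
        expire_without_warning=expire_without_warning,
        grace_logins=0,
    )
    # Constructed sample data: pwdChangedTime chosen so the password expires Jan 1 2011 00:00.
    user = UserState(pwd_changed_time=datetime(2010, 12, 2, 0, 0))
    attempts = [
        datetime(2010, 12, 15, 9, 0),   # well before expiry
        datetime(2010, 12, 31, 12, 0),  # inside the pre-expiry warning interval
        datetime(2011, 1, 10, 12, 0),   # first bind after expiry: starts the 24h clock
        datetime(2011, 1, 11, 11, 59),  # still inside the 24h window
        datetime(2011, 1, 11, 12, 0),   # window elapsed: password must be reset
    ]
    return [bind(policy, user, t) for t in attempts]


if __name__ == "__main__":
    for flag in (False, True):
        print(f"expire-without-warning={flag}: {scenario(flag)}")
```

Running the two scenarios side by side shows the point of the post: with expire-without-warning false, the Jan. 10 bind nine days after expiry succeeds and opens a further 24-hour window, and only the Jan. 11 12:00 attempt is refused; with expire-without-warning true, every attempt after Jan. 1 is refused outright.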