How does password expiration work in DS (All versions)?
The purpose of this article is to provide information on how password expiration works in DS. It assumes you have warnings enabled.
Password expiration
If you set up password expiration, the warning gets triggered when the user authenticates during the password expiration warning interval and the ds-pwp-warned-time attribute is set. If the user does not authenticate before the password expiry time, the ds-pwp-password-expiration-time value will keep increasing until the user password is changed and the expiry time is reset.
In the following examples, the password policy will expire a password one hour after it has been changed and warn 30 minutes before expiry time:
- The first example demonstrates what happens if the user does not authenticate before their password expires and explains why you might see the password expiry time continually increasing.
- The second example demonstrates the expected outcome where the user authenticates before their password expires and within the warning period.
Scenario 1 - User does not authenticate before password expiry
In this example, the user does not authenticate before their password expires. Check the user's current password change and expiry times:
- DS 7.1 and later: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --baseDN dc=example,dc=com --bindDN uid=admin --bindPassword password uid=user.6 ds-pwp-password-expiration-time pwdChangedtime ds-pwp-warned-time
- DS 7: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --baseDN dc=example,dc=com --bindDN uid=admin --bindPassword password uid=user.6 ds-pwp-password-expiration-time pwdChangedtime ds-pwp-warned-time
- DS 6.x: $ ./ldapsearch --port 1389 --baseDN dc=example,dc=com --bindDN "cn=Directory Manager" --bindPassword password uid=user.6 ds-pwp-password-expiration-time pwdChangedtime ds-pwp-warned-time
Example response:
dn: uid=user.6,ou=People,dc=example,dc=com
pwdChangedTime: 20170208115546.098Z
ds-pwp-password-expiration-time: 20170208125546.098Z
Note
Notice that for some accounts, the ds-pwp-password-expiration-time attribute keeps changing once the password-expiration-warning-interval has passed, which means the password never expires.
When the expiry time is reached and the user attempts to authenticate, the user is locked out:
- DS 7.1 and later: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --baseDN dc=example,dc=com --bindDN "uid=user.6,ou=People,dc=example,dc=com" --bindPassword cangetin uid=user.6 cn
- DS 7: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --baseDN dc=example,dc=com --bindDN "uid=user.6,ou=People,dc=example,dc=com" --bindPassword cangetin uid=user.6 cn
- DS 6.x: $ ./ldapsearch --port 1389 --baseDN dc=example,dc=com --bindDN "uid=user.6,ou=People,dc=example,dc=com" --bindPassword cangetin uid=user.6 cn
Example response:
The simple bind attempt failed
Result Code: 49 (Invalid Credentials)
The password expiry time continues to increase to keep the account locked until the password is reset:
- DS 7.1 and later: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --baseDN dc=example,dc=com --bindDN uid=admin --bindPassword password uid=user.6 ds-pwp-password-expiration-time pwdChangedtime ds-pwp-warned-time
- DS 7: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --baseDN dc=example,dc=com --bindDN uid=admin --bindPassword password uid=user.6 ds-pwp-password-expiration-time pwdChangedtime ds-pwp-warned-time
- DS 6.x: $ ./ldapsearch --port 1389 --baseDN dc=example,dc=com --bindDN "cn=Directory Manager" --bindPassword password uid=user.6 ds-pwp-password-expiration-time pwdChangedtime ds-pwp-warned-time
Example response:
dn: uid=user.6,ou=People,dc=example,dc=com
pwdChangedTime: 20170208115546.098Z
ds-pwp-password-expiration-time: 20170208133604.100Z
Once the password is changed, the expiry time is reset to one hour:
- DS 7.1 and later: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --baseDN dc=example,dc=com --bindDN uid=admin --bindPassword password uid=user.6 ds-pwp-password-expiration-time pwdChangedtime ds-pwp-warned-time
- DS 7: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --baseDN dc=example,dc=com --bindDN uid=admin --bindPassword password uid=user.6 ds-pwp-password-expiration-time pwdChangedtime ds-pwp-warned-time
- DS 6.x: $ ./ldapsearch --port 1389 --baseDN dc=example,dc=com --bindDN "cn=Directory Manager" --bindPassword password uid=user.6 ds-pwp-password-expiration-time pwdChangedtime ds-pwp-warned-time
Example response:
dn: uid=user.6,ou=People,dc=example,dc=com
pwdChangedTime: 20170208131848.246Z
ds-pwp-password-expiration-time: 20170208141848.246Z
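As an added example (not DS code), the following Python reads the three attributes this article queries and distinguishes the stuck account of Scenario 1 from a healthy account and from the warned account shown in Scenario 2, using the timestamps quoted on this page. The policy values (expire after 1 hour, warn 30 minutes before) are the ones this article assumes, and the state names are this example's own.

```python
from datetime import datetime, timedelta, timezone

# Policy assumed by this article: expire 1 hour after a change, warn 30 minutes before.
MAX_AGE = timedelta(hours=1)
WARNING_INTERVAL = timedelta(minutes=30)

def parse_generalized_time(value):
    """LDAP GeneralizedTime as DS prints it, e.g. 20170208115546.098Z (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.%fZ").replace(tzinfo=timezone.utc)

def parse_entry(ldif):
    """One ldapsearch result -> dict. Attribute names are case-insensitive in
    LDAP, so keys are lower-cased (pwdChangedtime and pwdChangedTime match)."""
    entry = {}
    for line in ldif.strip().splitlines():
        if line.startswith("#") or ": " not in line:
            continue  # skips the '# Your password will expire ...' warning line
        name, _, value = line.partition(": ")
        entry[name.lower()] = value
    return entry

def classify(entry, now):
    """State of the account at `now`, from the three attributes the article queries."""
    changed = parse_generalized_time(entry["pwdchangedtime"])
    expiry = parse_generalized_time(entry["ds-pwp-password-expiration-time"])
    if "ds-pwp-warned-time" in entry:
        # Scenario 2: the user bound inside the warning window. In the quoted
        # output the new expiry equals ds-pwp-warned-time + WARNING_INTERVAL.
        return "warned" if now < expiry else "expired"
    if expiry > changed + MAX_AGE:
        # Scenario 1: expiry has drifted past pwdChangedTime + MAX_AGE with no
        # warning recorded: the password expired unseen, the server keeps pushing
        # the value forward, and the account stays locked until a reset.
        return "expired-locked"
    if now >= expiry:
        return "expired"
    if now >= expiry - WARNING_INTERVAL:
        return "warning-window"  # next successful bind will set ds-pwp-warned-time
    return "current"

# Constructed sample entries, copied from the responses quoted in this article.
STUCK = parse_entry("""dn: uid=user.6,ou=People,dc=example,dc=com
pwdChangedTime: 20170208115546.098Z
ds-pwp-password-expiration-time: 20170208133604.100Z""")
WARNED = parse_entry("""dn: uid=user.6,ou=People,dc=example,dc=com
ds-pwp-password-expiration-time: 20170208142000.923Z
pwdChangedtime: 20170208131848.246Z
ds-pwp-warned-time: 20170208135000.923Z""")
```

Run `classify(STUCK, parse_generalized_time("20170208135500.000Z"))` to see the Scenario 1 drift reported as `expired-locked`; the same call on `WARNED` returns `warned`.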
Scenario 2 - User authenticates before password expires and within warning period of 30 minutes
In this example, the user authenticates before their password expires and within the warning period; this triggers the notification they see warning that their password is due to expire.
- DS 7.1 and later:
$ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --baseDN dc=example,dc=com --bindDN uid=admin --bindPassword password uid=user.6 ds-pwp-password-expiration-time pwdChangedtime ds-pwp-warned-time
dn: uid=user.6,ou=People,dc=example,dc=com
ds-pwp-password-expiration-time: 20170208141848.246Z
pwdChangedtime: 20170208131848.246Z
$ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --baseDN dc=example,dc=com --bindDN "uid=user.6,ou=People,dc=example,dc=com" --bindPassword cangetin1 uid=user.6 cn
# Your password will expire in 30 minutes, 0 seconds
dn: uid=user.6,ou=People,dc=example,dc=com
cn: Abagail Abadines
$ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --baseDN dc=example,dc=com --bindDN uid=admin --bindPassword password uid=user.6 ds-pwp-password-expiration-time pwdChangedtime ds-pwp-warned-time
dn: uid=user.6,ou=People,dc=example,dc=com
ds-pwp-password-expiration-time: 20170208142000.923Z
pwdChangedtime: 20170208131848.246Z
ds-pwp-warned-time: 20170208135000.923Z
- DS 7:
$ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --baseDN dc=example,dc=com --bindDN uid=admin --bindPassword password uid=user.6 ds-pwp-password-expiration-time pwdChangedtime ds-pwp-warned-time
dn: uid=user.6,ou=People,dc=example,dc=com
ds-pwp-password-expiration-time: 20170208141848.246Z
pwdChangedtime: 20170208131848.246Z
$ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --baseDN dc=example,dc=com --bindDN "uid=user.6,ou=People,dc=example,dc=com" --bindPassword cangetin1 uid=user.6 cn
# Your password will expire in 30 minutes, 0 seconds
dn: uid=user.6,ou=People,dc=example,dc=com
cn: Abagail Abadines
$ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --baseDN dc=example,dc=com --bindDN uid=admin --bindPassword password uid=user.6 ds-pwp-password-expiration-time pwdChangedtime ds-pwp-warned-time
dn: uid=user.6,ou=People,dc=example,dc=com
ds-pwp-password-expiration-time: 20170208142000.923Z
pwdChangedtime: 20170208131848.246Z
ds-pwp-warned-time: 20170208135000.923Z
- DS 6.x:
$ ./ldapsearch --port 1389 --baseDN dc=example,dc=com --bindDN "cn=Directory Manager" --bindPassword password uid=user.6 ds-pwp-password-expiration-time pwdChangedtime ds-pwp-warned-time
dn: uid=user.6,ou=People,dc=example,dc=com
ds-pwp-password-expiration-time: 20170208141848.246Z
pwdChangedtime: 20170208131848.246Z
$ ./ldapsearch --port 1389 --baseDN dc=example,dc=com --bindDN "uid=user.6,ou=People,dc=example,dc=com" --bindPassword cangetin1 uid=user.6 cn
# Your password will expire in 30 minutes, 0 seconds
dn: uid=user.6,ou=People,dc=example,dc=com
cn: Abagail Abadines
$ ./ldapsearch --port 1389 --baseDN dc=example,dc=com --bindDN "cn=Directory Manager" --bindPassword password uid=user.6 ds-pwp-password-expiration-time pwdChangedtime ds-pwp-warned-time
dn: uid=user.6,ou=People,dc=example,dc=com
ds-pwp-password-expiration-time: 20170208142000.923Z
pwdChangedtime: 20170208131848.246Z
ds-pwp-warned-time: 20170208135000.923Z
See Also
How does DS (All versions) store password values?
Related Training
N/A
Related Issue Tracker IDs
N/A