How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How does password expiration work in DS (All versions)?

Last updated Jan 12, 2023

The purpose of this article is to provide information on how password expiration works in DS. It assumes you have warnings enabled.


Password expiration

With password expiration configured, the warning is triggered when the user authenticates during the password expiration warning interval, and the ds-pwp-warned-time attribute is set at that point. If the user does not authenticate before the password expiry time, the ds-pwp-password-expiration-time value keeps increasing until the user's password is changed and the expiry time is reset.

In the following examples, the password policy will expire a password one hour after it has been changed and warn 30 minutes before expiry time:

  • The first example demonstrates what happens if the user does not authenticate before their password expires and explains why you might see the password expiry time continually increasing.
  • The second example demonstrates the expected outcome where the user authenticates before their password expires and within the warning period.

Scenario 1 - User does not authenticate before password expiry

In this example, the user does not authenticate before their password expires; this causes the password expiry time to keep increasing and the user to be locked out:

  • DS 7.1 and later:
    $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --baseDN dc=example,dc=com --bindDN uid=admin --bindPassword password uid=user.6 ds-pwp-password-expiration-time pwdChangedtime ds-pwp-warned-time
  • DS 7:
    $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --baseDN dc=example,dc=com --bindDN uid=admin --bindPassword password uid=user.6 ds-pwp-password-expiration-time pwdChangedtime ds-pwp-warned-time
  • DS 6.x:
    $ ./ldapsearch --port 1389 --baseDN dc=example,dc=com --bindDN "cn=Directory Manager" --bindPassword password uid=user.6 ds-pwp-password-expiration-time pwdChangedtime ds-pwp-warned-time

Example response:

dn: uid=user.6,ou=People,dc=example,dc=com
pwdChangedTime: 20170208115546.098Z
ds-pwp-password-expiration-time: 20170208125546.098Z

Note

Notice that for some accounts, the ds-pwp-password-expiration-time attribute keeps changing once the password-expiration-warning-interval has passed, which means the password never expires.

When the expiry time is reached and the user attempts to authenticate, the user is locked out:

  • DS 7.1 and later:
    $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --baseDN dc=example,dc=com --bindDN "uid=user.6,ou=People,dc=example,dc=com" --bindPassword cangetin uid=user.6 cn
  • DS 7:
    $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --baseDN dc=example,dc=com --bindDN "uid=user.6,ou=People,dc=example,dc=com" --bindPassword cangetin uid=user.6 cn
  • DS 6.x:
    $ ./ldapsearch --port 1389 --baseDN dc=example,dc=com --bindDN "uid=user.6,ou=People,dc=example,dc=com" --bindPassword cangetin uid=user.6 cn

Example response:

The simple bind attempt failed
Result Code: 49 (Invalid Credentials)

The password expiry time continues to increase to keep the account locked until the password is reset:

  • DS 7.1 and later:
    $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --baseDN dc=example,dc=com --bindDN uid=admin --bindPassword password uid=user.6 ds-pwp-password-expiration-time pwdChangedtime ds-pwp-warned-time
  • DS 7:
    $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --baseDN dc=example,dc=com --bindDN uid=admin --bindPassword password uid=user.6 ds-pwp-password-expiration-time pwdChangedtime ds-pwp-warned-time
  • DS 6.x:
    $ ./ldapsearch --port 1389 --baseDN dc=example,dc=com --bindDN "cn=Directory Manager" --bindPassword password uid=user.6 ds-pwp-password-expiration-time pwdChangedtime ds-pwp-warned-time

Example response:

dn: uid=user.6,ou=People,dc=example,dc=com
pwdChangedTime: 20170208115546.098Z
ds-pwp-password-expiration-time: 20170208133604.100Z

Once the password is changed, the expiry time is reset to one hour:

  • DS 7.1 and later:
    $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --baseDN dc=example,dc=com --bindDN uid=admin --bindPassword password uid=user.6 ds-pwp-password-expiration-time pwdChangedtime ds-pwp-warned-time
  • DS 7:
    $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --baseDN dc=example,dc=com --bindDN uid=admin --bindPassword password uid=user.6 ds-pwp-password-expiration-time pwdChangedtime ds-pwp-warned-time
  • DS 6.x:
    $ ./ldapsearch --port 1389 --baseDN dc=example,dc=com --bindDN "cn=Directory Manager" --bindPassword password uid=user.6 ds-pwp-password-expiration-time pwdChangedtime ds-pwp-warned-time

Example response:

dn: uid=user.6,ou=People,dc=example,dc=com
pwdChangedTime: 20170208131848.246Z
ds-pwp-password-expiration-time: 20170208141848.246Z

Scenario 2 - User authenticates before password expires and within warning period of 30 minutes

In this example, the user authenticates before their password expires and within the warning period; this triggers the warning notification telling them that their password is due to expire.

DS 7.1 and later

$ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --baseDN dc=example,dc=com --bindDN uid=admin --bindPassword password uid=user.6 ds-pwp-password-expiration-time pwdChangedtime ds-pwp-warned-time
dn: uid=user.6,ou=People,dc=example,dc=com
ds-pwp-password-expiration-time: 20170208141848.246Z
pwdChangedtime: 20170208131848.246Z

$ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --baseDN dc=example,dc=com --bindDN "uid=user.6,ou=People,dc=example,dc=com" --bindPassword cangetin1 uid=user.6 cn
# Your password will expire in 30 minutes, 0 seconds
dn: uid=user.6,ou=People,dc=example,dc=com
cn: Abagail Abadines

$ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --baseDN dc=example,dc=com --bindDN uid=admin --bindPassword password uid=user.6 ds-pwp-password-expiration-time pwdChangedtime ds-pwp-warned-time
dn: uid=user.6,ou=People,dc=example,dc=com
ds-pwp-password-expiration-time: 20170208142000.923Z
pwdChangedtime: 20170208131848.246Z
ds-pwp-warned-time: 20170208135000.923Z

DS 7

$ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --baseDN dc=example,dc=com --bindDN uid=admin --bindPassword password uid=user.6 ds-pwp-password-expiration-time pwdChangedtime ds-pwp-warned-time
dn: uid=user.6,ou=People,dc=example,dc=com
ds-pwp-password-expiration-time: 20170208141848.246Z
pwdChangedtime: 20170208131848.246Z

$ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --baseDN dc=example,dc=com --bindDN "uid=user.6,ou=People,dc=example,dc=com" --bindPassword cangetin1 uid=user.6 cn
# Your password will expire in 30 minutes, 0 seconds
dn: uid=user.6,ou=People,dc=example,dc=com
cn: Abagail Abadines

$ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --baseDN dc=example,dc=com --bindDN uid=admin --bindPassword password uid=user.6 ds-pwp-password-expiration-time pwdChangedtime ds-pwp-warned-time
dn: uid=user.6,ou=People,dc=example,dc=com
ds-pwp-password-expiration-time: 20170208142000.923Z
pwdChangedtime: 20170208131848.246Z
ds-pwp-warned-time: 20170208135000.923Z

DS 6.x

$ ./ldapsearch --port 1389 --baseDN dc=example,dc=com --bindDN "cn=Directory Manager" --bindPassword password uid=user.6 ds-pwp-password-expiration-time pwdChangedtime ds-pwp-warned-time
dn: uid=user.6,ou=People,dc=example,dc=com
ds-pwp-password-expiration-time: 20170208141848.246Z
pwdChangedtime: 20170208131848.246Z

$ ./ldapsearch --port 1389 --baseDN dc=example,dc=com --bindDN "uid=user.6,ou=People,dc=example,dc=com" --bindPassword cangetin1 uid=user.6 cn
# Your password will expire in 30 minutes, 0 seconds
dn: uid=user.6,ou=People,dc=example,dc=com
cn: Abagail Abadines

$ ./ldapsearch --port 1389 --baseDN dc=example,dc=com --bindDN "cn=Directory Manager" --bindPassword password uid=user.6 ds-pwp-password-expiration-time pwdChangedtime ds-pwp-warned-time
dn: uid=user.6,ou=People,dc=example,dc=com
ds-pwp-password-expiration-time: 20170208142000.923Z
pwdChangedtime: 20170208131848.246Z
ds-pwp-warned-time: 20170208135000.923Z
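The state shown in both scenarios can be read off the three attributes the searches return. The following Python is an added example, not code from the article or from DS: it parses the LDIF-style output, classifies an account as ok, in the warning window, or expired at a given clock time, and flags the scenario 1 symptom where ds-pwp-password-expiration-time moves forward while pwdChangedTime stays the same. The 30-minute warning interval and the sample entries (constructed from the values shown above) are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Policy from this article: expire one hour after change, warn 30 minutes before.
WARNING_INTERVAL = timedelta(minutes=30)

# Constructed sample entries, using the attribute values shown in the article.
READ_BEFORE_EXPIRY = """dn: uid=user.6,ou=People,dc=example,dc=com
pwdChangedTime: 20170208115546.098Z
ds-pwp-password-expiration-time: 20170208125546.098Z"""
READ_AFTER_EXPIRY = """dn: uid=user.6,ou=People,dc=example,dc=com
pwdChangedTime: 20170208115546.098Z
ds-pwp-password-expiration-time: 20170208133604.100Z"""
READ_AFTER_WARNING = """dn: uid=user.6,ou=People,dc=example,dc=com
ds-pwp-password-expiration-time: 20170208142000.923Z
pwdChangedtime: 20170208131848.246Z
ds-pwp-warned-time: 20170208135000.923Z"""


def parse_gt(value):
    """Parse an LDAP GeneralizedTime such as 20170208115546.098Z as UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.%fZ").replace(tzinfo=timezone.utc)


def parse_ldif(text):
    """Read one LDIF entry into a dict keyed by lower-cased attribute name."""
    entry = {}
    for line in text.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            entry[name.strip().lower()] = value.strip()
    return entry


def password_state(entry, now):
    """Classify the account at time `now` using the policy's warning interval."""
    expires = parse_gt(entry["ds-pwp-password-expiration-time"])
    if now >= expires:
        return "expired"  # a bind now fails with result code 49
    if now >= expires - WARNING_INTERVAL:
        # Inside the warning window; DS sets ds-pwp-warned-time on the first bind.
        return "warned" if "ds-pwp-warned-time" in entry else "warning-pending"
    return "ok"


def expiry_is_sliding(earlier, later):
    """Scenario 1 symptom: password unchanged but the expiration time moved on.
    The account stays locked until the password is changed or reset."""
    same_change = earlier["pwdchangedtime"] == later["pwdchangedtime"]
    moved = parse_gt(later["ds-pwp-password-expiration-time"]) > parse_gt(
        earlier["ds-pwp-password-expiration-time"])
    return same_change and moved
```

Two consecutive reads of the same entry, taken a few minutes apart, are enough to tell a sliding expiry from an account that simply has not been used yet.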

See Also

FAQ: Passwords in DS

How does DS (All versions) store password values?

Passwords

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.