change ds-cfg-max-password-age

This topic has 4 replies, 2 voices, and was last updated 2 years, 4 months ago by Andy Cory.

  • Author
  • #17452


    if I change the attribute ds-cfg-max-password-age in my password policy, attribute ds-pwp-password-expiration-time change automatically in all entry of my rootDN or this attribute not change??



    The ds-pwp-password-expiration-time is a virtual, computed attribute and will reflect the time the password is due to expire based on the policy. A change in the policy will be reflected immediately.


    Hi Ludo,
    thanks for the reply.

    I have OpenDJ 3.0.1 and when installed it I configured ds-cfg-max-password-age with “7889400 s” (3 months).
    After that, I updated it with “15778800 s” (6 months), but I noticed that the value ds-pwp-password-expiration-time in many entry didn’t change, or it didn’t change correctly.

    How can I update/recalculate these values?



    I’m in the same situation on DS 6.5

    I have a set of users for which passwords expires on Feb 12, 2020 based on a policy defined with max-password-age of 12 w 6 d.

    I need to give them a grace period of extra 50 days.

    When I go in dsconfig and change the max-password-age value to 21 w 3 d and apply the change, the user ds-pwp-password-expiry-time remains Feb 12, 2020 (as browsed from Apache DS).

    Please advise

     Andy Cory

    Just to be sure this is not some caching or refresh issue with Apache DS, can you confirm the ‘ds-pwp-password-expiry-time’ has not been recalculated by running ‘ldapsearch’? A quick sanity check test on a DS 6.5 instance I’m using for a current project showed the attribute being recalculated correctly when I change the policy. It did show up in Apache DS too, I just had to refresh – if that didn’t work for you an ldapsearch should be a cleaner test. (It’s worth just double-checking the ‘ds-pwp-password-policy-dn’ attribute of your test user though, just to be sure that the password policy that you think applies actually does apply!)


Viewing 5 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic.

©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?