change ds-cfg-max-password-age

This topic has 4 replies, 2 voices, and was last updated 7 months, 2 weeks ago by Andy Cory.

  • #17452
     sixart
    Participant

    Hi,

    If I change the attribute ds-cfg-max-password-age in my password policy, does the attribute ds-pwp-password-expiration-time change automatically in all entries of my rootDN, or does this attribute not change?

    Regards,
    Dario

    #17462
     Ludo
    Moderator

    The ds-pwp-password-expiration-time is a virtual, computed attribute and will reflect the time the password is due to expire based on the policy. A change in the policy will be reflected immediately.

    #17463
     sixart
    Participant

    Hi Ludo,
    thanks for the reply.

    I have OpenDJ 3.0.1 and when I installed it I configured ds-cfg-max-password-age with “7889400 s” (3 months).
    After that, I updated it to “15778800 s” (6 months), but I noticed that the value of ds-pwp-password-expiration-time in many entries didn’t change, or it didn’t change correctly.

    How can I update/recalculate these values?

    Regards,
    Dario

    #27571
     dpirvuti
    Participant

    I’m in the same situation on DS 6.5

    I have a set of users for which passwords expire on Feb 12, 2020 based on a policy defined with max-password-age of 12 w 6 d.

    I need to give them a grace period of an extra 50 days.

    When I go in dsconfig and change the max-password-age value to 21 w 3 d and apply the change, the user ds-pwp-password-expiry-time remains Feb 12, 2020 (as browsed from Apache DS).

    Please advise

    #27610
     Andy Cory
    Participant

    Just to be sure this is not some caching or refresh issue with Apache DS, can you confirm the ‘ds-pwp-password-expiry-time’ has not been recalculated by running ‘ldapsearch’? A quick sanity check test on a DS 6.5 instance I’m using for a current project showed the attribute being recalculated correctly when I change the policy. It did show up in Apache DS too, I just had to refresh – if that didn’t work for you an ldapsearch should be a cleaner test. (It’s worth just double-checking the ‘ds-pwp-password-policy-dn’ attribute of your test user though, just to be sure that the password policy that you think applies actually does apply!)

    -Andy
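
The check suggested in the last reply, as an added example (not part of the original thread and not ForgeRock code): it reads LDIF output saved from ldapsearch and flags entries whose ds-pwp-password-expiration-time differs from pwdChangedTime plus the policy's max-password-age, or whose ds-pwp-password-policy-dn names another policy. The expiry formula, the use of pwdChangedTime, the function names, and the sample entries and policy DN are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}

def parse_duration(text):
    """Convert a duration such as '12 w 6 d' or '7889400 s' to a timedelta."""
    parts = re.findall(r"(\d+)\s*([smhdw])", text)
    if not parts:
        raise ValueError(f"unrecognised duration: {text!r}")
    return sum((timedelta(**{UNITS[u]: int(n)}) for n, u in parts), timedelta())

def parse_time(value):  # UTC GeneralizedTime, e.g. 20200212120000.000Z (fraction ignored)
    return datetime.strptime(value[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_ldif(text):
    """One {attribute: value} dict per entry; assumes unwrapped, non-base64 lines."""
    return [{k.lower(): v.strip() for k, v in
             (l.split(": ", 1) for l in block.splitlines() if ": " in l)}
            for block in re.split(r"\n\s*\n", text.strip())]

def stale_entries(ldif, policy_dn, max_age):
    """Return (dn, reason) for entries whose expiry does not match the policy."""
    findings = []
    for e in parse_ldif(ldif):
        if e.get("ds-pwp-password-policy-dn", "").lower() != policy_dn.lower():
            findings.append((e["dn"], "ds-pwp-password-policy-dn does not name this policy"))
            continue
        # Assumption: expiry = pwdChangedTime + max-password-age of the policy.
        expected = parse_time(e["pwdchangedtime"]) + parse_duration(max_age)
        reported = parse_time(e["ds-pwp-password-expiration-time"])
        if reported != expected:
            findings.append((e["dn"], f"reported {reported:%Y-%m-%d}, expected {expected:%Y-%m-%d}"))
    return findings

POLICY = "cn=Example Policy,cn=Password Policies,cn=config"  # hypothetical DN; SAMPLE is constructed
SAMPLE = f"""\
dn: uid=alice,ou=People,dc=example,dc=com
pwdChangedTime: 20191114120000.000Z
ds-pwp-password-policy-dn: {POLICY}
ds-pwp-password-expiration-time: 20200412120000.000Z

dn: uid=bob,ou=People,dc=example,dc=com
pwdChangedTime: 20191114120000.000Z
ds-pwp-password-policy-dn: {POLICY}
ds-pwp-password-expiration-time: 20200212120000.000Z

dn: uid=carol,ou=People,dc=example,dc=com
ds-pwp-password-policy-dn: cn=Default Password Policy,cn=Password Policies,cn=config
"""
```

Calling `stale_entries(SAMPLE, POLICY, "21 w 3 d")` reports bob, whose expiry still matches the old 12 w 6 d value, and carol, who is governed by a different policy.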


©2020 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
