Search

20.6. Understanding Password Expiration Controls

download PDF
When a user authenticates to Directory Server using a valid password, and if the password is expired, will expire soon, or needs to be reset, the server sends the following LDAP controls back to the client:
  • Expired control (2.16.840.1.113730.3.4.4): Indicates that the password is expired. Directory Server sends this control in the following situations:
    • The password is expired, and grace logins have been exhausted. The server rejects the bind with an Error 49 message.
    • The password is expired, but grace logins are still available. The bind will be allowed.
    • If passwordMustChange is enabled in the cn=config entry, and a user needs to reset the password after an administrator changed it. The bind is allowed, but any subsequent operation, other than changing the password, results in an Error 53 message.
  • Expiring control (2.16.840.1.113730.3.4.5): Indicates that the password will expire soon. Directory Server sends this control in the following situations:
    • The password will expire within the password warning period set in the passwordWarning attribute in the cn=config entry.
    • If the password policy configuration option is enabled in the passwordSendExpiringTime attribute in the cn=config entry, the expiring control is always returned, regardless of whether the password is within the warning period.
  • Bind response control (1.3.6.1.4.1.42.2.27.8.5.1): The control contains detailed information about the state of the password that is about to expire or will expire soon.

    Note

    Directory Server only sends the bind response control if the client requested it. For example, if you use ldapsearch, you must pass the -e ppolicy parameter to the command to request the bind response control.

    Example 20.1. Requesting the Bind Response Control in a Query

    If you request the bind response control, for example by passing the -e ppolicy parameter to the ldapsearch command, the server returns detailed information about account expiration. For example:
    # ldapsearch -D "uid=user_name,dc=example,dc=com" -xLLL -W \
         -b "dc=example,dc=com" -e ppolicy
    ldap_bind: Success (0); Password expired (Password expired, 1 grace logins remain)
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.