Red Hat SummitQuesto contenuto non è disponibile nella lingua selezionata.
20.6. Understanding Password Expiration Controls
When a user authenticates to Directory Server using a valid password, and if the password is expired, will expire soon, or needs to be reset, the server sends the following LDAP controls back to the client:
- Expired control (
2.16.840.1.113730.3.4.4): Indicates that the password is expired. Directory Server sends this control in the following situations:- The password is expired, and grace logins have been exhausted. The server rejects the bind with an
Error 49message. - The password is expired, but grace logins are still available. The bind will be allowed.
- If
passwordMustChangeis enabled in thecn=configentry, and a user needs to reset the password after an administrator changed it. The bind is allowed, but any subsequent operation, other than changing the password, results in anError 53message.
- Expiring control (
2.16.840.1.113730.3.4.5): Indicates that the password will expire soon. Directory Server sends this control in the following situations:- The password will expire within the password warning period set in the
passwordWarningattribute in thecn=configentry. - If the password policy configuration option is enabled in the
passwordSendExpiringTimeattribute in thecn=configentry, the expiring control is always returned, regardless of whether the password is within the warning period.
- Bind response control (
1.3.6.1.4.1.42.2.27.8.5.1): The control contains detailed information about the state of the password that is about to expire or will expire soon.Note
Directory Server only sends the bind response control if the client requested it. For example, if you useldapsearch, you must pass the-e ppolicyparameter to the command to request the bind response control.Example 20.1. Requesting the Bind Response Control in a Query
If you request the bind response control, for example by passing the-e ppolicyparameter to theldapsearchcommand, the server returns detailed information about account expiration. For example:ldapsearch -D "uid=user_name,dc=example,dc=com" -xLLL -W \ -b "dc=example,dc=com" -e ppolicy# ldapsearch -D "uid=user_name,dc=example,dc=com" -xLLL -W \ -b "dc=example,dc=com" -e ppolicy ldap_bind: Success (0); Password expired (Password expired, 1 grace logins remain)Copy to Clipboard Copied! Toggle word wrap Toggle overflow
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}