passwordExpirationTime, passwordExpWarned, passwordGraceLimit (Password Expiration) – Red Hat 8.1 User Manual

Page 50: passwordGraceUserTime, passwordHistory (Password History)

password expires using the passwordMaxAge attribute.

For more information on password policies, see the "Managing Users and Passwords" chapter in the
Directory Server Administrator's Guide.

Parameter        Description
Entry DN         cn=config
Valid Values     on | off
Default Value    off
Syntax           DirectoryString
Example          passwordExp: on

2.3.1.115. passwordExpirationTime

This attribute specifies the length of time that passes before the user’s password expires.

Parameter        Description
Entry DN         cn=config
Valid Values     Any date, in integers
Default Value    none
Syntax           GeneralizedTime
Example          passwordExpirationTime: 200909011953

2.3.1.116. passwordExpWarned

This attribute is used to indicate that a password expiration warning has been sent to the user.

Parameter        Description
Entry DN         cn=config
Valid Values     true | false
Default Value    none
Syntax           DirectoryString
Example          passwordExpWarned: true

2.3.1.117. passwordGraceLimit (Password Expiration)

This attribute is only applicable if password expiration is enabled. After the user's password has
expired, the server allows the user to connect for the purpose of changing the password. This is called
a grace login. The server allows only a certain number of attempts before completely locking out the
user. This attribute is the number of grace logins allowed. A value of 0 means the server does not allow
grace logins.

Parameter        Description
Entry DN         cn=config
Valid Values     0 (off) to any reasonable integer
Default Value    0
Syntax           Integer
Example          passwordGraceLimit: 3

2.3.1.118. passwordGraceUserTime

This attribute counts the number of attempts the user has made with the expired password.

This is an operational attribute, meaning its value is managed by the server and the attribute is not
returned in default searches.

Parameter        Description
Entry DN         cn=config
Valid Values     none to any reasonable integer
Default Value    none
Syntax           Integer
Example          passwordGraceUserTime: 1
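
As an added illustration (not code from the manual or from Directory Server), the following Python example applies the grace-login rule described for passwordGraceLimit and passwordGraceUserTime to an LDIF export, so an administrator can see which accounts are still valid, in grace, or locked out. The sample entries, the function names, and the treatment of timestamps as UTC are assumptions of this example.

```python
from datetime import datetime, timezone

# Constructed sample export (not from the manual); attribute names as on the page.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
passwordExpirationTime: 20300101000000Z

dn: uid=bob,ou=people,dc=example,dc=com
passwordExpirationTime: 200909011953
passwordGraceUserTime: 1

dn: uid=carol,ou=people,dc=example,dc=com
passwordExpirationTime: 20090901195300Z
passwordGraceUserTime: 3
"""

def parse_generalized_time(value):
    """Parse YYYYMMDDHHMM[SS] with optional Z; treated as UTC (assumption)."""
    digits = value.strip().rstrip("Zz")
    formats = {12: "%Y%m%d%H%M", 14: "%Y%m%d%H%M%S"}
    # Pick the format by length; strptime with %S can misread a 12-digit value.
    if not digits.isdigit() or len(digits) not in formats:
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    return datetime.strptime(digits, formats[len(digits)]).replace(tzinfo=timezone.utc)

def parse_ldif(text):
    """Minimal reader: blank-line separated entries, single-valued 'attr: value' lines."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            entry[name.strip().lower()] = value.strip()
        entries.append(entry)
    return entries

def grace_state(entry, grace_limit, now):
    """Return (state, grace logins left) per the manual's passwordGraceLimit text."""
    expires = entry.get("passwordexpirationtime")
    if expires is None or now < parse_generalized_time(expires):
        return ("valid", grace_limit)
    used = int(entry.get("passwordgraceusertime", 0))
    left = max(grace_limit - used, 0)
    return ("grace" if left else "locked", left)

def audit(text, grace_limit, now):
    return {e["dn"]: grace_state(e, grace_limit, now) for e in parse_ldif(text)}

print(audit(SAMPLE_LDIF, 3, datetime.now(timezone.utc)))
```

Operational attributes such as passwordGraceUserTime are not returned in default searches, so the export feeding this check has to request them by name.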

2.3.1.119. passwordHistory (Password History)

Enables password history. Password history refers to whether users are allowed to reuse passwords.
By default, password history is disabled, and users can reuse passwords. If this attribute is set to on,
the directory stores a given number of old passwords and prevents users from reusing any of the

Chapter 2. Core Server Configuration Reference