Hello AB,
I have done some testing by creating a new policy and assigning it to a
user.
Number of days before password expires: 1
Limit the number of grace logins allowed: 6
Minimum number of characters in password: 4
Maximum number of characters in password: 12
Allow numeric characters in password: true
Disallow numeric as first character: false
Disallow numeric as last character: false
Allow the password to be case sensitive: true
Allow non-alphanumeric characters in the password: true
Disallow non-alphanumeric character as first character: false
Disallow non-alphanumeric character as last character: false
Allow non-US ASCII characters: true
Before trying to login I deleted all the password.+ attributes from the
object using LDAP.
I can confirm the following:
After login as the user with the above policy:
passwordExpirationTime is *not* set on the object (the user didn't have
this attribute before)
passwordAllowChange is set
passwordExpirationInterval is set
passwordMinimumLength is set
passwordRequired is set
passwordUniqueRequired is set
loginGraceLimit is set
loginGraceRemaining is set
Deleting any of the attributes above that were set and logging in again
causes them to be set again.
After changing the password as the logged in user the
passwordExpirationTime attribute was set.
Changing the passwordExpirationTime attribute to the current time and
then logging in prompted the user to change the password, i.e. the
passwordExpirationTime won over the policy setting as you said it would.
Deleting the attribute and then logging in again didn't recreate the
attribute; it seems it's only recreated when the user changes the password.
I then tested changing the policy:
Number of days before password expires: 10
Limit the number of grace logins allowed: 7
After logging in the passwordExpirationTime was *not* updated to the new
policy value, as expected.
passwordExpirationInterval was *not* updated.
loginGraceLimit was updated to 7 from 6.
loginGraceRemaining was still at 6.
Deleting the passwordExpirationTime using LDIF seems like the way to go for me
after altering the password policy.
Thanks :-)
ab@novell.com wrote:
> Yes... NMAS will update the legacy attributes like passwordExpirationTime
> for you.
>
> Good question, and I'm not 100% sure but I think it will leave the
> passwordExpirationAttribute as it currently is, and I think that is the
> case because the attribute, when set to be MORE restrictive than the UP
> policy's calculation (the way it really works), then the legacy attribute
> wins. Normally, without this attribute, the login calculates whether or
> not the password is expired using the timestamp from the password itself
> and then adding in the expiration time from the policy. The result is an
> up-to-date calculation, but as it's based on a timestamp there would be no
> way for an administrator to expire a password sooner on a one-by-one basis
> without assigning another policy, so the legacy password can be set to
> expire sooner and that is enforced. For this reason, since thirty days
> comes before sixty days, I do not think it will work as you may be hoping.
> With that said, if you simply go through with LDAP or something and
> remove all of the passwordExpirationTime values then those will be re-set
> the next time the user logs in or changes a password via NMAS.
>
> You are correct in that there is no crazy process that goes through and
> does a lot of stuff.
>
> Good luck.
>
> alekz wrote:
>> Hi!
>
>> If I have a policy that dictates that a user must change his password
>> every 30 days, then NMAS will set the passwordexpirationtime attribute
>> to today's date + 30 days if the user would change his password today, right?
>
>> If I then go and change the policy and set the expiration time to 60
>> days what would happen when the user would login 30 days from now?
>
>> I'm assuming here that changing the policy doesn't mean that a process
>> kicks off that goes through the entire directory and updates the
>> passwordexpirationtime attribute?
>
>> Would NMAS check the policy and the timestamp of the password and say
>> OK, you have thirty more days to go before you have to change your
>> password, or would it read the passwordexpirationtime and say STOP, your
>> password has expired. Which wins here?
>
>> Hope you understand my question,
>> Thanks
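As an added example, not code from this thread or from NMAS, here is a small Python model of the behaviour alekz confirmed above: a present passwordExpirationTime wins, otherwise expiry is the password's own timestamp plus passwordExpirationInterval, and the LDIF modify that drops a legacy value which is more restrictive than the current policy. Assumptions: passwordExpirationInterval is in seconds, timestamps are LDAP Generalized Time, and the `password_set_at` parameter stands in for the password timestamp the thread mentions without naming an attribute.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample entry. The attribute names are the ones named in the
# thread; the values model a user whose legacy attribute was written under a
# 30-day policy before the policy was changed to 60 days.
SAMPLE_ENTRY = {
    "dn": "cn=alekz,ou=users,o=example",
    "passwordExpirationTime": "20240131120000Z",  # legacy: 30 days after Jan 1
    "passwordExpirationInterval": "5184000",      # 60 days in seconds (assumed unit)
    "loginGraceLimit": "7",
    "loginGraceRemaining": "6",
}

def parse_gt(value):
    """Parse LDAP Generalized Time (YYYYMMDDHHMMSSZ) into an aware datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def policy_expiry(password_set_at, entry):
    """Expiry the policy alone would compute: password timestamp + interval."""
    interval = int(entry["passwordExpirationInterval"])
    return password_set_at + timedelta(seconds=interval)

def effective_expiry(password_set_at, entry):
    """Expiry actually enforced at login.

    Models alekz's observation: when passwordExpirationTime is present it wins
    over the policy calculation; only without it is the interval used.
    """
    legacy = entry.get("passwordExpirationTime")
    if legacy:
        return parse_gt(legacy)
    return policy_expiry(password_set_at, entry)

def stale_legacy_ldif(password_set_at, entry):
    """Return an LDIF modify that removes passwordExpirationTime when the
    legacy value expires earlier than the current policy would, i.e. the
    case where alekz found the old value still being enforced. Returns None
    when nothing needs clearing."""
    legacy = entry.get("passwordExpirationTime")
    if legacy is None or parse_gt(legacy) >= policy_expiry(password_set_at, entry):
        return None
    return (f"dn: {entry['dn']}\n"
            "changetype: modify\n"
            "delete: passwordExpirationTime\n"
            "-\n")

if __name__ == "__main__":
    set_at = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed
    print("enforced expiry:", effective_expiry(set_at, SAMPLE_ENTRY))
    print("policy expiry:  ", policy_expiry(set_at, SAMPLE_ENTRY))
    print(stale_legacy_ldif(set_at, SAMPLE_ENTRY) or "legacy value is fine")
```

The generated LDIF is the one-entry equivalent of the clean-up alekz describes; after it is applied the attribute is written again on the user's next password change, not on the next login.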