19.5. Understanding Password Expiration Controls

When a user authenticates to Directory Server using a valid password, and if the password is expired, will expire soon, or needs to be reset, the server sends the following LDAP controls back to the client:
  • Expired control (2.16.840.1.113730.3.4.4): Indicates that the password is expired. Directory Server sends this control in the following situations:
    • The password is expired, and grace logins have been exhausted. The server rejects the bind with an Error 49 message.
    • The password is expired, but grace logins are still available. The bind will be allowed.
    • If passwordMustChange is enabled in the cn=config entry, and a user needs to reset the password after an administrator changed it. The bind is allowed, but any subsequent operation, other than changing the password, results in an Error 53 message.
  • Expiring control (2.16.840.1.113730.3.4.5): Indicates that the password will expire soon. Directory Server sends this control in the following situations:
    • The password will expire within the password warning period set in the passwordWarning attribute in the cn=config entry.
    • If the password policy configuration option is enabled in the passwordSendExpiringTime attribute in the cn=config entry, the expiring control is always returned, regardless of whether the password is within the warning period.
  • Bind response control (1.3.6.1.4.1.42.2.27.8.5.1): The control contains detailed information about the state of the password that is about to expire or will expire soon.

    Note

    Directory Server only sends the bind response control if the client requested it. For example, if you use ldapsearch, you must pass the -e ppolicy parameter to the command to request the bind response control.

    Example 19.1. Requesting the Bind Response Control in a Query

    If you request the bind response control, for example by passing the -e ppolicy parameter to the ldapsearch command, the server returns detailed information about account expiration. For example:
    # ldapsearch -D "uid=user_name,dc=example,dc=com" -xLLL -W \
         -b "dc=example,dc=com" -e ppolicy
    ldap_bind: Success (0); Password expired (Password expired, 1 grace logins remain)