20.5. Understanding Password Expiration Controls
- Expired control (
2.16.840.1.1137126.96.36.199): Indicates that the password is expired. Directory Server sends this control in the following situations:
- The password is expired, and grace logins have been exhausted. The server rejects the bind with an
- The password is expired, but grace logins are still available. The bind will be allowed.
passwordMustChangeis enabled in the
cn=configentry, and a user needs to reset the password after an administrator changed it. The bind is allowed, but any subsequent operation, other than changing the password, results in an
- Expiring control (
2.16.840.1.1137188.8.131.52): Indicates that the password will expire soon. Directory Server sends this control in the following situations:
- The password will expire within the password warning period set in the
passwordWarningattribute in the
- If the password policy configuration option is enabled in the
passwordSendExpiringTimeattribute in the
cn=configentry, the expiring control is always returned, regardless of whether the password is within the warning period.
- Bind response control (
184.108.40.206.220.127.116.11.18.104.22.168): The control contains detailed information about the state of the password that is about to expire or will expire soon.
NoteDirectory Server only sends the bind response control if the client requested it. For example, if you use
ldapsearch, you must pass the
-e ppolicyparameter to the command to request the bind response control.
Example 20.1. Requesting the Bind Response Control in a QueryIf you request the bind response control, for example by passing the
-e ppolicyparameter to the
ldapsearchcommand, the server returns detailed information about account expiration. For example:
# ldapsearch -D "uid=user_name,dc=example,dc=com" -xLLL -W \ -b "dc=example,dc=com" -e ppolicy ldap_bind: Success (0); Password expired (Password expired, 1 grace logins remain)