28.5. Changing Password Expiration Date with Immediate Effect

IdM applies the password policy rules when an existing password changes or when a user enters a new password. See Section 28.4, “Modifying Password Policy Attributes”.
To enforce an immediate change of the expiration date of a user password, reset the krbPasswordExpiration attribute value in LDAP. For example, for a single user:
  1. Use the ldapmodify utility:
    # ldapmodify -D "cn=Directory Manager" -w secret -h server.example.com -p 389 -vv
    dn: uid=user_name,cn=users,cn=accounts,dc=example,dc=com
    changetype: modify
    replace: krbPasswordExpiration
    krbPasswordExpiration: 20160203203734Z

    The krbPasswordExpiration format follows this template:
    • Year (2016)
    • Month (02)
    • Day (03)
    • Current time in hours, minutes, and seconds (20:37:34)
    • Time zone (Z)
  2. Press Ctrl+D to confirm and send the changes to the server.
To edit multiple entries at once, use the -f option with ldapmodify to reference an LDIF file.
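
As an added example (not part of the original documentation), the following Python script builds such an LDIF file for several users, writing krbPasswordExpiration in the format described above. The function names, the uid pattern, and the sample user names are assumptions made for illustration; the base DN is taken from the single-user example.

```python
"""Build LDIF records that replace krbPasswordExpiration for several users."""
import re
from datetime import datetime, timedelta, timezone

# Same subtree as the single-user example on this page.
USER_BASE = "cn=users,cn=accounts,dc=example,dc=com"
# Assumed conservative login-name pattern: no DN or LDIF metacharacters.
_UID_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,254}")


def generalized_time(when):
    """Format an aware datetime as YYYYMMDDhhmmssZ, converted to UTC."""
    if when.tzinfo is None:
        # A naive value would silently be read as UTC and shift the expiry.
        raise ValueError("naive datetime: a time zone is required")
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def build_ldif(uids, when, base=USER_BASE):
    """Return one 'modify' record per uid, separated by blank lines."""
    stamp = generalized_time(when)
    records = []
    for uid in uids:
        # fullmatch, not match: '$' would accept a trailing newline, which
        # could smuggle extra LDIF lines into the record.
        if not _UID_RE.fullmatch(uid):
            raise ValueError(f"refusing unsafe uid: {uid!r}")
        records.append(
            f"dn: uid={uid},{base}\n"
            "changetype: modify\n"
            "replace: krbPasswordExpiration\n"
            f"krbPasswordExpiration: {stamp}\n"
        )
    return "\n".join(records)


if __name__ == "__main__":
    # Constructed sample input: two hypothetical users, expiring one hour ago.
    expiry = datetime.now(timezone.utc) - timedelta(hours=1)
    print(build_ldif(["alice", "bob"], expiry), end="")
```

Redirect the output to a file and pass that file to ldapmodify with the -f option.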