
Password expiration time


I would like to find a way to set the time that passwords expire. I was
thinking something like a cron job to run a script to just set the
expiration time. I am not sure how to script this so any help would be
greatly appreciated.


--
jknudson
------------------------------------------------------------------------
jknudson's Profile: https://forums.netiq.com/member.php?userid=5875
View this thread: https://forums.netiq.com/showthread.php?t=48704


Re: Password expiration time

Could you provide some additional background on the business case behind
this? Typically the expiration is defined by the system based on the
password policy (or equivalent on the user object for the older NDS
Password stuff) combined with the time the password was last set. While
you could do something with cron, that seems like a lot of work to
duplicate what is happening (unless I am misunderstanding, as is likely)
and could also be a pain point when eDirectory overrides things set
manually with things enforced by policy.

Good luck.

Re: Password expiration time


We have a program that also uses their NDS authentication, so if the
expiration time is during the day, the program just quits working at that
time. I would like to set it to a time before they come to work so it
does not cause issues during the day. Does that make sense? Thanks!




Re: Password expiration time

Yes, that is often the comment, to which I usually respond as follows:

Since you are considering finding and implementing a way to modify the
expiration so that it happens first thing in the morning, which means that
you need to account for different start times in a global organization, or
even in a smaller shop you still have the risk of the employee being out
one day (weekend/holiday/sick) or coming in late on that day (emergency,
sick, whatever), what if you didn't have the password expired in the first
place? I do not mean get rid of the password expiration interval, but I
mean let the user know to change their password BEFORE it is no longer any
good.

What most larger organizations do, then, is not reset the expiration time
forward a few minutes/hours/days to decrease the chances of a password
expiring in the middle of the day, but rather they implement an IDM job or
driver, or a Cool Solution, or something of their own making, to notify
users before the password expires, usually a few times: a couple of weeks
ahead of time, one week ahead of time, then a few days ahead of time,
often CC-ing the helpdesk/administrator account so that there is a nice
record.

Upsides:
Passwords never need to completely expire like rotten cheese.
Passwords can be changed when the user has had time to think about a good
new password, not at the last minute when they're just trying to get in as
quickly as possible, and using sticky notes to make that happen.
You can easily, at the same time (in the e-mail), remind users to change
passwords in applications, tablets, phones, VPN clients, other
workstations, etc. This avoids locking out the user with intruder
lockouts two minutes after the changed password.
This solution is 100% reliable.

Downsides:
You still need to do something to make this work, though it's a simpler
something than what you're proposing currently which would change the
expiration time forward some arbitrary amount.

Good luck.

Re: Password expiration time


Thanks for your response. I do give my users 5 logins before they truly
expire and notify them that it is time. As far as them being gone, that
is fine, as the next time they log in it will prompt for the change. I was
thinking just an LDAP script or something just to change the time may
work. The issue is not how I am expiring the password, just the time that
it occurs.

Thanks,
Jason




Re: Password expiration time


In an overly simplistic overview, you export the password expiration
time attribute as an LDIF or CSV file (if you are using ICE or iManager),
run the resulting file through a script to parse the time value, keeping
in mind that the data is in GMT, take the last 6 digits (which would be
the hhmmss) and change that to midnight + 1 minute (or whatever), taking
your time zone difference into account, and then import the changed
file back. That way, you change only the time and not the date.


--
-eDirectory Rules!-

Peter
www.DreamLAN.com
------------------------------------------------------------------------
peterkuo's Profile: https://forums.netiq.com/member.php?userid=170
View this thread: https://forums.netiq.com/showthread.php?t=48704


Re: Password expiration time

On Mon, 30 Sep 2013 20:36:49 +0000, jknudson wrote:

> Thanks for your response, I do give my users 5 logins before they truly
> expire and notify them that it is time. As far as them being gone that
> is fine as the next time they login it will prompt for the change. I was
> thinking just an ldap script or something just to change the time may
> work. The issue is not how I am expiring the password just the time that
> it occurs.


Password expiration is kinda funny in the way it works. You actually set
the interval as the number of seconds since the last password change, not
the time it is actually going to expire. Additionally, if you're using
Universal Password policies (and you should be...), then the policy will
be enforced such that you cannot extend a password expiration beyond what
the policy says is valid.

You can, however, set the expiration to be earlier than the policy, and
that will work fine.

I wouldn't personally try to maintain this with LDAP, though I suppose
you probably could if your scripting skills are up to the task. I'd do it
in an IDM policy, watching for changes in the password expiration time
attribute, and modifying them to be some designated time on the day prior
to the calculated expiration. If you don't have to deal with users in
more than one timezone, that would be pretty easy to do. If you do have
to deal with multiple timezones, and you want a specific time, you'll
have to also know where the user is so you can calculate the correct time
in GMT for them. That's harder, but still possible.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.

Re: Password expiration time


Sounds good. Just one time zone. We are using the IDM bundle edition
3.6. Can you point me to some documentation on doing this?
Thanks,
Jason




Re: Password expiration time

On Wed, 02 Oct 2013 19:55:31 +0000, jknudson wrote:

> Sounds good. Just one time zone. We are using the IDM bundle edition
> 3.6. Can you point me to some documentation on doing this?


It might be best to take this up over in the idm.engine-drivers forum.
But a rule like:

<rule>
  <description>Reformat Password Expiration</description>
  <comment xml:space="preserve">Force password expiration time to
00:00:01 of the day that the password expires.</comment>
  <conditions>
    <and>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
      <if-op-attr name="Password Expiration Time" op="available"/>
    </and>
  </conditions>
  <actions>
    <!-- Split the stored expiry (eDirectory CTIME, seconds since epoch) into
         its UTC year, month and day. Format patterns follow Java
         SimpleDateFormat: yyyy = year, MM = month, dd = day, mm = minutes. -->
    <do-set-local-variable name="pwd-expire-year" scope="policy">
      <arg-string>
        <token-convert-time dest-format="yyyy" src-format="!CTIME" src-tz="UTC">
          <token-op-attr name="Password Expiration Time"/>
        </token-convert-time>
      </arg-string>
    </do-set-local-variable>
    <do-set-local-variable name="pwd-expire-month" scope="policy">
      <arg-string>
        <token-convert-time dest-format="MM" src-format="!CTIME" src-tz="UTC">
          <token-op-attr name="Password Expiration Time"/>
        </token-convert-time>
      </arg-string>
    </do-set-local-variable>
    <do-set-local-variable name="pwd-expire-day" scope="policy">
      <arg-string>
        <token-convert-time dest-format="dd" src-format="!CTIME" src-tz="UTC">
          <token-op-attr name="Password Expiration Time"/>
        </token-convert-time>
      </arg-string>
    </do-set-local-variable>
    <!-- The fixed wall-clock time every expiry is moved to. -->
    <do-set-local-variable name="pwd-expire-time" scope="policy">
      <arg-string>
        <token-text xml:space="preserve">00:00:01</token-text>
      </arg-string>
    </do-set-local-variable>
    <!-- Reassemble as "yyyy/MM/dd HH:mm:ss" so it can be parsed back to CTIME. -->
    <do-set-local-variable name="new-pwd-expire-time" scope="policy">
      <arg-string>
        <token-local-variable name="pwd-expire-year"/>
        <token-text xml:space="preserve">/</token-text>
        <token-local-variable name="pwd-expire-month"/>
        <token-text xml:space="preserve">/</token-text>
        <token-local-variable name="pwd-expire-day"/>
        <token-text xml:space="preserve"> </token-text>
        <token-local-variable name="pwd-expire-time"/>
      </arg-string>
    </do-set-local-variable>
    <!-- Write the new value back to the source object and reformat the
         in-flight event so both agree. -->
    <do-set-src-attr-value name="Password Expiration Time">
      <arg-value type="time">
        <token-convert-time dest-format="!CTIME" dest-tz="UTC" src-format="yyyy/MM/dd HH:mm:ss">
          <token-local-variable name="new-pwd-expire-time"/>
        </token-convert-time>
      </arg-value>
    </do-set-src-attr-value>
    <do-reformat-op-attr name="Password Expiration Time">
      <arg-value type="time">
        <token-convert-time dest-format="!CTIME" dest-tz="UTC" src-format="yyyy/MM/dd HH:mm:ss">
          <token-local-variable name="new-pwd-expire-time"/>
        </token-convert-time>
      </arg-value>
    </do-reformat-op-attr>
  </actions>
</rule>

should be pretty close to what you're looking for.


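Peter's LDIF round trip and David's IDM rule both come down to the same computation: keep the stored expiry's calendar day and replace its wall-clock time. The Python below is an added example (not code from the thread, from eDirectory or from IDM) that applies that computation to an LDIF export and emits a changetype: modify LDIF for re-import. It assumes the attribute is exported as LDAP GeneralizedTime in UTC under the LDAP name passwordExpirationTime, a single site at a fixed UTC offset, and, following David's point that policy only lets you bring expiry earlier, it steps back one day whenever the retimed value would land later than the original.

```python
# Added example: rewrite Password Expiration Time values from an LDIF export so
# that each expiry lands at a fixed local wall-clock time (midnight + 1 minute).
# Assumptions (not confirmed by the thread): the value is LDAP GeneralizedTime
# in UTC ("YYYYMMDDhhmmssZ") under eDirectory's LDAP name passwordExpirationTime.
from datetime import datetime, time, timedelta, timezone

ATTR = "passwordExpirationTime"
GT_FMT = "%Y%m%d%H%M%SZ"
# Single site at UTC-5 as a fixed offset; swap in zoneinfo.ZoneInfo("...") if
# daylight-saving changes matter at your site.
LOCAL_TZ = timezone(timedelta(hours=-5))
TARGET = time(0, 1, 0)  # "midnight + 1 minute", as in Peter's post

def retime_expiry(value, tz=LOCAL_TZ, target=TARGET):
    """Return the expiry moved to `target` local time on its local calendar day.
    Policy lets you bring expiry forward but not extend it, so if the new time
    would be later than the original (expiry just after local midnight), use
    the previous day instead."""
    original = datetime.strptime(value, GT_FMT).replace(tzinfo=timezone.utc)
    local_day = original.astimezone(tz).date()
    new = datetime.combine(local_day, target, tzinfo=tz)
    if new > original:
        new = datetime.combine(local_day - timedelta(days=1), target, tzinfo=tz)
    return new.astimezone(timezone.utc).strftime(GT_FMT)

def ldif_modify(export, tz=LOCAL_TZ):
    """Turn an LDIF export into a changetype: modify LDIF that replaces only the
    expiry values that actually change; single-line attribute values assumed."""
    out, dn = [], None
    for line in export.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith(ATTR + ": ") and dn:
            old = line[len(ATTR) + 2:]
            new = retime_expiry(old, tz)
            if new != old:
                out += [f"dn: {dn}", "changetype: modify", f"replace: {ATTR}",
                        f"{ATTR}: {new}", "-", ""]
    return "\n".join(out)

# Constructed sample export (not real directory data). The second entry expires
# 30 seconds after local midnight, so it is pushed back to the previous day.
SAMPLE = """dn: cn=jdoe,ou=users,o=example
passwordExpirationTime: 20131015143000Z

dn: cn=asmith,ou=users,o=example
passwordExpirationTime: 20131015050030Z
"""

if __name__ == "__main__":
    print(ldif_modify(SAMPLE))
```

Feed the generated file to ICE or ldapmodify with an account allowed to write the attribute; Universal Password policy will still reject any value later than what it enforces, which is why the script only ever moves expiry earlier.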

Re: Password expiration time


Thanks for the information!

Jason


