User's password expiration time does not reflect a UP policy interval change

  • 3005835
  • 09-Jun-2006
  • 26-Apr-2012

Environment

Novell eDirectory 8.7.3.8 for All Platforms
Novell Modular Authentication Service (NMAS) version 2.40
Novell Modular Authentication Service (NMAS) version 3.1.0
Novell eDirectory 8.8 for All Platforms

Situation

The Universal Password (UP) policy in the tree is set to 365 days. It is later changed to 90 days to reflect a new corporate standard. However, when users log in after this change, their password expiration time still shows 300 days or more.

Resolution

When Universal Passwords are enabled, a user's password expiration time is calculated as follows:
1. Take the number of days shown in the UP password policy.
2. Add this to the modification timestamp of the nspmPassword (UP) attribute on the user.
3. Place the resulting sum in the user's expiration time attribute.
4. Compare this time to the server's time to determine whether the password has expired.
However, when the policy's interval has been changed, the following must be applied for the change to be reflected for each user authenticating through the policy:
1. Apply NMAS 3.1 to each NMAS server authenticating users.
2. Make sure in iManager that the following option is checked: Verify whether existing passwords comply with the password policy. This can be found via the Passwords Role - Password Policies Task - Select Policy - Universal Password Tab - Configuration Options - Authentication section.
3. Have the user log in via an NMAS-aware client such as the NetWare client.
The password expiration interval will then be updated to reflect the new password interval setting.

Additional Information

NOTE:
1. The user's interval will only be updated if it is larger than the policy's interval.
2. If the user logs in via a non-NMAS client such as an LDAP client, this interval will need to be changed manually, for example by an LDIF modification.
3. If eDirectory 8.8 is also installed on the NMAS server, then LDAP can be forced to authenticate over NMAS, and this value will not need to be changed manually for these clients.
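A worked example of the calculation in Resolution steps 1-4 and of notes 1 and 2 above, added here as an illustration; it is not part of the TID or of NMAS itself. It assumes LDAP GeneralizedTime values (e.g. 20060301120000Z) and that the user's expiration time attribute is exposed over LDAP as passwordExpirationTime; the user DN and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# eDirectory exposes timestamps over LDAP as GeneralizedTime, e.g. 20060301120000Z (assumption).
LDAP_TIME = "%Y%m%d%H%M%SZ"

def parse_ldap_time(value: str) -> datetime:
    return datetime.strptime(value, LDAP_TIME).replace(tzinfo=timezone.utc)

def format_ldap_time(value: datetime) -> str:
    return value.astimezone(timezone.utc).strftime(LDAP_TIME)

def compute_expiration(up_modified: str, policy_days: int) -> str:
    """Steps 1-3: policy interval (days) added to the nspmPassword modification timestamp."""
    return format_ldap_time(parse_ldap_time(up_modified) + timedelta(days=policy_days))

def is_expired(expiration: str, server_now: str) -> bool:
    """Step 4: the password is expired once the server's clock reaches the stored time."""
    return parse_ldap_time(server_now) >= parse_ldap_time(expiration)

def needs_update(up_modified: str, current_expiration: str, policy_days: int) -> bool:
    """Note 1: the user's interval is only shortened to the policy's interval, never lengthened."""
    user_interval = parse_ldap_time(current_expiration) - parse_ldap_time(up_modified)
    return user_interval > timedelta(days=policy_days)

def ldif_for_user(dn: str, up_modified: str, current_expiration: str, policy_days: int) -> Optional[str]:
    """Note 2: build the LDIF change record an administrator would feed to ldapmodify
    for an LDAP-only user; returns None when the stored value already matches the policy.
    The attribute name passwordExpirationTime is an assumed LDAP mapping of the
    user's expiration time attribute."""
    if not needs_update(up_modified, current_expiration, policy_days):
        return None
    new_value = compute_expiration(up_modified, policy_days)
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: passwordExpirationTime",
        f"passwordExpirationTime: {new_value}",
        "-",
        "",
    ])

if __name__ == "__main__":
    # Constructed sample: password set 1 Mar 2006 under a 365-day policy, policy later cut to 90 days.
    modified = "20060301120000Z"
    old_exp = compute_expiration(modified, 365)   # 20070301120000Z
    print(ldif_for_user("cn=jdoe,ou=users,o=acme", modified, old_exp, 90))
```

Running the sample prints a replace record moving the expiration from 20070301120000Z to 20060530120000Z; a user whose stored interval is already shorter than the policy gets no record, matching note 1.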