PasswordExpirationTime is not AD #67
Open
giuseppemainardi wants to merge 3 commits into ConsortiumGARR:master from
Conversation
The current How-To guide mentions the passwordExpirationTime parameter. However, this is an eDirectory (LDAP) attribute and is not present in Active Directory (AD). The same is true for loginGraceRemaining.

Technical Details

- Current Issue: passwordExpirationTime and loginGraceRemaining cannot be used in AD because they are eDirectory (LDAP) attributes.
- AD Alternative for passwordExpirationTime: pwdLastSet. It is very similar, but it only stores the timestamp of the last change. Alone, it cannot be used to evaluate how long the password will remain valid. To calculate the expiration date we also need the MaxPasswordAge value from the Domain policy, but this is not a value that the IdP can read or release.
- Possible Solutions:
  1. the msDS-UserPasswordExpiryTimeComputed constructed attribute. This attribute allows the retrieval of the already-calculated expiration date directly from the Domain Controller.
  2. pwdLastSet: if the goal is to warn the user about an approaching expiration date, it could be enough to show the value in pwdLastSet.
- AD Alternative for loginGraceRemaining (number of grace logins available to a user after her password has expired): none fits perfectly, because Active Directory does not allow access after the password expiration date.
- Imperfect Solution: pwdLastSet can warn the user about the password age and could help prevent expiration before the deadline.
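The arithmetic behind the two AD attributes discussed in this pull request, as an added example that is not part of the PR or of the GARR How-To. Both pwdLastSet and msDS-UserPasswordExpiryTimeComputed are Windows FILETIME values (100 ns ticks since 1601-01-01 UTC); maxPwdAge on the domain object is a negative interval in the same unit. The function names, the PasswordStatus class and all sample values are assumptions made for this example; the encodings and sentinel values (0 for "must change at next logon", 0x7FFFFFFFFFFFFFFF for "never expires", 0x8000000000000000 for a domain policy without expiry) are the documented AD ones.

```python
"""Interpret AD password timestamps (example code, not from the How-To).

pwdLastSet and msDS-UserPasswordExpiryTimeComputed are FILETIME integers;
maxPwdAge on the domain object is a NEGATIVE FILETIME interval.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = 0x7FFFFFFFFFFFFFFF         # msDS-UserPasswordExpiryTimeComputed: never
MAXPWDAGE_NEVER = -0x8000000000000000      # maxPwdAge on the domain object: never
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000        # userAccountControl bit


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build sample values."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


@dataclass
class PasswordStatus:
    state: str                       # 'ok' | 'expiring' | 'expired' | 'must_change' | 'never'
    expires_at: Optional[datetime]   # None for 'must_change' and 'never'
    days_left: Optional[int]         # negative once expired; None as above


def _classify(expires_at: datetime, now: datetime, warn_days: int) -> PasswordStatus:
    remaining = expires_at - now
    if remaining <= timedelta(0):
        state = "expired"
    elif remaining.days < warn_days:
        state = "expiring"
    else:
        state = "ok"
    return PasswordStatus(state, expires_at, remaining.days)


def status_from_computed(expiry_computed: int, now: Optional[datetime] = None,
                         warn_days: int = 14) -> PasswordStatus:
    """Solution 1: the DC has already combined pwdLastSet with maxPwdAge."""
    now = now or datetime.now(timezone.utc)
    if expiry_computed == NEVER_EXPIRES:
        return PasswordStatus("never", None, None)
    if expiry_computed == 0:  # pwdLastSet was 0: change required at next logon
        return PasswordStatus("must_change", None, None)
    return _classify(filetime_to_datetime(expiry_computed), now, warn_days)


def status_from_pwd_last_set(pwd_last_set: int, max_pwd_age: int,
                             user_account_control: int = 0,
                             now: Optional[datetime] = None,
                             warn_days: int = 14) -> PasswordStatus:
    """Solution 2, completed: reproduce the DC's computation from pwdLastSet.

    Needs maxPwdAge from the domain object, which the IdP normally cannot
    read or release; that is why solution 1 is preferable in practice.
    """
    now = now or datetime.now(timezone.utc)
    if user_account_control & ADS_UF_DONT_EXPIRE_PASSWD or max_pwd_age in (0, MAXPWDAGE_NEVER):
        return PasswordStatus("never", None, None)
    if pwd_last_set == 0:
        return PasswordStatus("must_change", None, None)
    # maxPwdAge is negative, so subtracting it adds the allowed age.
    return _classify(filetime_to_datetime(pwd_last_set - max_pwd_age), now, warn_days)


# Constructed sample values (not taken from any real domain).
SAMPLE_PWD_LAST_SET = datetime_to_filetime(datetime(2024, 1, 1, tzinfo=timezone.utc))
SAMPLE_MAX_PWD_AGE = -42 * 86400 * 10_000_000       # 42-day policy, stored negative
SAMPLE_NOW = datetime(2024, 2, 1, tzinfo=timezone.utc)
SAMPLE_LATER = datetime(2024, 2, 20, tzinfo=timezone.utc)


def demo() -> dict:
    """Run both approaches on the sample values and return the states."""
    computed = SAMPLE_PWD_LAST_SET - SAMPLE_MAX_PWD_AGE  # what the DC would return
    return {
        "from_pwd_last_set": status_from_pwd_last_set(SAMPLE_PWD_LAST_SET, SAMPLE_MAX_PWD_AGE, now=SAMPLE_NOW),
        "from_computed": status_from_computed(computed, SAMPLE_NOW),
        "after_expiry": status_from_computed(computed, SAMPLE_LATER),
        "never": status_from_computed(NEVER_EXPIRES, SAMPLE_NOW),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:18s} {status.state:12s} expires={status.expires_at} days_left={status.days_left}")
```

Two practical caveats when wiring this into the IdP's LDAP data connector: msDS-UserPasswordExpiryTimeComputed is a constructed attribute, so the search must request it by name (it is not returned by a wildcard attribute list), and every value arrives as a decimal string that must be parsed into an integer before the FILETIME conversion above.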
The current How-To guide mentions the passwordExpirationTime parameter.
However, this attribute belongs to eDirectory (LDAP) and is not present in Active Directory (AD). The same is true for loginGraceRemaining.
Active Directory has no perfect substitutes for them, but some suggestions are made in the code for AD attributes with similar purposes.