From 6bc647dad284d56671845e4daf206a9d4b393cf9 Mon Sep 17 00:00:00 2001 From: giuseppemainardi <87700812+giuseppemainardi@users.noreply.github.com> Date: Thu, 29 Jan 2026 17:15:44 +0100 Subject: [PATCH 1/2] Update HOWTO-Install-and-Configure-a-Shibboleth-IdP-v5.x-on-Debian-Ubuntu-Linux-with-Apache-+-Jetty.md The current How-To guide mentions the passwordExpirationTime parameter. However, this is an eDirectory (LDAP) attribute and is not present in Active Directory (AD). Technical Details - Current Issue: passwordExpirationTime cannot be used in an AD because it is an eDirectory (LDAP) attribute. - AD Alternative: pwdLastSet, it is very similar but it only stores the last change timestamp. Alone, it cannot be used to evaluate for how long the password will be valid. To calculate the expiration date, we also need the MaxPasswordAge value in the Domain policy. But this is not a value that the IDP can read nor release. - Possible Solutions: =1=the msDS-UserPasswordExpiryTimeComputed constructed attribute. This attribute allows the retrieval of the already-calculated expiration date directly from the Domain Controller. =2=pwdLastSet, if the goal is to warn the user about a close expiration date, it could be enough to show the value in pwdLastSet. --- ...oleth-IdP-v5.x-on-Debian-Ubuntu-Linux-with-Apache-+-Jetty.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/idem-fedops/HOWTO-Shibboleth/Identity Provider/Debian-Ubuntu/HOWTO-Install-and-Configure-a-Shibboleth-IdP-v5.x-on-Debian-Ubuntu-Linux-with-Apache-+-Jetty.md b/idem-fedops/HOWTO-Shibboleth/Identity Provider/Debian-Ubuntu/HOWTO-Install-and-Configure-a-Shibboleth-IdP-v5.x-on-Debian-Ubuntu-Linux-with-Apache-+-Jetty.md index 60811e2..c567107 100644 --- a/idem-fedops/HOWTO-Shibboleth/Identity Provider/Debian-Ubuntu/HOWTO-Install-and-Configure-a-Shibboleth-IdP-v5.x-on-Debian-Ubuntu-Linux-with-Apache-+-Jetty.md 
+++ b/idem-fedops/HOWTO-Shibboleth/Identity Provider/Debian-Ubuntu/HOWTO-Install-and-Configure-a-Shibboleth-IdP-v5.x-on-Debian-Ubuntu-Linux-with-Apache-+-Jetty.md @@ -1000,7 +1000,7 @@ This Storage service will memorize User Consent data on a persistent SQL databas idp.authn.LDAP.trustCertificates = /opt/shibboleth-idp/credentials/ldap-server.crt # List of attributes to request during authentication - idp.authn.LDAP.returnAttributes = passwordExpirationTime,loginGraceRemaining + idp.authn.LDAP.returnAttributes = pwdLastSet,badPwdCount idp.authn.LDAP.baseDN = ou=people,dc=example,dc=org idp.authn.LDAP.subtreeSearch = false From be545460c8a45d1d466a81ef17da787b7f908ea5 Mon Sep 17 00:00:00 2001 
From: giuseppemainardi <87700812+giuseppemainardi@users.noreply.github.com> Date: Fri, 30 Jan 2026 08:46:01 +0100 Subject: [PATCH 2/2] Update HOWTO-Install-and-Configure-a-Shibboleth-IdP-v5.x-on-Debian-Ubuntu-Linux-with-Apache-+-Jetty.md The current How-To guide mentions the passwordExpirationTime parameter. However, this is an eDirectory (LDAP) attribute and is not present in Active Directory (AD). Same thing for loginGraceRemaining. Technical Details Current Issue: passwordExpirationTime and loginGraceRemaining cannot be used in an AD because are eDirectory (LDAP) attributes. AD Alternative for passwordExpirationTime: pwdLastSet, it is very similar but it only stores the last change timestamp. Alone, it cannot be used to evaluate how long the password will be valid for. To calculate the expiration date, we also need the MaxPasswordAge value in the Domain policy. But this is not a value that the IDP can read nor release. Possible Solutions: the msDS-UserPasswordExpiryTimeComputed constructed attribute. This attribute allows the retrieval of the already-calculated expiration date directly from the Domain Controller. pwdLastSet, if the goal is to warn the user about a close expiration date, it could be enough to show the value in pwdLastSet. AD Alternative for loginGraceRemaining (number of grace logins available to a user after her password has expired): None perfectly fitting because Active Directory does not allow access after the password expiration date. Imperfect Solution: pwdLastSet can warn the user about the password age, and could prevent expiration before the deadline. --- ...oleth-IdP-v5.x-on-Debian-Ubuntu-Linux-with-Apache-+-Jetty.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/idem-fedops/HOWTO-Shibboleth/Identity Provider/Debian-Ubuntu/HOWTO-Install-and-Configure-a-Shibboleth-IdP-v5.x-on-Debian-Ubuntu-Linux-with-Apache-+-Jetty.md b/idem-fedops/HOWTO-Shibboleth/Identity Provider/Debian-Ubuntu/HOWTO-Install-and-Configure-a-Shibboleth-IdP-v5.x-on-Debian-Ubuntu-Linux-with-Apache-+-Jetty.md index c567107..a05a3a9 100644 --- a/idem-fedops/HOWTO-Shibboleth/Identity Provider/Debian-Ubuntu/HOWTO-Install-and-Configure-a-Shibboleth-IdP-v5.x-on-Debian-Ubuntu-Linux-with-Apache-+-Jetty.md +++ b/idem-fedops/HOWTO-Shibboleth/Identity Provider/Debian-Ubuntu/HOWTO-Install-and-Configure-a-Shibboleth-IdP-v5.x-on-Debian-Ubuntu-Linux-with-Apache-+-Jetty.md @@ -1000,7 +1000,7 @@ This Storage service will memorize User Consent data on a persistent SQL databas idp.authn.LDAP.trustCertificates = /opt/shibboleth-idp/credentials/ldap-server.crt # List of attributes to request during authentication - idp.authn.LDAP.returnAttributes = pwdLastSet,badPwdCount + idp.authn.LDAP.returnAttributes = pwdLastSet idp.authn.LDAP.baseDN = ou=people,dc=example,dc=org idp.authn.LDAP.subtreeSearch = false
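Review bot: in the PATCH 1/2 hunk, `badPwdCount` is not the replacement for `loginGraceRemaining` that the commit message describes: the message says AD has no equivalent for grace logins after expiry, and `badPwdCount` counts failed binds rather than remaining logins, so pairing it with `pwdLastSet` in `idp.authn.LDAP.returnAttributes = pwdLastSet,badPwdCount` changes what the guide's own comment ("List of attributes to request during authentication") implies the IdP will do with the value. The message also identifies `msDS-UserPasswordExpiryTimeComputed` as the attribute that actually carries a computed expiry, yet the hunk requests only `pwdLastSet`, which by the message's own account cannot yield an expiration date without MaxPasswordAge; either request the constructed attribute as well or state in the guide that only a password-age hint, not an expiry warning, is available with this setting.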
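Review bot: the PATCH 2/2 hunk silently drops `badPwdCount`, which PATCH 1/2 added, and the commit message does not say why; the two commits should be squashed or the message should record the reason. More importantly, the surrounding context (`idp.authn.LDAP.baseDN = ou=people,dc=example,dc=org`, the eDirectory-style attributes being replaced) shows this section of the how-to was written for a generic LDAP directory, so replacing the line outright makes the example AD-only without telling readers on eDirectory or OpenLDAP that the previous value still applies to them; keep both variants, e.g. a commented line `# Active Directory: idp.authn.LDAP.returnAttributes = pwdLastSet` next to the existing one, and add a sentence in the guide text explaining the directory-specific choice, since the patch changes only the property line and no prose.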