While it was once a common practice, and still is in some environments, password expiration is no longer recommended.
You should force a user to change their password if you have reason to believe that it is weak or has been exposed in a data breach, but forcing arbitrary password changes is frustrating for users and does not meaningfully improve security.
Nevertheless, PingDirectory server provides full support for password expiration. Use the following configuration properties to enable password expiration and customize its behavior:
- The maximum length of time that a user can continue using the same password. If this is configured with a value of zero seconds (which is the default), then password expiration is disabled.
- The length of time before an upcoming password expiration that the server should start warning about that expiration. A value of zero seconds disables the warning. By default, the server starts warning about an upcoming expiration five days in advance.
- Indicates whether the server should allow a user’s password to expire even if they have not been warned about an upcoming expiration. If this is false (which is the default), then the server ensures that the user receives at least one warning about the upcoming expiration, even if the expiration time has already passed. After it has issued the warning, the server grants the user the full duration of the password expiration warning interval before the password actually expires.
- Indicates whether the server allows a user to change their password even after it has expired. This is false by default, and an administrator is required to reset the user’s password before the account becomes usable again. However, if this is changed to true, then the user is allowed to use the password modify extended operation over an unauthenticated connection, providing their current password in addition to the desired new password.
- The maximum number of grace logins that the server grants to a user. A grace login allows a user to authenticate with an expired user, but only for the purpose of changing their password. Any other operations that they attempt are rejected. By default, the server does not allow any grace logins.
The server offers a pair of response controls that are related to password expiration, both of which are described in draft-vchu-ldap-pwd-policy:
- The password expiring response control is included in the response to a successful bind operation in cases where the user’s password is about to expire.
- The password expired response control is included in the response to a bind operation in cases where the user’s password has expired. If the bind response includes a result code of success, then the user is permitted to change their password, but is not be allowed to do anything else until they have done that. If the bind response has a non-success result code, then an administrative password reset is required to restore access to the user’s account.
If the user includes the password policy request control, as described in draft-behera-ldap-password-policy in the bind request, then the server includes the password policy response control in the bind response instead of the password expiring or password expired control. The password policy response control value can be used to indicate whether the user’s password is expired or is about to expire, so the additional control is not necessary.
See the config/sample-dsconfig-batch-files/enable-password-expiration.dsconfig batch file for more information about enabling password expiration.