The set password-grace-logins command sets the maximum number of times that the user can log in with their password after it has expired.
If an LDAP client includes the Behera password-policy control in its bind request and the password in the bind has expired, the bind-confirm returns an LDAP control containing the number of grace logins remaining.
If the client is not aware of the Behera password policy request control, grace logins still work, but the client cannot track how many grace logins are left.
CA Directory uses the operational attributes dxPwdGraceLogins and dxPwdGraceUseTime to maintain the grace login history.
This command has the following format:
set password-grace-logins = number-logins | 0 ;
number-logins
    Specifies the number of times a user can log in with an expired password.
0
    (Default) Disables this feature.
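A client that sends the Behera password-policy control can read the remaining grace logins from the response control returned with the bind result. The following is an added example, not CA code: it decodes that control value in Python, assuming the BER layout of draft-behera-ldap-password-policy as commonly implemented by LDAP libraries. The function names are hypothetical and the sample bytes are constructed, not captured from CA Directory.

```python
PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"  # Behera draft request/response control OID

def _tlv(buf, pos):
    """Read one definite-length BER element; return (tag, content, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported BER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("BER length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length

def parse_ppolicy_response(value):
    """Decode PasswordPolicyResponseValue into a dict; absent fields stay None."""
    out = {"time_before_expiration": None, "grace_logins_remaining": None, "error": None}
    tag, body, end = _tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("expected one SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, content, pos = _tlv(body, pos)
        if not content:
            raise ValueError("empty element")
        if tag == 0xA0:  # warning [0]: wraps exactly one CHOICE alternative
            wtag, wval, wend = _tlv(content, 0)
            if wend != len(content) or not wval or wtag not in (0x80, 0x81):
                raise ValueError("malformed warning")
            key = "time_before_expiration" if wtag == 0x80 else "grace_logins_remaining"
            out[key] = int.from_bytes(wval, "big", signed=True)
        elif tag == 0x81:  # error [1] ENUMERATED (0 = passwordExpired)
            out["error"] = int.from_bytes(content, "big")
        else:
            raise ValueError("unexpected tag 0x%02x" % tag)
    return out

def grace_logins_left(response_controls):
    """response_controls: (oid, value) pairs from a bind response. None = not reported."""
    for oid, value in response_controls:
        if oid == PPOLICY_OID and value:
            return parse_ppolicy_response(value)["grace_logins_remaining"]
    return None

# Constructed sample values, not captured from CA Directory.
SAMPLE_GRACE = bytes.fromhex("3005a003810102")  # warning: graceAuthNsRemaining = 2
SAMPLE_EXPIRED = bytes.fromhex("3003810100")    # error: passwordExpired (0)
```

A return value of None from grace_logins_left corresponds to the case where no password-policy response control came back, so the client has no count to show the user.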
Copyright © 2009 CA. All rights reserved.