In a grace login system, passwords expire but users can use an expired password a limited number of times. This gives them the opportunity to change the password.
If the number of grace logins is exceeded, the account behaves as if it were expired.
The number of grace logins remaining is sent back to the binding client in the presence of the password policy request control.
To set the number of grace logins, use the following command:
set password-grace-logins = number-logins | 0 ;
If you use this command with an LDAP client that is aware of the Behera password policy request control, the client is informed of the number of logins remaining. Otherwise, the command works, but the client is not notified of the number of logins remaining.
Copyright © 2009 CA. All rights reserved. | Email CA about this topic |