set password-grace-logins Command

The set password-grace-logins command sets the maximum number of times that the user can log in with their password after it has expired.

If the client is an LDAP client, the bind contains the Behera password-policy control, and the password contained in the bind has expired, the bind-confirm returns an LDAP control containing the number of grace logins remaining.

If the client is not aware of the Behera password policy request control, grace logins will work, but the client will not be able to track how many grace logins are left.

CA Directory uses the operational attributes dxPwdGraceLogins and dxPwdGraceUseTime to maintain the grace login history.

This command has the following format:

set password-grace-logins = number-logins | 0 ;

number-logins

Specifies the number of times a user can log in with an expired password.

0

(Default) Disables this feature.

More information:

Set the Number of Grace Logins