The following graphic demonstrates how certain APS settings affect the lifetime of a password.
There are three settings which affect password lifetime.
If Password Expiration is not set (or zero), the user's password has an infinite lifetime (never expires).
Password Expiration can be overridden at the user level using the smapsExpirePasswordDays attribute in an LDAP entry.
If Expiration Warning is zero or not set, no password warnings will be issued.
Once the Expiration Grace period has expired without a password change, the user will be disabled when they log in.
If Expiration Grace is not set or zero, the user account will be disabled immediately upon password expiration (subject to the Grace Logins setting, as described below).
A fourth setting, Grace Logins, can also affect this process.
The following tables describe what happens at each of the "Login Points" shown in the diagram.
Note that APS may redirect the user or take other actions that have little or nothing to do with password lifetimes (e.g. Force Password Change, User Expiration). These actions are not reflected in the tables below.
Also, if a particular redirect is undefined, APS will not perform the redirect and may ignore the lifetime setting (e.g. if there is no Expire Change Redirect, then APS will ignore the Expiration Grace period).

Expiration Grace set

| Login | Action |
|---|---|
| A | Normal login. APS does not redirect. |
| B | User will be redirected to the Warning Redirect setting. |
| C | User will be redirected to the Expire Change Redirect page. If AZRedirect is configured, user cannot access site without changing password. |
| D | User will be redirected to the Expire Change Redirect page. If AZRedirect is configured, user cannot access site without changing password. |
| E | User will be redirected to the Expire Change Redirect page. If AZRedirect is configured, user cannot access site without changing password. |
| F | User will be redirected to the Disabled Redirect page. If the Reset Password setting is in effect, further attempts will be rejected without any APS redirect (bad credentials). |

Expiration Grace set

| Login | Action |
|---|---|
| A | Normal login. APS does not redirect. |
| B | User will be redirected to the Warning Redirect setting. |
| C | User will be redirected to the Expire Change Redirect page. Even if AZRedirect is configured, user will be allowed to access the site without changing password, since this is not the last Grace Login. |
| D | User will be redirected to the Expire Change Redirect page. Even if AZRedirect is configured, user will be allowed to access the site without changing password, since this is not the last Grace Login. |
| E | User will be redirected to the Expire Change Redirect page. Even if AZRedirect is configured, user will not be allowed to access the site without changing password (since this is the last allowed Grace Login). |
| F | The user will be disabled and redirected to the Disabled Redirect page. If the Reset Password setting is in effect, further attempts will be rejected without any APS redirect (bad credentials). |

Expiration Grace set

| Login | Action |
|---|---|
| A | Normal login. APS does not redirect. |
| B | User will be redirected to the Warning Redirect setting. |
| C | User will be redirected to the Expire Change Redirect page. Even if AZRedirect is configured, user will be allowed to access the site without changing password, since this is not the last Grace Login. |
| D | User will be redirected to the Expire Change Redirect page. Even if AZRedirect is configured, user will be allowed to access the site without changing password, since this is not the last Grace Login. |
| E | User will be redirected to the Expire Change Redirect page. Even if AZRedirect is configured, user will be allowed to access the site without changing password, since this is not the last Grace Login. |
| F | User will be disabled and redirected to the Disabled Redirect page. If the Reset Password setting is in effect, further attempts will be rejected without any APS redirect (bad credentials). Note that even though the user has another Grace Login remaining, the Expiration Grace period has expired, so the user will be disabled. |

Expiration Grace NOT set (or zero)

| Login | Action |
|---|---|
| A | Normal login. APS does not redirect. |
| B | User will be redirected to the Warning Redirect setting. |
| C | User will be redirected to the Expire Change Redirect page even though there is no Expiration Grace (since there is a Grace Login defined). Even if AZRedirect is configured, user will be allowed to access the site without changing password, since this is not the last Grace Login. |
| D | User will be redirected to the Expire Change Redirect page even though there is no Expiration Grace (since there is a Grace Login defined). Even if AZRedirect is configured, user will be allowed to access the site without changing password, since this is not the last Grace Login. |
| E | User will be redirected to the Expire Change Redirect page. Even if AZRedirect is configured, user will not be allowed to access the site without changing password (since this is the last allowed Grace Login). |
| F | On the FOURTH authentication attempt, the user will be disabled and redirected to the Disabled Redirect page. If the Reset Password setting is in effect, further attempts will be rejected without any APS redirect (bad credentials). Note that since the password has expired, there is no Expiration Grace and all Grace Logins are used, the user will be disabled. |
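
The decision rules from the tables above, written as a small Python model for checking what a given combination of settings should do at each login. This is an added example, not CA or APS code: the field names are hypothetical, it assumes Expiration Warning counts days before expiry and Expiration Grace counts days after it, and it does not model undefined redirects or the Reset Password setting.

```python
from dataclasses import dataclass

@dataclass
class Settings:                # hypothetical names, not APS setting keys
    expiration_days: int = 0   # Password Expiration; 0 = never expires
    warning_days: int = 0      # Expiration Warning; assumed: days before expiry
    grace_days: int = 0        # Expiration Grace; assumed: days after expiry
    grace_logins: int = 0      # Grace Logins; 0 = not set
    az_redirect: bool = False  # AZRedirect configured

def login_action(s, password_age_days, grace_logins_used=0):
    """Return (redirect, access_without_change) for a single login."""
    if s.expiration_days <= 0:
        return ("none", True)                    # infinite lifetime
    days_left = s.expiration_days - password_age_days
    if days_left > 0:                            # password not yet expired
        if s.warning_days > 0 and days_left <= s.warning_days:
            return ("Warning Redirect", True)    # login point B
        return ("none", True)                    # login point A
    days_expired = -days_left
    # Expiration Grace has run out: disabled even if Grace Logins remain.
    if s.grace_days > 0 and days_expired > s.grace_days:
        return ("Disabled Redirect", False)
    if s.grace_logins > 0:
        if grace_logins_used >= s.grace_logins:  # all Grace Logins used
            return ("Disabled Redirect", False)
        last = grace_logins_used + 1 == s.grace_logins
        # AZRedirect only blocks access on the last Grace Login.
        return ("Expire Change Redirect", not (last and s.az_redirect))
    if s.grace_days > 0:                         # grace period, no Grace Logins
        return ("Expire Change Redirect", not s.az_redirect)
    return ("Disabled Redirect", False)          # no grace of either kind

if __name__ == "__main__":
    # Constructed settings: 90-day expiry, 14-day warning, 7-day grace, 3 Grace Logins.
    s = Settings(90, 14, 7, 3, az_redirect=True)
    for age, used in [(10, 0), (80, 0), (92, 0), (93, 1), (94, 2), (95, 3)]:
        print(age, used, login_action(s, age, used))
```

The Grace Logins counts used here (3, and 4 for the case where the grace period ends first) are assumed values chosen to reproduce the login points A to F.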
Copyright © 2014 CA.
All rights reserved.