Advanced Password Services (APS) Guide › Daily Processing (APSExpire) › APSExpire Utility

APSExpire Utility

APSExpire is a command line utility that can be run as an AT process on Windows or a cron job on Unix. This means that the execution of APSExpire will take place on a timed, periodic basis. APSExpire examines users to determine if any of the following events applies:

• The user is not initialized (smapsNextAction is not set).
• A user's password will expire within a number of days.
• A user's password has expired, but a grace period or grace logins remain.
• A user's password has expired, no grace period or grace logins remain and the user record will be disabled.
• A user's account has remained inactive for too long and will be disabled shortly.
• A user's account has remained inactive for too long and will be disabled now.
• A user's account is eligible for purging (deletion).

Each execution of APSExpire processes a single User Directory or part of a User Directory, defined as a job in a special APSExpire section of the APS Configuration file. (See Chapter APS Configuration File (APS.CFG) for options on how to define these processing jobs).

When executed, APSExpire will search the specified directory for users who either have a blank smapsNextAction or a value for smapsNextAction that is prior to the current date and time. For each user found, APSExpire determines what actually must be done for that user.

There will be occasions where no action should be taken for the user. When this occurs, a new value for smapsNextAction will be calculated, the user record modified, and APSExpire will continue to the next user entry.

The key to APSExpire is the value of smapsNextAction. APSExpire will only process those user records with a value of before right now or blank. If the smapsNextAction attribute for a user is wrong for any reason, APSExpire will "pick up" the user record at the wrong time. If the date is too early, little will happen, since a new date will be calculated and stored back, essentially correcting itself.

If the date is too late, APSExpire will not process the record until the later date. This may cause the user record to not be processed in a timely manner.

Note that all of the "real time" functionality (expiring passwords and user accounts) can also take place in "Just In Time" mode. That is, if one of these events is detected during user login, APS will take action immediately. Thus, if the Next Action date is not correct, it only affects the asynchronous action of APS, it does not create a security hole; the event will be processed the next time that the user logs in or when the Action Date comes up.

Every time APS handles a user's record, it recalculates smapsNextAction, based on the current settings in APS.cfg and other dates in the user's record (such as the last login date). APS figures out the next thing that has to be done for the user and saves the date of that event.

Sometimes, during normal processing, conditions change that impact this Next Action date. This could be for three different reasons:

• The user record is modified outside of APS, usually by user maintenance applications.

  The recommended way to handle this is to blank out the smapsNextAction field for the user. The next time that APSExpire runs for that directory, a new value will be calculated.

• A setting in APS.cfg has changed. This means that the settings used for a calculation have changed and some or all users need to have the date recalculated.

  Depending on the change, the amount of work in this case can be different. If the change causes dates to be moved farther into the future (such as Password Expiration changes from 60 to 90), a site does not have to do anything, since, after 60 days, all of the users with invalid dates will be examined, a new date calculated and then stored. The data will clean itself up.

  However, if the date moves closer to today (such as Password Expiration changes from 90 to 60), there will be user records with a date too far into the future. A site can take one of two actions:

  • Do nothing. Existing users will not be processed until the date shows up and there will be inconsistencies, but the data will eventually clean itself up.
  • Run APSExpire with the -A option to process all users. APSExpire will recalculate the next action date for all users defined in the processing job.
• Several settings exist within APS.cfg, each with a different override. Something about a user's record changes such that a different override applies to the record. This is essentially the same as point 1 above. However, the case may not be as obvious because the override may be based on conditions entirely independent of APS variables.

Sites will need to examine these cases and blank out smapsNextAction if such a change is made to a record.