You are here

Change individual user password expiration?

Submitted by bwalker_dccc on Tue, 04/26/2011 - 13:25

Hi, we have an account which we use via WebMetrics for monitoring our Luminis platform and whether it is up or down. Our password expiration is set globally via configman:

security.ias.password.max_days_lifespan=365

But recently when the password on this account expired, WebMetrics started complaining that the system was down (which it wasn't). Is there a way to use something like

cptool set user <user> <property>=<value>

to set the user's password expiration to something other than what is specified for the system?

Thanks in advance!

Luminis Version:

I'm not aware of any cptool options that would accomplish what you are looking for but you could use a ldapmodify script that is run as a scheduled job to prevent the credentials from expiring. We do not expire passwords within our portal since we use EAS to AD but I would imagine the two LDAP entries that you might need to update are pdsAccountCredentialChanged and possibly pdsCredentialExpired.

While I haven't tested this in our environment, I believe if you routinely update the date value of pdsAccountCredentialChanged, to keep it under your 365 day setting, you can prevent the credentials from expiring. In the event the credentials do get expired you can change pdsCredentialExpired to true.

Tom
https://link.jwu.edu
Johnson and Wales University

"In the event the credentials do get expired you can change pdsCredentialExpired to true."

Should be:

"In the event the credentials do get expired you can change pdsAccountCredentialExpired to false."

Peter

"In the event the credentials do get expired you can change pdsAccountCredentialExpired to false."

There is no such LDAP entry on an individual account (unless this is a change in Luminis 5). There is an entry for pdsCredentialExpired and what the other admin was saying was that if setting it to "false" didn't work, set it to "true".

Now if you are saying that entry is elsewhere in the LDAP I would be very interested to know where that is located. Is that a global account setting?

I think I may have stumbled upon an undocumented solution to your question, if you're still looking for a permanent solution.

Please let me know if you are interested.

Peter