Luminis IV -- How To Create An Account With A Password That Never Expires

Submitted by peter.aganyo on Sun, 10/05/2014 - 17:00

The password age in Luminis Platform 4 (LP4) is set using a global setting:


LP4 does not provide a way to set the password age (lifespan) for individual accounts. This means that if you have a service account that you use to monitor the health and performance of Luminis Platform, you have to reset its password and update your code with the new password each time the password expires. Alternatively, since LP4 does not keep track of password history, you can avoid updating your code by resetting the service account password twice: first to some different value (LP4 does not allow the new password to be the same as the current password), then back to the value it had before the first reset. Either approach presents several challenges:

1. When the external application breaks you may not immediately tell that the issue is an expired password.

2. As there are no interactive logins, there's no prior warning that the password would be expiring soon.

3. Time is needed to troubleshoot, find the password, reset the password, etc.

At UMDNJ (now Rutgers), we were determined to find a better way. Our determination led us to keenly review the password reset, login process, and the LDAP attributes affected at each stage. Our conclusions may not be 100% accurate but they helped us set our service account password to never expire.

1. The LDAP attribute pdsLoginSuccess (date) does not exist in a newly created account; the attribute holds the timestamp of the moment a user successfully logs into their account. If you have security.ias.password.must_change_on_first_login set to true and this attribute does not exist for a particular account, the user will be forced to reset their password when they next log in.

2. Any time the attribute pdsCredentialExpired is set to true for a particular account, the user is forced to reset their password when they next log in. Setting this attribute to false does not necessarily mean that the user won't be forced to change their password at the next login.

3. Of all the important findings we made, this was the most important one: REMOVING pdsAccountCredentialChanged (date) MEANS LP4 CANNOT CALCULATE THE AGE OF THE PASSWORD. If LP4 does not know the age of a password, it cannot enforce whatever lifespan setting you have; therefore the password for such an account never expires.


Ensure you have a tool for manually (and carefully) editing the LDAP and that you have an account with enough permissions to do so.

1. Create a new account and set your desired password
2. Create a pdsLoginSuccess attribute and set its value to a timestamp in the same format as that of any existing account
3. Ensure pdsCredentialExpired is set to false
4. Remove the pdsAccountCredentialChanged attribute
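
Because an account without pdsAccountCredentialChanged never expires, it is worth keeping an inventory of which accounts are in that state. The script below is an added example, not part of the original post or of Luminis: it reads an LDIF export of the directory and flags each entry against the three findings above. It assumes the export is standard LDIF; the DNs, timestamp values and flag names are constructed for illustration.

```python
# Constructed sample export (DNs and timestamp values are assumptions, not real data).
SAMPLE_LDIF = """\
dn: uid=svc-monitor,ou=People,o=example.edu
pdsLoginSuccess: 20141005170000Z
pdsCredentialExpired: false

dn: uid=jdoe,ou=People,o=example.edu
pdsLoginSuccess: 20140930121500Z
pdsAccountCredentialChanged: 20140901
 080000Z

dn: uid=newuser,ou=People,o=example.edu
pdsCredentialExpired: TRUE
pdsAccountCredentialChanged: 20141001090000Z
"""

def parse_ldif(text):
    """Yield (dn, {lowercased attr: [values]}) per entry; unfolds continuation lines."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]       # LDIF folding: a leading space continues the previous line
        elif not line.startswith("#"):     # skip LDIF comment lines
            unfolded.append(line)
    entry = {}
    for line in unfolded + [""]:           # the trailing "" flushes the last entry
        if not line.strip():
            if "dn" in entry:
                yield entry["dn"][0], entry
            entry = {}
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())

def audit(text):
    """Map each DN to the findings from this page that apply to it (flag names are hypothetical)."""
    report = {}
    for dn, attrs in parse_ldif(text):
        expired = attrs.get("pdscredentialexpired", [""])[0].lower() == "true"
        checks = [
            ("never-expires", "pdsaccountcredentialchanged" not in attrs),  # finding 3
            ("no-successful-login", "pdsloginsuccess" not in attrs),        # finding 1
            ("forced-reset", expired),                                      # finding 2
        ]
        report[dn] = [name for name, hit in checks if hit]
    return report

if __name__ == "__main__":
    print("\n".join(f"{dn}: {flags}" for dn, flags in audit(SAMPLE_LDIF).items()))
```

Entries flagged never-expires should match the list of service accounts you deliberately configured this way; anything else in that state deserves a look.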
