Environment
Novell Client 2 SP3 for Windows
eDirectory
iManager "Passwords" tool
eDirectory
iManager "Passwords" tool
Situation
How to increase the time before the user's password expires without requiring the user to change their password
Force periodic password changes
Days between forced changes
Change password expiration date
Force periodic password changes
Days between forced changes
Change password expiration date
Resolution
Extending the password expiration date requires that the user change their password before the change takes effect.
Cause
The functionality was explained in the ConsoleOne documentation as follows:
"Once this object changes its password and each time it changes the password thereafter, the system resets the expiration date forward the number of days specified in the Days Between Forced Changes field. The expiration date is stored in the Password Expiration Time property of this object."
When the password is changed/set, the policy is read, and the "password interval" and "password expiration time" attributes of the user object are updated. Then, when the user logs in, the Novell Clients reads the "password expiration time" and decides whether the password is expired. There is not a "live" calculation for "date of last password expiration/change plus days between forced password changes" so changing the number of days before the password expires does not take effect until the next password change.
"Once this object changes its password and each time it changes the password thereafter, the system resets the expiration date forward the number of days specified in the Days Between Forced Changes field. The expiration date is stored in the Password Expiration Time property of this object."
When the password is changed/set, the policy is read, and the "password interval" and "password expiration time" attributes of the user object are updated. Then, when the user logs in, the Novell Clients reads the "password expiration time" and decides whether the password is expired. There is not a "live" calculation for "date of last password expiration/change plus days between forced password changes" so changing the number of days before the password expires does not take effect until the next password change.
Additional Information
As a workaround, the administrator could go into each user object and change the expiration date on the user object's "Restrictions" tab, "Password Restrictions" page.
Alternatively, the administrator could do an LDAP export, change the "password expiration time" attribute, then LDAP import the changes back into eDirectory.
Alternatively, the administrator could do an LDAP export, change the "password expiration time" attribute, then LDAP import the changes back into eDirectory.