Red Hat Directory Server 8.0 Administrator's Guide

Attribute Name / Definition

user's password will expire after an interval given by the passwordMaxAge attribute. Making passwords expire helps protect the directory data because the longer a password is in use, the more likely it is to be discovered. This attribute is off by default.

passwordMaxAge
This attribute indicates the number of seconds after which user passwords expire. To use this attribute, enable password expiration using the passwordExp attribute. This attribute is a dynamic parameter in that its maximum value is derived by subtracting January 18, 2038, from today's date. The attribute value must not be set to the maximum value or too close to the maximum value. If the value is set to the maximum value, Directory Server may fail to start because the number of seconds will go past the epoch date. In such an event, the error log will indicate that the password maximum age is invalid. To resolve this problem, correct the passwordMaxAge attribute value in the dse.ldif file. A common policy is to have passwords expire every 30 to 90 days. By default, the password maximum age is set to 8640000 seconds (100 days).

passwordWarning
This attribute indicates the number of seconds before a warning message is sent to users whose password is about to expire. Depending on the LDAP client application, users may be prompted to change their password when the warning is sent. By default, the directory sends the warning 86400 seconds (1 day) before the password is about to expire. However, a password never expires until the warning message has been sent. Therefore, if users don't bind to the Directory Server for longer than the passwordMaxAge, they will still get the warning message in time to change their password.

passwordMinAge
This attribute indicates the number of seconds that must pass before a user can change their password. Use this attribute in conjunction with the passwordInHistory attribute to
Chapter 7. Managing User Accounts and Passwords
248
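The table above describes passwordMaxAge as bounded by the seconds remaining until January 18, 2038, and warns that a value at or near that bound stops the server from starting. The following script is an added example, not part of the guide: it computes that bound for a given date, checks a proposed policy against it (the one-year safety margin is an assumption of this example, not a value from the guide), emits the LDIF an administrator would feed to ldapmodify against cn=config, and works out when a user's password expires and when the warning window opens. All attribute names are the ones in the table; the sample dates are constructed.

```python
"""Sanity-check and emit a Directory Server password expiration policy.

Added example for the passwordExp / passwordMaxAge / passwordWarning /
passwordMinAge attributes described above. Assumes the global policy is
held in cn=config (as the guide describes for dse.ldif) and uses the
January 18, 2038 bound the guide gives for passwordMaxAge.
"""
from datetime import datetime, timedelta

# Bound the guide states for passwordMaxAge: seconds from today until this date.
EPOCH_LIMIT = datetime(2038, 1, 18)


def max_password_age(now=None):
    """Largest passwordMaxAge (in seconds) that does not run past the 2038 bound."""
    now = now or datetime.now()
    return int((EPOCH_LIMIT - now).total_seconds())


def check_policy(max_age, warning, min_age, now=None, margin_days=365):
    """Return a list of problems with the proposed values; an empty list means acceptable.

    margin_days is this example's own safety margin (assumption): the guide only
    says the value must not be "too close" to the maximum.
    """
    problems = []
    bound = max_password_age(now)
    if max_age >= bound:
        problems.append(
            f"passwordMaxAge {max_age} reaches the 2038 bound ({bound}s); "
            "Directory Server may refuse to start"
        )
    elif max_age > bound - margin_days * 86400:
        problems.append(
            f"passwordMaxAge {max_age} is within {margin_days} days of the 2038 bound"
        )
    if warning >= max_age:
        problems.append("passwordWarning must be shorter than passwordMaxAge")
    if min_age >= max_age:
        problems.append("passwordMinAge must be shorter than passwordMaxAge")
    for name, value in (("passwordMaxAge", max_age), ("passwordWarning", warning),
                        ("passwordMinAge", min_age)):
        if value < 0:
            problems.append(f"{name} must not be negative")
    return problems


def policy_ldif(max_age, warning, min_age):
    """LDIF for ldapmodify that enables expiration and sets the three intervals."""
    return "\n".join([
        "dn: cn=config",
        "changetype: modify",
        "replace: passwordExp",
        "passwordExp: on",
        "-",
        "replace: passwordMaxAge",
        f"passwordMaxAge: {max_age}",
        "-",
        "replace: passwordWarning",
        f"passwordWarning: {warning}",
        "-",
        "replace: passwordMinAge",
        f"passwordMinAge: {min_age}",
        "",
    ])


def expiry_schedule(last_changed, max_age, warning):
    """Return (warning_starts, expires) for a password last changed at last_changed."""
    expires = last_changed + timedelta(seconds=max_age)
    return expires - timedelta(seconds=warning), expires


if __name__ == "__main__":
    # Constructed policy: 90-day expiry, 7-day warning, 1-day minimum age.
    proposed = dict(max_age=90 * 86400, warning=7 * 86400, min_age=86400)
    for problem in check_policy(**proposed):
        print("problem:", problem)
    print(policy_ldif(**proposed))
    warn_from, expires = expiry_schedule(datetime(2024, 1, 1), 8640000, 86400)
    print(f"default policy: warning from {warn_from:%Y-%m-%d}, expires {expires:%Y-%m-%d}")
```

Save the printed LDIF to a file and apply it with `ldapmodify -x -D "cn=Directory Manager" -W -f policy.ldif`; run `check_policy` first so a value that would trip the 2038 bound never reaches dse.ldif.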