This procedure describes how to give users grace authentications, allowing users to change passwords that have expired.
The grace authentications are intended to be managed by an application that handles password policy request and response controls. The procedure shows a simple example of how to use the control in an application.
You cannot use DSCC to perform this task. Use the command line, as described in this procedure.
Make sure that users have access to an application that uses password policy request and response controls.
The application should ensure that users handle grace authentications properly.
Allow the application to use the password policy controls.
The following commands set an ACI to allow members of a Password Managers role to use the password policy controls:
$ cat ctrl.ldif dn: oid=188.8.131.52.184.108.40.206.220.127.116.11,cn=features,cn=config objectClass: top objectClass: directoryServerFeature oid: 18.104.22.168.22.214.171.124.126.96.36.199 cn: Password Policy Controls aci: (targetattr != "aci") (version 3.0; acl "Password Policy Controls"; allow( read, search, compare, proxy ) roledn = "ldap:///cn=Password Managers,dc=example,dc=com";) $ ldapmodify -a -D cn=admin,cn=Administrators,cn=config -w - -f ctrl.ldif Enter bind password: adding new entry oid=188.8.131.52.184.108.40.206.220.127.116.11,cn=features,cn=config $
The entry under cn=features,cn=config has the sole purpose of allowing you to manage access to operations that use the password policy request and response controls.
Set pwdGraceAuthNLimit in the password policy to the number of authentications to allow after the password has expired.
Make sure that the application guides the end user to change the expired password promptly before grace authentications are exhausted.
The DS5–compatibility-mode password policy is deprecated. You must switch to DS6–mode password policy in this version.