|Applies To||RSA Product Set: Access Manager, ClearTrust|
RSA Product/Service Type: Authorization Server (AServer)
RSA Version/Condition: 5.0.1 - 6.2
|Issue||How does RSA ClearTrust calculate users' password expiration date?|
RSA ClearTrust password expiration date does not appear to match the password policy.
|Cause||RSA ClearTrust tracks two attributes in the user object to determine password expiration:|
For users who have a password expiration date set only through a password policy, the password creation date attribute of the user object - ctscPasswordCreationDate - is used. ClearTrust calculates the password expiration dynamically from the password creation date and the password policy object's lifetime, which is stored in the ctscPolicyTimeOffset attribute. If the user's password has expired, the Entitlements Manager displays the date on which the password expired. If the password is active, the date displayed in the Entitlements Manager is the date the password was created plus the number of days specified in the current password policy.
If you explicitly set a password expiration date in the Entitlements Manager for a specific user, the password expiration date attribute of the user object - ctscPasswordExpirationDate - is used. The expiration date will supersede any other settings you have defined for that user for the lifetime of the password. Any modification to the "Password Expires" field in the Entitlements Manager will enable this functionality. This expiration date is unrelated to any current password policy for that user's administrative group.
The following user attributes are set in LDAP for each condition:
|Resolution||If you have previously set an explicit password expiration date on a user object and wish to return this user to the expiration date configured in the password policy, follow this procedure:|
|Workaround||A new password policy has been created for the administrative group|
A user's password date was manually changed in the user screen
A user's password was set to expire now
|Legacy Article ID||a20173|
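The precedence rule described under Cause can be checked over exported user entries to find accounts whose explicit expiration date overrides the password policy. This is an added example, not RSA code; it assumes the date attributes are LDAP GeneralizedTime strings in UTC, that the policy lifetime is a number of days, and that entries carry a hypothetical `uid` key.

```python
from datetime import datetime, timedelta, timezone

# Assumptions (not stated in the article): dates are stored as LDAP
# GeneralizedTime strings in UTC, and the policy lifetime is a count of days.
GT_FORMAT = "%Y%m%d%H%M%SZ"

def parse_gt(value):
    return datetime.strptime(value, GT_FORMAT).replace(tzinfo=timezone.utc)

def policy_expiration(user, policy_days):
    """Creation date plus policy lifetime, or None if no creation date."""
    created = user.get("ctscPasswordCreationDate")
    return parse_gt(created) + timedelta(days=policy_days) if created else None

def effective_expiration(user, policy_days):
    """Explicit ctscPasswordExpirationDate wins; otherwise derive from policy."""
    explicit = user.get("ctscPasswordExpirationDate")
    if explicit:
        return parse_gt(explicit), "explicit"
    return policy_expiration(user, policy_days), "policy"

def audit(users, policy_days, now):
    """Return (uid, finding) pairs for review."""
    findings = []
    for user in users:
        expires, source = effective_expiration(user, policy_days)
        if expires is None:
            findings.append((user["uid"], "no password dates recorded"))
            continue
        by_policy = policy_expiration(user, policy_days)
        if source == "explicit" and by_policy and expires > by_policy:
            findings.append((user["uid"], "explicit date outlives policy"))
        if expires <= now:
            findings.append((user["uid"], "expired"))
    return findings

# Constructed sample entries (hypothetical users, 90-day policy).
SAMPLE_USERS = [
    {"uid": "alice", "ctscPasswordCreationDate": "20240101000000Z"},
    {"uid": "bob", "ctscPasswordCreationDate": "20240101000000Z",
     "ctscPasswordExpirationDate": "20250101000000Z"},
    {"uid": "carol", "ctscPasswordCreationDate": "20231101000000Z"},
    {"uid": "dave", "ctscPasswordCreationDate": "20240101000000Z",
     "ctscPasswordExpirationDate": "20240301000000Z"},
]
NOW = datetime(2024, 3, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    for uid, finding in audit(SAMPLE_USERS, 90, NOW):
        print(f"{uid}: {finding}")
```

Accounts reported as "explicit date outlives policy" are the ones where a manual change to the "Password Expires" field keeps a password valid longer than the administrative group's policy would allow.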