RSA ClearTrust tracks two attributes in the user object to determine password expiration:
- The password creation date - ctscPasswordCreationDate
- The password expiration date - ctscPasswordExpirationDate
It also uses an attribute in the password policy object of the administrative group, ctscPolicyTimeOffset, to store the password lifetime. Depending on how the expiration date is set in the user object, ClearTrust may calculate the password expiration differently.
For users who have a password expiration date set only through a password policy, the password creation date attribute of the user object, ctscPasswordCreationDate, is used. ClearTrust calculates the password expiration dynamically from the password creation date and the password policy object's lifetime stored in the ctscPolicyTimeOffset attribute. If the user's password has expired, the Entitlements Manager displays the date on which the password expired. If the password is active, the date displayed in the Entitlements Manager is the date the password was created plus the number of days specified in the current password policy.
If you explicitly set a password expiration date in the Entitlements Manager for a specific user, the password expiration date attribute of the user object, ctscPasswordExpirationDate, is used. This expiration date supersedes any other settings you have defined for that user for the lifetime of the password. Any modification to the "Password Expires" field in the Entitlements Manager enables this behaviour. This expiration date is unrelated to any current password policy for that user's administrative group.
The following user attributes are set in LDAP for each condition:
The user's password expiration is being calculated by a password policy:
- ctscUserKeywords=NotExpired
- ctscUserKeywords=PasswordPolicy
- ctscPasswordCreationDate={This date is added to the ctscPolicyTimeOffset in the Password Policy to determine if the password has expired.}
- ctscPasswordExpirationDate={This date is not used in the calculation, but holds the expiration date calculated from the policy when the user was created. If the password policy has changed since then, this date is not accurate.}
The user's password expiration has been set manually from the user's screen:
- ctscUserKeywords=NotExpired
- ctscUserKeywords=Forced
- ctscPasswordCreationDate={This date is not used in the calculation, but is the date the password was last set.}
- ctscPasswordExpirationDate={This date is used to calculate the expiration of the password. It is the absolute date when the password will expire.}
The user's password was set to "expire now" from the user's screen:
- ctscUserKeywords=NormalForcedExpiration
- ctscUserKeywords=Forced
- ctscPasswordCreationDate={This date is not used in the calculation, but is the date the password was last set.}
- ctscPasswordExpirationDate={This date is not used in the calculation, but instead holds the date the password was set to expire now.}
If you have previously set an explicit password expiration date on a user object and wish to return this user to the expiration date configured in the password policy, follow this procedure:
- Expire the user's password
- Give the user a new password so the password status displays as Active
If you have access to LDAP, you can identify users with explicit password expiration dates by the presence of a "ctscUserKeywords" attribute with the value "Forced".
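The three keyword conditions above, together with the LDAP check in the last paragraph, can be expressed as a small decision routine. The following is an added example written for this article, not RSA's own code: it reads the attributes listed above from a user entry and the administrative group's policy, reports which of the three modes applies and the effective expiration date, and lists the entries an LDAP search for (ctscUserKeywords=Forced) would return. The attribute names come from the article; the date format (LDAP generalized time, e.g. 20240101000000Z), the assumption that ctscPolicyTimeOffset holds whole days, and all sample entries are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Attribute names as given in the article. The stored date format (LDAP
# generalized time) and the unit of ctscPolicyTimeOffset (whole days) are
# assumptions made for this example, not documented ClearTrust behaviour.
KEYWORDS = "ctscUserKeywords"
CREATED = "ctscPasswordCreationDate"
EXPIRES = "ctscPasswordExpirationDate"
POLICY_OFFSET = "ctscPolicyTimeOffset"


def parse_ldap_time(value):
    """Parse an LDAP generalized-time string (assumed format) into an aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def effective_expiration(user, policy, now):
    """Return (mode, expiration_datetime, expired) for one user entry.

    user   : dict of the user object's attributes; multi-valued attributes are lists
    policy : dict of the administrative group's password policy attributes
    now    : aware datetime used for the expired/active decision
    """
    keywords = set(user.get(KEYWORDS, []))
    if "NormalForcedExpiration" in keywords:
        # "Expire now": the password is already expired; ctscPasswordExpirationDate
        # only records when that was done, so it plays no part in the decision.
        return "expire-now", parse_ldap_time(user[EXPIRES]), True
    if "Forced" in keywords:
        # Explicit date set in the Entitlements Manager: absolute, policy is ignored.
        expires = parse_ldap_time(user[EXPIRES])
        return "explicit", expires, now >= expires
    if "PasswordPolicy" in keywords:
        # Dynamic: creation date plus the policy lifetime. The user's own
        # ctscPasswordExpirationDate is deliberately not consulted here.
        lifetime_days = int(policy[POLICY_OFFSET])
        expires = parse_ldap_time(user[CREATED]) + timedelta(days=lifetime_days)
        return "policy", expires, now >= expires
    raise ValueError("no recognised expiration keywords: %r" % sorted(keywords))


def users_with_explicit_expiration(entries):
    """Return DNs whose keywords contain 'Forced', i.e. the entries an LDAP
    search with the filter (ctscUserKeywords=Forced) would match."""
    return [dn for dn, attrs in entries if "Forced" in attrs.get(KEYWORDS, [])]


# Constructed sample data; not taken from any real directory.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
POLICY = {POLICY_OFFSET: "90"}          # current policy lifetime: 90 days (assumed unit)
ENTRIES = [
    ("cn=alice,ou=users,dc=example,dc=com", {
        KEYWORDS: ["NotExpired", "PasswordPolicy"],
        CREATED: "20240101000000Z",
        # Stale value written at creation under an earlier 60-day policy; ignored.
        EXPIRES: "20240301000000Z",
    }),
    ("cn=bob,ou=users,dc=example,dc=com", {
        KEYWORDS: ["NotExpired", "Forced"],
        CREATED: "20240101000000Z",
        EXPIRES: "20241231000000Z",       # absolute date set in the Entitlements Manager
    }),
    ("cn=carol,ou=users,dc=example,dc=com", {
        KEYWORDS: ["NormalForcedExpiration", "Forced"],
        CREATED: "20240101000000Z",
        EXPIRES: "20240215000000Z",       # date "expire now" was applied
    }),
]

if __name__ == "__main__":
    for dn, attrs in ENTRIES:
        mode, expires, expired = effective_expiration(attrs, POLICY, NOW)
        print(dn, mode, expires.date(), "EXPIRED" if expired else "active")
    print("explicit expiration set on:", users_with_explicit_expiration(ENTRIES))
```

Running it shows alice expiring on 2024-03-31 (creation date plus the current 90-day lifetime, not the stale 2024-03-01 stored in her entry), bob active until his explicit 2024-12-31 date, and carol already expired; the last line lists bob and carol as the users the "Forced" search would find. Checking NormalForcedExpiration before Forced matters, because an "expire now" entry carries both keywords.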