How To Force Users To Change Their LDAP Password-Linux


This tutorial shows you how to force users to change their Lightweight Directory Access Protocol (LDAP) password using the chage command.

A system administrator's life is not an easy one: maintaining system integrity, maintaining security, troubleshooting issues. There are so many plates to keep spinning.

When it comes to security, you need your users to choose a strong password and you need them to change it periodically.

User Password Expiry Information

To find out about a user's password expiry information, run the following command (replace <username> with the account you are checking):

chage -l <username>

The returned information is as follows:

  • When the password was last changed
  • When the password expires
  • How many days of inactivity after the password expires before the account is locked
  • When the account expires
  • Minimum number of days between password changes
  • Maximum number of days between password changes
  • Number of days warning before the password expires

How To Force A User To Change Their LDAP Password Every 60 Days

You can force a user to change their password after a set number of days by using the following command (replace <username> with the account to change):

sudo chage -M 60 <username>

You will need to use sudo to elevate your permissions to run this command or switch to a user who has the appropriate permissions using the su command.

If you now run the chage -l command you will see that the expiry date is set and the maximum number of days is 60.

You can, of course, specify the number of days that suits your own security policy.


How To Set The Expiry Date For An Account

Imagine that guest users John and Patrice are visiting your office for a few days.

You can create each of them an account using the following adduser command:

sudo adduser john

sudo adduser patrice

Now that they have accounts you can set their initial passwords using the passwd command as follows:

sudo passwd john

sudo passwd patrice

Imagine that John and Patrice are leaving on the 1st January 2018.

You can set the expiry date for the accounts as follows:

sudo chage -E 2018-01-01 john

sudo chage -E 2018-01-01 patrice

If you run the chage -l command now you should see that the account will indeed expire on the 1st January 2018.

After an account has expired, an administrator can clear the expiry date by running the following command:

sudo chage -E -1 john

Set The Number Of Days After The LDAP Password Expires Before The Account Is Locked

You can set the number of days after a password expires when an account becomes locked. For example, if John’s password expired on Monday and the number of inactive days is 3 then John’s account will be locked on Saturday.

To set the number of inactive days run the following command:

sudo chage -I 6 john

The above command will give John 6 days to access his account and change the password before the account becomes locked.

An administrator can remove the inactivity limit, so the account is no longer locked after the password expires, by running the following command:

sudo chage -I -1 john

How To Warn A User Their LDAP Password Is About To Expire

You can warn a user every time they log in that their password is going to expire.

For example, if you want John to be told that his password is going to expire in the next 10 days run the following command:

sudo chage -W 10 john

How To Prevent A User Changing Their LDAP Password Too Often

If a user changes their password every day, it probably isn't a good thing. In order to change your password every day and still remember it, you must be using some sort of pattern.

To prevent a user changing their LDAP password too often you can set a minimum number of days before they can change the password.

sudo chage -m 6 john

It is up to you whether you enforce this option. Most people are lethargic about changing passwords rather than obsessed with it.

You can remove the limit by specifying the following command:

sudo chage -m 0 john
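Every chage option above (-m, -M, -W, -I, -E) writes one aging field of the user's local /etc/shadow entry, and chage -l simply turns those day counts into dates. The following Python is an added example, not part of this tutorial: it parses two constructed shadow entries (john with the settings used above, patrice with typical defaults), reproduces the dates chage -l would print, and reports what a login attempt on a given day would hit first. The entries, the PLACEHOLDER hash and the >= boundary rule are assumptions made here.

```python
"""Derive what `chage -l` reports from the aging fields of an /etc/shadow entry.
Added example for this tutorial, not part of it; the entries below are constructed."""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)  # shadow stores every date as a day count from here
# Constructed sample. Layout: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# john has the values this tutorial sets (-m 6 -M 60 -W 10 -I 6 -E 2018-01-01);
# patrice keeps typical defaults (0:99999:7) with the same account expiry.
SAMPLE_SHADOW = """\
john:$6$PLACEHOLDER:17500:6:60:10:6:17532:
patrice:$6$PLACEHOLDER:17500:0:99999:7::17532:
"""

def parse_shadow(text):
    """Map user -> aging fields as ints (None where the field is empty)."""
    keys = ("lastchg", "min", "max", "warn", "inactive", "expire")
    users = {}
    for line in text.splitlines():
        if line.strip():
            f = line.split(":")
            users[f[0]] = {k: (int(v) if v else None) for k, v in zip(keys, f[2:8])}
    return users

def aging_dates(e):
    """The dates chage -l prints; None stands for 'never'."""
    day = lambda n: EPOCH + timedelta(days=n)
    # an empty/-1 max, or a max of 10000+ days, means no password aging at all
    aging = e["lastchg"] is not None and e["max"] is not None and 0 <= e["max"] < 10000
    pw_expires = day(e["lastchg"] + e["max"]) if aging else None
    inactive = e["inactive"] if e["inactive"] is not None else -1
    locked_after = day(e["lastchg"] + e["max"] + inactive) if aging and inactive >= 0 else None
    acct_expires = day(e["expire"]) if e["expire"] is not None and e["expire"] >= 0 else None
    return {"password_expires": pw_expires, "locked_after": locked_after,
            "account_expires": acct_expires}

def login_status(e, today):
    """Login outcome on `today` (date or ISO string), in shadow-utils' check order.
    Assumption: the boundary day counts as expired (>=) as in isexpired(); pam_unix uses >."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    d = aging_dates(e)
    if d["account_expires"] and today >= d["account_expires"]:
        return "account expired"
    if d["locked_after"] and today >= d["locked_after"]:
        return "locked (inactive)"
    if d["password_expires"] and today >= d["password_expires"]:
        return "password expired, must change"
    if d["password_expires"] and today >= d["password_expires"] - timedelta(days=e["warn"] or 0):
        return "warning"
    return "ok"
```

Because the account expiry date is checked first, john's 60-day password limit never comes into play before 2018-01-01; clearing it with chage -E -1 is what lets the warning, expiry and inactivity lock dates matter.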

This is how we can force users to change their LDAP password.