The Active Directory module is based on the <a href="../../documentation/2.0/authldap.html" class="wikilink1" title="documentation:2.0:authldap">LDAP module</a>, with these features:
The configuration is the same as for the <a href="../../documentation/2.0/authldap.html" class="wikilink1" title="documentation:2.0:authldap">LDAP module</a>.
The AD password policy does not follow the LDAP <abbr title="Request for Comments">RFC</abbr>; Microsoft has implemented its own policy.
LemonLDAP::NG partially implements this policy:
</p>
<ul>
<li class="level1"><div class="li"> when pwdLastSet = 0 in the user entry, it means that the password has been reset, and a form is presented to the user so that he can change his password.</div>
</li>
<li class="level1"><div class="li"> when the computed virtual attribute 'msDS-User-Account-Control-Computed' has its 6th flag set to 8, the password is considered expired (supported since Windows Server 2003). It is then too late for the user to do anything: he must contact his administrator.</div>
</li>
<li class="level1"><div class="li"> a warning before password expiration is possible in AD, but only through a GPO (Computer Configuration\Windows Settings\Local Policies\Security Options, under "Interactive Logon: Prompt user to change password before expiration"). However, it has no equivalent in the LDAP directory data. A “password warning time before password expiration” variable can be specified in LemonLDAP::NG to provide it.</div>
</li>
</ul>
<div class="noteimportant">Note: since AD 2012, each user can have a specific password expiration policy, so the “maximum password age” can have different values. This is currently unsupported in LemonLDAP::NG because every policy would have to be evaluated according to its precedence to know which maximum password age applies.
</div>
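<p>As an added example (not LemonLDAP::NG's own code), the function below combines the three rules above with the two Manager settings described below (“Password expire warning” and “Password max age”) to decide the password state of one user entry. It assumes attribute values arrive as strings from LDAP, that <code>pwdLastSet</code> is a Windows FILETIME, that the expired flag is bit 0x800000 (UF_PASSWORD_EXPIRED) of the computed attribute, and a single max age, which the note above says no longer holds on AD 2012+ with per-user policies. Sample entries and times are constructed.</p>

```python
# Added example (not LemonLDAP::NG code): decide what to do with one AD user entry.
FILETIME_EPOCH_DIFF = 11_644_473_600  # seconds from 1601-01-01 to 1970-01-01
UF_PASSWORD_EXPIRED = 0x800000  # msDS-User-Account-Control-Computed: "6th flag set to 8"


def filetime_to_unix(filetime: int) -> int:
    """pwdLastSet is a Windows FILETIME: 100 ns intervals since 1601-01-01."""
    return filetime // 10_000_000 - FILETIME_EPOCH_DIFF


def unix_to_filetime(unix: int) -> int:
    """Inverse of filetime_to_unix; used here only to construct sample entries."""
    return (unix + FILETIME_EPOCH_DIFF) * 10_000_000


def password_state(entry: dict, max_age: int, warn_before: int, now: int) -> dict:
    """Apply the three rules from the text to one entry.

    entry: LDAP attributes as strings; max_age / warn_before: the two Manager
    settings in seconds (max_age must match the AD policy); now: Unix time.
    """
    pwd_last_set = int(entry.get("pwdLastSet", "0"))
    uac_computed = int(entry.get("msDS-User-Account-Control-Computed", "0"))

    # Rule 1: pwdLastSet = 0 means the password was reset; show the change form.
    if pwd_last_set == 0:
        return {"state": "reset", "remaining": 0}

    # Rule 2: AD has already flagged the password as expired; too late to warn.
    if uac_computed & UF_PASSWORD_EXPIRED:
        return {"state": "expired", "remaining": 0}

    # Rule 3: derive the expiry locally; a negative remaining means max_age != AD policy.
    remaining = filetime_to_unix(pwd_last_set) + max_age - now
    if remaining <= warn_before:
        return {"state": "warning", "remaining": remaining}
    return {"state": "ok", "remaining": remaining}


if __name__ == "__main__":
    NOW, MAX_AGE, WARN = 1_700_000_000, 90 * 86400, 14 * 86400  # constructed values
    samples = {  # constructed entries, one per rule
        "reset": {"pwdLastSet": "0"},
        "expired": {"pwdLastSet": str(unix_to_filetime(NOW - 100 * 86400)),
                    "msDS-User-Account-Control-Computed": str(UF_PASSWORD_EXPIRED)},
        "warning": {"pwdLastSet": str(unix_to_filetime(NOW - 80 * 86400))},
    }
    for name, entry in samples.items():
        print(name, password_state(entry, MAX_AGE, WARN, NOW))
```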
<p>
To configure the warning before password expiration, you must set two variables in the Active Directory parameters of the Manager:
</p>
<ul>
<li class="level1"><div class="li"><strong>Password expire warning</strong>: number of seconds before password expiration from which the user is warned that his password will expire.</div>
</li>
<li class="level1"><div class="li"><strong>Password max age</strong>: number of seconds after the last password change before the password expires. It must match the AD policy.</div>