How To Force Users To Change Their Linux LDAP Password
This tutorial shows you How To Force Users To Change Their Linux LDAP Password (Lightweight Directory Access Protocol ) using the chage command. A system administrator’s life is not an easy one. Maintaining system integrity, maintaining security, troubleshooting issues. There are so many spinning plates. When it comes to security you need your users to choose a strong password and you need them to change it periodically.
User Password Expiry Information
To find out about a user’s password expiry information run the following command:
The returned information is as follows:
- When the password was last changed
- When the password expires
- How many days of inactivity before the password expires
- When the account expires
- Minimum number of days between password changes
- Maximum number of days between password changes
- A number of days warning before the password expires.
How To Force A User To Change Their Linux LDAP Password Every 60 Days
You can force a user to change their password after a set number of days by using the following command:
sudo chage -M 60
You will need to use sudo to elevate your permissions to run this command or switch to a user who has the appropriate permissions using the su command.
If you now run the chage -l command you will see that the expiry date is set and the maximum number of days is 60.
You can, of course, specify the number of days that suits your own security policy.
How To Set The Expiry Date For An Account
Imagine, guest user John and Patrice are visiting your office for a few days.
You can create each of them an account using the following adduser command:
sudo adduser john sudo adduser patrice
Now that they have accounts you can set their initial passwords using the passwd command as follows:
sudo passwd john sudo passwd patrice
Imagine that John and Patrice are leaving on the 1st January 2018.
You can set the expiry date for the accounts as follows:
sudo chage -E 2018-01-01 john sudo chage -E 2018-01-01 patrice
If you run the chage -l command now you should see that the account will indeed expire on the 1st January 2018.
After an account is expired, an administrator can clear the expiration date by running the following command:
sudo chage -E -1 john
Set The Number Of Days After The Linux LDAP Password Expires Before The Account Is Locked
You can set the number of days after a password expires when an account becomes locked. For example, if John’s password expired on Monday and the number of inactive days is 3 then John’s account will be locked on Saturday.
To set the number of inactive days run the following command:
sudo chage -I 6 john
The above command will give John 6 days to access his account and change the password before the account becomes locked.
An administrator can clear the lock by running the following command:
sudo chage -I -1 john
How To Warn A User Their Linux LDAP Password Is About To Expire
You can warn a user every time they log in that their password is going to expire.
For example, if you want John to be told that his password is going to expire in the next 10 days run the following command:
sudo chage -W 10 John
How To Prevent A User Changing Their Linux LDAP Password Too Often
If a user changes their password every day it probably isn’t a good thing. In order to change your password every day and remember it, you must be using some sort of pattern.
To prevent a user from changing their LDAP password too often you can set a minimum number of days before they can change the password.
sudo chage -m 6 john
It is up to you whether you enforce this option. Most people are lethargic when changing passwords as opposed to being obsessed with it.
You can remove the limit by specifying the following command:
sudo chage -m 0 john
This is how we can force users to change their Linux LDAP Password. If you found this tutorial helpful then Like and Share. If you got something else then feel free to comment.