Differences

This shows you the differences between two versions of the page.

documentation:latest:authad [2015/10/02 19:57]
127.0.0.1 external edit
documentation:latest:authad [2019/01/22 23:10] (current)
Line 1: Line 1:
 ====== Active Directory ====== ====== Active Directory ======
  
-^Authentication ^ Users ^ Password ^+ Authentication ​  Users   Password ​ ^
 |  ✔  |  ✔  |  ✔  | |  ✔  |  ✔  |  ✔  |
  
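Review bot: the added header row on the `+` side shows a `^` only after `Password`, whereas the removed row had a `^` in front of each of the three cells. DokuWiki marks a header cell by the `^` that precedes it, so check that the new row still renders as three header columns aligned with the `|  ✔  |  ✔  |  ✔  |` row below. If the intent was only to centre the header text, keep the leading and separating `^` characters and add the padding spaces inside them.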
Line 22: Line 22:
  
   * when pwdLastSet = 0 in the user entry, it means that password has been reset, and a form is presented to the user for him to change his password.   * when pwdLastSet = 0 in the user entry, it means that password has been reset, and a form is presented to the user for him to change his password.
-  * when computed virtual attribute '​msDS-User-Account-Control-Computed'​ as 6th flag set to 8, the password is considered expired(support from Windows Server 2003) It is too late for the user to do anything. He must contact his administrator. +  * when computed virtual attribute '​msDS-User-Account-Control-Computed'​ as 6th flag set to 8, the password is considered expired (support from Windows Server 2003)It is too late for the user to do anything. He must contact his administrator. 
-  * a warning before password expiration is possible in AD, but only in GPO (Computer Configuration\Windows Settings\Local Policies\Security Options under Interactive Logon: Prompt user to change password before expiration) However it as no reality in LDAP referential. A "​password warning time before password expiration"​ variable can be specified in LemonLDAP::​NG to do so.+  * a warning before password expiration is possible in AD, but only in GPO (Computer Configuration\Windows Settings\Local Policies\Security Options under Interactive Logon: Prompt user to change password before expiration)However it as no reality in LDAP referential. A "​password warning time before password expiration"​ variable can be specified in LemonLDAP::​NG to do so.
  
 <note important>​Note:​ since AD 2012, each user can have a specific password expiration policy. Then, the "​maximum password age" can have different values. This is currently unsupported in LemonLDAP::​NG because every policy must be computed with their precedence to know which maximum password age to apply.</​note>​ <note important>​Note:​ since AD 2012, each user can have a specific password expiration policy. Then, the "​maximum password age" can have different values. This is currently unsupported in LemonLDAP::​NG because every policy must be computed with their precedence to know which maximum password age to apply.</​note>​
  
-To configure warning before password expiration, you must set two variables in portal section of lemonldap-ng.ini file: +To configure warning before password expiration, you must set two variables in Active Directory parameters in Manager
- +  * **Password max age** : number of seconds after the last password change, before it expires. It must match AD policy 
-  * _pwdExpireWarning : number of seconds between password expiration and the date from which user is warned his password will expire. +  * **Password expire warning** : number of seconds between password expiration and the date from which user is warned his password will expire.
-  ​_pwdMaxAge ​: number of seconds after the last password change, before it expires. It must match AD policy +
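Review bot: the new "Password max age" and "Password expire warning" bullets drop the key names `_pwdMaxAge` and `_pwdExpireWarning` that the removed lines gave, so a reader coming from a lemonldap-ng.ini setup cannot map the old settings to the Manager fields. Suggest keeping each key name in parentheses after its Manager label, and adding a sentence on what the user sees when "Password max age" does not match the AD policy, since the bullet only says "It must match AD policy". In the two edited bullets above, "as 6th flag set to 8" and "it as no reality" still read "as" for "has", the `+` side shows "2003)It" and "expiration)However" run together without a sentence break, and "6th flag set to 8" should say which bit or hex digit of msDS-User-Account-Control-Computed is tested, because this is the check that decides whether a password is treated as expired.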