Administration Guide
14.1.6. ShadowAccount

The ShadowAccount attributes defined in 10rfc2307.ldif are closely related to the password policy.
The ShadowAccount attributes are:
shadowLastChange - Indicates the number of days between January 1, 1970 and the day when the user password was last changed. (single-valued)
shadowExpire - Indicates the date on which the user login will be disabled. (single-valued)
shadowFlag - not currently in use.
shadowInactive - Indicates the number of days of inactivity allowed for the user. (single-valued)
shadowMax - Indicates the maximum number of days for which the user password remains valid. (single-valued)
shadowMin - Indicates the minimum number of days required between password changes. (single-valued)
shadowWarning - The number of days of advance warning given to the user before the user password expires. (single-valued)
If an entry contains the shadowAccount objectclass, the shadowAccount attributes are automatically filled with values derived from the password policy. Note that even if no password policy is configured, the defaults passwordMinAge: 0, passwordMaxAge: 8640000, and passwordWarning: 86400 are set in the configuration.

shadowLastChange

When an entry that has a user password is added, shadowLastChange is set to 0 if passwordMustChange is on in the password policy that the entry follows. Otherwise, it is set to the number of days between January 1, 1970 and the day when the entry is added.
dn: cn=cn\3DnsPwPolicyEntry\2Cou\3DPeople\2Cdc\3Dexample\2Cdc\3Dcom,cn=nsPwPolicyContainer,ou=People,dc=example,dc=com
passwordMustChange: on

dn: uid=tuser,ou=People,dc=example,dc=com
shadowLastChange: 0

When a user password is updated, the value of shadowLastChange is replaced with the number of days between January 1, 1970 and the day when the user password is updated.

dn: uid=tuser,ou=People,dc=example,dc=com
shadowLastChange: 16724

If an entry being added does not contain a user password, even if it is a shadowAccount entry, shadowLastChange is not added.

Note: shadowLastChange is now also a target of Windows Synchronization with Active Directory.

Other shadowAccount attributes

The other values are automatically filled with the password policy values as follows.

shadowMin = passwordMinAge / (60 * 60 * 24)
shadowMax = passwordMaxAge / (60 * 60 * 24)
shadowWarning = passwordWarning / (60 * 60 * 24)
shadowExpire = (current_time() + passwordMaxAge) / (60 * 60 * 24)
shadowFlag = 0 ## not currently in use.

shadowInactive is not auto-filled since there is no corresponding policy.
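The derivation above, written out as an added example in Python (this is not code from the Administration Guide or from the directory server itself). The function name, the dictionary layout and the constructed sample times are my own; the defaults and formulas are the ones stated in this section, including the three cases for shadowLastChange and the omission of shadowInactive.

```python
"""Derive shadowAccount attribute values from a password policy (added example)."""
from __future__ import annotations
import time

SECONDS_PER_DAY = 60 * 60 * 24

# Defaults the server applies when no password policy is configured (from the guide).
DEFAULT_POLICY = {
    "passwordMinAge": 0,
    "passwordMaxAge": 8640000,
    "passwordWarning": 86400,
    "passwordMustChange": "off",
}


def shadow_attributes(policy: dict | None, has_user_password: bool,
                      now: int | None = None, password_changed: bool = False) -> dict:
    """Return the shadowAccount attributes the server would auto-fill.

    policy: the password policy the entry follows (None means server defaults).
    has_user_password: whether the entry carries a userPassword attribute.
    now: seconds since the epoch; defaults to the current time.
    password_changed: True for a password update, False for an entry add.
    """
    p = {**DEFAULT_POLICY, **(policy or {})}       # local policy overrides defaults
    now = int(time.time()) if now is None else now
    attrs = {
        "shadowMin": p["passwordMinAge"] // SECONDS_PER_DAY,
        "shadowMax": p["passwordMaxAge"] // SECONDS_PER_DAY,
        "shadowWarning": p["passwordWarning"] // SECONDS_PER_DAY,
        "shadowExpire": (now + p["passwordMaxAge"]) // SECONDS_PER_DAY,
        "shadowFlag": 0,  # not currently in use
    }
    # shadowInactive has no corresponding policy attribute, so it is never filled.
    if has_user_password:
        if not password_changed and p["passwordMustChange"] == "on":
            attrs["shadowLastChange"] = 0          # forced change on first bind
        else:
            attrs["shadowLastChange"] = now // SECONDS_PER_DAY
    # An entry without a user password gets no shadowLastChange at all.
    return attrs


if __name__ == "__main__":
    sample_now = 16724 * SECONDS_PER_DAY          # constructed: day 16724 since the epoch
    print(shadow_attributes({"passwordMustChange": "on"}, True, now=sample_now))
    print(shadow_attributes(None, True, now=sample_now, password_changed=True))
```

With the defaults, shadowMax comes out as 100 days and shadowWarning as 1 day, which is a quick way to check that a policy value given in seconds has been converted correctly.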