Change passwordexpiry date

Hi all, for administrative reasons I need to change the password expiry date, but using the command:

udm users/user modify --dn uid=dnofuser --modify passwordexpiry=2018-11-30

the output is:

value may not change.: passwordexpiry

Is there any other method to shift the date?

Thank you

What is it you wish to achieve?

  • expire date for user account/login
  • password change policy

expire date for user account/login

udm users/user modify --dn uid=dnofuser --set userexpiry=2018-08-23


No, sorry, I misunderstood; I need to change the password expiry policy.

Thank you.

See the manual:
Be aware that you may have to set the password policy for Samba / Windows clients separately (section 6.3).

Does anyone know what the name of the password expiry date parameter is?
Where can I find the list of all these parameters?


Depends on the context (e.g. where you want to use the name). UDM-CLI will list all attributes for you via --help, in this case:

$ udm users/user --help
univention-directory-manager: command line interface for managing UCS
users/user variables:
        Locked login
                passwordexpiry (e)                       Password expiry date

(I have omitted the other attributes)


Thanks for the help and quick response.

udm users/user modify --dn "uid=xpto,ou=users,ou=abc,ou=enterprise,dc=sandbox,dc=pt,dc=corp" --set passwordexpiry=2023-02-16
it returns
Value may not change.: passwordexpiry

Why is it not possible to change this value?

You are right, I got the same. However the value does change for me when I set the pwdChangeNextLogin to 1 → I guess the value may not change because it will be set by processes like this one.
As my colleague wrote some years ago, userexpiry still works; furthermore, you can use a password expiry policy: 4.6. Policies — Univention Corporate Server - Manual for users and administrators

My goal is to force people to change their password at the next login; however, imagine the following scenario.

  • User with the option to change the password checked.
    The person is on vacation and does not have access to the PC or Univention to log in and be forced to change the password, but he will check email through webmail. As the email is authenticated with LDAP, the person has no access to the email because of the field “password expiry date”.
    How can I get around this situation?

I understand your problem, but I cannot give you a good way to circumvent this without thinking about it longer - I mean, in the end it’s a security feature and you exactly want the user to be unable to use the old password any longer. :smiley: But I can see your use case. For now I would just suggest giving the user a way to change the password remotely.