Symantec Access Management

 View Only
  • 1.  How to enable "dxPwdIgnoreExpired" attribute for particular user

    Posted Apr 06, 2018 09:53 AM

    As a part of operational setting in DSA configuration we have enabled below parameter which helps in expiration check of the password for some user accounts.

    set password-allow-ignore-expired = true

    But apart from this we have to enable below attribute as well with its value as true.



    Can anyone help/suggest how to achieve this for particular dsa user in order to prevent it from getting lock out?

  • 2.  Re: How to enable "dxPwdIgnoreExpired" attribute for particular user

    Broadcom Employee
    Posted Apr 09, 2018 11:52 AM

    Support case 01003648 is opened for this but for wider audience...


    Once you set the above Password Policy rule, the next step is to manually add 'dxPwdIgnoreExpire' operational attribute to all those user entries you do not want to export and assign a value of 'true' to this attribute as stated at:


    set password-allow-ignore-expired Command - CA Directory - 12.6 - CA Technologies Documentation 


    The rule of 'password-allow-ignore-expired' is tied to operational attribute 'dxPwdIgnoreExpire'.


    The way you can add this to a user entry (or to user entries) that you do not wish to get expired is to use command line tools such as dxmodiy and/or ldapmodify.


    You can find information that here at:


    DXmodify Tool -- Add New or Changed Information to a Directory - CA Directory - 12.6 - CA Technologies Documentation 


    Hope this helps.




  • 3.  Re: How to enable "dxPwdIgnoreExpired" attribute for particular user

    Posted Apr 12, 2018 06:07 AM

    Hi Hitesh,


    Thanks for your reply. But the link you shared is creating some confusion. Can you please explain how to add this particular attribute using the same? As we have already created user with top class and it has this attribute.

  • 4.  Re: How to enable "dxPwdIgnoreExpired" attribute for particular user
    Best Answer

    Broadcom Employee
    Posted Apr 12, 2018 08:02 AM

    Hi DGMiddlewareAccessManagement,


    I don't believe simply having a top class for a user exposed this attribute even if password policy is enabled. This specific attribute (and it's value as 'TRUE') has to be added manually.


    Here is an example:


    Let's say the user in question is:



    To mark this user with password never expires, you need to create a LDIF file as following and run dxmodify OR ldapmodify command line tool as below.


    e.g. Let's call it a test.ldif and it should contain:

    changetype: modify
    add: dxPwdIgnoreExpired
    dxPwdIgnoreExpired: TRUE

    See the link I posted earlier if any doubt on dxmodify and LDIF file example.

    Now from command line (assuming anonymous access is enabled to DSA):

    dxmodify -h {hostname}:{port} -f test.ldif


    If the DSA is locked down (with no anon access), you need to use a bind DN and password to run the above command, 

    dxmodify -h {hostname}:{port} -D "cn=xyz,ou=abc,o=mycompany,c=us" -w {password} -f test.ldif

    NOTE: All DN values mentioned about are made up so you want to use your actual values replacing what I stated above for this to work.


    I have also updated the support case that you have open with us, with same information. I put it here so others from community can benefit, if anyone has this same question.