Password Policy

Marketplace URL: Password Policy

Command to expire a user or group of users’ passwords.

Command Description

sudo -u www-data php occ user:expire-password <uid> [<expiredate>]

Arguments

uid

User ID.

expiredate

The date and time when a password expires,
e.g. 2019-01-01 14:00:00 CET or -1 days.

The expiry date can be provided using any of PHP’s supported date and time formats.

Options

-a, --all

Will add password expiry to all known users. uid and group option are discarded if the option is provided by user.

-u [UID]
--uid=[UID]

The uid of the user to expire the password for.
To expire the password of multiple users, pass the -u or --uid option multiple times, as in this example: --uid "Alice" --uid "Bob".

-g [GROUP]
--group=[GROUP]

Add password expiry to user(s) in one or more groups.
This option can be used as --group foo --group bar to add expiry passwords for users in multiple groups.

If an expiry date is not supplied, the password will expire with immediate effect. This is because the password will be set as being expired 24 hours before the command was run. For example, if the command was run at 2018-07-12 13:15:28 UTC, then the password’s expiry date will be set to 2018-07-11 13:15:28 UTC.

After the command completes, console output, similar to that below, confirms when the user’s password is set to expire.

The password for frank is set to expire on 2018-07-12 13:15:28 UTC.

Command Examples

# The password for user "frank" will be set as being expired 24 hours before the command was run.
sudo -u www-data php occ user:expire-password -u frank

# Expire the user "frank"'s password in 2 days time.
sudo -u www-data php occ user:expire-password -u frank '+2 days'

# Expire the user "frank"'s password on the 15th of August 2005, at 15:52:01 in the local timezone.
sudo -u www-data php occ user:expire-password --uid frank '2005-08-15T15:52:01+00:00'

# Expire the user "frank"'s password on the 15th of August 2005, at 15:52:01 UTC.
sudo -u www-data php occ user:expire-password --uid frank '15-Aug-05 15:52:01 UTC'

Caveats

Please be aware of the following implications of enabling or changing the password policy’s "days until user password expires" option.

  • Administrators need to run the occ user:expire-password command to initiate expiry for new users.

  • Passwords will never expire for users who have not changed their initial password, because they do not have a password history. To force password expiration use the occ user:expire-password command.

  • A password expiration date will be set after users change their password for the first time. To force password expiration use the occ user:expire-password command.

  • Passwords changed for the first time, will expire based on the active password policy. If the policy is later changed, it will not update the password’s expiry date to reflect the new setting.

  • Password expiration dates of users where the administrator has run the occ user:expire-password command won’t automatically update to reflect the policy change. In these cases, Administrators need to run the occ user:expire-password command again and supply a new expiry date.