This article applies to AppGate (classic).
The feature and how to configure it are explained here:
Note: this feature is about password expiration, not "account" expiration. The expiration date of a password is set at the domain level, not on the user object; it is a calculated value. For more details, please read here:
In Active Directory, the maximum password age must be defined. A simple domain example:
In this example the maximum password age is 1 day. Whether a user's password has expired has to be calculated. In theory this is done as follows:
The password expiration date is not an attribute on the user object. It is a calculated value based on the sum of pwdLastSet for the user and maxPwdAge of the user's domain. To get the password expiration date, get the IADsUser.PasswordExpirationDate property. You cannot modify this attribute for a user; instead, set the IADsDomain.MaxPasswordAge property to change the setting for the domain.
How AppGate calculates when to warn
AppGate calculates whether the remaining time before a password expires falls within the warning period using the following approach:
Note: the following timestamps are UNIX timestamps, as they are used in AppGate.
warnDays = X #X = "number of days to warn before password expires"
now = 1418122792 #Tue, 09 Dec 2014 10:59:52 GMT
maxPwdAge = 86400 #value from Domain object
pwdLastSet = 1418046954 #Mon, 08 Dec 2014 13:55:54; value from user object
if now > ((pwdLastSet + maxPwdAge) - 86400 * warnDays) then warn()
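The rule above as a runnable Python sketch. This is an added example, not AppGate's code: the function names, the state labels and the handling of the "never expires" and "must change" cases are assumptions. It goes beyond the article by also converting the raw directory values (100 ns ticks, negative maxPwdAge) into the UNIX seconds used in the formula.

```python
# Added example; function names are hypothetical, sample values are the article's.
DAY = 86400
EPOCH_DIFF = 11644473600          # seconds from 1601-01-01 to 1970-01-01
UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl bit: password never expires
NEVER = -(2 ** 63)                # maxPwdAge value AD uses for "no expiry"


def filetime_to_unix(ticks):
    """AD timestamp (100 ns ticks since 1601) -> UNIX seconds."""
    return ticks // 10_000_000 - EPOCH_DIFF


def max_age_to_seconds(raw):
    """Raw maxPwdAge is a negative tick count; 0 or NEVER mean no expiry."""
    return 0 if raw in (0, NEVER) else abs(raw) // 10_000_000


def password_state(now, pwd_last_set, max_pwd_age, warn_days, uac=0x200):
    """Classify a password using UNIX-second inputs, as in the article.

    Returns (state, seconds_left); state is one of
    'never_expires', 'expired', 'warn', 'ok'.
    """
    if uac & UF_DONT_EXPIRE_PASSWD or max_pwd_age == 0:
        return ("never_expires", None)
    expires = pwd_last_set + max_pwd_age
    left = expires - now
    if left <= 0:
        return ("expired", 0)
    # The article's rule: warn once "now" is inside the warning window.
    if now > expires - DAY * warn_days:
        return ("warn", left)
    return ("ok", left)


def state_from_ad(now, raw_pwd_last_set, raw_max_pwd_age, warn_days, uac=0x200):
    """Same check, starting from the raw directory attribute values."""
    if raw_pwd_last_set == 0:     # AD: user must change password at next logon
        return ("must_change", 0)
    return password_state(now, filetime_to_unix(raw_pwd_last_set),
                          max_age_to_seconds(raw_max_pwd_age), warn_days, uac)
```

With the article's values and an assumed warnDays of 1, `password_state(1418122792, 1418046954, 86400, 1)` reports a warning with 10562 seconds left before expiry.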
Configuration in AppGate Console
When a user logs in and the AppGate Server is configured to warn users x days before the password expires, a message like the following is shown:
Set ag_userd to debug 4. The logs will show the following lines if a warning should be shown (the values match the calculation above):
ag_userd get_ad_pass_flags(): maxPwdAge = 86400, pwdLastSet = 1418046954, time() - pwdLastSet = 73782, userAccountControl = 0x200, flags = CAN_EXPIRE WARN_EXPIRE CAN_CHANGE , 0 seconds