2 changes: 2 additions & 0 deletions server/src/main/java/password/pwm/config/PwmSetting.java
Expand Up @@ -252,6 +252,8 @@ public enum PwmSetting
"ldap.namingAttribute", PwmSettingSyntax.STRING, PwmSettingCategory.LDAP_ATTRIBUTES ),
PASSWORD_LAST_UPDATE_ATTRIBUTE(
"passwordLastUpdateAttribute", PwmSettingSyntax.STRING, PwmSettingCategory.LDAP_ATTRIBUTES ),
PASSWORD_EXPIRATION_TIME_ATTRIBUTE(
"passwordExpirationTimeAttribute", PwmSettingSyntax.STRING, PwmSettingCategory.LDAP_ATTRIBUTES ),
LDAP_USER_GROUP_ATTRIBUTE(
"ldap.user.group.attribute", PwmSettingSyntax.STRING, PwmSettingCategory.LDAP_ATTRIBUTES ),
LDAP_GROUP_LABEL_ATTRIBUTE(
14 changes: 12 additions & 2 deletions server/src/main/java/password/pwm/ldap/LdapOperationsHelper.java
Expand Up @@ -849,11 +849,21 @@ public static Map<String, List<String>> readAllEntryAttributeValues( final ChaiE
return Collections.emptyMap();
}

public static Instant readPasswordExpirationTime( final ChaiUser theUser )
public static Instant readPasswordExpirationTime(
final PwmDomain pwmDomain,
final SessionLabel sessionLabel,
final UserIdentity userIdentity
)
{
try
{
Instant ldapPasswordExpirationTime = theUser.readPasswordExpirationDate();
final ChaiUser theUser = pwmDomain.getProxiedChaiUser( sessionLabel, userIdentity );

final LdapProfile ldapProfile = pwmDomain.getConfig().getLdapProfiles().get( userIdentity.getLdapProfileID() );
final String expirationTimeAttribute = ldapProfile.readSettingAsString( PwmSetting.PASSWORD_EXPIRATION_TIME_ATTRIBUTE );

Instant ldapPasswordExpirationTime = expirationTimeAttribute != null ? theUser.readDateAttribute( expirationTimeAttribute ) : theUser.readPasswordExpirationDate();

if ( ldapPasswordExpirationTime != null && ldapPasswordExpirationTime.toEpochMilli() < 0 )
{
// If ldapPasswordExpirationTime is less than 0, this may indicate an extremely late date, past the epoch.
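Review bot: The fallback to `theUser.readPasswordExpirationDate()` on the `Instant ldapPasswordExpirationTime = ...` line only fires when the setting value is null; if `readSettingAsString` yields an empty string for the unset default (the XML default for this setting is an empty `<value/>`), the code calls `readDateAttribute("")` instead of falling back to the directory's native value. Guarding on emptiness as well, `Instant ldapPasswordExpirationTime = expirationTimeAttribute != null && !expirationTimeAttribute.isEmpty() ? theUser.readDateAttribute( expirationTimeAttribute ) : theUser.readPasswordExpirationDate();`, keeps the previous behaviour for configurations that never set the attribute. A short Javadoc on the new signature stating that a configured attribute name takes precedence over the directory's own expiration value would help the two call sites updated in this change. readPasswordExpirationTime's body, including its catch clauses, continues outside the hunk.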
2 changes: 1 addition & 1 deletion server/src/main/java/password/pwm/ldap/UserInfoReader.java
Expand Up @@ -203,7 +203,7 @@ public UserIdentity getUserIdentity( )
@Override
public Instant getPasswordExpirationTime( ) throws PwmUnrecoverableException
{
return LdapOperationsHelper.readPasswordExpirationTime( chaiUser );
return LdapOperationsHelper.readPasswordExpirationTime( pwmDomain, sessionLabel, userIdentity );
}

@Override
Expand Up @@ -20,7 +20,6 @@

package password.pwm.svc.pwnotify;

import com.novell.ldapchai.ChaiUser;
import password.pwm.PwmDomain;
import password.pwm.bean.EmailItemBean;
import password.pwm.bean.UserIdentity;
Expand Down Expand Up @@ -238,8 +237,8 @@ private void processUserIdentity(
}

examinedCount.incrementAndGet();
final ChaiUser theUser = pwmDomain.getProxiedChaiUser( pwNotifyService.getSessionLabel(), userIdentity );
final Instant passwordExpirationTime = LdapOperationsHelper.readPasswordExpirationTime( theUser );

final Instant passwordExpirationTime = LdapOperationsHelper.readPasswordExpirationTime( pwmDomain, pwNotifyService.getSessionLabel(), userIdentity );

if ( passwordExpirationTime == null )
{
7 changes: 7 additions & 0 deletions server/src/main/resources/password/pwm/config/PwmSetting.xml
Expand Up @@ -623,6 +623,13 @@
<value/>
</default>
</setting>
<setting hidden="false" key="passwordExpirationTimeAttribute" level="2">
<ldapPermission actor="proxy" access="write"/>
<regex>^[a-zA-Z][a-zA-Z0-9-]*$</regex>
<default>
<value/>
</default>
</setting>
<setting hidden="false" key="ldap.user.group.attribute" level="2">
<regex>^[a-zA-Z][a-zA-Z0-9-]*$</regex>
<default>
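Review bot: The new `passwordExpirationTimeAttribute` setting declares `<ldapPermission actor="proxy" access="write"/>`, yet the only use of the attribute in this change is a read (`readDateAttribute` in LdapOperationsHelper); the write level looks copied from the neighbouring `passwordLastUpdateAttribute`, which the application does write. Because this element tells administrators which rights to grant the proxy account, declaring write here over-grants; if the schema offers a read-only access level use that, otherwise document in the setting description why write is actually required. The `^[a-zA-Z][a-zA-Z0-9-]*$` regex usefully confines the value to an attribute-type name, so the configured string cannot carry filter or DN syntax into the directory call.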
Expand Up @@ -576,6 +576,7 @@ Setting_Description_changePassword.enable=Enable or Disable the change password
Setting_Description_password.allowChange.queryMatch=Specify the permissions used to detect if @PwmAppName@ permits users to change their passwords.
Setting_Description_password.change.requireCurrent=Enable this option to require users to provide their current passwords on the Change Password page. You must enable this option if users are using a single sign-on service. In most cases, this is not required because the single sign-on service authenticates the users prior to accessing the Change Password page.
Setting_Description_passwordLastUpdateAttribute=Specify the attribute that @PwmAppName@ uses to mark when the user updates password. Plus @PwmAppName@ uses it during replication checks and other processes.
Setting_Description_passwordExpirationTimeAttribute=Specify the attribute that @PwmAppName@ uses to read the user password expiration time.
Setting_Description_password.policy.ADComplexity=Enforce Microsoft Active Directory 2003 style password complexity rules\:<ul><li>Not contain the user's account name or parts of the user's full name that exceed two consecutive characters</li><li>Be at least six characters in length</li><li>Contain characters from three of the following four categories\:<ul><li>English uppercase characters (A through Z)</li><li>English lowercase characters (a through z)</li><li>Base 10 digits (0 through 9)</li><li>Non-alphabetic characters (for example, \!, $, \#, %)</li></ul></ul>
Setting_Description_password.policy.ADComplexityLevel=Select the Microsoft Active Directory style password complexity rules. <p><code>AD 2003 Level Complexity\:</code></p> <ul> <li>Cannot contain the user's account name or parts of the user's full name that exceed two consecutive characters</li> <li>Minimum 6 characters</li> <li>Maximum 128 characters</li> <li> Must contain characters from three of the following four categories\: <ul> <li>English uppercase characters (A through Z)</li> <li>English lowercase characters (a through z)</li> <li>Base 10 digits (0 through 9)</li> <li>Non-alphabetic characters (For example, \!, $, \#, %)</li> </ul> </li> </ul> <p><code>AD 2008 Level Complexity\:</code></p> <ul> <li>Cannot contain the user's account name or parts of the user's full name that exceed two consecutive characters</li> <li>Minimum 6 characters</li> <li>Maximum 512 characters</li> <li> Must contain characters from several of the following categories. The setting <a data-gotoSettingLink\="password.policy.ADComplexityMaxViolations">@PwmSettingReference\:password.policy.ADComplexityMaxViolations@</a> specifies the exact number of catagories.<ul> <li>European language uppercase alphabetic characters</li> <li>European language lowercase alphabetic characters</li> <li>Base 10 digits (0 through 9)</li> <li>Non-alphabetic characters (for example, \!, $, \#, %)</li> <li>Other alphabetic characters not included in the other categories</li> </ul> </li> </ul>
Setting_Description_password.policy.ADComplexityMaxViolations=Specify the maximum number of Active Directory 2008 Level Complexity category violations. This setting has no effect unless the setting <a data-gotoSettingLink\="password.policy.ADComplexityLevel">@PwmSettingReference\:password.policy.ADComplexityLevel@</a> is set to <code>AD 2008 Level Complexity</code>.
Expand Down Expand Up @@ -1117,6 +1118,7 @@ Setting_Label_changePassword.enable=Enable Change Password Module
Setting_Label_password.allowChange.queryMatch=Change Password Profile Match
Setting_Label_password.change.requireCurrent=Require Current Password During Change
Setting_Label_passwordLastUpdateAttribute=Last Password Update Attribute
Setting_Label_passwordExpirationTimeAttribute=Password Expiration Time Attribute
Setting_Label_password.policy.ADComplexity=DEPRECATED-Enforce Microsoft-AD 2003 Password Complexity
Setting_Label_password.policy.ADComplexityLevel=Active Directory Password Complexity
Setting_Label_password.policy.ADComplexityMaxViolations=Active Directory 2008 Password Complexity Maximum Violations