Computing and Information Services

Setting the passwordExpired flag in tamuStatus

Password status information is maintained in the relational databases that support directory services, so checking for expired passwords is a fairly simple database application. Every night a series of processes runs that checks the status of every password stored in the directory. Using the data stored in the databases, the age of each password is calculated and, if it exceeds the time limit, the passwordExpired flag is added to the tamuStatus attribute for that entry.

Using database technology for account management allows CIS to maintain critical data such as password history more thoroughly and efficiently. This methodology also offloads a fair amount of the processing associated with aging a password. Because these processes run offline, that is, against the database rather than the directory, the servers running LDAP are not hit with a heavy processing load. This matters because every update to LDAP must be replicated to the slave servers. Logins can also be quicker, since they only test a flag instead of calculating an expiration date. Finally, database management systems have good audit and reporting capabilities.

It is important to note that all NetIDs and passwords are stored in the databases supporting directory services, so password management policies can be applied to every account, including accounts that are inactive or that never access systems which check for expired credentials. The process of aging passwords and disabling accounts runs even for these inactive NetIDs.
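The following is an added illustration of the three points above (the nightly aging job, the flag-only test at login, and aging applied to inactive NetIDs); it is not CIS code and does not reflect the real directory schema. It assumes a hypothetical two-table layout in SQLite, where the multi-valued tamuStatus attribute is modelled as one row per value, and an assumed maximum password age of 180 days, since the page gives no figure.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumed policy value; the page does not state the actual time limit.
MAX_PASSWORD_AGE = timedelta(days=180)
EXPIRED_FLAG = "passwordExpired"

# Hypothetical schema. tamu_status holds one row per value of the
# multi-valued tamuStatus attribute; the composite key keeps the
# nightly job idempotent (a flag cannot be added twice).
SCHEMA = """
CREATE TABLE netid (
    netid           TEXT PRIMARY KEY,
    password_set_at TEXT NOT NULL,   -- ISO-8601 UTC timestamp
    active          INTEGER NOT NULL -- 1 = active, 0 = inactive NetID
);
CREATE TABLE tamu_status (
    netid TEXT NOT NULL REFERENCES netid(netid),
    value TEXT NOT NULL,
    PRIMARY KEY (netid, value)
);
"""


def open_db(now):
    """Build an in-memory database with constructed sample NetIDs."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    rows = [
        ("alice", (now - timedelta(days=30)).isoformat(), 1),   # fresh password
        ("bob",   (now - timedelta(days=200)).isoformat(), 1),  # flagged last night
        ("carol", (now - timedelta(days=400)).isoformat(), 0),  # inactive, still aged
        ("dave",  (now - timedelta(days=181)).isoformat(), 1),  # just crossed the limit
    ]
    conn.executemany("INSERT INTO netid VALUES (?, ?, ?)", rows)
    conn.execute("INSERT INTO tamu_status VALUES (?, ?)", ("bob", EXPIRED_FLAG))
    conn.commit()
    return conn


def age_passwords(conn, now):
    """Nightly job: flag every password older than the limit, active or not.

    Returns the NetIDs that were newly flagged on this run.
    """
    cutoff = (now - MAX_PASSWORD_AGE).isoformat()
    cur = conn.execute(
        """
        SELECT n.netid FROM netid n
        WHERE n.password_set_at < ?
          AND NOT EXISTS (SELECT 1 FROM tamu_status s
                          WHERE s.netid = n.netid AND s.value = ?)
        ORDER BY n.netid
        """,
        (cutoff, EXPIRED_FLAG),
    )
    newly = [row[0] for row in cur.fetchall()]
    conn.executemany(
        "INSERT INTO tamu_status VALUES (?, ?)",
        [(n, EXPIRED_FLAG) for n in newly],
    )
    conn.commit()
    return newly


def password_expired(conn, netid):
    """Login-time check: test the precomputed flag, no date arithmetic."""
    row = conn.execute(
        "SELECT 1 FROM tamu_status WHERE netid = ? AND value = ?",
        (netid, EXPIRED_FLAG),
    ).fetchone()
    return row is not None


def reset_password(conn, netid, now):
    """A password change restarts the clock and clears the flag."""
    conn.execute(
        "UPDATE netid SET password_set_at = ? WHERE netid = ?",
        (now.isoformat(), netid),
    )
    conn.execute(
        "DELETE FROM tamu_status WHERE netid = ? AND value = ?",
        (netid, EXPIRED_FLAG),
    )
    conn.commit()


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for reproducibility
    db = open_db(now)
    print("newly flagged:", age_passwords(db, now))
    for name in ("alice", "bob", "carol", "dave"):
        print(name, "expired" if password_expired(db, name) else "ok")
```

Two details carry the design point of the page: the only time-based computation happens in `age_passwords`, which runs once against the database, while `password_expired` is the cheap test a login path performs; and the job filters on password age alone, so the inactive NetID in the sample is flagged like any other.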