APS Password Expiration is not triggered when the following configuration is used.
Use case:
- Symantec Directory as the user store (in this example; it can be any LDAP store)
- APS enabled and Symantec Directory extended with the APS schema
- Test user VDAAAA
- VDAAAA belongs to a test group Group0, as shown:
dn: cn=Group0,dc=example,dc=com
cn: Group0
objectClass: top
objectClass: groupofuniquenames
uniqueMember: cn=VDAAAA,ou=OrgUnit0,dc=example,dc=com
- APS.cfg modified to contain the following:
* A class called @Group0 that should apply to any user in the LDAP store who belongs to the group Group0:
@Group0=IsLDAP() AND (IsInGroup("cn=Group0,dc=example,dc=com"))
and
Password Expiration=0
Password Expiration={@Group0} 2
- The test user VDAAAA has the following APS attributes:
smapsBaseDate: 20240910135002Z --> this means 10 SEP 2024 at 13:50:02 UTC
smapsFailureCount: 0 20240917140800Z
smapsNextAction: 99999999999999Z CYCLE COMPLETE
smapsLastLogin: 20240917140800Z 10.36.50.9
smapsPreviousLogin: 20240910134536Z 10.36.50.9
smapsTotalLogins: 451
smapsDisableUntil:
smapsFailuresSinceLastLogin:
smapsLoginHistory:
smapsTotalFailures:
- The test was performed on 18 SEP 2024. Based on the configuration, the expectation is that the 2-day Password Expiration should apply, since the user belongs to Group0 and smapsBaseDate is 10 SEP 2024.
Observed: the user is able to authenticate instead of being rejected.
Any supported SiteMinder release
This is by design: the default Password Expiration directive (the one without a class) is enabled and set to 0.
When Password Expiration is set without a class definition, it always takes precedence over any class-qualified Password Expiration.
In the test configuration above, the default Password Expiration (without any class definition) is enabled, so APS evaluates it first. Because its value is 0, which by design means the Password Expiration functionality is disabled, the code exits there and the class-qualified directive is never evaluated.
So with this test configuration:
Password Expiration=0
Password Expiration={@Group0} 2
the default applies, and since its value is 0 the Password Expiration function is disabled and the user is allowed access.
If the configuration is changed to:
Password Expiration=60 --> this means 60 days
Password Expiration={@Group0} 2 --> this means 2 days if the user belongs to the group
and the same test is performed on 18 SEP 2024 with smapsBaseDate 10 SEP 2024, the default Password Expiration is evaluated first. Its value is now 60, so the password is not expired under the default, and the code moves on to the class-qualified Password Expiration to see whether it applies.
Since the user belongs to the group, the Password Expiration for the class applies and the user's password is determined to be expired (smapsBaseDate 10 SEP 2024 13:50:02 + 2 days = 12 SEP 2024 13:50:02), and the following is printed in the logs:
LogMessage:INFO:[sm-Server-03580] [SM-APS-00111] APS: Rejecting Login. Password expired as of Thu 12 Sep 2024 01:50:02 PM GMT GMT. No grace logins remain.][22:37:56][SmAuthUser.cpp:823][][]
LogMessage:INFO:[sm-Server-03580] [SM-APS-55143] Mail File not found: "ExpiredPassword.email".][22:37:56][SmAuthUser.cpp:823][][]
So if the design is to use password expiry only for a specific set of users, use the class configuration: enable only the class-qualified Password Expiration directives and leave the default (un-classed) directive out, commented out, so it does not fire and take precedence over the class-qualified ones. Note that setting the default to 0 does not achieve this; it disables expiration for everyone, including the classes.
Add as many classes as you want, as follows:
@Group0=IsLDAP() AND (IsInGroup("cn=Group0,dc=example,dc=com"))
@Group1=IsLDAP() AND (IsInGroup("cn=Group1,dc=example,dc=com"))
@Group2=IsLDAP() AND (IsInGroup("cn=Group2,dc=example,dc=com"))
#Password Expiration=0 --> commented out, so no default directive is evaluated
Password Expiration={@Group0} 2 --> if the user belongs to Group0, the password expires 2 days after smapsBaseDate
Password Expiration={@Group1} 7 --> if the user belongs to Group1, the password expires 7 days after smapsBaseDate
Password Expiration={@Group2} 100 --> if the user belongs to Group2, the password expires 100 days after smapsBaseDate
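The following Python script is an added illustration, not SiteMinder or APS code. It models the precedence rules stated in the cause section (an un-classed Password Expiration is evaluated first, a value of 0 disables the feature outright, and class-qualified directives are only reached when the default does not reject) and runs them against the three configurations on this page: the original default=0, the default=60 variant, and the class-only resolution above. The config fragments, the user-to-group mappings and the test time (18 SEP 2024, using the 22:37:56 timestamp from the log) are constructed for the example; the parser only understands the directive shapes used on this page, IsLDAP() is assumed to be true for every user checked, and lines starting with '#' are treated as commented out, following the page's own convention.

```python
"""Model of the APS 'Password Expiration' precedence described on this page.

Added example, not SiteMinder/APS code. Directive shapes understood:
  @Class=IsLDAP() AND (IsInGroup("<group dn>"))
  Password Expiration=<days>             default (un-classed) directive
  Password Expiration={@Class} <days>    class-qualified directive
IsLDAP() is assumed true, so a class reduces to membership in the IsInGroup() DN.
"""
import re
from datetime import datetime, timedelta, timezone

CLASS_RE = re.compile(r'^@(\w+)\s*=.*IsInGroup\("([^"]+)"\)')
DEFAULT_RE = re.compile(r'^Password Expiration\s*=\s*(\d+)\s*$')
CLASS_DIR_RE = re.compile(r'^Password Expiration\s*=\s*\{@(\w+)\}\s*(\d+)\s*$')
SMAPS_FMT = "%Y%m%d%H%M%SZ"   # smapsBaseDate format, e.g. 20240910135002Z (UTC)


def parse_aps_cfg(text):
    """Return (classes, default_days, [(class_name, days), ...])."""
    classes, default_days, class_dirs = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):      # '#' comments a directive out
            continue
        if m := CLASS_RE.match(line):
            classes[m.group(1)] = m.group(2).lower()   # DNs compare case-insensitively
        elif m := DEFAULT_RE.match(line):
            default_days = int(m.group(1))
        elif m := CLASS_DIR_RE.match(line):
            class_dirs.append((m.group(1), int(m.group(2))))
    return classes, default_days, class_dirs


def check_expiration(cfg_text, smaps_base_date, user_groups, now):
    """Apply the precedence rules from the cause section.

    Returns (decision, expiry_or_None, reason); expiry is smaps-formatted.
    """
    classes, default_days, class_dirs = parse_aps_cfg(cfg_text)
    base = datetime.strptime(smaps_base_date, SMAPS_FMT).replace(tzinfo=timezone.utc)
    groups = {g.lower() for g in user_groups}

    # 1. The un-classed directive, if present, is evaluated first.
    if default_days is not None:
        if default_days == 0:
            # 0 switches the whole feature off; class directives are never reached.
            return ("allow", None, "default Password Expiration=0 disables expiration")
        expiry = base + timedelta(days=default_days)
        if now >= expiry:
            return ("reject", expiry.strftime(SMAPS_FMT), f"expired under default {default_days} days")

    # 2. Then each class-qualified directive whose class matches the user.
    for cls, days in class_dirs:
        if classes.get(cls) not in groups:
            continue
        expiry = base + timedelta(days=days)
        if now >= expiry:
            return ("reject", expiry.strftime(SMAPS_FMT), f"expired under @{cls} {days} days")

    return ("allow", None, "no applicable directive has expired")


# Constructed APS.cfg fragments reproducing the page's three configurations.
BROKEN_CFG = """
@Group0=IsLDAP() AND (IsInGroup("cn=Group0,dc=example,dc=com"))
Password Expiration=0
Password Expiration={@Group0} 2
"""
DEFAULT_60_CFG = """
@Group0=IsLDAP() AND (IsInGroup("cn=Group0,dc=example,dc=com"))
Password Expiration=60
Password Expiration={@Group0} 2
"""
FIXED_CFG = """
@Group0=IsLDAP() AND (IsInGroup("cn=Group0,dc=example,dc=com"))
@Group1=IsLDAP() AND (IsInGroup("cn=Group1,dc=example,dc=com"))
@Group2=IsLDAP() AND (IsInGroup("cn=Group2,dc=example,dc=com"))
#Password Expiration=0
Password Expiration={@Group0} 2
Password Expiration={@Group1} 7
Password Expiration={@Group2} 100
"""
BASE_DATE = "20240910135002Z"                                      # VDAAAA's smapsBaseDate
TEST_TIME = datetime(2024, 9, 18, 22, 37, 56, tzinfo=timezone.utc)  # constructed test time
GROUP0 = ["cn=Group0,dc=example,dc=com"]

if __name__ == "__main__":
    for name, cfg, groups in [("default=0 (page's failing case)", BROKEN_CFG, GROUP0),
                              ("default=60", DEFAULT_60_CFG, GROUP0),
                              ("class-only, Group0 member", FIXED_CFG, GROUP0),
                              ("class-only, Group2 member", FIXED_CFG, ["cn=Group2,dc=example,dc=com"])]:
        print(f"{name}: {check_expiration(cfg, BASE_DATE, groups, TEST_TIME)}")
```

With the default=0 configuration the model allows VDAAAA through, matching the observation; with default=60 or the class-only configuration it rejects with an expiry of 20240912135002Z, which is the "12 Sep 2024 01:50:02 PM GMT" in the SM-APS-00111 log line. Swapping the user into Group2 (100 days) shows that only the matching class's window applies.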