feat: new Samba AD password attributes

DavidePrincipi · DavidePrincipi · commit 0958e0629c86 · 2025-10-06T15:54:14.000+02:00
Added documentation of:

- Password never expires
- Required password change

Fixed release notes for 8.6.
diff --git a/release_notes.rst b/release_notes.rst
@@ -25,6 +25,11 @@ Major changes on 2025-09-30
   :ref:`password-policy-section` for details. The previous default policy
   for Samba AD was between 1 and 42 days.
 
+- **Samba AD password attributes** -- For internal AD domains, two new
+  attributes can be controlled from the cluster-admin and user portal web
+  interfaces: ``Required password change`` and ``Password never expires``.
+  See :ref:`user_groups-section`.
+
 - **New TLS certificates page** -- The :ref:`TLS certificates
   <certificate_manager-section>` UI page has completed its enhancement
   cycle started in previous releases, providing full management of Let's
diff --git a/user_domains.rst b/user_domains.rst
@@ -241,8 +241,8 @@ Password age
 
 You can toggle password age policy by clicking on the ``Password age`` switch. If enabled, you can configure the following parameters:
 
-* ``Minimum password age``: the minimum number of days that must pass before a new password change.
-* ``Maximum password age``: password expiration time in days. After this period, the password is no longer valid for logins and must be changed. Users can change their expired password with :ref:`user-management-portal-section`.
+* ``Minimum password age`` (default 0): the minimum number of days that must pass before a new password change.
+* ``Maximum password age`` (default 180: password expiration time in days. After this period, the password is no longer valid for logins and must be changed. Users can change their expired password with :ref:`user-management-portal-section`.
 
 Password strength
 -----------------
@@ -357,7 +357,19 @@ When creating a user, the following fields are mandatory:
 * User name
 * Full name (name and surname)
 * Password
-* Email address (optional field)
+
+Optional attributes are:
+
+* Email address -- Corresponds to the standard LDAP ``mail`` attribute. It
+  can be set to the user's personal email address, where password
+  expiration warnings are sent. Some applications may also use it as a
+  valid login name.
+* Password never expires (AD only) -- When enabled, the user's password
+  remains valid indefinitely, bypassing the domain password age policy.
+* Required password change / User has to change password at next login (AD
+  only) -- When enabled, the user is prompted to change their password at
+  the next login.
+
 
 A user can be added to one or more groups.
 
@@ -395,6 +407,8 @@ When creating a user, the following fields are available:
 * Password
 * Group (optional field)
 * Email address (optional field)
+* Password never expires (optional field, AD only)
+* Required password change / User has to change password at next login (optional field, AD only)
 
 The portal is automatically configured on every instance of :ref:`active_directory-section` or :ref:`openldap-section` provider.
 
