By: Pawel Pietrzynski, 23 Mar 2019 at 11:17 a.m. CDT

1 Response
The general behaviour in access management and directory systems is to save the password-set timestamp and apply password expiry based on the max password lifetime from that date. That password-set timestamp should always be applied to the profile, regardless of whether expiry is on or not, whenever GLUU sets a user password. The GLUU implementation hardcodes the password expiry date instead, and this has several downsides:

* people who set their passwords before expiry was introduced will never expire
* if the expiry interval is ever updated/extended, the currently set passwords will not change their set expiry
* I don't see any attributes tracking when a password was set, which is useful for audit or security purposes (such as if a password policy changes and you want to know which passwords have been updated)

Overall I understand you don't necessarily want to leverage the password-setting attributes from different LDAPs given they're all different per implementation, but having your own is a good first step. The second step would be adapting to the underlying directory implementation to read it from there, but that's way more extensive work and testing. The attribute should also be updated if the password is reset via forgot password, the admin GUI, SCIM or other methods in GLUU.
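To illustrate the two models the post contrasts, here is an added example (not code from the ticket or from Gluu itself) that derives expiry from a stored set timestamp and compares it with a hardcoded absolute expiry date after the max lifetime policy is shortened; the attribute names, user records and dates are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

@dataclass
class UserRecord:
    uid: str
    # Hypothetical "passwordSetTime" attribute; None means the password was
    # set before the timestamp was tracked (the first downside in the post).
    password_set_time: Optional[datetime]
    # Absolute expiry written at set time under the old 90-day policy,
    # i.e. the hardcoded behaviour the post criticises. None = never expires.
    hardcoded_expiry: Optional[datetime]

def expiry_from_set_time(user: UserRecord, max_lifetime_days: int,
                         now: datetime) -> datetime:
    """Expiry derived from the set timestamp under the *current* policy.
    A missing timestamp is treated as 'age unknown': expire now and force a
    change rather than exempting the account from the policy forever."""
    if user.password_set_time is None:
        return now
    return user.password_set_time + timedelta(days=max_lifetime_days)

def is_expired_dynamic(user: UserRecord, max_lifetime_days: int,
                       now: datetime) -> bool:
    return now >= expiry_from_set_time(user, max_lifetime_days, now)

def is_expired_hardcoded(user: UserRecord, now: datetime) -> bool:
    """The stored absolute date ignores any later policy change."""
    return user.hardcoded_expiry is not None and now >= user.hardcoded_expiry

def set_since(users: List[UserRecord], cutoff: datetime) -> List[str]:
    """Audit helper: which passwords were (re)set on or after a policy
    change? Only possible when the set timestamp is recorded."""
    return [u.uid for u in users
            if u.password_set_time is not None and u.password_set_time >= cutoff]

# Constructed sample data: policy was 90 days when these were set.
UTC = timezone.utc
NOW = datetime(2019, 3, 23, tzinfo=UTC)
ALICE = UserRecord("alice", datetime(2019, 1, 1, tzinfo=UTC), datetime(2019, 4, 1, tzinfo=UTC))
BOB = UserRecord("bob", None, None)          # set before expiry existed
CAROL = UserRecord("carol", datetime(2019, 3, 1, tzinfo=UTC), datetime(2019, 5, 30, tzinfo=UTC))
USERS = [ALICE, BOB, CAROL]
NEW_MAX_LIFETIME_DAYS = 60                    # policy tightened after the fact

if __name__ == "__main__":
    for u in USERS:
        print(u.uid, "hardcoded:", is_expired_hardcoded(u, NOW),
              "derived:", is_expired_dynamic(u, NEW_MAX_LIFETIME_DAYS, NOW))
    print("set since 2019-02-01:", set_since(USERS, datetime(2019, 2, 1, tzinfo=UTC)))
```

Under the tightened policy the derived check expires alice and forces bob to change, while the hardcoded dates still report both as valid.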

By: Michael Schwartz (Account Admin), 23 Mar 2019 at 5:17 p.m. CDT

You can handle it however you want in the script. If you switch to Couchbase, your LDAP specific solution will need to be reimplemented. I'm closing this ticket unless you have a specific question.