directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Michael Davis (JIRA)" <j...@apache.org>
Subject [jira] [Created] (DIRAPI-299) Unable to change expired password unless logging in as admin.
Date Tue, 08 Aug 2017 21:11:00 GMT
Michael Davis created DIRAPI-299:
------------------------------------

             Summary: Unable to change expired password unless logging in as admin.
                 Key: DIRAPI-299
                 URL: https://issues.apache.org/jira/browse/DIRAPI-299
             Project: Directory Client API
          Issue Type: Bug
    Affects Versions: 1.0.0-RC2
            Reporter: Michael Davis


Below is an email conversation I've had with [~elecharny] about an an issue with changing
passwords after expiration when using a user other than uid=admin, ou=system.

We've had to work around this by enabling grace logins, and treating a grace login as an expiration
event. This allows the user to change their password after expiration, by consuming a grace
login to do so. But it requires specifically coding around the issue, and there is still a
possibility, depending on how the user interacts with the system, of having a user locked
out such that only uid=admin,ou=system can resolve it.



> From: Mike Davis [mailto:mdavis@rez1.com]
> Sent: Wednesday, November 02, 2016 7:36 AM
> To: users@directory.apache.org
> Subject: Re: [ApacheDS | LDAP API] changing expired passwords
>
>
>
> Thanks for the quick response.
>
>
> I have not set any of the grace login parameters at this time.
>
>
>
>
> Get Outlook for Android
>
>
>
> From: Emmanuel Lécharny
>
> Sent: Wednesday, November 2, 4:00 AM
>
> Subject: Re: [ApacheDS | LDAP API] changing expired passwords
>
> To: users@directory.apache.org
>
>
>
> Hi ! Le 01/11/16 à 22:03, Mike Davis a écrit : > I've run into an issue with 
> either Apache DS or the Apache LDAP API, or > both. > > > > Here's the

> scenario. > > > > I have a user whose password is expired. I want to force

> the user to > change their password. However, I can't distinguish between a 
> case where > the user knows the password and where the user doesn't. I 
> always get a > PasswordException with > 
> passwordPolicyError=PasswordPolicyErrorEnum.PASSWORD_EXPIRED and > 
> resultCode = ResultCodeEnum.INVALID_CREDENTIALS. > > > > On top of that,
the 
> LdapConnectionTemplate.modifyPassword() method that > takes old and new 
> password doesn't work, because the library is attempting > to bind with the 
> users old password, and we just get the same > PasswordException as above. 
> If I use the 'asAdmin' flag, then the old > password is never checked. > > >

>  > I don't want to change the password as admin, because I have no way to > 
> validate the user knows his old password. You should not be forced to use 
> the admin flag to change an expired password. There is a paramter 
> (pwdGraceUseTime) that let the user tries up a given delay to change an 
> expired password. What is the value you have set for this parameter ? 
> However, teh default should be infinite. I suspect there is a bug that 
> should be fixed urgently...
> Hi !
>
>
> Le 01/11/16 à 22:03, Mike Davis a écrit :
>> I've run into an issue with either Apache DS or the Apache LDAP API,
>> or both.
>>
>>
>>
>> Here's the scenario.
>>
>>
>>
>> I have a user whose password is expired. I want to force the user to
>> change their password. However, I can't distinguish between a case
>> where the user knows the password and where the user doesn't. I always
>> get a PasswordException with
>> passwordPolicyError=PasswordPolicyErrorEnum.PASSWORD_EXPIRED  and
>> resultCode = ResultCodeEnum.INVALID_CREDENTIALS.
>>
>>
>>
>> On top of that, the LdapConnectionTemplate.modifyPassword() method
>> that takes old and new password doesn't work, because the library is
>> attempting to bind with the users old password, and we just get the
>> same PasswordException as above. If I use the 'asAdmin' flag, then the
>> old password is never checked.
>>
>>
>>
>> I don't want to change the password as admin, because I have no way to
>> validate the user knows his old password.
> You should not be forced to use the admin flag to change an expired 
> password. There is a paramter (pwdGraceUseTime) that let the user tries up a 
> given delay to change an expired password. What is the value you have set 
> for this parameter ?
>
> However, teh default should be infinite. I suspect there is a bug that 
> should be fixed urgently...
>




--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message