directory-users mailing list archives

Subject Changing password as user does not clear pwdGraceUseTime and update pwdChangedTime
Date Tue, 04 Sep 2012 02:43:05 GMT
Hi Folks - been away from ApacheDS for a while... back again...

We built from the trunk on Friday 8/24 and are testing the password policy functionality.

When a user has a password policy assigned via pwdPolicySubentry and the policy attribute
ads-pwdgraceauthnlimit is set to 5 for example,
and the password age has expired, a pwdGraceUseTime field (on the user) is set with the timestamp
of the login. This is all working great!

We process the response controls and that event forces a user to change their password, which
they successfully do.

However, even though the password is successfully changed, the:
pwdGraceUseTime fields are not removed and
pwdChangedTime does not update.

A subsequent login by the user with the new password (just set) triggers the same response
controls and the process repeats, setting another pwdGraceUseTime field.
I'm not running out of grace logins. When this happens it's understood nothing can be done
without an admin reset.

If an admin changes the password, the fields are removed and the pwdChangedTime field is updated
as it should.
We need the password reset as the user because we're also using the pwdReset functionality.

This is how we're changing the passwords. This operation is performed with the user's credentials,
NOT an admin's.

      import javax.naming.NamingException;
      import javax.naming.directory.BasicAttribute;
      import javax.naming.directory.InvalidAttributeValueException;
      import javax.naming.directory.ModificationItem;
      import javax.naming.ldap.Control;
      import javax.naming.ldap.LdapContext;

      // PASSWORD_AT, PasswordPolicyRqControl and DirectoryAdapterException are the
      // poster's own constant/classes and are not shown in the message.
      public void setPassword(LdapContext ctx, String strDn, String strValue)
            throws DirectoryAdapterException {

            // Replace the password attribute; ctx is bound as the user, not as an admin.
            ModificationItem[] mods = new ModificationItem[1];
            mods[0] = new ModificationItem(LdapContext.REPLACE_ATTRIBUTE,
                        new BasicAttribute(PASSWORD_AT, strValue));
            try {
                  try {
                        // Attach the password policy request control to the modify.
                        ctx.setRequestControls(new Control[]{new PasswordPolicyRqControl()});
                        ctx.modifyAttributes(strDn, mods);
                  } catch (InvalidAttributeValueException ae) {
                        throw new DirectoryAdapterException(ae, DirectoryAdapterException.CANNOT_MODIFY_ENTRY);
                  } catch (NamingException ne) {
                        throw new DirectoryAdapterException(ne, DirectoryAdapterException.CANNOT_MODIFY_ENTRY);
                  }
            } catch (DirectoryAdapterException de) {
                  processControls(ctx, de); // inspects the response controls and re-throws
                  throw de; // catch-all, should not be reached
            }
      }

Thank you!!!
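As an added check (not part of the original message, nor ApacheDS code), the following JNDI snippet captures the two operational attributes the report is about before and after the self-service modify, and reports whether either is still stale. It assumes the identity bound on the context is allowed to read pwdChangedTime and pwdGraceUseTime on the entry (if the user's own bind is not, the two read() calls can be made on a separate admin-bound context).

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.ldap.LdapContext;

// Snapshot of the two ppolicy operational attributes the report is about.
public final class PpolicyState {
    public final String pwdChangedTime;        // null when absent
    public final List<String> pwdGraceUseTime; // empty when absent

    private PpolicyState(String changed, List<String> grace) {
        this.pwdChangedTime = changed;
        this.pwdGraceUseTime = grace;
    }

    // Operational attributes are only returned when requested by name.
    public static PpolicyState read(LdapContext ctx, String userDn) throws NamingException {
        Attributes attrs = ctx.getAttributes(userDn, new String[] {"pwdChangedTime", "pwdGraceUseTime"});
        Attribute changed = attrs.get("pwdChangedTime");
        String changedValue = (changed == null) ? null : (String) changed.get();
        List<String> grace = new ArrayList<>();
        Attribute graceAttr = attrs.get("pwdGraceUseTime");
        if (graceAttr != null) {
            NamingEnumeration<?> values = graceAttr.getAll();
            while (values.hasMore()) {
                grace.add((String) values.next());
            }
        }
        return new PpolicyState(changedValue, grace);
    }

    // Compare the state captured before and after the user's own password change.
    // Returns null when the server behaved as expected (grace timestamps gone,
    // pwdChangedTime moved), otherwise a description of what is still stale.
    public static String diagnose(PpolicyState before, PpolicyState after) {
        List<String> problems = new ArrayList<>();
        if (!after.pwdGraceUseTime.isEmpty()) {
            problems.add("pwdGraceUseTime still has " + after.pwdGraceUseTime.size() + " value(s)");
        }
        if (after.pwdChangedTime == null || after.pwdChangedTime.equals(before.pwdChangedTime)) {
            problems.add("pwdChangedTime not updated (still " + after.pwdChangedTime + ")");
        }
        return problems.isEmpty() ? null : String.join("; ", problems);
    }
}
```

Call read() on the user entry immediately before and after the modify and pass both snapshots to diagnose(); a non-null result is the symptom described above (grace timestamps retained, pwdChangedTime unchanged) and distinguishes it from a change that simply failed.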
