directory-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From <>
Subject Want to force password end time
Date Tue, 19 Mar 2013 22:17:28 GMT
Hi All,
We have a password policy enabled for users with ads-pwdmustchange=TRUE.
When an admin changes a user's password , the pwdReset=true attribute is set as on the user
entry as expected.
We get the correct response control and direct a user to a change password page.
This all works great however, this temporary password remains valid for period defined in
the policy.

Ideally, after receiving the response control for password must change, I'd like to expire
the temporary password after 10 minutes.
This way if they defeat our change password routine by canceling it, the password wouldn't
remain valid for long.

Since we never know when the first time they'll login after pwdReset=true is set, this is
something I want to do individually on the user entry during the login process.
I've tried setting pwdEndTime on the user entry. This looks like it might be what I want but
I get a no user modification exception.

Can you think of any way to do this?

java.lang.Exception: [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for MessageType
Message ID : 67
    Modify Request
        Object : 'uid=1337172529807,ou=users,ou=int,o=cpro'
                Operation :  add
pwdEndTime: 20130319220004.006Z ERR_52 Cannot modify
the attribute : ATTRIBUTE_TYPE (
NAME 'pwdEndTime'
DESC The time the password becomes disabled
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
USAGE directoryOperation

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message