From <Carlo.Acco...@ibs-ag.com>
Subject RE: Want to force password end time
Date Wed, 20 Mar 2013 14:05:52 GMT
OK thank you both!

-----Original Message-----
From: ayyagarikiran@gmail.com [mailto:ayyagarikiran@gmail.com] On Behalf Of Kiran Ayyagari
Sent: Wednesday, March 20, 2013 6:17 AM
To: users@directory.apache.org
Subject: Re: Want to force password end time

On Wed, Mar 20, 2013 at 3:39 PM, Emmanuel Lécharny <elecharny@gmail.com> wrote:

> On 3/19/13 11:17 PM, Carlo.Accorsi@ibs-ag.com wrote:
> > Hi All,
> > We have a password policy enabled for users with ads-pwdmustchange=TRUE.
> > When an admin changes a user's password, the pwdReset=true attribute is set on the user entry as expected.
> > We get the correct response control and direct a user to a change password page.
> > This all works great; however, this temporary password remains valid for the period defined in the policy.
> >
> > Ideally, after receiving the response control for password must change, I'd like to expire the temporary password after 10 minutes.
> > This way, if they defeat our change password routine by canceling it, the password wouldn't remain valid for long.
> >
> > Since we never know when they'll first log in after pwdReset=true is set, this is something I want to do individually on the user entry during the login process.
> > I've tried setting pwdEndTime on the user entry. This looks like it might be what I want, but I get a no user modification exception.
>
> Which is normal, as this AttributeType (pwdEndTime) cannot be modified by the user:
>
> attributetype ( 1.3.6.1.4.1.42.2.27.8.1.28
>     NAME 'pwdEndTime'
>     DESC 'The time the password becomes disabled'
>     EQUALITY generalizedTimeMatch
>     ORDERING generalizedTimeOrderingMatch
>     SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
>     SINGLE-VALUE
>     NO-USER-MODIFICATION
>  )
>
>
>
> >
> > Can you think of any way to do this?
>
> From the top of my head, that would probably require the development of a specific control, to allow the modification of such an AttributeType, for a specific user....
>
Another way is to reset the password again as admin and notify the user, mentioning clearly the validity of this temporary password.

>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>
>


--
Kiran Ayyagari
http://keydap.com

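The two mechanisms the thread turns on, the password-policy response control that tells the client "this password was reset, change it" and the application-side deadline that Kiran's suggestion implies (because the server will not let a client set pwdEndTime), worked through as an added example. This is not code from the thread or from Apache Directory: the decoder follows the PasswordPolicyResponseValue ASN.1 from draft-behera-ldap-password-policy (control OID 1.3.6.1.4.1.42.2.27.8.5.1); the sample control bytes are constructed by hand, and the 600-second window, the `first_seen` bookkeeping and the function names are assumptions for this example.

```python
"""Decode the LDAP passwordPolicyResponse control and enforce an
application-side window on a reset (temporary) password.

Added example, not code from the mailing-list thread or from Apache
Directory. The control value is BER per draft-behera-ldap-password-policy:

  PasswordPolicyResponseValue ::= SEQUENCE {
      warning [0] CHOICE {
          timeBeforeExpiration [0] INTEGER,
          graceAuthNsRemaining [1] INTEGER } OPTIONAL,
      error   [1] ENUMERATED { passwordExpired (0), accountLocked (1),
                               changeAfterReset (2), ... } OPTIONAL }
"""
from dataclasses import dataclass
from typing import Optional, Tuple

PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"
CHANGE_AFTER_RESET = 2          # the error the server returns while pwdReset=TRUE
TEMP_PASSWORD_WINDOW_SECONDS = 600  # assumption: the 10-minute window from the thread

ERROR_NAMES = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}

# Constructed sample control values (not captured from a real server):
SAMPLE_CHANGE_AFTER_RESET = b"\x30\x03\x81\x01\x02"                    # error=changeAfterReset
SAMPLE_EXPIRY_WARNING = b"\x30\x06\xa0\x04\x80\x02\x0e\x10"          # timeBeforeExpiration=3600
SAMPLE_GRACE_EXPIRED = b"\x30\x08\xa0\x03\x81\x01\x01\x81\x01\x00"  # grace=1, error=passwordExpired


@dataclass
class PasswordPolicyResponse:
    time_before_expiration: Optional[int] = None
    grace_authns_remaining: Optional[int] = None
    error: Optional[int] = None


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER TLV (short or long definite length) starting at buf[pos].
    Returns (tag, value, position after the element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, pos + length


def decode_ppolicy_control(value: bytes) -> PasswordPolicyResponse:
    """Decode the controlValue of a passwordPolicyResponse control."""
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("controlValue is not a single SEQUENCE")
    resp = PasswordPolicyResponse()
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == 0xA0:  # warning [0] is constructed and wraps the CHOICE
            ctag, cval, cend = _read_tlv(inner, 0)
            if cend != len(inner):
                raise ValueError("malformed warning CHOICE")
            n = int.from_bytes(cval, "big", signed=True)
            if ctag == 0x80:
                resp.time_before_expiration = n
            elif ctag == 0x81:
                resp.grace_authns_remaining = n
            else:
                raise ValueError(f"unknown warning tag 0x{ctag:02x}")
        elif tag == 0x81:  # error [1] is a primitive ENUMERATED
            resp.error = int.from_bytes(inner, "big", signed=True)
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in response value")
    return resp


def temp_password_still_usable(resp: PasswordPolicyResponse,
                               first_seen: float, now: float) -> bool:
    """Application-side check. The directory cannot be told to expire a reset
    password early (pwdEndTime is NO-USER-MODIFICATION), so the application
    records when it first saw changeAfterReset for this user (first_seen) and
    refuses the temporary password once the window has lapsed; the admin then
    resets the password again, as suggested in the thread."""
    if resp.error != CHANGE_AFTER_RESET:
        return True  # not a reset password; the server's own policy applies
    return (now - first_seen) <= TEMP_PASSWORD_WINDOW_SECONDS


if __name__ == "__main__":
    for raw in (SAMPLE_CHANGE_AFTER_RESET, SAMPLE_EXPIRY_WARNING, SAMPLE_GRACE_EXPIRED):
        r = decode_ppolicy_control(raw)
        print(raw.hex(), "->", r, ERROR_NAMES.get(r.error, "-"))
    reset = decode_ppolicy_control(SAMPLE_CHANGE_AFTER_RESET)
    print("usable 5 min after first login:", temp_password_still_usable(reset, 0.0, 300.0))
    print("usable 11 min after first login:", temp_password_still_usable(reset, 0.0, 660.0))
```

The application has to persist `first_seen` per user (the first bind that came back with changeAfterReset), otherwise a user who cancels the change-password page and returns later gets a fresh window. When the window has lapsed the login is refused and the password is reset again by the admin, which is the workaround Kiran describes; the server itself keeps honouring the temporary password until the policy's own expiry.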