directory-users mailing list archives

From Emmanuel Lécharny <elecha...@gmail.com>
Subject Re: Want to force password end time
Date Wed, 20 Mar 2013 10:09:09 GMT
On 3/19/13 11:17 PM, Carlo.Accorsi@ibs-ag.com wrote:
> Hi All,
> We have a password policy enabled for users with ads-pwdmustchange=TRUE.
> When an admin changes a user's password, the pwdReset=true attribute is set on the
> user entry as expected.
> We get the correct response control and direct a user to a change password page.
> This all works great; however, this temporary password remains valid for the period defined
> in the policy.
>
> Ideally, after receiving the response control for password must change, I'd like to expire
> the temporary password after 10 minutes.
> This way if they defeat our change password routine by canceling it, the password wouldn't
> remain valid for long.
>
> Since we never know when the first time they'll login after pwdReset=true is set, this
> is something I want to do individually on the user entry during the login process.
> I've tried setting pwdEndTime on the user entry. This looks like it might be what I want
> but I get a no user modification exception.

Which is normal, as this AttributeType (pwdEndTime) cannot be modified
by the user:

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.28
    NAME 'pwdEndTime'
    DESC 'The time the password becomes disabled'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
    SINGLE-VALUE
    NO-USER-MODIFICATION
 )



>
> Can you think of any way to do this?

From the top of my head, that would probably require the development of
a specific control, to allow the modification of such an AttributeType,
for a specific user...


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 
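
Added example (not part of the original message, and not ApacheDS code): a small Python parser for the attribute type definition quoted above, showing how the NO-USER-MODIFICATION flag marks pwdEndTime as something a client modify request cannot change. The function names and the contrasting `description` definition are assumptions introduced for illustration.

```python
import re

# Definition quoted in the message above (an RFC 4512 AttributeTypeDescription).
PWD_END_TIME = """attributetype ( 1.3.6.1.4.1.42.2.27.8.1.28
    NAME 'pwdEndTime' DESC 'The time the password becomes disabled'
    EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-MODIFICATION )"""
# Added for contrast, not from the message: 'description' as defined in RFC 4519.
DESCRIPTION = """( 2.5.4.13 NAME 'description' EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )"""

TOKEN = re.compile(r"'([^']*)'|([()])|([^\s()']+)")
FLAGS = {"OBSOLETE", "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION"}
OPEN, CLOSE = ("sym", "("), ("sym", ")")

def tokenize(text):
    """Yield ('str', value) for quoted strings and ('sym', value) for everything else."""
    for quoted, paren, word in TOKEN.findall(text):
        yield ("sym", paren or word) if (paren or word) else ("str", quoted)

def parse_attribute_type(text):
    """Parse one definition into a dict: 'oid', 'names', 'flags', plus keyword values."""
    toks = list(tokenize(text))
    if toks and toks[0] == ("sym", "attributetype"):  # schema-file prefix, as in the message
        toks = toks[1:]
    if len(toks) < 3 or toks[0] != OPEN or toks[-1] != CLOSE:
        raise ValueError("not a parenthesised AttributeTypeDescription")
    attr, i = {"oid": toks[1][1], "names": [], "flags": set()}, 2
    while i < len(toks) - 1:
        key, i = toks[i][1], i + 1
        if key in FLAGS:                              # bare keyword, takes no value
            attr["flags"].add(key)
        elif key == "NAME" and toks[i] == OPEN:       # NAME ( 'a' 'b' ) alias list
            end = toks.index(CLOSE, i)
            attr["names"], i = [v for _, v in toks[i + 1:end]], end + 1
        else:                                         # keyword followed by one value
            value = toks[i][1]
            attr.update({"names": [value]} if key == "NAME" else {key: value})
            i += 1
    return attr

def rejected_modifications(schema_defs, requested_attrs):
    """Return the requested attributes that are flagged NO-USER-MODIFICATION."""
    read_only = set()
    for text in schema_defs:
        attr = parse_attribute_type(text)
        if "NO-USER-MODIFICATION" in attr["flags"]:
            read_only.update(n.lower() for n in attr["names"] + [attr["oid"]])
    return [a for a in requested_attrs if a.lower() in read_only]
```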

