directory-users mailing list archives

From Emmanuel Lécharny <>
Subject Re: Want to force password end time
Date Wed, 20 Mar 2013 10:09:09 GMT
On 3/19/13 11:17 PM, wrote:
> Hi All,
> We have a password policy enabled for users with ads-pwdmustchange=TRUE.
> When an admin changes a user's password, the pwdReset=true attribute is set on the user entry as expected.
> We get the correct response control and direct a user to a change password page.
> This all works great; however, this temporary password remains valid for the period defined in the policy.
> Ideally, after receiving the response control for password must change, I'd like to expire the temporary password after 10 minutes.
> This way if they defeat our change password routine by canceling it, the password wouldn't remain valid for long.
> Since we never know when the first time they'll log in after pwdReset=true is set, this is something I want to do individually on the user entry during the login process.
> I've tried setting pwdEndTime on the user entry. This looks like it might be what I want but I get a no user modification exception.

Which is normal, as this AttributeType (pwdEndTime) cannot be modified
by the user:

attributetype (
    NAME 'pwdEndTime'
    DESC 'The time the password becomes disabled'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch

> Can you think of any way to do this?

From the top of my head, that would probably require the development of
a specific control, to allow the modification of such an AttributeType,
for a specific user....

Emmanuel Lécharny 
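
An added example, not part of the original message or of ApacheDS: a small Python parser for RFC 4512 attribute type descriptions that reports which attributes in a requested modification carry NO-USER-MODIFICATION, the schema flag behind the error discussed above. The sample definitions are constructed; their OIDs are placeholders, and the flag on pwdEndTime is assumed from the error quoted in the thread.

```python
import re

# Constructed sample definitions, not copied from a server. OIDs under 1.3.6.1.4.1.99999
# are placeholders; NO-USER-MODIFICATION on pwdEndTime is assumed from the quoted error.
SAMPLE_SCHEMA = [
    "( 1.3.6.1.4.1.99999.1 NAME 'pwdEndTime' "
    "DESC 'The time the password becomes disabled' "
    "EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE "
    "NO-USER-MODIFICATION USAGE directoryOperation )",
    "( 1.3.6.1.4.1.99999.2 NAME ( 'exampleNote' 'exNote' ) "
    "DESC 'Free text (user modifiable)' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
]
FLAGS = {"OBSOLETE", "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION"}
TOKEN = re.compile(r"'[^']*'|[()]|[^\s()']+")  # quoted string, paren, or bare word

def parse_attribute_type(definition):
    """Parse an RFC 4512 AttributeTypeDescription string into a dict."""
    tokens = TOKEN.findall(definition)
    if len(tokens) < 3 or tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("definition must be wrapped in parentheses")
    parsed = {"oid": tokens[1], "names": [], "flags": set()}
    body, i = tokens[2:-1], 0
    while i < len(body):
        key, i = body[i], i + 1
        if key in FLAGS:                      # flags take no value
            parsed["flags"].add(key)
            continue
        if i >= len(body):
            raise ValueError("missing value for " + key)
        if body[i] == "(":                    # value list, e.g. NAME ( 'a' 'b' )
            end = body.index(")", i)
            values, i = body[i + 1:end], end + 1
        else:
            values, i = [body[i]], i + 1
        values = [v.strip("'") for v in values]
        if key == "NAME":
            parsed["names"] = values
        else:
            parsed[key.lower()] = values[0]
    return parsed

def blocked_attributes(schema, requested):
    """Return the requested attribute names that users may not modify."""
    protected = set()
    for definition in schema:
        attr = parse_attribute_type(definition)
        if "NO-USER-MODIFICATION" in attr["flags"]:
            protected.update(name.lower() for name in attr["names"])
    return [name for name in requested if name.lower() in protected]
```

Attribute names are compared case-insensitively, and parentheses inside a quoted DESC string are not mistaken for list delimiters.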
