directory-users mailing list archives

From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: Want to force password end time
Date Wed, 20 Mar 2013 10:17:12 GMT
On Wed, Mar 20, 2013 at 3:39 PM, Emmanuel Lécharny <elecharny@gmail.com> wrote:

> Le 3/19/13 11:17 PM, Carlo.Accorsi@ibs-ag.com a écrit :
> > Hi All,
> > We have a password policy enabled for users with ads-pwdmustchange=TRUE.
> > When an admin changes a user's password, the pwdReset=true attribute is
> > set on the user entry as expected.
> > We get the correct response control and direct a user to a change
> > password page.
> > This all works great however, this temporary password remains valid for
> > period defined in the policy.
> >
> > Ideally, after receiving the response control for password must change,
> > I'd like to expire the temporary password after 10 minutes.
> > This way if they defeat our change password routine by canceling it, the
> > password wouldn't remain valid for long.
> >
> > Since we never know when the first time they'll login after
> > pwdReset=true is set, this is something I want to do individually on the
> > user entry during the login process.
> > I've tried setting pwdEndTime on the user entry. This looks like it
> > might be what I want but I get a no user modification exception.
>
> Which is normal, as this AttributeType (pwdEndTime) cannot be modified
> by the user :
>
> attributetype ( 1.3.6.1.4.1.42.2.27.8.1.28
>     NAME 'pwdEndTime'
>     DESC 'The time the password becomes disabled'
>     EQUALITY generalizedTimeMatch
>     ORDERING generalizedTimeOrderingMatch
>     SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
>     SINGLE-VALUE
>     NO-USER-MODIFICATION
>  )
>
>
>
> >
> > Can you think of any way to do this?
>
> From the top of my head, that would probably require the development of a
> specific control, to allow the modification of such an AttributeType,
> for a specific user....
>

Another way is to reset the password again as admin and notify the user
mentioning clearly about the validity of this temporary password.

>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>
>


-- 
Kiran Ayyagari
http://keydap.com
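
Why the server refuses the modify, as an added example (not code from the thread or from ApacheDS): a small Python parser reads the attributetype definition quoted above and reports which requested attributes carry NO-USER-MODIFICATION. The helper names and the contrasting userPassword definition are assumptions added for illustration.

```python
import re

# Definition quoted in the thread (RFC 4512 AttributeTypeDescription syntax).
PWD_END_TIME = """attributetype ( 1.3.6.1.4.1.42.2.27.8.1.28
    NAME 'pwdEndTime'
    DESC 'The time the password becomes disabled'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
    SINGLE-VALUE
    NO-USER-MODIFICATION )"""
# Added for contrast (not from the thread): userPassword as defined in RFC 4519.
USER_PASSWORD = """attributetype ( 2.5.4.35 NAME 'userPassword'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )"""

FLAGS = {"OBSOLETE", "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION"}
TOKEN = re.compile(r"'[^']*'|[()]|[^\s()']+")

def parse_attribute_type(text):
    """Hypothetical helper: parse one definition into {'oid', 'flags', keyword: [values]}."""
    tokens = TOKEN.findall(text)
    if "(" not in tokens or tokens[-1] != ")":
        raise ValueError("not a complete attributetype definition")
    body = tokens[tokens.index("(") + 1:-1]
    attr, i = {"oid": body[0], "flags": set()}, 1
    while i < len(body):
        key = body[i]
        if key in FLAGS:                      # bare keyword, takes no value
            attr["flags"].add(key)
            i += 1
        elif body[i + 1] == "(":              # value list, e.g. NAME ( 'a' 'b' )
            end = body.index(")", i)
            attr[key.lower()] = [t.strip("'") for t in body[i + 2:end]]
            i = end + 1
        else:
            attr[key.lower()] = [body[i + 1].strip("'")]
            i += 2
    return attr

def rejected_modifications(definitions, requested):
    """Requested attribute names that the schema marks NO-USER-MODIFICATION."""
    locked = {name.lower()
              for attr in map(parse_attribute_type, definitions)
              if "NO-USER-MODIFICATION" in attr["flags"]
              for name in attr.get("name", [])}
    return [name for name in requested if name.lower() in locked]

if __name__ == "__main__":
    # A modify touching both attributes: only pwdEndTime is refused.
    print(rejected_modifications([PWD_END_TIME, USER_PASSWORD], ["userPassword", "pwdEndTime"]))
```
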
