directory-users mailing list archives

From <>
Subject RE: pwdMustChange not working
Date Thu, 05 Mar 2015 19:04:58 GMT
Hi, we've been using that feature for quite some time to force a user to change their password after
it's been reset by an admin.

Make sure the user(s) you want this to affect have the pwdPolicySubEntry attribute set on
their entry with the DN of the password policy entry.

For example:

dn: uid=jsmith,ou=users,ou=int,o=company
uid: jsmith
cn: jsmith
pwdPolicySubEntry: ads-pwdId=internalUsers,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,adsdirectoryServiceId=default,ou=

Then on the policy entry itself, the attribute ads-pwdmustchange must be set TRUE.
And the policy must be enabled: ads-enabled=TRUE

If you've made changes to the policy, restart the server. 

Then if an admin, using the bind credentials (uid=admin,ou=system) sets the password for jsmith,
the pwdReset attribute is added to their user entry.
The next time jsmith binds with their credentials, you get a signal that the password must
change in the bind response. 
Here's some pseudo code:

    // Build the password policy request control (Apache LDAP API)
    LdapApiService codec = LdapApiServiceFactory.getSingleton();
    PasswordPolicyDecorator pwCtrl = new PasswordPolicyDecorator(codec, new PasswordPolicyImpl());

    // Bind as the user and attach the control, otherwise the server never sends the response control
    BindRequest bindRequest = new BindRequestImpl();
    bindRequest.setDn(new Dn("uid=jsmith,ou=users,ou=int,o=company"));
    bindRequest.setCredentials("secret"); // the password the admin reset it to
    bindRequest.addControl(pwCtrl);

    BindResponse bindResponse = connection.bind(bindRequest);

    // The policy state comes back in the response control, not in the request control we sent
    Control respCtrl = bindResponse.getControls().get(PasswordPolicy.OID);
    if (respCtrl != null)
    {
        PasswordPolicy pwPolicy = ((PasswordPolicyDecorator) respCtrl).getDecorated();

        if (pwPolicy.hasResponse())
        {
            PasswordPolicyResponse pw = pwPolicy.getResponse();
            // process password policy response

            if (PasswordPolicyErrorEnum.CHANGE_AFTER_RESET == pw.getPasswordPolicyError())
            {
                // this will be true when the pwdReset attr is present on the user.
                // call your change password code here
            }
        }
    }


After the jsmith user changes their password (with their credentials) the pwdReset attribute
is removed from their entry.

Hope this helps.

-----Original Message-----
From: brock samson [] 
Sent: Thursday, March 05, 2015 12:39 PM
Subject: pwdMustChange not working

I am running apacheds2-M19, and changing the pwdMustChange password policy attribute's value from
FALSE to TRUE does not have any effect. After a server restart and using the typical LdapNetworkConnection.bind()
function, the response is marked with SUCCESS. Also, despite the very good description of pretty
much every password policy attribute on your doc site, there is absolutely nothing written
about this particular attribute.
