directory-users mailing list archives

From: Ezsra McDonald <ezsra.mcdon...@gmail.com>
Subject: ADS returns password expired when wrong password provided
Date: Thu, 31 Mar 2016 18:21:16 GMT
We have ApacheDS configured to expire passwords after a fixed amount of
time. If a user lets their password expire and that user attempts to
authenticate with an *invalid* password, ADS will respond with an error
code related to their password being expired rather than a response stating
their password entry was invalid.

This is not the desired behavior for a couple of reasons. First, it is
confusing our users because they assume that if our SSO portal tells them
their password has expired, that they did enter the correct existing
password. So when they get sent to our password change screen, they will
enter the invalid existing password that they used initially, thinking it
was correct.

The other issue is a matter of security. It is possible for anyone to
determine if an account is expired just by entering the correct username.

Are there any suggestions on how to configure ADS to first verify the
password is valid before responding with an account expired code?

--Ezsra
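The ordering problem described in the message, shown as an added example that is not part of the thread and not ApacheDS code: a toy in-memory directory with two bind routines. `authenticate_leaky` reproduces the behaviour the post complains about (expiry reported before the supplied password is checked, so a bare username reveals account state), while `authenticate` proves possession of the password first and returns the same generic `invalidCredentials` result for an unknown user and a wrong password. The 90-day policy, the PBKDF2 parameters, the fixed clock and the two user records are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum


class AuthResult(Enum):
    """Outcomes a bind can report. INVALID_CREDENTIALS is deliberately
    generic: it covers an unknown user and a wrong password alike."""
    OK = "success"
    INVALID_CREDENTIALS = "invalidCredentials"
    PASSWORD_EXPIRED = "passwordExpired"


@dataclass(frozen=True)
class UserEntry:
    uid: str
    salt: bytes
    pw_hash: bytes
    pw_changed_at: int  # seconds since epoch when the password was last set


PBKDF2_ROUNDS = 20_000              # assumed hashing cost for the toy directory
PW_MAX_AGE_SECONDS = 90 * 86_400    # assumed 90-day expiry policy
NOW = 1_459_448_476                 # fixed "current time" so results are deterministic


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def create_user(uid: str, password: str, changed_at: int) -> UserEntry:
    salt = os.urandom(16)
    return UserEntry(uid, salt, _hash(password, salt), changed_at)


# Dummy entry hashed against when the uid is unknown, so an absent account
# costs the same work as a present one and timing does not reveal existence.
_DUMMY = create_user("<none>", "unused", 0)


def password_matches(entry: UserEntry, password: str) -> bool:
    return hmac.compare_digest(_hash(password, entry.salt), entry.pw_hash)


def is_expired(entry: UserEntry, now: int) -> bool:
    return now - entry.pw_changed_at > PW_MAX_AGE_SECONDS


def authenticate_leaky(directory: dict, uid: str, password: str, now: int = NOW) -> AuthResult:
    """Ordering the post describes: expiry is reported before the supplied
    password has been checked, so knowing a uid is enough to learn that the
    account's password has expired."""
    entry = directory.get(uid)
    if entry is None:
        return AuthResult.INVALID_CREDENTIALS
    if is_expired(entry, now):
        return AuthResult.PASSWORD_EXPIRED
    if not password_matches(entry, password):
        return AuthResult.INVALID_CREDENTIALS
    return AuthResult.OK


def authenticate(directory: dict, uid: str, password: str, now: int = NOW) -> AuthResult:
    """Hardened ordering: prove possession of the password first; only then
    disclose account state such as expiry."""
    entry = directory.get(uid)
    candidate = entry if entry is not None else _DUMMY
    ok = password_matches(candidate, password)
    if entry is None or not ok:
        return AuthResult.INVALID_CREDENTIALS
    if is_expired(entry, now):
        return AuthResult.PASSWORD_EXPIRED
    return AuthResult.OK


def build_sample_directory() -> dict:
    """Constructed sample data: alice's password is 120 days old (expired),
    bob changed his yesterday."""
    return {
        "alice": create_user("alice", "correct horse", NOW - 120 * 86_400),
        "bob": create_user("bob", "battery staple", NOW - 86_400),
    }


if __name__ == "__main__":
    d = build_sample_directory()
    for fn in (authenticate_leaky, authenticate):
        print(f"{fn.__name__}: alice/wrong -> {fn(d, 'alice', 'wrong').value}")
```

With the hardened ordering the SSO portal only ever sees `passwordExpired` after a correct password, so the user it redirects to the change screen really does know their current password, and an unauthenticated caller cannot distinguish an expired account from a nonexistent one.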
