Date: Thu, 31 Mar 2016 13:21:16 -0500
Subject: ADS returns password expired when wrong password provided
From: Ezsra McDonald
To: users

We have ApacheDS configured to expire passwords after a fixed amount of time.
If a user lets their password expire and that user attempts to authenticate with an *invalid* password, ADS will respond with an error code related to their password being expired rather than a response stating their password entry was invalid. This is not the desired behavior for a couple of reasons.

First, it is confusing our users because they assume that if our SSO portal tells them their password has expired, they did enter the correct existing password. So when they get sent to our password change screen, they will enter the invalid existing password that they used initially, thinking it was correct.

The other issue is a matter of security. It is possible for anyone to determine if an account is expired just by entering the correct username.

Are there any suggestions on how to configure ADS to first verify the password is valid before responding with an account expired code?

--Ezsra
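The ordering problem Ezsra describes, as an added example that is not ApacheDS code: a minimal bind handler in the reported form (expiry checked before the credential) beside the hardened form (credential verified first, so only a caller who knows the password learns the expiry state). The result codes follow LDAP (`invalidCredentials` = 49, `success` = 0) and the `passwordExpired` error value of the draft-behera LDAP password policy control; the account store, the 90-day maximum age and the hashing scheme are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

SUCCESS = 0               # LDAP resultCode success
INVALID_CREDENTIALS = 49  # LDAP resultCode invalidCredentials
PASSWORD_EXPIRED = 0      # error value in the password policy response control
MAX_AGE_SECONDS = 90 * 24 * 3600  # constructed policy: passwords expire after 90 days


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    pw_changed_at: float  # epoch seconds of the last password change


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_account(password: str, changed_at: float) -> Account:
    salt = os.urandom(16)
    return Account(salt, _hash(password, salt), changed_at)


def password_ok(acct: Account, password: str) -> bool:
    return hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash)


def is_expired(acct: Account, now: float) -> bool:
    return now - acct.pw_changed_at > MAX_AGE_SECONDS


def bind_expiry_first(acct: Account, password: str, now: float) -> Tuple[int, Optional[int]]:
    """Reported behaviour: expiry is reported before the credential is ever checked,
    so a wrong password against an expired account still reveals the expiry."""
    if is_expired(acct, now):
        return INVALID_CREDENTIALS, PASSWORD_EXPIRED
    if not password_ok(acct, password):
        return INVALID_CREDENTIALS, None
    return SUCCESS, None


def bind_credential_first(acct: Account, password: str, now: float) -> Tuple[int, Optional[int]]:
    """Desired behaviour: a wrong password always yields plain invalidCredentials;
    the expiry error is only attached once the password has been verified."""
    if not password_ok(acct, password):
        return INVALID_CREDENTIALS, None
    if is_expired(acct, now):
        return INVALID_CREDENTIALS, PASSWORD_EXPIRED
    return SUCCESS, None
```

The second handler is also what the SSO portal needs: a `passwordExpired` error now implies the old password the user typed was correct, so sending them to the change-password screen is safe.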