directory-users mailing list archives

From Pierre Smits <pierre.sm...@gmail.com>
Subject Re: ADS returns password expired when wrong password provided
Date Sat, 02 Apr 2016 13:04:34 GMT
Feel free to create a JIRA issue so that we can track progress and
resolution.

Best regards,

Pierre Smits

ORRTIZ.COM <http://www.orrtiz.com>
OFBiz based solutions & services

OFBiz Extensions Marketplace
http://oem.ofbizci.net/oci-2/

On Thu, Mar 31, 2016 at 8:21 PM, Ezsra McDonald <ezsra.mcdonald@gmail.com>
wrote:

> We have ApacheDS configured to expire passwords after a fixed amount of
> time. If a user lets their password expire and that user attempts to
> authenticate with an *invalid* password, ADS will respond with an error
> code related to their password being expired rather than a response stating
> their password entry was invalid.
>
> This is not the desired behavior for a couple of reasons. First, it is
> confusing our users because they assume that if our SSO portal tells them
> their password has expired, that they did enter the correct existing
> password. So when they get sent to our password change screen, they will
> enter the invalid existing password that they used initially, thinking it
> was correct.
>
> The other issue is a matter of security. It is possible for anyone to
> determine if an account is expired just by entering the correct username.
>
> Are there any suggestions on how to configure ADS to first verify the
> password is valid before responding with an account-expired code?
>
> --Ezsra
>
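The following is an added illustration of the ordering problem described in the quoted message; it is not ApacheDS code and not part of the original thread. It models an LDAP simple bind under a password policy twice: once with expiry checked before the password (the behaviour reported above) and once with the password verified first (the behaviour asked for), and shows that only the first ordering lets a caller who knows nothing but the user name learn that an account has expired. Result codes follow RFC 4511 (invalidCredentials = 49) and the ppolicy error value passwordExpired = 0 from draft-behera-ldap-password-policy; the directory entries, passwords, DNs and function names are all made up for the example.

```python
"""Constructed model of LDAP bind evaluation order under a password policy.

Not ApacheDS code. It contrasts "check expiry first" (the behaviour reported
in the thread) with "verify password first" (the behaviour requested) and
shows which one leaks account status to an unauthenticated caller.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Optional

SUCCESS = 0
INVALID_CREDENTIALS = 49      # RFC 4511 resultCode invalidCredentials
PP_PASSWORD_EXPIRED = 0       # ppolicy response control error: passwordExpired
PBKDF2_ROUNDS = 20_000        # low for the example; use a higher work factor in practice


@dataclass
class Entry:
    salt: bytes
    pw_hash: bytes
    expired: bool


@dataclass(frozen=True)
class BindResult:
    result_code: int
    ppolicy_error: Optional[int]   # error field of the ppolicy response control, if any


def make_entry(password: str, expired: bool) -> Entry:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return Entry(salt, digest, expired)


def password_matches(entry: Entry, candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), entry.salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, entry.pw_hash)


# Constructed directory: one live account and one whose password has expired.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": make_entry("correct horse", expired=False),
    "uid=bob,ou=people,dc=example,dc=com": make_entry("battery staple", expired=True),
}
# Hashed against when the DN is unknown, so that bind time does not reveal
# whether the DN exists.
DUMMY_ENTRY = make_entry("", expired=False)


def bind_expiry_first(dn: str, password: str) -> BindResult:
    """Ordering reported in the thread: expiry is reported before the password
    is ever checked, so a wrong password on an expired account still yields
    passwordExpired."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        password_matches(DUMMY_ENTRY, password)
        return BindResult(INVALID_CREDENTIALS, None)
    if entry.expired:
        return BindResult(INVALID_CREDENTIALS, PP_PASSWORD_EXPIRED)
    if not password_matches(entry, password):
        return BindResult(INVALID_CREDENTIALS, None)
    return BindResult(SUCCESS, None)


def bind_password_first(dn: str, password: str) -> BindResult:
    """Ordering the poster asks for: verify the password, then report expiry.
    Unknown DN and wrong password produce the identical response."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        password_matches(DUMMY_ENTRY, password)
        return BindResult(INVALID_CREDENTIALS, None)
    if not password_matches(entry, password):
        return BindResult(INVALID_CREDENTIALS, None)
    if entry.expired:
        return BindResult(INVALID_CREDENTIALS, PP_PASSWORD_EXPIRED)
    return BindResult(SUCCESS, None)


def leaks_expiry_status(bind: Callable[[str, str], BindResult]) -> bool:
    """True if a caller holding only user names and a wrong password can tell
    the expired account from the live one by comparing bind responses."""
    wrong = "definitely not the password"
    live = bind("uid=alice,ou=people,dc=example,dc=com", wrong)
    expired = bind("uid=bob,ou=people,dc=example,dc=com", wrong)
    return live != expired


if __name__ == "__main__":
    for name, fn in (("expiry first", bind_expiry_first), ("password first", bind_password_first)):
        print(f"{name:15} leaks account status to a wrong-password caller: {leaks_expiry_status(fn)}")
```

In the first ordering the bind response for an expired account carries the passwordExpired ppolicy error whether or not the password was right, which is exactly the oracle the quoted message describes; the second ordering only emits that error once the supplied password has been verified, so a guesser sees plain invalidCredentials for every account. The dummy hash on unknown DNs keeps the response time roughly equal for existing and non-existing users, which the LDAP result code alone does not guarantee.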
