directory-users mailing list archives

From Pierre Smits <>
Subject Re: ADS returns password expired when wrong password provided
Date Sat, 02 Apr 2016 13:04:34 GMT
Feel free to create a JIRA issue. That we can track progress and

Best regards,

Pierre Smits

OFBiz based solutions & services

OFBiz Extensions Marketplace

On Thu, Mar 31, 2016 at 8:21 PM, Ezsra McDonald <>

> We have ApacheDS configured to expire passwords after a fixed amount of
> time. If a user lets their password expire and that user attempts to
> authenticate with an *invalid* password, ADS will respond with an error
> code related to their password being expired rather than a response stating
> their password entry was invalid.
> This is not the desired behavior for a couple of reasons. First, it is
> confusing our users because they assume that if our SSO portal tells them
> their password has expired, that they did enter the correct existing
> password. So when they get sent to our password change screen, they will
> enter the invalid existing password that they used initially, thinking it
> was correct.
> The other issue is a matter of security. It is possible for anyone to
> determine if an account is expired just by entering the correct username.
> Are there any suggestions on how to configure ADS to first verify the
> password is valid before responding with an account expired code?
> --Ezsra
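
The check ordering described in the quoted report, next to the ordering it asks for, as an added example that is not part of the original messages and is not ApacheDS code. It is a simplified model: the function names, the outcome strings, the 90-day policy and the sample entries are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Model outcomes (assumed labels, not ApacheDS result codes).
SUCCESS = "success"
INVALID_CREDENTIALS = "invalidCredentials"
PASSWORD_EXPIRED = "passwordExpired"

MAX_AGE = 90 * 86400  # assumed policy: passwords expire after 90 days


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def make_entry(password: str, changed_at: float) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "changed_at": changed_at}


def bind_expiry_first(entry: dict, password: str, now: float) -> str:
    """Ordering from the report: expiry is evaluated before the password."""
    if now - entry["changed_at"] > MAX_AGE:
        return PASSWORD_EXPIRED  # returned even when the password is wrong
    ok = hmac.compare_digest(_hash(password, entry["salt"]), entry["hash"])
    return SUCCESS if ok else INVALID_CREDENTIALS


def bind_verify_first(entry: dict, password: str, now: float) -> str:
    """Requested ordering: only a caller who proved the password learns of expiry."""
    ok = hmac.compare_digest(_hash(password, entry["salt"]), entry["hash"])
    if not ok:
        return INVALID_CREDENTIALS  # same answer for expired and current accounts
    if now - entry["changed_at"] > MAX_AGE:
        return PASSWORD_EXPIRED
    return SUCCESS


# Constructed sample data: one expired account, one current account.
NOW = 1_459_600_000.0
expired_user = make_entry("old-secret", NOW - 120 * 86400)
fresh_user = make_entry("new-secret", NOW - 10 * 86400)
```

With the second ordering, a portal that receives the expired outcome can rely on the submitted password having been the correct one before it sends the user to the change screen.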
