You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@directory.apache.org by "Stefan Seelmann (Jira)" <ji...@apache.org> on 2021/04/03 19:00:00 UTC

[jira] [Updated] (DIRSERVER-2343) Unable to change expired password unless logging in as admin.

     [ https://issues.apache.org/jira/browse/DIRSERVER-2343?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stefan Seelmann updated DIRSERVER-2343:
---------------------------------------
                  Key: DIRSERVER-2343  (was: DIRAPI-299)
    Affects Version/s:     (was: 1.0.0-RC2)
              Project: Directory ApacheDS  (was: Directory Client API)

> Unable to change expired password unless logging in as admin.
> -------------------------------------------------------------
>
>                 Key: DIRSERVER-2343
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-2343
>             Project: Directory ApacheDS
>          Issue Type: Bug
>            Reporter: Michael Davis
>            Priority: Major
>
> Below is an email conversation I've had with [~elecharny] about an an issue with changing passwords after expiration when using a user other than uid=admin, ou=system.
> We've had to work around this by enabling grace logins, and treating a grace login as an expiration event. This allows the user to change their password after expiration, by consuming a grace login to do so. But it requires specifically coding around the issue, and there is still a possibility, depending on how the user interacts with the system, of having a user locked out such that only uid=admin,ou=system can resolve it.
> > From: Mike Davis [mailto:mdavis@rez1.com]
> > Sent: Wednesday, November 02, 2016 7:36 AM
> > To: users@directory.apache.org
> > Subject: Re: [ApacheDS | LDAP API] changing expired passwords
> >
> >
> >
> > Thanks for the quick response.
> >
> >
> > I have not set any of the grace login parameters at this time.
> >
> >
> >
> >
> > Get Outlook for Android
> >
> >
> >
> > From: Emmanuel Lécharny
> >
> > Sent: Wednesday, November 2, 4:00 AM
> >
> > Subject: Re: [ApacheDS | LDAP API] changing expired passwords
> >
> > To: users@directory.apache.org
> >
> >
> >
> > Hi ! Le 01/11/16 à 22:03, Mike Davis a écrit : > I've run into an issue with 
> > either Apache DS or the Apache LDAP API, or > both. > > > > Here's the 
> > scenario. > > > > I have a user whose password is expired. I want to force 
> > the user to > change their password. However, I can't distinguish between a 
> > case where > the user knows the password and where the user doesn't. I 
> > always get a > PasswordException with > 
> > passwordPolicyError=PasswordPolicyErrorEnum.PASSWORD_EXPIRED and > 
> > resultCode = ResultCodeEnum.INVALID_CREDENTIALS. > > > > On top of that, the 
> > LdapConnectionTemplate.modifyPassword() method that > takes old and new 
> > password doesn't work, because the library is attempting > to bind with the 
> > users old password, and we just get the same > PasswordException as above. 
> > If I use the 'asAdmin' flag, then the old > password is never checked. > > > 
> >  > I don't want to change the password as admin, because I have no way to > 
> > validate the user knows his old password. You should not be forced to use 
> > the admin flag to change an expired password. There is a paramter 
> > (pwdGraceUseTime) that let the user tries up a given delay to change an 
> > expired password. What is the value you have set for this parameter ? 
> > However, teh default should be infinite. I suspect there is a bug that 
> > should be fixed urgently...
> > Hi !
> >
> >
> > Le 01/11/16 à 22:03, Mike Davis a écrit :
> >> I've run into an issue with either Apache DS or the Apache LDAP API,
> >> or both.
> >>
> >>
> >>
> >> Here's the scenario.
> >>
> >>
> >>
> >> I have a user whose password is expired. I want to force the user to
> >> change their password. However, I can't distinguish between a case
> >> where the user knows the password and where the user doesn't. I always
> >> get a PasswordException with
> >> passwordPolicyError=PasswordPolicyErrorEnum.PASSWORD_EXPIRED  and
> >> resultCode = ResultCodeEnum.INVALID_CREDENTIALS.
> >>
> >>
> >>
> >> On top of that, the LdapConnectionTemplate.modifyPassword() method
> >> that takes old and new password doesn't work, because the library is
> >> attempting to bind with the users old password, and we just get the
> >> same PasswordException as above. If I use the 'asAdmin' flag, then the
> >> old password is never checked.
> >>
> >>
> >>
> >> I don't want to change the password as admin, because I have no way to
> >> validate the user knows his old password.
> > You should not be forced to use the admin flag to change an expired 
> > password. There is a paramter (pwdGraceUseTime) that let the user tries up a 
> > given delay to change an expired password. What is the value you have set 
> > for this parameter ?
> >
> > However, teh default should be infinite. I suspect there is a bug that 
> > should be fixed urgently...
> >



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@directory.apache.org
For additional commands, e-mail: dev-help@directory.apache.org