Posted to users@directory.apache.org by Ca...@ibs-ag.com on 2013/03/19 23:17:28 UTC

Want to force password end time

Hi All,
We have a password policy enabled for users with ads-pwdmustchange=TRUE.
When an admin changes a user's password, the pwdReset=true attribute is set on the user entry as expected.
We get the correct response control and direct a user to a change password page.
This all works great; however, this temporary password remains valid for the period defined in the policy.

Ideally, after receiving the response control for password must change, I'd like to expire the temporary password after 10 minutes.
This way if they defeat our change password routine by canceling it, the password wouldn't remain valid for long.

Since we never know when they'll first log in after pwdReset=true is set, this is something I want to do individually on the user entry during the login process.
I've tried setting pwdEndTime on the user entry. This looks like it might be what I want but I get a no user modification exception.

Can you think of any way to do this?
Thanks!


java.lang.Exception: [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for MessageType : MODIFY_REQUEST
Message ID : 67
    Modify Request
        Object : 'uid=1337172529807,ou=users,ou=int,o=cpro'
            Modification[0]
                Operation :  add
                Modification
pwdEndTime: 20130319220004.006Z
org.apache.directory.api.ldap.model.message.ModifyRequestImpl@8ae625e6: ERR_52 Cannot modify the attribute : ATTRIBUTE_TYPE ( 1.3.6.1.4.1.42.2.27.8.1.28
NAME 'pwdEndTime'
DESC The time the password becomes disabled
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE
NO-USER-MODIFICATION
USAGE directoryOperation
)
]


RE: Want to force password end time

Posted by Ca...@ibs-ag.com.
OK thank you both!

-----Original Message-----
From: ayyagarikiran@gmail.com [mailto:ayyagarikiran@gmail.com] On Behalf Of Kiran Ayyagari
Sent: Wednesday, March 20, 2013 6:17 AM
To: users@directory.apache.org
Subject: Re: Want to force password end time

On Wed, Mar 20, 2013 at 3:39 PM, Emmanuel Lécharny <el...@gmail.com> wrote:

> On 3/19/13 11:17 PM, Carlo.Accorsi@ibs-ag.com wrote:
> > Hi All,
> > We have a password policy enabled for users with ads-pwdmustchange=TRUE.
> > When an admin changes a user's password, the pwdReset=true
> > attribute is set on the user entry as expected.
> > We get the correct response control and direct a user to a change
> password page.
> > This all works great; however, this temporary password remains valid
> > for the period defined in the policy.
> >
> > Ideally, after receiving the response control for password must 
> > change,
> I'd like to expire the temporary password after 10 minutes.
> > This way if they defeat our change password routine by canceling it, 
> > the
> password wouldn't remain valid for long.
> >
> > Since we never know when the first time they'll login after
> pwdReset=true is set, this is something I want to do individually on 
> the user entry during the login process.
> > I've tried setting pwdEndTime on the user entry. This looks like it
> might be what I want but I get a no user modification exception.
>
> Which is normal, as this AttributeType (pwdEndTime) cannot be modified 
> by the user :
>
> attributetype ( 1.3.6.1.4.1.42.2.27.8.1.28
>     NAME 'pwdEndTime'
>     DESC 'The time the password becomes disabled'
>     EQUALITY generalizedTimeMatch
>     ORDERING generalizedTimeOrderingMatch
>     SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
>     SINGLE-VALUE
>     NO-USER-MODIFICATION
>  )
>
>
>
> >
> > Can you think of any way to do this?
>
> From the top of my head, that would probably require the development of 
> a specific control, to allow the modification of such an AttributeType, 
> for a specific user....
>
another way is to reset the password again as admin and notify the user,
mentioning clearly the validity of this temporary password

>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>
>


--
Kiran Ayyagari
http://keydap.com

Re: Want to force password end time

Posted by Kiran Ayyagari <ka...@apache.org>.
On Wed, Mar 20, 2013 at 3:39 PM, Emmanuel Lécharny <el...@gmail.com> wrote:

> On 3/19/13 11:17 PM, Carlo.Accorsi@ibs-ag.com wrote:
> > Hi All,
> > We have a password policy enabled for users with ads-pwdmustchange=TRUE.
> > When an admin changes a user's password, the pwdReset=true attribute is
> > set on the user entry as expected.
> > We get the correct response control and direct a user to a change
> password page.
> > This all works great; however, this temporary password remains valid for
> > the period defined in the policy.
> >
> > Ideally, after receiving the response control for password must change,
> I'd like to expire the temporary password after 10 minutes.
> > This way if they defeat our change password routine by canceling it, the
> password wouldn't remain valid for long.
> >
> > Since we never know when the first time they'll login after
> pwdReset=true is set, this is something I want to do individually on the
> user entry during the login process.
> > I've tried setting pwdEndTime on the user entry. This looks like it
> might be what I want but I get a no user modification exception.
>
> Which is normal, as this AttributeType (pwdEndTime) cannot be modified
> by the user :
>
> attributetype ( 1.3.6.1.4.1.42.2.27.8.1.28
>     NAME 'pwdEndTime'
>     DESC 'The time the password becomes disabled'
>     EQUALITY generalizedTimeMatch
>     ORDERING generalizedTimeOrderingMatch
>     SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
>     SINGLE-VALUE
>     NO-USER-MODIFICATION
>  )
>
>
>
> >
> > Can you think of any way to do this?
>
> From the top of my head, that would probably require the development of
> a specific control, to allow the modification of such an AttributeType,
> for a specific user....
>
another way is to reset the password again as admin and notify the user,
mentioning clearly the validity of this temporary password

>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>
>


-- 
Kiran Ayyagari
http://keydap.com

Re: Want to force password end time

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 3/19/13 11:17 PM, Carlo.Accorsi@ibs-ag.com wrote:
> Hi All,
> We have a password policy enabled for users with ads-pwdmustchange=TRUE.
> When an admin changes a user's password, the pwdReset=true attribute is set on the user entry as expected.
> We get the correct response control and direct a user to a change password page.
> This all works great; however, this temporary password remains valid for the period defined in the policy.
>
> Ideally, after receiving the response control for password must change, I'd like to expire the temporary password after 10 minutes.
> This way if they defeat our change password routine by canceling it, the password wouldn't remain valid for long.
>
> Since we never know when the first time they'll login after pwdReset=true is set, this is something I want to do individually on the user entry during the login process.
> I've tried setting pwdEndTime on the user entry. This looks like it might be what I want but I get a no user modification exception.

Which is normal, as this AttributeType (pwdEndTime) cannot be modified
by the user :

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.28
    NAME 'pwdEndTime'
    DESC 'The time the password becomes disabled'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
    SINGLE-VALUE
    NO-USER-MODIFICATION
 )



>
> Can you think of any way to do this?

From the top of my head, that would probably require the development of
a specific control, to allow the modification of such an AttributeType,
for a specific user....


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
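An added example, written for this thread and not taken from the posts or from ApacheDS, that ties the two answers together. It parses the attribute type description Emmanuel quoted (a minimal RFC 4512 parser, extensions ignored), refuses to build a MODIFY for an attribute flagged NO-USER-MODIFICATION (which is why the server answered INSUFFICIENT_ACCESS_RIGHTS, error 50, in the original post), and then keeps the poster's 10-minute temporary-password window on the application side, ending in the admin re-reset plus notification that Kiran suggested. The class name TempPasswordWindow, the simulate() helper, the in-memory store and the timestamps are all constructed for illustration.

```python
"""Client-side handling around a NO-USER-MODIFICATION attribute such as pwdEndTime.

Added example (not code from the thread or from ApacheDS): parse the schema
definition, pre-flight the MODIFY, and keep the 10-minute window in the app.
"""
import re
from datetime import datetime, timedelta, timezone

# The definition quoted in the thread, embedded here as a string.
PWD_END_TIME_DEF = """attributetype ( 1.3.6.1.4.1.42.2.27.8.1.28
    NAME 'pwdEndTime'
    DESC 'The time the password becomes disabled'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
    SINGLE-VALUE
    NO-USER-MODIFICATION
    USAGE directoryOperation )"""

FLAG_KEYWORDS = {"SINGLE-VALUE", "NO-USER-MODIFICATION", "COLLECTIVE", "OBSOLETE"}
VALUE_KEYWORDS = {"DESC", "SUP", "EQUALITY", "ORDERING", "SUBSTR", "SYNTAX", "USAGE"}

# Constructed base timestamp used by the demo scenario below.
BASE_TIME = datetime(2013, 3, 19, 22, 0, 0, tzinfo=timezone.utc)


def parse_attribute_type(definition):
    """Minimal RFC 4512 AttributeTypeDescription parser (X-* extensions are skipped)."""
    text = definition.strip()
    if text.lower().startswith("attributetype"):
        text = text[len("attributetype"):].strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("attribute type description must be parenthesised")
    # Tokens are quoted strings, single parentheses, or bare words.
    tokens = re.findall(r"'[^']*'|\(|\)|[^\s()]+", text[1:-1])
    info = {"oid": tokens[0], "names": [], "flags": set(), "usage": "userApplications"}
    i = 1
    while i < len(tokens):
        key = tokens[i]
        if key in FLAG_KEYWORDS:
            info["flags"].add(key)
            i += 1
        elif key == "NAME":                      # NAME 'x'  or  NAME ( 'x' 'y' )
            i += 1
            if tokens[i] == "(":
                i += 1
                while tokens[i] != ")":
                    info["names"].append(tokens[i].strip("'"))
                    i += 1
                i += 1
            else:
                info["names"].append(tokens[i].strip("'"))
                i += 1
        elif key in VALUE_KEYWORDS:
            info[key.lower()] = tokens[i + 1].strip("'")
            i += 2
        else:                                    # extension keyword or its value: skip
            i += 1
    info["name"] = info["names"][0] if info["names"] else info["oid"]
    return info


def modify_allowed(attr_info):
    """Pre-flight for a client MODIFY; mirrors the server rule behind error 50 in the thread."""
    if "NO-USER-MODIFICATION" in attr_info["flags"]:
        return False, (f"{attr_info['name']} is NO-USER-MODIFICATION "
                       f"(USAGE {attr_info['usage']}); only the server may set it")
    return True, "ok"


def to_generalized_time(dt):
    """LDAP GeneralizedTime (syntax 1.3.6.1.4.1.1466.115.121.1.24) in UTC, e.g. 20130319220004Z."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S") + "Z"


class TempPasswordWindow:
    """Application-side clock for a temporary (pwdReset=TRUE) password.

    Because pwdEndTime cannot be written by a client, the application starts its
    own window the first time it sees the must-change response control for a
    user. Hypothetical class; the store is in-memory for illustration only.
    """

    def __init__(self, window=timedelta(minutes=10)):
        self.window = window
        self._first_seen = {}          # uid -> first time the control was seen

    def on_login(self, uid, must_change, now):
        """Return the action the login handler should take for this bind."""
        if not must_change:            # password already changed: drop the clock
            self._first_seen.pop(uid, None)
            return "ok"
        first = self._first_seen.setdefault(uid, now)
        if now - first <= self.window:
            return "change-password"   # inside the window: send user to the change page
        return "re-reset"              # window exceeded: admin re-resets and notifies the user

    def deadline(self, uid):
        """GeneralizedTime the app treats as the temporary password's end (for the notice)."""
        return to_generalized_time(self._first_seen[uid] + self.window)


def simulate(events, base=BASE_TIME):
    """Replay (minutes_after_base, must_change) logins for one user; returns the actions."""
    w = TempPasswordWindow()
    return [w.on_login("uid=example", flag, base + timedelta(minutes=m)) for m, flag in events]


if __name__ == "__main__":
    info = parse_attribute_type(PWD_END_TIME_DEF)
    print(info["name"], sorted(info["flags"]), modify_allowed(info))
    print(simulate([(0, True), (10, True), (11, True), (12, False), (30, True)]))
```

The parser check is what saves the round trip: any attribute whose description carries NO-USER-MODIFICATION (pwdEndTime, and the other pwd* operational attributes in the same password-policy schema) will be rejected for a client MODIFY regardless of ACLs, so the application has to own the expiry window itself, as the window class does, and fall back to an admin re-reset once the window has passed.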