Watkins, Jayme <[EMAIL PROTECTED]> writes:

::snip::

> I suppose it is possible to check the “Password
> Last Set” attribute, but if LDAP won’t let the person login even
> with their good password anymore, what good is it to check it since I can’t
> validate their password?
>

It's important that the user be made aware *why* they can't log in (the password expired) and what they can do to correct the problem (go to a password self-service page, call the help desk, etc.).

Here's an example: we have a particularly high-traffic application that is a heavily kludged-up monstrosity that isn't able to give the user feedback on why their login failed, and the number one help request for that app is "I can't login". 99 times out of 100, we look them up and our response is "your password expired, here's how to get it reset". Basically, an hour a day is wasted answering these requests.

We've tried (along with many others!) to get the upstream vendor of the app (it's open source) to change this behavior, but the responses on the mailing lists leave something to be desired. We're replacing it at the end of the year.

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
