In my application, I use the an ldap connection pool. The login page checks out a connection, binds as the user, returns the connection and then decides what to do based upon the response. Standard stuff... However, we allow a single grace authentication. The desired behavior is that they attempt to log in, we see it is their one grace authentication and we redirect them to the change password page. However, the grace authentication was used up during the authentication process, so I can no longer bind as that user to get a connection to change the password. I COULD bind as admin to change the password but that would avoid all of the password policy settings. I could bind as admin, delete the grace authentication operation attribute, but what if there are more than one (a more generic situation). I could reset as admin to a temporary password, then bind as the user with that temporary password and reset to the supplied password. But I would then have to remember that temporary password for some unknown period in case their new password violated the policy in any way and they have to try again (or do the admin thing again). In this case I would be adding to the password history which would violate that rule in that we are not preserving the required number of passwords (effectively half or fewer).
So the question really boils down to this: how do I reset a different users password when I cannot bind as that user, but I still need to follow that users password policy? Any suggestions? Right now I am leaning toward resetting with admin to a temporary value, deleting the most recent pwdHistory attribute, binding as the user, and attempting the reset. That should work, but is there a better way? Thank You, Lucas Theisen [email protected]
