Hello Brian,

With apacheDS there are two ways to put a user’s account in reset state:

1. If password policy’s mustchange = true, and a new user account is added, the 
initial state of pwdreset flag on user account is true.

2. if you call the fortress resetPassword function, it will change the password 
and set pwdreset=true

In either case during authentication of account, if pwdreset is true you’ll get 
the error you’re receiving which is working as designed.

So far so good.  The way it is ‘supposed’ to work, is then the user connects to 
a process that allows them to change the password from the value applied during 
reset to a new one, that only they know.  Afterwards the pwdreset flag should 
be removed and the latest password applied.

Running through this scenario with apacheds doesn’t work.  The password gets 
changed, but the pwdreset is still set.

So, I’ll need to add a condition, to remove the flag, if apacheds.  slapd 
removes the flag automatically during change btw, but server impls will have 
small variances like that.

Shouldn’t take long, will let you know when fix is applied.

Thanks for letting us know,

Shawn
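
The server-specific condition Shawn describes, as an added illustration that is not Fortress's own code: a password-change modification list that also removes the pwdReset attribute when the directory is ApacheDS, and leaves it alone for slapd, which clears the flag itself. The attribute names userPassword and pwdReset, the class name, and the caller-supplied LdapConnection are assumptions.

```java
import java.util.ArrayList;
import java.util.List;

import org.apache.directory.api.ldap.model.entry.DefaultAttribute;
import org.apache.directory.api.ldap.model.entry.DefaultModification;
import org.apache.directory.api.ldap.model.entry.Modification;
import org.apache.directory.api.ldap.model.entry.ModificationOperation;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.ldap.client.api.LdapConnection;

/** Builds the LDAP modifications for a user-initiated password change after a reset. */
public final class PasswordChangeAfterReset {

    // Attribute names are assumptions; the thread calls the flag pwdReset / OPENLDAP_PW_RESET.
    private static final String PW_ATTR = "userPassword";
    private static final String PW_RESET_ATTR = "pwdReset";

    /**
     * Replace the password and, only for ApacheDS, explicitly delete pwdReset.
     * slapd removes the flag on its own during the change, so no extra
     * modification is sent for it.
     */
    public static List<Modification> buildChangePasswordMods(String newPassword, boolean isApacheDs) {
        List<Modification> mods = new ArrayList<>();
        mods.add(new DefaultModification(ModificationOperation.REPLACE_ATTRIBUTE, PW_ATTR, newPassword));
        if (isApacheDs) {
            // A REMOVE with no values deletes the whole attribute, clearing the reset state.
            mods.add(new DefaultModification(ModificationOperation.REMOVE_ATTRIBUTE,
                    new DefaultAttribute(PW_RESET_ATTR)));
        }
        return mods;
    }

    /** Apply the change over an already-bound connection supplied by the caller (hypothetical). */
    public static void changePassword(LdapConnection conn, String userDn, String newPassword,
                                      boolean isApacheDs) throws LdapException {
        List<Modification> mods = buildChangePasswordMods(newPassword, isApacheDs);
        conn.modify(new Dn(userDn), mods.toArray(new Modification[0]));
    }
}
```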

> On Jun 14, 2017, at 8:58 AM, Brian Brooks (US) <[email protected]> 
> wrote:
> 
> We're encountering a problem with authenticating a user after resetting their 
> password.  After performing a Fortress Rest /userReset on a user, subsequent 
> /rbacAuthN fail with the error:
> 
> FAILED calling rbacAuthN rc=1015 error message=checkPwPolicies for userId 
> [brian] PASSWORD HAS BEEN RESET BY LDAP_ADMIN_POOL_UID
> 
> the only way we've found to recover is to manually delete the pwdReset value 
> on the user entry uid=brian,ou=People,${suffix}.
> 
> Reading the code in 
> org.apache.directory.fortress.core.impl.UserDAO.resetUserPassword(User) we see
> 
       mods.add( new DefaultModification( ModificationOperation.REPLACE_ATTRIBUTE, OPENLDAP_PW_RESET, "TRUE" ) );
> 
> But we're unable to find any Fortress code that ever does something like
> 
       mods.add( new DefaultModification( ModificationOperation.REPLACE_ATTRIBUTE, OPENLDAP_PW_RESET, "FALSE" ) );
> 
> or deletes the pwdReset value.
> 
> How should the password reset use case work?  Is it expected that the 
> application using Fortress delete pwdReset or set the value to false?
> 
> **Environment**
> Fortress 2.0.0-RC2
> ApacheDS 2.0.0-M23
> Windows 10
> 
> Brian Brooks
> Sr Software Engineer
> [email protected]
> Office: +1 678 252 4498
> 2205 Northmont Pkwy, STE 100
> Duluth, GA 30096