> On Jun 14, 2017, at 9:16 AM, Shawn McKinney <[email protected]> wrote:
> 
> In either case during authentication of account, if pwdreset is true you’ll 
> get the error you’re receiving which is working as designed.
> 
> So far so good.  The way it is ‘supposed’ to work, is then the user connects 
> to a process that allows them to change the password from the value applied 
> during reset to a new one, that only they know.  Afterwards the pwdreset flag 
> should be removed and the latest password applied.
> 
> Running through this scenario with ApacheDS doesn’t work.  The password gets 
> changed, but the pwdreset is still set.

To be clear, the normal scenario is:

1. Administrator resets user’s password using the resetPassword API.
2. Admin sends new password to user.
3. User connects to a page that calls the changePassword API, where they enter 
the old password, supplied by admin, and the new password.
4. Afterwards, user logs on normally using either authenticate or createSession, 
using the new password.

If you just want to change the password, and not leave it in reset state, you 
should call the updateUser API.

Let me know if you have any questions.
