[ https://issues.apache.org/jira/browse/DIRAPI-299?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17314336#comment-17314336 ]
Stefan Seelmann commented on DIRAPI-299:
----------------------------------------

Email thread: https://lists.apache.org/thread.html/3d5f82e52b1be0557ec51ef513108d4eefd3940891c274eb61bc501d%40%3Cusers.directory.apache.org%3E

Moving to DIRSERVER as it seems it's a server side issue.

> Unable to change expired password unless logging in as admin.
> -------------------------------------------------------------
>
>                 Key: DIRAPI-299
>                 URL: https://issues.apache.org/jira/browse/DIRAPI-299
>             Project: Directory Client API
>          Issue Type: Bug
>    Affects Versions: 1.0.0-RC2
>            Reporter: Michael Davis
>            Priority: Major
>
> Below is an email conversation I've had with [~elecharny] about an issue
> with changing passwords after expiration when using a user other than
> uid=admin, ou=system.
> We've had to work around this by enabling grace logins, and treating a grace
> login as an expiration event. This allows the user to change their password
> after expiration, by consuming a grace login to do so. But it requires
> specifically coding around the issue, and there is still a possibility,
> depending on how the user interacts with the system, of having a user locked
> out such that only uid=admin,ou=system can resolve it.
>
> > From: Mike Davis [mailto:mda...@rez1.com]
> > Sent: Wednesday, November 02, 2016 7:36 AM
> > To: us...@directory.apache.org
> > Subject: Re: [ApacheDS | LDAP API] changing expired passwords
> >
> > Thanks for the quick response.
> >
> > I have not set any of the grace login parameters at this time.
> >
> > From: Emmanuel Lécharny
> > Sent: Wednesday, November 2, 4:00 AM
> > Subject: Re: [ApacheDS | LDAP API] changing expired passwords
> > To: us...@directory.apache.org
> >
> > Hi !
> >
> > On 01/11/16 at 22:03, Mike Davis wrote:
> > > I've run into an issue with either Apache DS or the Apache LDAP API,
> > > or both.
> > >
> > > Here's the scenario.
> > >
> > > I have a user whose password is expired. I want to force the user to
> > > change their password. However, I can't distinguish between a case
> > > where the user knows the password and where the user doesn't. I always
> > > get a PasswordException with
> > > passwordPolicyError=PasswordPolicyErrorEnum.PASSWORD_EXPIRED and
> > > resultCode = ResultCodeEnum.INVALID_CREDENTIALS.
> > >
> > > On top of that, the LdapConnectionTemplate.modifyPassword() method
> > > that takes old and new password doesn't work, because the library is
> > > attempting to bind with the user's old password, and we just get the
> > > same PasswordException as above. If I use the 'asAdmin' flag, then the
> > > old password is never checked.
> > >
> > > I don't want to change the password as admin, because I have no way to
> > > validate the user knows his old password.
> >
> > You should not be forced to use the admin flag to change an expired
> > password. There is a parameter (pwdGraceUseTime) that lets the user try,
> > up to a given delay, to change an expired password. What is the value you
> > have set for this parameter?
> >
> > However, the default should be infinite. I suspect there is a bug that
> > should be fixed urgently...

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
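Handling the two situations the report describes from the application side (the PASSWORD_EXPIRED rejection on the old-password bind, and the grace-login workaround), as an added example that is not code from the issue or from the Apache LDAP API project. It assumes the 1.0 API line's package names, that LdapConnectionTemplate.authenticate() returns a PasswordWarning whose getGraceAuthNsRemaining() is negative when the bind response carried no grace count, and that grace logins are enabled in the server's password policy, which is what makes login() below work at all.

```java
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyErrorEnum;
import org.apache.directory.api.ldap.model.message.ResultCodeEnum;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.ldap.client.template.LdapConnectionTemplate;
import org.apache.directory.ldap.client.template.PasswordWarning;
import org.apache.directory.ldap.client.template.exception.PasswordException;

/** Login outcome as seen by the application (constructed for this example). */
enum LoginOutcome { OK, MUST_CHANGE_PASSWORD, REJECTED }

public class ExpiredPasswordFlow {
    private final LdapConnectionTemplate template;

    public ExpiredPasswordFlow(LdapConnectionTemplate template) {
        this.template = template;
    }

    /** The rejection from the report: the old password is expired, even when it is correct. */
    static boolean isExpiredBindRejection(PasswordException e) {
        return e.getResultCode() == ResultCodeEnum.INVALID_CREDENTIALS
            && e.getPasswordPolicyError() == PasswordPolicyErrorEnum.PASSWORD_EXPIRED;
    }

    /** Bind as the user. With grace logins enabled, an expired password still binds but
     *  returns a PasswordWarning with the grace count; the workaround treats that as expiry. */
    public LoginOutcome login(Dn userDn, char[] password) {
        try {
            PasswordWarning warning = template.authenticate(userDn, password);
            // Assumption: the count is negative when the bind response carried none.
            if (warning != null && warning.getGraceAuthNsRemaining() >= 0) {
                return LoginOutcome.MUST_CHANGE_PASSWORD; // spend this grace login on the change
            }
            return LoginOutcome.OK;
        } catch (PasswordException e) {
            // Without grace logins this branch is hit for a right and a wrong
            // password alike, so the two cannot be told apart (the reported bug).
            return LoginOutcome.REJECTED;
        }
    }

    /** Change as the user, never with asAdmin=true, so the bind proves the old password. */
    public PasswordPolicyErrorEnum changePassword(Dn userDn, char[] oldPw, char[] newPw) {
        try {
            template.modifyPassword(userDn, oldPw, newPw);
            return null; // success
        } catch (PasswordException e) {
            // isExpiredBindRejection(e) holds in the reported case; surface the policy error.
            return e.getPasswordPolicyError();
        }
    }
}
```

A caller that gets MUST_CHANGE_PASSWORD from login() should prompt for a new password immediately and call changePassword() with the credentials just verified, since every further login consumes another grace login and can leave the account recoverable only by uid=admin,ou=system.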