Hi All,
We have a password policy enabled for users with ads-pwdmustchange=TRUE.
When an admin changes a user's password, the pwdReset=true attribute is set
on the user entry as expected.
We get the correct response control and direct a user to a change password page.
This all works great; however, this temporary password remains valid for the
period defined in the policy.
Ideally, after receiving the response control for password must change, I'd
like to expire the temporary password after 10 minutes.
This way if they defeat our change password routine by canceling it, the
password wouldn't remain valid for long.
Since we never know when they'll first log in after pwdReset=true is set, this
is something I want to do individually on the user entry during the login
process.
I've tried setting pwdEndTime on the user entry. This looks like it might be
what I want, but I get a NO-USER-MODIFICATION exception.
Can you think of any way to do this?
Thanks!
java.lang.Exception: [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed
for MessageType : MODIFY_REQUEST
Message ID : 67
Modify Request
Object : 'uid=1337172529807,ou=users,ou=int,o=cpro'
Modification[0]
Operation : add
Modification
pwdEndTime: 20130319220004.006Z
org.apache.directory.api.ldap.model.message.ModifyRequestImpl@8ae625e6: ERR_52
Cannot modify the attribute : ATTRIBUTE_TYPE ( 1.3.6.1.4.1.42.2.27.8.1.28
NAME 'pwdEndTime'
DESC The time the password becomes disabled
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE
NO-USER-MODIFICATION
USAGE directoryOperation
)
]
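An added example, not part of this thread or of ApacheDS: the error above is the server refusing a user-initiated modify of an attribute whose schema carries NO-USER-MODIFICATION and USAGE directoryOperation, i.e. an operational attribute the server maintains itself. The small parser below reads RFC 4512 attribute type descriptions (the format ApacheDS pretty-prints in the exception) and lets a client pre-check a planned modification against the schema before sending it, so the rejection is caught with a clear message instead of a generic error code 50. The pwdEndTime definition is the one from the error, re-joined onto one line with the DESC quoted as RFC 4512 requires; the 'description' definition is the standard one from RFC 4519 and is included only for contrast. The function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed from the attributeType printed in the error above (one line, DESC quoted).
PWD_END_TIME_DEF = (
    "( 1.3.6.1.4.1.42.2.27.8.1.28 NAME 'pwdEndTime' "
    "DESC 'The time the password becomes disabled' "
    "EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-MODIFICATION "
    "USAGE directoryOperation )"
)

# Standard user attribute (RFC 4519) used here only as a contrasting sample.
DESCRIPTION_DEF = (
    "( 2.5.4.13 NAME 'description' EQUALITY caseIgnoreMatch "
    "SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )"
)


@dataclass
class AttributeType:
    oid: str
    names: List[str]
    desc: Optional[str]
    syntax: Optional[str]
    single_value: bool
    no_user_modification: bool
    usage: str  # RFC 4512 default is userApplications when USAGE is absent


def _tokenize(text: str) -> List[str]:
    # Quoted strings, parentheses, or bare words (OIDs, keywords, matching rules).
    return re.findall(r"'[^']*'|\(|\)|[^\s()']+", text)


def parse_attribute_type(definition: str) -> AttributeType:
    """Parse an RFC 4512 AttributeTypeDescription into an AttributeType."""
    tokens = _tokenize(definition.strip())
    if len(tokens) < 3 or tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("attribute type description must be enclosed in parentheses")
    tokens = tokens[1:-1]
    oid = tokens[0]
    names: List[str] = []
    desc = syntax = None
    single_value = no_user_mod = False
    usage = "userApplications"
    i = 1
    while i < len(tokens):
        kw = tokens[i].upper()
        i += 1
        if kw == "NAME":
            if tokens[i] == "(":  # NAME ( 'a' 'b' ) form
                end = tokens.index(")", i)
                names = [t.strip("'") for t in tokens[i + 1:end]]
                i = end + 1
            else:
                names = [tokens[i].strip("'")]
                i += 1
        elif kw == "DESC":
            desc = tokens[i].strip("'")
            i += 1
        elif kw == "SYNTAX":
            syntax = tokens[i]
            i += 1
        elif kw == "USAGE":
            usage = tokens[i]
            i += 1
        elif kw == "SINGLE-VALUE":
            single_value = True
        elif kw == "NO-USER-MODIFICATION":
            no_user_mod = True
        elif kw in ("EQUALITY", "ORDERING", "SUBSTR", "SUP") or kw.startswith("X-"):
            # One-argument keywords; X- extensions may also take a ( ... ) group.
            if tokens[i] == "(":
                i = tokens.index(")", i) + 1
            else:
                i += 1
        # OBSOLETE and COLLECTIVE are flags with no argument: nothing to consume.
    return AttributeType(oid, names, desc, syntax, single_value, no_user_mod, usage)


def build_schema(definitions: List[str]) -> Dict[str, AttributeType]:
    """Index parsed types by OID and by every name (LDAP names are case-insensitive)."""
    schema: Dict[str, AttributeType] = {}
    for definition in definitions:
        at = parse_attribute_type(definition)
        schema[at.oid.lower()] = at
        for name in at.names:
            schema[name.lower()] = at
    return schema


def rejected_modifications(schema: Dict[str, AttributeType], attrs: List[str]) -> List[str]:
    """Names in a planned modify request that the schema says users may not modify.
    Sending these anyway yields a server-side refusal (error code 50 in the case above)."""
    return [a for a in attrs if (at := schema.get(a.lower())) and at.no_user_modification]


if __name__ == "__main__":
    schema = build_schema([PWD_END_TIME_DEF, DESCRIPTION_DEF])
    planned = ["description", "pwdEndTime"]
    for attr in rejected_modifications(schema, planned):
        at = schema[attr.lower()]
        print(f"{attr}: NO-USER-MODIFICATION, USAGE {at.usage}; server-maintained, "
              f"cannot be set by a client modify request")
```

Run against the two sample definitions it reports pwdEndTime as server-maintained and passes description through, which is exactly the split the exception above reflects: pwdEndTime is computed by the password policy subsystem, so a client-side modify of it is the wrong lever regardless of the bind identity's ACLs.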