On 3/19/13 11:17 PM, [email protected] wrote:
> Hi All,
> We have a password policy enabled for users with ads-pwdmustchange=TRUE.
> When an admin changes a user's password, the pwdReset=true attribute is set
> on the user entry as expected.
> We get the correct response control and direct a user to a change password
> page.
> This all works great; however, this temporary password remains valid for
> the period defined in the policy.
>
> Ideally, after receiving the response control for password must change, I'd
> like to expire the temporary password after 10 minutes.
> This way if they defeat our change password routine by canceling it, the
> password wouldn't remain valid for long.
>
> Since we never know when the first time they'll login after pwdReset=true is
> set, this is something I want to do individually on the user entry during the
> login process.
> I've tried setting pwdEndTime on the user entry. This looks like it might be
> what I want but I get a no user modification exception.
Which is normal, as this AttributeType (pwdEndTime) cannot be modified
by the user:

    attributetype ( 1.3.6.1.4.1.42.2.27.8.1.28
        NAME 'pwdEndTime'
        DESC 'The time the password becomes disabled'
        EQUALITY generalizedTimeMatch
        ORDERING generalizedTimeOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
        SINGLE-VALUE
        NO-USER-MODIFICATION
    )
>
> Can you think of any way to do this?
From the top of my head, that would probably require the development of
a specific control, to allow the modification of such an AttributeType,
for a specific user....
--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com