On Wed, Mar 20, 2013 at 3:39 PM, Emmanuel Lécharny <[email protected]> wrote:

> On 3/19/13 11:17 PM, [email protected] wrote:
> > Hi All,
> >
> > We have a password policy enabled for users with ads-pwdmustchange=TRUE.
> > When an admin changes a user's password, the pwdReset=true attribute is set on the user entry as expected.
> > We get the correct response control and direct a user to a change password page.
> > This all works great however, this temporary password remains valid for the period defined in the policy.
> >
> > Ideally, after receiving the response control for password must change, I'd like to expire the temporary password after 10 minutes.
> > This way if they defeat our change password routine by canceling it, the password wouldn't remain valid for long.
> >
> > Since we never know when the first time they'll login after pwdReset=true is set, this is something I want to do individually on the user entry during the login process.
> > I've tried setting pwdEndTime on the user entry. This looks like it might be what I want but I get a no user modification exception.
>
> Which is normal, as this AttributeType (pwdEndTime) cannot be modified by the user:
>
> attributetype ( 1.3.6.1.4.1.42.2.27.8.1.28
>     NAME 'pwdEndTime'
>     DESC 'The time the password becomes disabled'
>     EQUALITY generalizedTimeMatch
>     ORDERING generalizedTimeOrderingMatch
>     SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
>     SINGLE-VALUE
>     NO-USER-MODIFICATION
>     )
>
> > Can you think of any way to do this?
>
> From the top of my head, that would probably require the development of a specific control, to allow the modification of such an AttributeType, for a specific user....

Another way is to reset the password again as admin and notify the user, mentioning clearly the validity of this temporary password.

> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com

--
Kiran Ayyagari
http://keydap.com
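The workaround discussed in this thread, sketched as an added example that is not part of the original messages and is not ApacheDS code: because pwdEndTime cannot be written, the login code tracks the 10-minute window itself and reports when the admin re-reset suggested above is due. The class `TempPasswordGate`, its return values, and the use of the entry's pwdChangedTime as a marker for "which admin reset is this" are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Window from the thread: temporary password usable for 10 minutes after first login.
TEMP_PASSWORD_WINDOW = timedelta(minutes=10)


class TempPasswordGate:
    """Hypothetical application-side tracker; not an ApacheDS or LDAP API class."""

    def __init__(self, window=TEMP_PASSWORD_WINDOW):
        self.window = window
        # dn -> (reset marker, time of first login with that temporary password).
        # In-memory for the example; a real deployment needs a store shared by all nodes.
        self._first_use = {}

    def check(self, dn, must_change, reset_marker, now):
        """Call after a successful bind.

        must_change:  True when the bind returned the "password must change" response control.
        reset_marker: value identifying the current admin reset; assumed here to be the
                      entry's pwdChangedTime, read by the application.
        Returns "ok", "must_change" (send user to the change-password page) or
        "expired" (end the session and have an admin reset the password again).
        """
        key = dn.lower()
        if not must_change:
            self._first_use.pop(key, None)  # password was changed; forget the window
            return "ok"
        seen = self._first_use.get(key)
        if seen is None or seen[0] != reset_marker:
            # First login with this temporary password, or a fresh admin reset.
            self._first_use[key] = (reset_marker, now)
            return "must_change"
        return "must_change" if now - seen[1] <= self.window else "expired"


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    gate = TempPasswordGate()
    dn = "uid=jdoe,ou=users,dc=example,dc=com"
    t0 = datetime(2013, 3, 20, 15, 0, tzinfo=timezone.utc)
    for minutes, marker in [(0, "20130320145000Z"), (9, "20130320145000Z"),
                            (11, "20130320145000Z"), (12, "20130320151100Z")]:
        print(minutes, gate.check(dn, True, marker, t0 + timedelta(minutes=minutes)))
```

On "expired" the temporary password is still valid in the directory until the admin reset actually happens, so the application should treat that reset as part of the same code path rather than a later cleanup.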
