Hi, we've been using that feature for quite some time to force a user to change their
password after it's been reset by an admin.

Make sure the user(s) you want this to affect have the pwdPolicySubEntry
attribute set on their entry with the DN of the password policy entry.

For example:

dn: uid=jsmith,ou=users,ou=int,o=company
uid: jsmith
cn: jsmith
...
pwdPolicySubEntry: ads-pwdId=internalUsers,ou=passwordPolicies,
 ads-interceptorId=authenticationInterceptor,ou=interceptors,
 ads-directoryServiceId=default,ou=config

Then on the policy entry itself, the attribute ads-pwdMustChange must be set
to TRUE, and the policy must be enabled (ads-enabled=TRUE).

If you've made changes to the policy, restart the server. 

Then if an admin, using the bind credentials (uid=admin,ou=system), sets the
password for jsmith, the pwdReset attribute is added to their user entry.
The next time jsmith binds with their credentials, you get a signal in the
bind response that the password must change.
Here's some pseudo code:

        BindRequest bindRequest = new BindRequestImpl();
        bindRequest.setDn(dn);
        bindRequest.setCredentials(strPassword);

        // attach the Password Policy request control to the bind
        LdapApiService codec = LdapApiServiceFactory.getSingleton();
        PasswordPolicyDecorator pwCtrl = new PasswordPolicyDecorator(codec, new PasswordPolicyImpl());
        bindRequest.addControl(pwCtrl);

        BindResponse bindResponse = connection.bind(bindRequest);

        // the server returns the response control under the same OID as the request
        // control; it is absent if the policy is disabled or the user has no pwdPolicySubEntry
        Control ctrl = bindResponse.getControls().get(pwCtrl.getOid());
        PasswordPolicyResponse pw = null;

        if (ctrl != null)
        {
            PasswordPolicy pwPolicy = ((PasswordPolicyDecorator) ctrl).getDecorated();

            if (pwPolicy.hasResponse())
            {
                pw = pwPolicy.getResponse();
                // process password response.

                if (PasswordPolicyErrorEnum.CHANGE_AFTER_RESET == pw.getPasswordPolicyError())
                {
                    // this will be true when the pwdReset attr is present on the user.
                    // call your change password code here
                }
            }
        }

After the jsmith user changes their password (with their own credentials) the
pwdReset attribute is removed from their entry.

Hope this helps.
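An added end-to-end version of the flow described above (my example, not code from the original message or from the ApacheDS project): bind with the Password Policy control, detect CHANGE_AFTER_RESET, change the password from the user's own session with the RFC 3062 Password Modify extended operation, then bind again to confirm the error is gone. It assumes Apache LDAP API 1.0 with api-ldap-extras-codec on the classpath, a server that supports Password Modify, and the host, port and DN values are constructed placeholders.

```java
import org.apache.directory.api.ldap.codec.api.LdapApiServiceFactory;
import org.apache.directory.api.ldap.extras.controls.ppolicy.*;
import org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyDecorator;
import org.apache.directory.api.ldap.extras.extended.pwdModify.PasswordModifyRequestImpl;
import org.apache.directory.api.ldap.model.message.*;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

public class ResetPasswordFlow
{
    // Constructed placeholders: point these at your own server and user entry.
    static final String HOST = "localhost", USER_DN = "uid=jsmith,ou=users,ou=int,o=company";
    static final int PORT = 10389;

    /** Binds with the Password Policy request control; returns the policy error, or null if none. */
    static PasswordPolicyErrorEnum bindWithPolicy( LdapNetworkConnection conn, String pwd ) throws Exception
    {
        PasswordPolicyDecorator reqCtrl = new PasswordPolicyDecorator(
            LdapApiServiceFactory.getSingleton(), new PasswordPolicyImpl() );
        BindRequest req = new BindRequestImpl();
        req.setDn( new Dn( USER_DN ) );
        req.setCredentials( pwd );
        req.addControl( reqCtrl );
        BindResponse resp = conn.bind( req );
        if ( resp.getLdapResult().getResultCode() != ResultCodeEnum.SUCCESS ) throw new IllegalStateException( "bind failed: " + resp.getLdapResult() );
        // The response control comes back under the request control's OID; it is absent when the
        // policy is disabled or the entry has no pwdPolicySubEntry, so null means "no error".
        Control respCtrl = resp.getControls().get( reqCtrl.getOid() );
        if ( respCtrl == null ) return null;
        PasswordPolicy pp = ( ( PasswordPolicyDecorator ) respCtrl ).getDecorated();
        return pp.hasResponse() ? pp.getResponse().getPasswordPolicyError() : null;
    }

    public static void main( String[] args ) throws Exception
    {
        String tempPwd = args[0], newPwd = args[1]; // admin-set temporary password, then its replacement
        try ( LdapNetworkConnection conn = new LdapNetworkConnection( HOST, PORT ) )
        {
            if ( bindWithPolicy( conn, tempPwd ) != PasswordPolicyErrorEnum.CHANGE_AFTER_RESET ) return;
            // pwdReset is present: change the password in the user's own session (RFC 3062 Password Modify).
            PasswordModifyRequestImpl change = new PasswordModifyRequestImpl();
            change.setUserIdentity( USER_DN.getBytes( "UTF-8" ) );
            change.setOldPassword( tempPwd.getBytes( "UTF-8" ) );
            change.setNewPassword( newPwd.getBytes( "UTF-8" ) );
            System.out.println( "password modify: " + conn.extended( change ).getLdapResult().getResultCode() );
            // A second bind with the new password no longer reports CHANGE_AFTER_RESET (pwdReset was removed).
            System.out.println( "after change: " + bindWithPolicy( conn, newPwd ) );
        }
    }
}
```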


-----Original Message-----
From: brock samson [mailto:[email protected]] 
Sent: Thursday, March 05, 2015 12:39 PM
To: [email protected]
Subject: pwdMustChange not working

I am running apacheds2-M19, and changing the pwdMustChange password policy
attribute's value from FALSE to TRUE does not have any effect. After a server
restart and using the typical LdapNetworkConnection.bind() function, the
response is marked with SUCCESS. Also, despite the very good description of pretty
much every password policy attribute on your doc site, there is absolutely
nothing written about this particular attribute.