Thanks for the quick response. 


I have not set any of the grace login parameters at this time.







From: Emmanuel Lécharny

Sent: Wednesday, November 2, 4:00 AM

Subject: Re: [ApacheDS | LDAP API] changing expired passwords

To: users@directory.apache.org



Hi!

On 01/11/16 at 22:03, Mike Davis wrote:
> I've run into an issue with either Apache DS or the Apache LDAP API, or
> both.
>
> Here's the scenario.
>
> I have a user whose password is expired. I want to force the user to
> change their password. However, I can't distinguish between a case where
> the user knows the password and where the user doesn't. I always get a
> PasswordException with
> passwordPolicyError=PasswordPolicyErrorEnum.PASSWORD_EXPIRED and
> resultCode = ResultCodeEnum.INVALID_CREDENTIALS.
>
> On top of that, the LdapConnectionTemplate.modifyPassword() method that
> takes old and new password doesn't work, because the library is attempting
> to bind with the user's old password, and we just get the same
> PasswordException as above. If I use the 'asAdmin' flag, then the old
> password is never checked.
>
> I don't want to change the password as admin, because I have no way to
> validate the user knows his old password.

You should not be forced to use the admin flag to change an expired
password. There is a parameter (pwdGraceUseTime) that lets the user try,
up to a given delay, to change an expired password. What is the value you
have set for this parameter?

However, the default should be infinite. I suspect there is a bug that
should be fixed urgently...
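A small wrapper around the self-service change discussed above, added here as an example (it is not code from this thread or from the Apache LDAP API project). It assumes the Apache LDAP API 1.x client template classes named in the thread and constructed host, port and DN values; it always supplies the old password, never sets asAdmin, and reports "expired" separately from "wrong old password" so the caller cannot mistake an expired-password failure for a verified one.

```java
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyErrorEnum;
import org.apache.directory.api.ldap.model.exception.LdapInvalidDnException;
import org.apache.directory.api.ldap.model.message.ResultCodeEnum;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.ldap.client.api.DefaultPoolableLdapConnectionFactory;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapConnectionPool;
import org.apache.directory.ldap.client.template.LdapConnectionTemplate;
import org.apache.directory.ldap.client.template.exception.PasswordException;

public class UserPasswordChange {

    /** What the application learns from one change attempt. */
    public enum Outcome { CHANGED, WRONG_OLD_PASSWORD, EXPIRED_NOT_VERIFIED, OTHER_FAILURE }

    private final LdapConnectionTemplate template;

    // Constructed values: host/port and the pool's bind identity are assumptions, not from the thread.
    public UserPasswordChange(String host, int port, String poolDn, String poolPassword) {
        LdapConnectionConfig config = new LdapConnectionConfig();
        config.setLdapHost(host);
        config.setLdapPort(port);
        config.setName(poolDn);
        config.setCredentials(poolPassword);
        template = new LdapConnectionTemplate(
            new LdapConnectionPool(new DefaultPoolableLdapConnectionFactory(config)));
    }

    /**
     * Self-service change: the 3-argument modifyPassword binds as the user with the
     * old password (asAdmin=false), so the server, not this code, proves possession.
     */
    public Outcome change(String userDn, char[] oldPassword, char[] newPassword) {
        try {
            template.modifyPassword(new Dn(userDn), oldPassword, newPassword);
            return Outcome.CHANGED;
        } catch (PasswordException e) {
            if (e.getPasswordPolicyError() == PasswordPolicyErrorEnum.PASSWORD_EXPIRED) {
                // As the thread describes, this is raised whether or not the old password
                // was right, so treat it as "not verified" rather than retrying with asAdmin.
                return Outcome.EXPIRED_NOT_VERIFIED;
            }
            if (e.getResultCode() == ResultCodeEnum.INVALID_CREDENTIALS) {
                return Outcome.WRONG_OLD_PASSWORD;
            }
            return Outcome.OTHER_FAILURE;
        } catch (LdapInvalidDnException e) {
            return Outcome.OTHER_FAILURE;
        }
    }
}
```

Treat EXPIRED_NOT_VERIFIED as a reason to send the user through a separate, authenticated reset flow, not as permission to call the asAdmin overload on their behalf.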
