[389-users] Password policy during grace login / expiration warning

Rich Megginson rmeggins at redhat.com
Wed Mar 24 01:21:15 UTC 2010


Aaron Hagopian wrote:
> I am having an issue with regard to handling expiring passwords during 
> the grace period.  I also filed a bug because I find the behavior to 
> not be as expected 
> (https://bugzilla.redhat.com/show_bug.cgi?id=576303).  But to 
> summarize my bug report, in my code that checks a user's credentials 
> (username / password) I ask the server for
> the response controls (using Java/JNDI).  When the user's pass hasn't 
> expired yet but they are in the warning period, in the response 
> I receive 2.16.840.1.113730.3.4.5 indicating the password is expiring, 
> which works great.
>
> Then when their password actually expires and they still haven't 
> changed it yet (Glass half full, they just haven't logged in during 
> that time and didn't ignore my warnings) and I have, say, 3 grace logins 
> allowed in the policy, the server doesn't respond with the warning 
> (2.16.840.1.113730.3.4.5) or the password expired response control 
> (2.16.840.1.113730.3.4.4).
>
> The only way I can determine during the grace period that the password 
> is actually expired and I'm on my grace login seems to be by checking 
> the passwordExpiredTime attribute by hand.  This just seems silly to 
> me since the server knows the password expired and it knows to 
> increment the passwordGraceUserTime attribute for each successful 
> login after the password expired.  I would think the server would 
> respond with both 2.16.840.1.113730.3.4.5 and 2.16.840.1.113730.3.4.4 
> like it does when your password is reset by the administrator.
>
> Am I missing something?  Anyone else have a cleaner way 
> of determining that it's a grace period login?
I think it should return the pwexpired control.  But according to this 
http://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-7.4 
you should be able to determine how many grace logins are remaining?
> By the way, for the record I'm accessing this in Java, not sure it 
> matters and here's a little code blurb:
>
>             // Needs: javax.naming.ldap.Control, InitialLdapContext, LdapContext
>             // (env holds the provider URL, the bind DN and the password)
>             LdapContext ctx = new InitialLdapContext(env, null);
>             // Controls the server attached to the bind result; the
>             // password-policy OIDs (2.16.840.1.113730.3.4.4 / .5) appear here
>             Control[] ctls = ctx.getResponseControls();
>             if (ctls != null) {
>                 for (Control control : ctls) {
>                     System.out.println(control.getID());
>                 }
>             }
>
> Also if this question should be on the devel list I apologize but I 
> figured that was for actually coding the 389 directory server.
This list is fine.
>
> Thanks,
>
> Aaron Hagopian
> ------------------------------------------------------------------------
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
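Added example (not code from the original post or from 389 Directory Server): a decoder for the bind response controls discussed above, so the client can tell "expiring", "expired" and "grace login" apart without reading passwordExpirationTime by hand. It handles the two Netscape controls and the PasswordPolicyResponseValue of draft-behera (OID 1.3.6.1.4.1.42.2.27.8.5.1), whose graceAuthNsRemaining warning is the field section 7.4 refers to. The control values are constructed inline; that the Netscape expiring control carries the seconds left as ASCII digits is an assumption of this example, as is the `classify_bind` helper name.

```python
"""Decode LDAP password-policy bind response controls (constructed example)."""

PWEXPIRED = "2.16.840.1.113730.3.4.4"   # Netscape: password expired, no value
PWEXPIRING = "2.16.840.1.113730.3.4.5"  # Netscape: expiring; value assumed to be seconds left as ASCII
PPOLICY = "1.3.6.1.4.1.42.2.27.8.5.1"   # draft-behera password policy control

# ENUMERATED values of the "error" field, in draft-behera order (0..8)
PPOLICY_ERRORS = [
    "passwordExpired", "accountLocked", "changeAfterReset",
    "passwordModNotAllowed", "mustSupplyOldPassword",
    "insufficientPasswordQuality", "passwordTooShort", "passwordTooYoung",
    "passwordInHistory",
]


def _read_tlv(buf, pos):
    """Read one BER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def _ber_int(value):
    return int.from_bytes(value, "big", signed=True)


def decode_ppolicy_response(value):
    """Decode PasswordPolicyResponseValue (draft-behera section 6.2):

    SEQUENCE {
      warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
                           graceAuthNsRemaining [1] INTEGER } OPTIONAL,
      error   [1] ENUMERATED OPTIONAL }
    """
    tag, body, _ = _read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("PasswordPolicyResponseValue must be a SEQUENCE")
    out = {"time_before_expiration": None, "grace_authns_remaining": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == 0xA0:                    # warning [0], constructed CHOICE
            wtag, wval, _ = _read_tlv(inner, 0)
            if wtag == 0x80:
                out["time_before_expiration"] = _ber_int(wval)
            elif wtag == 0x81:
                out["grace_authns_remaining"] = _ber_int(wval)
            else:
                raise ValueError(f"unknown warning tag 0x{wtag:02x}")
        elif tag == 0x81:                  # error [1], primitive ENUMERATED
            code = _ber_int(inner)
            out["error"] = PPOLICY_ERRORS[code] if 0 <= code < len(PPOLICY_ERRORS) else f"unknown({code})"
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in PasswordPolicyResponseValue")
    return out


def classify_bind(controls, bind_succeeded=True):
    """Summarise the controls of one bind: list of (oid, value-bytes-or-None).

    A grace login is a successful bind made with an already expired password:
    either the server says so via graceAuthNsRemaining, or it returns the
    Netscape "expired" control on a bind that nevertheless succeeded.
    """
    state = {"expired": False, "seconds_left": None, "grace_remaining": None,
             "ppolicy_error": None, "grace_login": False}
    for oid, value in controls:
        if oid == PWEXPIRED:
            state["expired"] = True
        elif oid == PWEXPIRING:
            state["seconds_left"] = int(value.decode("ascii"))
        elif oid == PPOLICY:
            pp = decode_ppolicy_response(value)
            state["ppolicy_error"] = pp["error"]
            state["grace_remaining"] = pp["grace_authns_remaining"]
            if pp["time_before_expiration"] is not None:
                state["seconds_left"] = pp["time_before_expiration"]
            if pp["error"] == "passwordExpired":
                state["expired"] = True
    state["grace_login"] = bind_succeeded and (
        state["grace_remaining"] is not None or state["expired"])
    return state


if __name__ == "__main__":
    # Constructed control values: warning period, grace login, grace exhausted.
    print(classify_bind([(PWEXPIRING, b"86400")]))
    print(classify_bind([(PWEXPIRED, None), (PPOLICY, b"\x30\x05\xa0\x03\x81\x01\x02")]))
    print(classify_bind([(PPOLICY, b"\x30\x03\x81\x01\x00")], bind_succeeded=False))
```

To receive the draft-behera response control at all, the client has to send the password policy request control (same OID, no value) with the bind; the Netscape controls are returned without being requested.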