[389-users] PasswordExpiringControl, PasswordExpiredControl and DraftBeheraLDAPPasswordPolicy10RequestControl
Juan Asensio Sánchez
okelet at gmail.com
Tue Aug 28 07:11:09 UTC 2012
Hi
We are testing the password policy in the 389DS. Using CentOS 5.5
i386, 389-ds-base 1.2.5. I have enabled the global password policy,
and set 180 days for password expiration, 14 days for warnings, and 3
grace logins. If I do a login before the 14 days befor the password
expiration, the bind is correct. If the bind is done during the 14
days before the password expiration, a PasswordExpiringControl is sent
to the client (verified with a groovy script using the UnboundID LDAP
SDK). After the password expires, the login is successful (without
being sent any control) for 3 times (all correct), and then the bind
is incorrect (error 49, invalid credentials), and also a
PasswordExpiredControl is sent.
My question, shouldn't the server send the PasswordExpiredControl also
during the 3 grace login?
If not, I have tested the
DraftBeheraLDAPPasswordPolicy10RequestControl
(http://tools.ietf.org/html/draft-behera-ldap-password-policy-10), and
it looks that is implemented (at least, in part) in 389DS. What is the
status of the implementation of this drafts (yes, I know it is a
draft, but is very useful). I am interested mostly in notifying the
user about its expiring/expired password, or remaining login attempts.
This looks to work in 389DS. Is there any more useful function I can
use?
Regards and thanks in advance.
More information about the 389-users
mailing list