[389-users] PasswordExpiringControl, PasswordExpiredControl and DraftBeheraLDAPPasswordPolicy10RequestControl
Rich Megginson
rmeggins at redhat.com
Tue Aug 28 14:05:15 UTC 2012
On 08/28/2012 01:11 AM, Juan Asensio Sánchez wrote:
> Hi
>
> We are testing the password policy in the 389DS. Using CentOS 5.5
> i386, 389-ds-base 1.2.5. I have enabled the global password policy,
> and set 180 days for password expiration, 14 days for warnings, and 3
> grace logins. If I do a login before the 14 days befor the password
> expiration, the bind is correct. If the bind is done during the 14
> days before the password expiration, a PasswordExpiringControl is sent
> to the client (verified with a groovy script using the UnboundID LDAP
> SDK). After the password expires, the login is successful (without
> being sent any control) for 3 times (all correct), and then the bind
> is incorrect (error 49, invalid credentials), and also a
> PasswordExpiredControl is sent.
>
> My question, shouldn't the server send the PasswordExpiredControl also
> during the 3 grace login?
Indeed - https://fedorahosted.org/389/ticket/89
>
> If not, I have tested the
> DraftBeheraLDAPPasswordPolicy10RequestControl
> (http://tools.ietf.org/html/draft-behera-ldap-password-policy-10), and
> it looks that is implemented (at least, in part) in 389DS. What is the
> status of the implementation of this drafts (yes, I know it is a
> draft, but is very useful). I am interested mostly in notifying the
> user about its expiring/expired password, or remaining login attempts.
> This looks to work in 389DS. Is there any more useful function I can
> use?
>
> Regards and thanks in advance.
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
More information about the 389-users
mailing list