NAM 3.1.1 doesn't detect expired passwords properly
I have two setups:
Externally we're using iChain (in the process of replacing with NAM)
Internally we're using NAM 3.1.1
eDirectory 8.8.5 in all cases with NMAS.
Both iChain and NAM 3.1.1 are set up to use the PWM servlets by Jason Rivard. Both are using the SAME PWM server. The PWM version I'm using is a little old, but it's version 1.3.0 b734.
Here's what happens:
I go into ConsoleOne and expire a user's password (or test one that is already expired). Wait a few minutes for it to sync through.
If I log in to iChain, on the FIRST login (we allow 6 grace logins), I am taken to the PWM servlet to change my password. It's always worked this way. And that's how it SHOULD work.
But if I use NAM 3.1.1, it NEVER EVER takes me to the PWM server on the first login after the password is expired. It ONLY ever works if I log in again. Obviously this is bad because as the user continues to run other web-based apps, they are unknowingly decreasing their grace login count until it reaches zero and their account goes into intruder lockout.
I have no idea why NAM fails to properly detect or route on an already expired account on the initial login only.
iChain works, so I'm going to conclude it's NOT a PWM issue (in theory it should be the job of NAM to detect the expired password and redirect, not PWM).