eDir 8.8.7
RHEL 6.3

LDAP errorMessage NDS error: password expired (-223) is not returned
on a bind if the passwordrequired attribute on a user object is false.

Two part question. First, the passwordrequired attribute, which is
presented on the iManager page Modify User | Restrictions | Password
Restrictions | Require a password is not set to true when user objects
are created in my tree. I have not been able to create a Password
Policy that sets this attribute to true. I seem to remember that that
attribute would default to true back in the pre Universal password
days.

Second, and the main issue, is that when the attribute is set to false
on a user object, and that user authenticates via an LDAP client with an
expired password (grace logins are available) the server does not return
the errorMessage NDS error: password expired (-223).


08:25:55 5CD70700 LDAP: (serverIPaddress)(0x0001:0x60) DoBind on connection 0x249bae00
08:25:55 5CD70700 LDAP: (serverIPaddress)(0x0001:0x60) Bind name:cn=JasmineAladdin,ou=users,dc=domain,dc=com, version:3, authentication:simple
08:25:55 5CD70700 LDAP: (serverIPaddress)(0x0001:0x60) Sending operation result 0:"":"" to connection 0x249bae00

If the attribute is set to true, the errorMessage is returned:


08:28:59 5CD70700 LDAP: (serverIPaddress)(0x0001:0x60) DoBind on connection 0x249bae00
08:28:59 5CD70700 LDAP: (serverIPaddress)(0x0001:0x60) Bind name:cn=JasmineAladdin,ou=users,dc=domain,dc=com, version:3, authentication:simple
08:28:59 5CD70700 LDAP: (serverIPaddress)(0x0001:0x60) Sending operation result 0:"":"NDS error: password expired (-223)" to connection 0x249bae00
08:28:59 625C8700 LDAP: (serverIPaddress)(0x0002:0x63) DoSearch on connection 0x249bae00

The errorMessage for the condition Password expired with grace logins
remaining is the only error message that does not get returned. All of
the other errorMessages are returned regardless of the value of the
passwordrequired attribute.

I need this error message to be returned for an LDAP password self
service application.

Thanks, gk


--
gkincaid
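
Added example, not part of the original post: a Python sketch that reads LDAP trace lines in the format quoted above and lists, for each bind, the result code and any NDS error number carried in the errorMessage, so successful binds that came back with an empty errorMessage stand out. The sample trace is constructed from the lines in the post, and pairing a Bind line with its result by the parenthesised tag such as (0x0001:0x60) is an assumption.

```python
import re

# Constructed sample: the two binds quoted in the post, wrapped lines joined.
SAMPLE_TRACE = '''\
08:25:55 5CD70700 LDAP: (serverIPaddress)(0x0001:0x60) DoBind on connection 0x249bae00
08:25:55 5CD70700 LDAP: (serverIPaddress)(0x0001:0x60) Bind name:cn=JasmineAladdin,ou=users,dc=domain,dc=com, version:3, authentication:simple
08:25:55 5CD70700 LDAP: (serverIPaddress)(0x0001:0x60) Sending operation result 0:"":"" to connection 0x249bae00
08:28:59 5CD70700 LDAP: (serverIPaddress)(0x0001:0x60) DoBind on connection 0x249bae00
08:28:59 5CD70700 LDAP: (serverIPaddress)(0x0001:0x60) Bind name:cn=JasmineAladdin,ou=users,dc=domain,dc=com, version:3, authentication:simple
08:28:59 5CD70700 LDAP: (serverIPaddress)(0x0001:0x60) Sending operation result 0:"":"NDS error: password expired (-223)" to connection 0x249bae00
08:28:59 625C8700 LDAP: (serverIPaddress)(0x0002:0x63) DoSearch on connection 0x249bae00
'''

LINE = re.compile(r'^(?P<time>\S+) (?P<thread>\S+) LDAP: '
                  r'\((?P<peer>[^)]*)\)\((?P<tag>[^)]*)\) (?P<body>.*)$')
BIND = re.compile(r'^Bind name:(?P<dn>.*), version:\d+, authentication:(?P<method>\S+)$')
# Third quoted field is what the post calls the errorMessage.
RESULT = re.compile(r'^Sending operation result (?P<code>\d+):"[^"]*":"(?P<msg>[^"]*)"'
                    r' to connection (?P<conn>\S+)$')
NDS_ERR = re.compile(r'NDS error: .*\((-\d+)\)')


def bind_outcomes(trace):
    """Return one dict per bind: time, dn, result code, errorMessage, NDS error."""
    pending = {}   # (peer, tag) -> DN of a bind still waiting for its result
    outcomes = []
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        key = (m['peer'], m['tag'])   # assumed to identify one operation
        bind = BIND.match(m['body'])
        if bind:
            pending[key] = bind['dn']
            continue
        res = RESULT.match(m['body'])
        if res and key in pending:
            nds = NDS_ERR.search(res['msg'])
            outcomes.append({
                'time': m['time'],
                'dn': pending.pop(key),
                'code': int(res['code']),
                'message': res['msg'],
                'nds_error': int(nds.group(1)) if nds else None,
            })
    return outcomes


def silent_successes(outcomes):
    """Binds that succeeded (code 0) with an empty errorMessage."""
    return [o for o in outcomes if o['code'] == 0 and not o['message']]
```

The trace alone cannot tell whether the password behind a silent success was actually expired; the list is a starting point for checking those user objects.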