
I am using the JNDI framework to interact with various LDAP servers, specifically Sun ONE LDAP, and I am observing the following:

Use case: if an administrator resets the password of any user in the Sun ONE LDAP server, then the passwordMustChange attribute is set to "on". As a result the user has to change his/her password on next logon. This is what is documented.

I am performing the same action through Java code using JNDI. I observed that this attribute is set to "on" successfully, so the programming logic is correct.

But when I log on with that user on the LDAP server, it doesn't give any error or pop-up saying that the password has expired and please change your password. The same use case works as expected in the case of Active Directory (AD) servers. In the case of AD, we need to set pwdLastSet to 0. It works and the system asks to change the password on next logon.

On the contrary, the same use case does not work for any LDAP flavour such as Sun ONE LDAP, ADAM, or OpenLDAP. Please let me know if anybody has observed such an issue and suggest how to fix this.

user207421
BND
  • Works for me in OpenLDAP. I'll dig out my code tomorrow. Are you using the password-policy extended operations and request/response controls? – user207421 Mar 11 '15 at 11:01
  • Are you saying that for OpenLDAP you have observed the expected behavior? Which parameter did you use, pwdReset or passwordMustChange? Yes, I am using password-policy extended operations along with request/response controls. If you can share your code, it will be of great help! – BND Mar 11 '15 at 13:25
  • Works for me in OpenLDAP. I'm using both those attributes. Code later. – user207421 Mar 11 '15 at 20:55
  • It's not acceptable here to completely change your question, so as to make all prior answers and comments meaningless, and your title. If you *have* a new question, *ask* a new question. – user207421 Mar 16 '15 at 10:55
  • Apologies for the same. I wanted to continue the same thread with new queries but couldn't find a way to do that, so I edited the same question. – BND Mar 16 '15 at 11:45

2 Answers


Unfortunately there is no standard for this kind of feature (there is an Internet Draft, now expired, which is partially implemented in different servers). Depending on your version of Sun Directory Server, there are different ways to do this (SunDS 6.x introduced a new password policy based on the Internet Draft). With 5.x, I seem to recall that passwordExpirationTime would take a specific value when the password is expired. The server will return a PasswordExpired control as part of the Bind response saying that it has expired.

With 6.x and beyond, the pwdReset operational attribute is set to true. The server will either return the PasswordExpired Control, or a PwdPolicyControl response if you've set the PwdPolicyControl request in the Bind request.

Ludovic Poitou
  • Thanks for your reply. We want to implement this for all LDAP servers such as OpenLDAP, Sun ONE, ADAM and others. In the case of OpenLDAP, even setting pwdReset to true is **not** working out for us. In the case of Sun ONE LDAP, I have even observed that if the account does not have objectClass = passwordPolicy then the system does not even allow setting any parameter, i.e. passwordMustChange. Lastly, in the case of ADAM, it does not even allow us to set pwdLastSet = 0. It throws the following error if pwdLastSet is set to "0" (String) – BND Mar 11 '15 at 13:51
  • @BND Adding `objectClass=passwordPolicy` to the user is definitely not right. That's for the password-policy entry itself, not for users. You must have some other configuration problem. – user207421 Mar 11 '15 at 20:57
  • Agree. Sun Directory Server has a complete separation between the definition of a Password Policy and the users for which it's enforced. In an account, you only find operational attributes that maintain the state of the policy (password changed time, expiration, locked status, reset...). – Ludovic Poitou Mar 12 '15 at 10:05
  • @LudovicPoitou So do the Internet Drafts. It's not confined to Sun DS. – user207421 Mar 12 '15 at 10:23
  • @EJP, I know since my name is on the Internet Drafts ;-) Not all servers have implemented the drafts, which initially started with documenting what was in Netscape / Sun / IPlanet servers. – Ludovic Poitou Mar 12 '15 at 20:27
  • Wow. In that case do you have any insight into why it hasn't become an RFC? Seems pretty useful to me, and ten drafts seems like enough. – user207421 Mar 12 '15 at 21:39
  • @EJP, lack of consensus, lack of time by the authors, company changes... There are a few people willing to invest time again to complete the work though. – Ludovic Poitou Mar 19 '15 at 19:39

You're setting it in the wrong place. passwordMustChange is an attribute of the policy, not of a user. It means that if you set the operational attribute pwdReset for any user, he must change his password on next login, and that is advised via a response control when he does so.

That in turn means you must use the password-policy request control when binding a user, and check the response control. It also means that you must use the change-password extended operation when changing the password, rather than just rewriting the attribute.

This also explains why you thought you had to add objectClass=passwordPolicy to the user entry. You don't. You have to define a separate policy object containing a value for passwordMustChange and the other policy attributes, and specify that in the configuration as the default policy, or in the user entry as his specific policy if you're going that far.

You need to reread the documentation and distinguish clearly between policy attributes and user operational attributes. They're listed separately.

What code are you using for the extended operation and request/response controls? I had to write mine. I posted it on the Sun Java forums several years ago: is it that code? Just curious.

user207421
  • Thanks. Sorry, but we haven't used an extended operation. The following Java code sets **passwordMustChange** to "on": `BasicAttribute passwdMustChange = new BasicAttribute("passwordMustChange", "on"); ModificationItem modItem = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, passwdMustChange);` ... and then I use modifyAttributes() to update it along with other attributes such as userPassword. Are you saying that it is mandatory to use an extended operation and request/response controls for the mentioned use case? I could not find a good example of extended operations. – BND Mar 12 '15 at 10:14
  • I've already answered every last skerrick of that. If you don't do it that way it won't work. You don't have to write code to set `passwordMustChange` at all: you can set it in the policy entry with an LDAP browser, or `ldapadd` if you create the password policy as .ldif. It's not something you're going to change dynamically. No code required. – user207421 Mar 12 '15 at 10:17
  • I am able to perform the extendedOperation and get the PasswordResponseControl from OpenLDAP, but it does not work as expected. I should get a NoPermissionException, but I am not getting any error, just a warning with timeBeforeExpiration = 84. Secondly, even after defining a default password policy, I don't see pwdMustChange set to TRUE after changing the user's password. – BND Mar 23 '15 at 13:34
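An added example (Java, my own code, not from the question or either answer) that puts the pieces both answers describe into one JNDI client: Ludovic Poitou's point that a 6.x-style server reports the reset through the password-policy response control on the bind, and user207421's point that the bind must carry the password-policy request control, the client must read the response control, and the change must go through the password-modify extended operation rather than a rewrite of userPassword. The OIDs (1.3.6.1.4.1.42.2.27.8.5.1 for the control, 1.3.6.1.4.1.4203.1.11.1 for Password Modify) and the BER layouts are taken from the Behera draft and RFC 3062; the class and method names, and the hand-built sample bytes in the note below, are mine.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.*;

public class PpolicyBindExample {
    // Real OIDs: the password-policy control (draft-behera-ldap-password-policy) and Password Modify (RFC 3062).
    static final String PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1";
    static final String PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1";
    /** Decoded PasswordPolicyResponseValue; a null field was absent. error values per the draft: 0 passwordExpired,
     *  1 accountLocked, 2 changeAfterReset, 3 passwordModNotAllowed, 4 mustSupplyOldPassword,
     *  5 insufficientPasswordQuality, 6 passwordTooShort, 7 passwordTooYoung, 8 passwordInHistory. */
    static final class PpolicyResponse {
        Integer timeBeforeExpiration, graceAuthNsRemaining, error;
        boolean mustChangePassword() { return error != null && error == 2; }
    }

    // Minimal BER reader. Wire shape: 30 L { A0 L { 80|81 L INTEGER } } and/or { 81 L ENUMERATED }.
    static PpolicyResponse decodePpolicyResponse(byte[] v) {
        PpolicyResponse r = new PpolicyResponse();
        if (v == null || v.length == 0) return r;                      // control sent without a value
        if (v[0] != 0x30) throw new IllegalArgumentException("expected SEQUENCE");
        int[] p = { 1 }; int end = p[0] + readLength(v, p);
        while (p[0] < end) {
            int tag = v[p[0]++] & 0xFF, len = readLength(v, p), next = p[0] + len;
            if (tag == 0xA0) {                                          // warning [0]: explicit tag around the CHOICE
                int inner = v[p[0]++] & 0xFF, ilen = readLength(v, p), val = readInt(v, p[0], ilen);
                if (inner == 0x80) r.timeBeforeExpiration = val;        // [0] INTEGER, seconds left
                else if (inner == 0x81) r.graceAuthNsRemaining = val;   // [1] INTEGER
            } else if (tag == 0x81) r.error = readInt(v, p[0], len);    // error [1]: implicit ENUMERATED
            p[0] = next;                                                // anything else is skipped
        }
        return r;
    }
    static int readLength(byte[] v, int[] p) {
        int b = v[p[0]++] & 0xFF;
        if (b < 0x80) return b;                                         // short form
        int n = b & 0x7F; p[0] += n;                                    // long form: n length bytes follow
        return readInt(v, p[0] - n, n);
    }
    static int readInt(byte[] v, int off, int len) {                     // big-endian; draft values are non-negative
        int val = 0; for (int i = 0; i < len; i++) val = (val << 8) | (v[off + i] & 0xFF);
        return val;
    }
    // PasswdModifyRequestValue ::= SEQUENCE { userIdentity [0], oldPasswd [1], newPasswd [2] }, each OPTIONAL.
    static byte[] encodePasswdModify(String dn, String oldPw, String newPw) {
        ByteArrayOutputStream body = new ByteArrayOutputStream(), out = new ByteArrayOutputStream();
        if (dn != null) writeTlv(body, 0x80, dn.getBytes(StandardCharsets.UTF_8));
        if (oldPw != null) writeTlv(body, 0x81, oldPw.getBytes(StandardCharsets.UTF_8));
        if (newPw != null) writeTlv(body, 0x82, newPw.getBytes(StandardCharsets.UTF_8));
        writeTlv(out, 0x30, body.toByteArray());
        return out.toByteArray();
    }
    static void writeTlv(ByteArrayOutputStream out, int tag, byte[] value) {
        out.write(tag);
        if (value.length < 0x80) out.write(value.length);
        else if (value.length < 0x100) { out.write(0x81); out.write(value.length); }
        else { out.write(0x82); out.write(value.length >>> 8); out.write(value.length & 0xFF); }
        out.write(value, 0, value.length);
    }
    /** RFC 3062 Password Modify: the server applies its policy to the change, unlike a raw rewrite of userPassword. */
    static final class PasswdModifyRequest implements ExtendedRequest {
        private final byte[] value;
        PasswdModifyRequest(String dn, String oldPw, String newPw) { value = encodePasswdModify(dn, oldPw, newPw); }
        public String getID() { return PASSWD_MODIFY_OID; }
        public byte[] getEncodedValue() { return value; }
        public ExtendedResponse createExtendedResponse(final String id, final byte[] ber, final int off, final int len) {
            return new ExtendedResponse() {                               // value, if any, is genPasswd [0] OCTET STRING
                public String getID() { return id; }
                public byte[] getEncodedValue() { return ber == null ? null : java.util.Arrays.copyOfRange(ber, off, off + len); }
            };
        }
    }

    /** Bind with the ppolicy request control attached; on changeAfterReset, change the password on that same connection. */
    static PpolicyResponse bindAndChangeIfReset(String url, String dn, String password, String newPassword) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<String, Object>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);                                // ldaps:// (or StartTLS) for real credentials
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        Control[] bindControls = { new BasicControl(PPOLICY_OID, false, null) }; // request has no value; non-critical
        LdapContext ctx = new InitialLdapContext(env, bindControls);       // throws if the bind itself is rejected
        try {
            PpolicyResponse r = null; Control[] resp = ctx.getResponseControls(); // controls on the bind response
            if (resp != null) for (Control c : resp)
                if (PPOLICY_OID.equals(c.getID())) r = decodePpolicyResponse(c.getEncodedValue());
            if (r != null && r.mustChangePassword())                      // pwdReset=TRUE: only a change is allowed now
                ctx.extendedOperation(new PasswdModifyRequest(dn, password, newPassword));
            return r;                                                      // null: the server sent no ppolicy control
        } finally {
            ctx.close();
        }
    }
}
```

Decoding the constructed value 30 03 81 01 02 gives error = 2 (changeAfterReset), which is what a draft-conforming server such as OpenLDAP with the ppolicy overlay attaches to a successful bind for an entry whose pwdReset is TRUE; the constructed value 30 05 A0 03 80 01 54 gives timeBeforeExpiration = 84, the warning shape reported in the last comment above. Two caveats. The request control is sent non-critical, so a server that does not implement it binds normally and returns no control; treat a null result as "policy state unknown", not as "nothing to do". And if the bind itself is rejected (an expired password on a server that refuses the bind, a locked account), the InitialLdapContext constructor throws a NamingException and this code does not look at any control attached to that failed bind. Sun's older PasswordExpired and PasswordExpiring response controls (2.16.840.1.113730.3.4.4 and 2.16.840.1.113730.3.4.5) use a different value format and are not decoded here. Nothing here writes passwordMustChange; as the second answer says, that attribute lives in the policy entry, and this client only reacts to what the server reports.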