[
https://issues.apache.org/jira/browse/DIRSERVER-2051?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14485456#comment-14485456
]
Kiran Ayyagari commented on DIRSERVER-2051:
-------------------------------------------
bq. From the security POV, this is not a clear cut. Specifically, case #2 seems risky

The expired status of the password will be exposed anyway (as per the standard), if the password policy control is present in the BindRequest.
> Getting Password Expired Instead of Invalid Credentials
> -------------------------------------------------------
>
> Key: DIRSERVER-2051
> URL: https://issues.apache.org/jira/browse/DIRSERVER-2051
> Project: Directory ApacheDS
> Issue Type: Bug
> Reporter: David Paulsen
>
> When I log in with invalid credentials AND the password is expired, I
> would expect to get the invalid credentials error:
> LDAPException: Invalid Credentials (49) Invalid Credentials
> LDAPException: Server Message: INVALID_CREDENTIALS: Bind failed: ERR_229
> Cannot authenticate user
> uid=admin,ou=DJPS1,ou=DVHead,dc=kewilltransport,dc=com
> Instead I get the password expired error:
> LDAPException: Invalid Credentials (49) Invalid Credentials
> LDAPException: Server Message: INVALID_CREDENTIALS: Bind failed: paasword
> expired
> I would think we should get the invalid credentials error in that case.
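The two bind outcomes discussed in this issue, as an added illustration (this is not ApacheDS code and makes no claim about how ApacheDS orders its checks): the credential is verified first, a wrong password always yields a generic invalidCredentials diagnostic, and the expired state is reported in the diagnostic only when the password itself was right, while the password policy response control carries it whenever the client asked for the control. Account data, the `NOW` timestamp, the DN and the hashing scheme are all constructed for the example.

```python
# Added example (not ApacheDS code): deciding what a BindResponse reveals
# when the supplied password is wrong and/or the stored password is expired.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import hmac
from typing import Optional

SUCCESS = 0               # LDAP resultCode success
INVALID_CREDENTIALS = 49  # LDAP resultCode invalidCredentials

# Constructed "current time" so the example is deterministic.
NOW = datetime(2015, 4, 8, 12, 0, tzinfo=timezone.utc)


@dataclass
class Account:
    dn: str
    salt: bytes
    pw_hash: bytes           # constructed: salted SHA-256 of the password
    pw_changed_at: datetime  # when the password was last set
    max_age: timedelta       # the policy's pwdMaxAge


@dataclass
class BindOutcome:
    result_code: int
    diagnostic: str               # the diagnosticMessage a client would see
    ppolicy_error: Optional[str]  # error field of the password policy response
                                  # control; None when the control was not requested


def hash_password(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def sample_account(days_since_change: int, password: str = "correct horse") -> Account:
    """Constructed account whose password was set `days_since_change` days before NOW."""
    salt = b"constructed-salt"
    return Account(
        dn="uid=example,ou=people,dc=example,dc=com",  # placeholder DN
        salt=salt,
        pw_hash=hash_password(salt, password),
        pw_changed_at=NOW - timedelta(days=days_since_change),
        max_age=timedelta(days=90),
    )


def evaluate_bind(acct: Account, password: str, now: datetime,
                  ppolicy_control: bool) -> BindOutcome:
    # 1. Verify the credential first, in constant time.
    credential_ok = hmac.compare_digest(hash_password(acct.salt, password), acct.pw_hash)
    expired = (now - acct.pw_changed_at) > acct.max_age

    # If the client sent the password policy request control, the response
    # control reports the policy state; this is the channel the standard
    # defines for it, so the expired status is visible here regardless.
    control_error = "passwordExpired" if (ppolicy_control and expired) else None

    if not credential_ok:
        # 2. Wrong password: the diagnostic only says the bind failed, so the
        #    message itself does not distinguish "wrong" from "wrong and expired".
        return BindOutcome(INVALID_CREDENTIALS,
                           "INVALID_CREDENTIALS: Bind failed: cannot authenticate user",
                           control_error)
    if expired:
        # 3. Right password, expired: tell the user so they can change it.
        return BindOutcome(INVALID_CREDENTIALS,
                           "INVALID_CREDENTIALS: Bind failed: password expired",
                           control_error)
    return BindOutcome(SUCCESS, "", None)


if __name__ == "__main__":
    acct = sample_account(days_since_change=120)   # expired under a 90-day max age
    for pw, ctl in (("wrong", False), ("wrong", True), ("correct horse", False)):
        print(pw, ctl, evaluate_bind(acct, pw, NOW, ctl))
```

The ordering matters for what an unauthenticated caller learns: with the checks in this order, an attacker who does not know the password and does not send the control gets the same diagnostic for every account, expired or not.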
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)