Hi folks - been away from ApacheDS for a while... back again.

We built from the trunk on Friday 8/24 and are testing the password policy 
functionality.

When a user has a password policy assigned via pwdPolicySubentry and the policy 
attribute ads-pwdgraceauthnlimit is set to 5 for example,
and the password age has expired, a pwdGraceUseTime field (on the user) is set 
with the timestamp of the login. This is all working great!

We process the response controls and that event forces a user to change their 
password, which they successfully do.

However, even though the password is successfully changed:
- the pwdGraceUseTime fields are not removed, and
- pwdChangedTime does not update.

A subsequent login by the user with the new password (just set) triggers the 
same response controls and the process repeats, setting another pwdGraceUseTime 
field.
I'm not running out of grace logins. When this happens it's understood nothing 
can be done without an admin reset.

If an admin changes the password, the fields are removed and the pwdChangedTime 
field is updated as it should.
We need the password reset as the user because we're also using the pwdReset 
functionality.


This is how we're changing the passwords. This operation is performed with the 
user's credentials, NOT an admin's.

      // JNDI types come from javax.naming, javax.naming.directory and javax.naming.ldap.
      public void setPassword (LdapContext ctx, String strDn, String strValue)
      throws DirectoryAdapterException {

            // Single REPLACE of the password attribute on the user's own entry.
            ModificationItem[] mods = new ModificationItem[1];
            mods[0] = new ModificationItem(LdapContext.REPLACE_ATTRIBUTE,
                        new BasicAttribute(PASSWORD_AT, strValue));
            try {
                  try {
                        // set control in here.
                        ctx.setRequestControls(new Control[]{new PasswordPolicyRqControl()});
                        ctx.modifyAttributes(strDn, mods);
                  } catch (InvalidAttributeValueException ae) {
                        throw new DirectoryAdapterException(ae, DirectoryAdapterException.CANNOT_MODIFY_ENTRY);
                  } catch (NamingException ne) {
                        throw new DirectoryAdapterException(ne, DirectoryAdapterException.CANNOT_MODIFY_ENTRY);
                  }
            } catch (DirectoryAdapterException de) {
                  processControls(ctx, de); // will re-throw
                  throw de; // catch all, should not happen.
            }
      }

Thank you!!!
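
Added example, not part of the original post: a small JNDI diagnostic that snapshots pwdChangedTime and pwdGraceUseTime before and after the password change and reports whether the entry reached the state the post expects. The class name PwdPolicyStateCheck and its methods are hypothetical; it assumes the bound identity is allowed to read these operational attributes and that the server returns them as strings.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.ldap.LdapContext;

/** Added diagnostic (hypothetical name); not code from the post or from ApacheDS. */
public class PwdPolicyStateCheck {
    // Operational attributes are only returned when requested by name.
    private static final String[] STATE_ATTRS = { "pwdChangedTime", "pwdGraceUseTime" };

    /** Snapshot of the password policy state on one entry. */
    public static final class State {
        final String changedTime; // null when the attribute is absent
        final List<String> graceUseTimes = new ArrayList<>();
        State(String changedTime) { this.changedTime = changedTime; }
    }

    /** Reads the two state attributes of dn (assumes read access and String values). */
    public static State read(LdapContext ctx, String dn) throws NamingException {
        Attributes attrs = ctx.getAttributes(dn, STATE_ATTRS);
        Attribute changed = attrs.get("pwdChangedTime");
        State s = new State(changed == null ? null : (String) changed.get());
        Attribute grace = attrs.get("pwdGraceUseTime");
        if (grace != null) {
            NamingEnumeration<?> e = grace.getAll();
            while (e.hasMore()) s.graceUseTimes.add((String) e.next());
            e.close();
        }
        return s;
    }

    /** Returns the problems found; an empty list means the state was updated. */
    public static List<String> diff(State before, State after) {
        List<String> problems = new ArrayList<>();
        if (after.changedTime == null || after.changedTime.equals(before.changedTime))
            problems.add("pwdChangedTime not updated: " + after.changedTime);
        if (!after.graceUseTimes.isEmpty())
            problems.add("pwdGraceUseTime still present: " + after.graceUseTimes);
        return problems;
    }

    public static void main(String[] args) {
        // Constructed sample values mirroring the behaviour reported above.
        State before = new State("20120801120000Z");
        before.graceUseTimes.add("20120827090000Z");
        State after = new State("20120801120000Z");
        after.graceUseTimes.add("20120827090000Z");
        after.graceUseTimes.add("20120827091500Z");
        diff(before, after).forEach(System.out::println);
    }
}
```

Call read() on the user's context before and after setPassword() and pass both snapshots to diff(); running the same check around an admin-initiated change gives the comparison case.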


