Feel free to create a JIRA issue. That way we can track progress and resolution.
Best regards,

Pierre Smits

ORRTIZ.COM <http://www.orrtiz.com>
OFBiz based solutions & services

OFBiz Extensions Marketplace
http://oem.ofbizci.net/oci-2/

On Thu, Mar 31, 2016 at 8:21 PM, Ezsra McDonald <[email protected]> wrote:

> We have ApacheDS configured to expire passwords after a fixed amount of
> time. If a user lets their password expire and that user attempts to
> authenticate with an *invalid* password, ADS will respond with an error
> code related to their password being expired rather than a response stating
> their password entry was invalid.
>
> This is not the desired behavior for a couple of reasons. First, it is
> confusing our users because they assume that if our SSO portal tells them
> their password has expired, that they did enter the correct existing
> password. So when they get sent to our password change screen, they will
> enter the invalid existing password that they used initially, thinking it
> was correct.
>
> The other issue is a matter of security. It is possible for anyone to
> determine if an account is expired just by entering the correct username.
>
> Are there any suggestions on how to configure ADS to first verify the
> password is valid before responding with an account expired code?
>
> --Ezsra
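
The ordering problem described in the quoted message, as an added example that is not part of the original thread and is not ApacheDS code: a small model of a bind handler with the expiry-first ordering beside a verify-first ordering. The result names, the 90-day maximum age and the sample directory are constructed for illustration.

```python
import hashlib, hmac, os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)  # constructed policy value, not from the thread

@dataclass
class Entry:
    salt: bytes
    pw_hash: bytes
    changed: datetime  # when the password was last set

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def make_entry(password, changed):
    salt = os.urandom(16)
    return Entry(salt, _hash(password, salt), changed)

def _password_ok(entry, password):
    return hmac.compare_digest(_hash(password, entry.salt), entry.pw_hash)

def bind_expiry_first(directory, user, password, now):
    """Ordering described in the message: expiry is reported before the password is checked."""
    entry = directory.get(user)
    if entry is None:
        return "INVALID_CREDENTIALS"
    if now - entry.changed > MAX_AGE:
        return "PASSWORD_EXPIRED"
    return "SUCCESS" if _password_ok(entry, password) else "INVALID_CREDENTIALS"

def bind_verify_first(directory, user, password, now):
    """Requested ordering: expiry is only revealed to a caller who knows the password."""
    entry = directory.get(user)
    if entry is None or not _password_ok(entry, password):
        return "INVALID_CREDENTIALS"
    return "PASSWORD_EXPIRED" if now - entry.changed > MAX_AGE else "SUCCESS"

def leaks_state(bind, directory, users, now):
    """True if a wrong password yields different results for different accounts."""
    return len({bind(directory, u, "not-the-password", now) for u in users}) > 1

# Constructed sample directory: one current and one expired account.
NOW = datetime(2016, 3, 31, tzinfo=timezone.utc)
DIRECTORY = {
    "active": make_entry("current-secret", NOW - timedelta(days=10)),
    "expired": make_entry("old-secret", NOW - timedelta(days=200)),
}

if __name__ == "__main__":
    for bind in (bind_expiry_first, bind_verify_first):
        print(bind.__name__, "leaks:", leaks_state(bind, DIRECTORY, list(DIRECTORY), NOW))
```

With the verify-first ordering, the password change screen is only reached by someone who supplied the correct existing password, which also addresses the user-confusion case in the message.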
