FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora Directory

 
 
LinkBack Thread Tools
 
Old 03-24-2010, 12:21 AM
Rich Megginson
 
Default Password policy during grace login / expiration warning

Aaron Hagopian wrote:
> I am having an issue in regards to handling expiring passwords during
> the grace period. I also filed a bug because I find the behavior to
> not be as expected
> (https://bugzilla.redhat.com/show_bug.cgi?id=576303). But to
> summarize my bug report, in my code that checks a user's credentials
> (username / password) I ask the server for
> the response controls (using Java/JNDI). When the user's pass hasn't
> expired yet but they are in the warning period, in the response
> I receive 2.16.840.1.113730.3.4.5 indicating the password is expiring,
> which works great.
>
> Then when their password actually expires and they still haven't
> changed it yet (Glass half full, they just haven't logged in during
> that time and didn't ignore my warnings) and I have say 3 grace logins
> allows in the policy the server doesn't respond with the warning
> (2.16.840.1.113730.3.4.5) or the password expired response control
> (2.16.840.1.113730.3.4.4).
>
> The only way I can determine during the grace period that the password
> is actually expired and I'm on my grace login seems to be by checking
> the passwordExpiredTime attribute by hand. This just seems silly to
> me since the server knows the password expired and it knows to
> increment the passwordGraceUserTime attribute for each successful
> login after the password expired. I would think the server would
> respond with both 2.16.840.1.113730.3.4.5 and 2.16.840.1.113730.3.4.4
> like it does when your password is reset by the administrator.
>
> Am I missing something? Anyone else have a cleaner way
> of determining that it's a grace period login?
I think it should return the pwexpired control. But according to this
http://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-7.4
you should be able to determine how many grace logins are remaining?
> By the way, for the record I'm accessing this in Java, not sure it
> matters and here's a little code blurb:
>
> LdapContext ctx = new InitialLdapContext(env, nul);
> Control[] ctls = ctx.getResponseControls();
> if(ctls != null) {
> for(Control control : ctls) {
> System.out.println(control.getID());
> }
> }
>
> Also if this question should be on the devel list I apologize but I
> figured that was for actually coding the 389 directory server.
This list is fine.
>
> Thanks,
>
> Aaron Hagopian
> ------------------------------------------------------------------------
>
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 03-24-2010, 03:43 PM
Aaron Hagopian
 
Default Password policy during grace login / expiration warning

> Am I missing something? *Anyone else have a cleaner way

> of determining that it's a grace period login?

I think it should return the pwexpired control. *But according to this

http://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-7.4

you should be able to determine how many grace logins are remaining?



*Ok so I changed my code to request the passwordPolicy on bind and after lots of fun trying to figure out how to parse BER it does return the grace logins remaining during the grace period which is better than manually searching and figuring it out on my own but hopefully my bug will get fixed at some point.


Thanks,
Aaron Hagopian
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 

Thread Tools




All times are GMT. The time now is 07:26 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org