
I'm implementing the LDAP feature of forcing a password change on first login, when a user is added or when an admin changes a user's password. I set ds-cfg-force-change-on-add and ds-cfg-force-change-on-reset to true, and I am following the spec, which defines:

  1. Password Change After Reset

     This policy forces the user to select a new password on first bind or after a password reset. After the bind operation succeeds with authentication, the server should check whether the password-change-after-reset policy is on and this is the first logon. If so, the server should send a bindResponse with resultCode LDAP_SUCCESS and should include the password expired control in the controls field of the bindResponse message:

     controlType: 2.16.840.1.113730.3.4.4
     controlValue: an octet string: "0"
     criticality: false

Indeed, when I call Client.bind, I get return value LDAP_SUCCESS, and the controls field as defined in the spec.

BUT -

when I call Client.bind when the user is within its password expiration warning interval, I get the controls field only with the password expiring controlType (2.16.840.1.113730.3.4.5). I would expect to get both controlType elements (controls is an array), but 2.16.840.1.113730.3.4.4 is not there.

This is a major problem, because if the controlType 2.16.840.1.113730.3.4.4 is not there, the user will be able to log in although he is not supposed to.

What am I missing here?

Thanks.

Mathias R. Jessen
Dekel tsairi
  • Which LDAP server are you using? OpenDS? OpenDJ? – Mathias R. Jessen Nov 17 '21 at 13:57
  • LDAP server I'm using is OpenDj – Dekel tsairi Nov 17 '21 at 14:47
  • I think this is the correct behavior: when the user is within its password expiration warning interval, his password is considered to be set and it has not expired yet, so there is no LDAP_INVALID_CREDENTIALS, and the password expiring control 2.16.840.1.113730.3.4.5 indicates the time until the password expires. 2.16.840.1.113730.3.4.4 is returned when the user should be prompted to change the password immediately (meaning it has already expired, or needs to be set by the user after reset/1st bind). – EricLavault Nov 17 '21 at 16:59
  • Thanks EricLavault. I understand your answer, but it only makes the question even stronger. If 2.16.840.1.113730.3.4.5 means a warning to change the password soon, and 2.16.840.1.113730.3.4.4 means to change the password immediately, then I'd expect that in case both are valid, 2.16.840.1.113730.3.4.4 would be returned, since it's a stronger notification. But the server returns the warning notification instead. 2.16.840.1.113730.3.4.5 derives a warning to the user, while 2.16.840.1.113730.3.4.4 blocks the user login until he changes his password. Isn't it? – Dekel tsairi Nov 18 '21 at 08:46

1 Answer


The Netscape controls are very old and predate the OpenDJ password policy work. They are just there to ensure some form of compatibility with very old applications. New applications should send the Password Policy Request Control (1.3.6.1.4.1.42.2.27.8.5.1) and will receive the proper PwdPolicy control response.

Ludovic Poitou
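The question turns on which bind-response control a client trusts to decide that the user must change their password, and the answer says to request the Password Policy control (1.3.6.1.4.1.42.2.27.8.5.1) and read its response instead of the legacy Netscape controls. The following is an added example, not code from the question, the answer or OpenDJ: it takes the list of response controls a client library would hand back after a bind, decodes the Password Policy response value (encoding per the draft-behera password-policy specification: a SEQUENCE with an optional `warning [0]` CHOICE and an optional `error [1]` ENUMERATED, where `changeAfterReset` is 2), and derives a single decision in which any "change now" signal outranks an expiry warning. The control-list shape, the `encode_ppolicy_response` helper used only to build sample data, the sample values themselves, and the assumption that the Netscape expiring control carries the remaining seconds as a decimal string are all constructed for this example.

```python
"""
Added example (not from the original post or from OpenDJ): decide on the client
side whether a user who has just bound must change their password, honouring
both the legacy Netscape controls (2.16.840.1.113730.3.4.4 / .5) and the
Password Policy response control (1.3.6.1.4.1.42.2.27.8.5.1).
The bind itself is not performed; the input is the controls list as
(controlType OID, raw BER value) pairs, an assumed shape for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

NETSCAPE_PASSWORD_EXPIRED = "2.16.840.1.113730.3.4.4"   # change now (after reset / expired)
NETSCAPE_PASSWORD_EXPIRING = "2.16.840.1.113730.3.4.5"  # warning only
PASSWORD_POLICY_CONTROL = "1.3.6.1.4.1.42.2.27.8.5.1"   # request and response share the OID

# error ENUMERATED values of PasswordPolicyResponseValue (draft-behera-ldap-password-policy)
PPOLICY_ERRORS = {0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
                  3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
                  5: "insufficientPasswordQuality", 6: "passwordTooShort",
                  7: "passwordTooYoung", 8: "passwordInHistory"}


@dataclass
class PasswordPolicyResponse:
    time_before_expiration: Optional[int] = None
    grace_authns_remaining: Optional[int] = None
    error: Optional[str] = None


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER TLV (short- or long-form length); return (tag, contents, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_ppolicy_response(value: bytes) -> PasswordPolicyResponse:
    """Decode PasswordPolicyResponseValue ::= SEQUENCE { warning [0] CHOICE {...} OPTIONAL,
    error [1] ENUMERATED {...} OPTIONAL }."""
    resp = PasswordPolicyResponse()
    tag, body, _ = _read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("PasswordPolicyResponseValue must be a SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, contents, pos = _read_tlv(body, pos)
        if tag == 0xA0:                                 # warning [0], constructed; one inner choice
            inner_tag, inner, _ = _read_tlv(contents, 0)
            seconds = int.from_bytes(inner, "big", signed=True)
            if inner_tag == 0x80:                       # timeBeforeExpiration [0]
                resp.time_before_expiration = seconds
            elif inner_tag == 0x81:                     # graceAuthNsRemaining [1]
                resp.grace_authns_remaining = seconds
        elif tag == 0x81:                               # error [1], primitive ENUMERATED
            resp.error = PPOLICY_ERRORS.get(int.from_bytes(contents, "big"), "unknown")
    return resp


def encode_ppolicy_response(time_before_expiration: Optional[int] = None,
                            error: Optional[int] = None) -> bytes:
    """Build a PasswordPolicyResponseValue; used here only to construct sample data."""
    parts = b""
    if time_before_expiration is not None:
        n = time_before_expiration.to_bytes((time_before_expiration.bit_length() + 8) // 8, "big")
        inner = bytes([0x80, len(n)]) + n
        parts += bytes([0xA0, len(inner)]) + inner
    if error is not None:
        parts += bytes([0x81, 0x01, error])
    return bytes([0x30, len(parts)]) + parts


@dataclass
class BindDecision:
    must_change_password: bool
    seconds_until_expiry: Optional[int]
    reasons: List[str]


def evaluate_bind_controls(controls: List[Tuple[str, bytes]]) -> BindDecision:
    """Any 'change now' signal wins over a warning, so a client that only looks for the
    Netscape expiring control cannot let a must-change user through."""
    must_change, seconds, reasons = False, None, []
    for oid, value in controls:
        if oid == NETSCAPE_PASSWORD_EXPIRED:
            must_change, reasons = True, reasons + ["netscape-expired"]
        elif oid == NETSCAPE_PASSWORD_EXPIRING:
            seconds = int(value.decode("ascii"))        # assumed: decimal seconds as an octet string
            reasons.append("netscape-expiring")
        elif oid == PASSWORD_POLICY_CONTROL:
            pp = decode_ppolicy_response(value)
            if pp.error in ("changeAfterReset", "passwordExpired"):
                must_change, reasons = True, reasons + ["ppolicy:" + pp.error]
            if pp.time_before_expiration is not None:
                seconds = pp.time_before_expiration
                reasons.append("ppolicy:timeBeforeExpiration")
    return BindDecision(must_change, seconds, reasons)


# Constructed sample: the question's situation (only the Netscape expiring control is sent)
# alongside a Password Policy response that carries changeAfterReset(2) and a 1-day warning.
SAMPLE_CONTROLS = [
    (NETSCAPE_PASSWORD_EXPIRING, b"86400"),
    (PASSWORD_POLICY_CONTROL, encode_ppolicy_response(time_before_expiration=86400, error=2)),
]

if __name__ == "__main__":
    print(evaluate_bind_controls(SAMPLE_CONTROLS))
```

With the Netscape controls alone the sample yields only a warning; once the Password Policy control is requested on the bind and its response decoded, the `changeAfterReset` error forces `must_change_password`, which is the enforcement the question was missing.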