IDP v3 - OpenLDAP password policy - forcing password reset

Daniel Fisher dfisher at vt.edu
Wed May 20 17:38:28 EDT 2015


On Wed, May 20, 2015 at 5:09 PM, Emilio Penna <emilio.penna at seciu.edu.uy>
wrote:

>
> With respect to ppolicy control, I think there's some limitation in the
> control handling in ValidateUsernamePasswordAgainstLDAP, let me explain:
>
> As you said, in case of bind success (and accountState not null), the
> message generated is:
> String.format("%s:%s:%s", "ACCOUNT_WARNING", response.getResultCode(),
> response.getMessage())
>
> In bind failure, the message is
> String.format("%s:%s:%s", state.getError(), response.getResultCode(),
> response.getMessage())
>

Our design made some assumptions that perhaps need to be revisited. Most
notably that warnings are associated with login success and errors are
associated with login failures. I need to think about this use case some
more, but more configuration knobs to drive different flows may be in order.

--Daniel Fisher