IDP v3 - OpenLDAP password policy - forcing password reset

Daniel Fisher dfisher at
Wed May 20 17:38:28 EDT 2015

On Wed, May 20, 2015 at 5:09 PM, Emilio Penna <emilio.penna at>

> With respect to ppolicy control, I think there's some limitation in the
> control handling in ValidateUsernamePasswordAgainstLDAP, let me explain:
> As you said, in case of bind success (and accountState not null), the
> message generated is:
> String.format("%s:%s:%s", "ACCOUNT_WARNING", response.getResultCode(),
> response.getMessage())
> In bind failure, the message is
> String.format("%s:%s:%s", state.getError(), response.getResultCode(),
> response.getMessage())

Our design made some assumptions that perhaps need to be revisited. Most
notably that warnings are associated with login success and errors are
associated with login failures. I need to think about this use case some
more, but more configuration knobs to drive different flows may be in order.

--Daniel Fisher