password expiration - password control result

Daniel Fisher dfisher at
Fri Apr 1 23:40:02 EDT 2016

On Thu, Mar 31, 2016 at 9:45 PM, joller lee <joller.lee at> wrote:

> In my attempt to handle password-must-change in AD,
I'm trying to map it to Account-Warning to handle it.
> But it's simply treated as login failure, and event though the
> password-expiration subflow is triggered,
> something like subject c14n context is missing.
> Is there any simple way of treating password-must-change as login success
> in case of AD.

The current code provides an accurate representation of the directory
response. For your use case, AD is returning err=49 invalid credentials
with a message about password-must-change. I've seen some docs that
indicate you can only get that message with valid credentials. If that's
true, it makes my head spin.

So the only way to get the behavior you're after is to have a component
that converts the login failure to a success for those cases where AD
behaves in this manner. Honestly I've been resistant to such a
implementation, but if you file a RFE I'll give it some more thought.

--Daniel Fisher
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list