bypassing some authN fails? dabantz at
Thu May 25 17:16:47 EDT 2017

Preferable to just ignore that specific account expired state; that results in desired effect without having to craft a tool for a service IAM doesn't run then asking user to do something. Also has less impact on the services run by others that "use" expired flag for their access control.

David.Bantz at

> On May 25, 2017, at 12:07, Daniel Fisher <dfisher at> wrote:
>> On Thu, May 25, 2017 at 2:23 PM, IAM David Bantz <dabantz at> wrote:
>> Is it feasible in IdP 3.3 to intercept an authN failure against AD LDAP due to expired account (error 49, data 701) and treat as though successful authN? ("701" data is supposed to be returned ONLY if the supplied credentials were otherwise valid, so this does not bypass expired password, locked account, or bad password, but only those attempts that would have been successful but for the account being marked expired.)
> So do you want to ignore this particular account state or will you be sending these users somewhere to unexpire their account in a self-service fashion?
> --Daniel Fisher
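The narrow condition discussed in this thread (result code 49 with AD sub-code 701 and nothing else) can be checked as below. This is an added example, not code from the thread or from the Shibboleth IdP; the function and type names are hypothetical, the sample diagnostic strings in the comments and test are constructed, and the sub-code table lists the commonly documented AD values.

```python
import re
from typing import NamedTuple, Optional

LDAP_INVALID_CREDENTIALS = 49  # LDAP resultCode the thread calls "error 49"

# AD puts a hex Win32 error number in the "data" field of the bind
# diagnostic message. Only 701 means "credentials fine, account expired".
AD_SUBCODES = {
    "525": "user not found",
    "52e": "bad password",
    "530": "logon hours restriction",
    "531": "workstation restriction",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "must change password",
    "775": "account locked",
}

# Constructed sample of the message shape (DSID value is a placeholder):
#   80090308: LdapErr: DSID-XXXXXXXX, comment: AcceptSecurityContext error, data 701, v1db1
_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+),")


class BindFailure(NamedTuple):
    subcode: Optional[str]   # lower-cased hex sub-code, or None if absent
    meaning: str
    expired_only: bool       # True only for result 49 + data 701


def classify_bind_failure(result_code: int, diagnostic: str) -> BindFailure:
    """Classify an AD bind failure; anything not exactly 49/701 fails closed."""
    if result_code != LDAP_INVALID_CREDENTIALS:
        return BindFailure(None, "not an invalidCredentials result", False)
    match = _DATA_RE.search(diagnostic or "")
    if match is None:
        return BindFailure(None, "no AD sub-code present", False)
    sub = match.group(1).lower()
    meaning = AD_SUBCODES.get(sub, "unrecognised sub-code")
    # Exact string comparison: "7010" or "1701" must not be accepted.
    return BindFailure(sub, meaning, sub == "701")
```

Logging the returned `meaning` for every failure keeps the expired-account exceptions visible to the services that rely on the expired flag for their own access control.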
