openLDAP pwdReset pwdMustChange
Daniel Fisher
dfisher at vt.edu
Wed Aug 24 01:51:32 UTC 2022
On Tue, Aug 23, 2022 at 1:31 AM Lipscomb, Gary via users <users at shibboleth.net> wrote:
> Has anyone done this?
>
It appears you're attempting to use https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-10 for your password policy implementation.
>
> - idp.authn.LDAP.usePasswordPolicy = true
>
This is the property you want set to true to enable this feature.
> - idp.authn.LDAP.usePasswordExpiration = true
>
This property enables a different type of password policy implementation (http://tools.ietf.org/html/draft-vchu-ldap-pwd-policy-00). Set it to false.
Assuming you've configured the ppolicy overlay correctly in OpenLDAP....
Your IDP should signal a warning type of AuthnEventIds.ACCOUNT_WARNING
when a password warning is returned from an LDAP authentication. And an
error type of AuthnEventIds.ACCOUNT_ERROR when a password error is returned.
--Daniel Fisher
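Added example, not code from the thread or from the Shibboleth project: a decoder for the draft-behera password policy response control that the OpenLDAP ppolicy overlay returns with a bind result, sorting it into the warning/error outcomes the reply maps to ACCOUNT_WARNING and ACCOUNT_ERROR. The control bytes below are constructed by hand for the example.

```python
# Added example, not from the thread: decode the draft-behera password policy
# response control (OID 1.3.6.1.4.1.42.2.27.8.5.1) that the OpenLDAP ppolicy
# overlay attaches to a bind result. The sample control values are constructed.
WARNINGS = {0: "timeBeforeExpiration", 1: "graceAuthNsRemaining"}
ERRORS = {0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
          3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
          5: "insufficientPasswordQuality", 6: "passwordTooShort",
          7: "passwordTooYoung", 8: "passwordInHistory"}

def _tlv(buf: bytes, pos: int):
    """Read one BER tag/length/value; short-form lengths suffice for this control."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not expected")
    value = buf[pos + 2:pos + 2 + length]
    if len(value) != length:
        raise ValueError("truncated control value")
    return tag, value, pos + 2 + length

def parse_ppolicy_response(value: bytes) -> dict:
    """PasswordPolicyResponseValue ::= SEQUENCE {
         warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
                              graceAuthNsRemaining [1] INTEGER } OPTIONAL,
         error   [1] ENUMERATED { passwordExpired (0), ... } OPTIONAL }"""
    tag, body, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    result, pos = {"warning": None, "error": None}, 0
    while pos < len(body):
        tag, inner, pos = _tlv(body, pos)
        if tag == 0xA0:  # [0] on a CHOICE is an explicit tag -> constructed
            wtag, wval, _ = _tlv(inner, 0)
            result["warning"] = (WARNINGS[wtag & 0x1F], int.from_bytes(wval, "big"))
        elif tag == 0x81:  # [1] on ENUMERATED is implicit -> primitive
            result["error"] = ERRORS[int.from_bytes(inner, "big")]
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
    return result

def idp_event(value: bytes) -> str:
    """Event name the reply says the IdP signals for each kind of response."""
    decoded = parse_ppolicy_response(value)
    if decoded["error"] is not None:
        return "AuthnEventIds.ACCOUNT_ERROR"
    if decoded["warning"] is not None:
        return "AuthnEventIds.ACCOUNT_WARNING"
    return "none"

# Constructed samples: expires in 3600 s; changeAfterReset (the error ppolicy reports
# for an entry with pwdReset: TRUE)
SAMPLE_WARNING = bytes.fromhex("3006a00480020e10")
SAMPLE_RESET_ERROR = bytes.fromhex("3003810102")
```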