openLDAP pwdReset pwdMustChange
Daniel Fisher
dfisher at vt.edu
Thu Sep 1 19:01:52 UTC 2022
On Mon, Aug 29, 2022 at 7:57 PM Lipscomb, Gary <glipscomb at csu.edu.au> wrote:
> Hi Dan,
>
> I finally got it working yesterday by doing the following:
>
> - In OpenLDAP, in the password policy, set pwdMustChange: TRUE
> - In OpenLDAP, in the user account, set pwdReset: TRUE
> - In the IdP, in password-authn-config.xml, add CHANGE_AFTER_RESET:
>
>   <entry key="ExpiringPassword">
>     <list>
>       <value>ACCOUNT_WARNING</value>
>       <value>CHANGE_AFTER_RESET</value>
>     </list>
>   </entry>
>
> This will then give the user the “Your password will be expiring soon. Please
> ensure you update your password via the Staff Portal before it expires”
>
OK, I think this makes sense. CHANGE_AFTER_RESET would only be returned on
a successful authentication, so only the warning flow could execute. Sounds
like you're on the right track to forcing a password change, and leveraging
CHANGE_AFTER_RESET doesn't provide much, if any, value.
--Daniel Fisher
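The mechanism behind Dan's point is the LDAP Password Policy response control (OID 1.3.6.1.4.1.42.2.27.8.5.1, draft-behera-ldap-password-policy) that OpenLDAP's ppolicy overlay attaches to the bind response: when pwdReset is TRUE the bind itself succeeds and the control carries error value changeAfterReset (2), which is the value the IdP's CHANGE_AFTER_RESET name refers to. The decoder below is an added example written for this thread, not code from the Shibboleth IdP, ldaptive or OpenLDAP. It assumes the draft's ASN.1 and OpenLDAP's BER tagging (warning as explicit context tag [0] wrapping [0]/[1], error as implicit context tag [1]); the three control values are constructed by hand, not captured from a server, and classify_bind is an illustrative mapping, not the IdP's logic.

```python
from typing import Optional

# Error values of PasswordPolicyResponseValue.error (draft-behera-ldap-password-policy).
PPOLICY_ERRORS = {
    0: "passwordExpired",
    1: "accountLocked",
    2: "changeAfterReset",
    3: "passwordModNotAllowed",
    4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality",
    6: "passwordTooShort",
    7: "passwordTooYoung",
    8: "passwordInHistory",
}

# Constructed sample control values (hand-built for this example, not captured from a server):
#   pwdReset: TRUE on the entry -> bind succeeds, control carries error=changeAfterReset(2)
SAMPLE_RESET = bytes.fromhex("30 03 81 01 02")
#   password expiring in 60 s -> bind succeeds, control carries warning timeBeforeExpiration=60
SAMPLE_EXPIRING = bytes.fromhex("30 05 a0 03 80 01 3c")
#   password expired, no grace logins -> bind fails (invalidCredentials), error=passwordExpired(0)
SAMPLE_EXPIRED = bytes.fromhex("30 03 81 01 00")


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def decode_ppolicy_response(value: bytes) -> dict:
    """
    Parse a PasswordPolicyResponseValue:
        SEQUENCE { warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
                                        graceAuthNsRemaining [1] INTEGER } OPTIONAL,
                   error   [1] ENUMERATED { ... } OPTIONAL }
    Assumed tagging (as OpenLDAP emits it): warning = constructed 0xA0 wrapping
    primitive 0x80 / 0x81, error = primitive 0x81.
    """
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("control value is not a single SEQUENCE")
    result = {"warning": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == 0xA0:
            itag, ival, _ = _read_tlv(inner, 0)
            kind = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}.get(itag)
            if kind is None:
                raise ValueError(f"unknown warning tag {itag:#x}")
            result["warning"] = (kind, int.from_bytes(ival, "big"))
        elif tag == 0x81:
            code = int.from_bytes(inner, "big")
            result["error"] = PPOLICY_ERRORS.get(code, f"unknown({code})")
        else:
            raise ValueError(f"unexpected tag {tag:#x} in PasswordPolicyResponseValue")
    return result


def classify_bind(bind_result_code: int, control_value: Optional[bytes]) -> str:
    """
    Illustrative (not the IdP's) mapping of (bind resultCode, ppolicy control) to
    an outcome. changeAfterReset only ever accompanies a successful bind
    (resultCode 0), so it can only feed a post-authentication "change your
    password" path; it never turns the bind into a failure.
    """
    state = decode_ppolicy_response(control_value) if control_value else {"warning": None, "error": None}
    if bind_result_code != 0:
        return "failed:" + (state["error"] or "noPolicyDetail")
    if state["error"] == "changeAfterReset":
        return "ok:changeAfterReset"
    if state["warning"] is not None:
        kind, n = state["warning"]
        return f"ok:{kind}={n}"
    if state["error"] is not None:
        return "ok:" + state["error"]      # unexpected on a successful bind; surface it
    return "ok"


if __name__ == "__main__":
    print(classify_bind(0, SAMPLE_RESET))      # ok:changeAfterReset
    print(classify_bind(0, SAMPLE_EXPIRING))   # ok:timeBeforeExpiration=60
    print(classify_bind(49, SAMPLE_EXPIRED))   # failed:passwordExpired
```

The useful check when debugging a setup like Gary's is therefore not whether the bind fails, but whether the control on the successful bind carries error 2; if it does, the IdP's ExpiringPassword list decides whether the user is shown anything.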