Hi We are testing the password policy in the 389DS. Using CentOS 5.5 i386, 389-ds-base 1.2.5. I have enabled the global password policy, and set 180 days for password expiration, 14 days for warnings, and 3 grace logins. If I do a login before the 14 days befor the password expiration, the bind is correct. If the bind is done during the 14 days before the password expiration, a PasswordExpiringControl is sent to the client (verified with a groovy script using the UnboundID LDAP SDK). After the password expires, the login is successful (without being sent any control) for 3 times (all correct), and then the bind is incorrect (error 49, invalid credentials), and also a PasswordExpiredControl is sent. My question, shouldn't the server send the PasswordExpiredControl also during the 3 grace login? If not, I have tested the DraftBeheraLDAPPasswordPolicy10RequestControl (http://tools.ietf.org/html/draft-behera-ldap-password-policy-10), and it looks that is implemented (at least, in part) in 389DS. What is the status of the implementation of this drafts (yes, I know it is a draft, but is very useful). I am interested mostly in notifying the user about its expiring/expired password, or remaining login attempts. This looks to work in 389DS. Is there any more useful function I can use? Regards and thanks in advance. -- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users
