the response controls (using Java/JNDI). When the user's pass hasn't expired yet but they are in the warning period, in the response I receive 2.16.840.1.113730.3.4.5 indicating the password is expiring, which works great.
Then when their password actually expires and they still haven't changed it yet (Glass half full, they just haven't logged in during that time and didn't ignore my warnings) and I have say 3 grace logins allows in the policy the server doesn't respond with the warning (2.16.840.1.113730.3.4.5) or the password expired response control (2.16.840.1.113730.3.4.4).
The only way I can determine during the grace period that the password is actually expired and I'm on my grace login seems to be by checking the passwordExpiredTime attribute by hand. This just seems silly to me since the server knows the password expired and it knows to increment the passwordGraceUserTime attribute for each successful login after the password expired. I would think the server would respond with both 2.16.840.1.113730.3.4.5 and 2.16.840.1.113730.3.4.4 like it does when your password is reset by the administrator.
Am I missing something? Anyone else have a cleaner way of determining that it's a grace period login? By the way, for the record I'm accessing this in Java, not sure it matters and here's a little code blurb:
LdapContext ctx = new InitialLdapContext(env, nul);
Control[] ctls = ctx.getResponseControls();
if(ctls != null) {
for(Control control : ctls) {
System.out.println(control.getID());
}
}
Also if this question should be on the devel list I apologize but I figured that was for actually coding the 389 directory server.
Thanks,
Aaron Hagopian
-- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users