SimpleGuy

Reputation: 2904

LDAP: How to reset value of pwdReset field

I am trying to write an application that would allow a user to manage users on an LDAP system. One feature of this is the "Forgot Password" functionality.

  1. User uses my app to reset his password.
  2. I ask some security questions and, if the answers are correct, I redirect him to a new screen - the new password screen.
  3. User provides the new password only (as he has forgotten his old one).
  4. I use the admin Context and reset the user's password (using modifyAttributes(..)).
  5. The LDAP system sets pwdReset to true, indicating that the password was changed by the admin and must be changed by the user.

Now, I do want to set this to false, because I don't want the user to change his password again (as he already did in the steps above), so I explicitly modify it to false. But I get the error

javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Object Class Violation]; remaining name 'cn=XXXX,ou=XXXXOU,O=XXXX'

What is the way around? Is there some other alternative?

For reference, the code to reset pwdReset is as follows:

        List<ModificationItem> modsList = new ArrayList<ModificationItem>();
        // Replace pwdReset with the literal value "false" (this is the call that fails)
        BasicAttribute attribute = new BasicAttribute(ATTR_PASSWORDRESET, "false");
        modsList.add(new ModificationItem(DirContext.REPLACE_ATTRIBUTE, attribute));
        ModificationItem[] modsArr = modsList.toArray(new ModificationItem[modsList.size()]);
        // userName holds the user's DN; adminCtx is a DirContext bound as the admin
        this.adminCtx.modifyAttributes(userName, modsArr);


And here is my pwdPolicy (screenshots of the pwdPolicy entry, not reproduced here).

Upvotes: 1

Views: 3392

Answers (1)

user207421

Reputation: 311050

I've just spent two weeks proving to myself that OpenLDAP doesn't actually do step #5 at all, despite what the wording of the RFC draft appears to mean. I also found a message in the OpenLDAP Mail archives confirming that they think it isn't supposed to do that. So what is happening is that there is no pwdReset attribute to set to false, so you're getting a schema violation trying to add it with that value. So, all you have to do is nothing.

It would probably be safer just to set pwdReset to null, which removes it completely, or just remove it with DirContext.REMOVE_ATTRIBUTE. My code doesn't use ModificationItem, which is another clue, more like:

// A null value means "no values", which removes the attribute entirely.
BasicAttributes attributes = new BasicAttributes(ATTR_PASSWORDRESET, null);
// The Attributes overload of modifyAttributes needs the modification op;
// DirContext.REMOVE_ATTRIBUTE works here as well.
this.adminCtx.modifyAttributes(userName, DirContext.REPLACE_ATTRIBUTE, attributes);

The above also means that if you want it set to TRUE you have to do so yourself.

Upvotes: 2
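Putting the answer into practice: the following is an added example (not code from either poster) that performs the admin-side password replacement from step 4 and then clears pwdReset only if the server actually stored it, so the error code 65 from the question cannot occur. It assumes an already-bound admin DirContext and the user's DN; the attribute names and the helper class name are assumptions, and it relies on pwdReset being an operational attribute that must be requested by name.

```java
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;

// Hypothetical helper; not part of any poster's code.
public class PwdResetHelper {
    // Attribute names as defined by the LDAP password-policy schema.
    private static final String ATTR_PASSWORD = "userPassword";
    private static final String ATTR_PASSWORDRESET = "pwdReset";

    /**
     * Replaces the user's password using the admin context, then removes
     * pwdReset if (and only if) the entry carries it.
     *
     * @return true if pwdReset was present and has been removed
     */
    public static boolean resetPasswordAndClearFlag(DirContext adminCtx,
                                                    String userDn,
                                                    String newPassword)
            throws NamingException {
        // Step 4 from the question: admin-side password replacement.
        Attribute pwd = new BasicAttribute(ATTR_PASSWORD, newPassword);
        adminCtx.modifyAttributes(userDn, new ModificationItem[] {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE, pwd) });

        // pwdReset is operational, so it is only returned when asked for
        // explicitly; a plain getAttributes(userDn) would not show it.
        Attributes current = adminCtx.getAttributes(userDn,
                new String[] { ATTR_PASSWORDRESET });
        if (current.get(ATTR_PASSWORDRESET) == null) {
            // The server never set the flag (the case the answer describes),
            // so there is nothing to clear and nothing to violate.
            return false;
        }

        // Remove the attribute outright: a BasicAttribute with no values
        // under REMOVE_ATTRIBUTE deletes the whole attribute, instead of
        // trying to store the literal "false".
        Attribute flag = new BasicAttribute(ATTR_PASSWORDRESET);
        adminCtx.modifyAttributes(userDn, new ModificationItem[] {
            new ModificationItem(DirContext.REMOVE_ATTRIBUTE, flag) });
        return true;
    }
}
```

The admin identity used for adminCtx still needs write access to the operational attribute on the server side; if the directory denies that, the removal call will fail with an access error rather than a schema violation.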
