How and When iChain redirects to the Password Management Servlet URL

  • 3007390
  • 18-May-2006
  • 27-Apr-2012

Environment

Novell iChain 2.3
Password Management Servlet URL

Situation

iChain can redirect a user with an expired password to a password management servlet such as the exteNd password servlet, the Password Management Servlet located on developer.novell.com, or a custom-made password servlet.

Resolution

Only the process of redirecting the browser from iChain to the password management servlet is supported; the servlet itself is not.

Conditions:

User's password is reaching expiration but has not yet expired:
iChain will not redirect the user to the password management servlet URL.

User's password is expired but no grace logins remain:
If no grace logins are allowed, or if the grace logins run out, the LDAP BIND result code returned is "invalidCredentials" and the user is not allowed to log in to iChain. The user will never receive the 302 redirect to the password management servlet URL.

User's password is expired and grace logins remain:
If grace logins are allowed, the LDAP BIND result code returned is "success" and iChain is notified that the password is expired. The user then receives a 302 redirect to the password management servlet URL.

Traffic flow between iChain and LDAP when grace logins remain for a user and the user's password has expired:
  1. The user's password expires.
  2. The user logs into iChain.
  3. A Bind Request using the full DN of the user is sent to the LDAP server.
  4. The LDAP Bind Result code returned is "success", but the response also carries the error message "NDS error: password expired (-223)".
  5. A 302 redirect is sent to the user's browser with the location of the password management servlet URL specified in the iChain configuration.
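The three outcomes above (no grace logins left, grace logins remaining, password not expired) modelled as a small decision routine. This is an added example, not iChain or eDirectory code: the directory side, the HTTP response layout and the servlet URL are assumptions; the LDAP result codes (success = 0, invalidCredentials = 49) are the standard values and the "-223" text is the message quoted in step 4.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# LDAP result codes (RFC 4511) that appear in the bind responses described above.
LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49
# Error text the page says accompanies a "success" bind for an expired password.
NDS_PASSWORD_EXPIRED = -223
NDS_EXPIRED_MESSAGE = "NDS error: password expired (-223)"


@dataclass
class BindResult:
    result_code: int
    diagnostic_message: str = ""


def directory_bind(password_correct: bool, password_expired: bool,
                   grace_logins_remaining: int) -> BindResult:
    """Hypothetical model of the directory's side of the bind (not eDirectory code)."""
    if not password_correct:
        return BindResult(LDAP_INVALID_CREDENTIALS)
    if password_expired and grace_logins_remaining <= 0:
        # No grace logins left: the bind itself fails, so iChain never redirects.
        return BindResult(LDAP_INVALID_CREDENTIALS)
    if password_expired:
        # A grace login is consumed: bind succeeds, expiry is signalled in the message.
        return BindResult(LDAP_SUCCESS, NDS_EXPIRED_MESSAGE)
    return BindResult(LDAP_SUCCESS)


def nds_error_code(message: str) -> Optional[int]:
    """Pull the numeric NDS error (e.g. -223) out of a bind diagnostic message."""
    match = re.search(r"NDS error:.*\((-?\d+)\)", message)
    return int(match.group(1)) if match else None


def ichain_decision(bind: BindResult, servlet_url: str) -> Tuple[str, Optional[str]]:
    """Model of iChain's reaction: ('denied'|'redirect'|'allowed', Location or None)."""
    if bind.result_code != LDAP_SUCCESS:
        return "denied", None  # invalidCredentials: login fails, no 302 is ever sent
    if nds_error_code(bind.diagnostic_message) == NDS_PASSWORD_EXPIRED:
        return "redirect", servlet_url  # success + -223: send the browser to the servlet
    return "allowed", None  # success without the expiry message: normal login


def redirect_response(location: str) -> str:
    """The 302 the browser receives (minimal, assumed header set)."""
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\nContent-Length: 0\r\n\r\n"
```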