Environment
Novell iChain 2.3
Password Management Servlet URL
Situation
iChain can redirect a user with an expired password to a password
management servlet such as the exteNd password servlet, the Password
Management Servlet located on developer.novell.com, or a custom-made
password servlet.
Resolution
Only the process of redirecting the browser from iChain to the password
management servlet is supported.
Conditions:
User's password is reaching expiration but has not yet expired:
iChain will not redirect the user to the password management servlet URL.
User's password is expired but no grace logins remain:
If no grace logins are allowed, or if the grace logins run out, the
LDAP BIND result code returned is "invalidCredentials" and the user
is not allowed to log in to iChain. The user will never receive the
302 redirect to the password management servlet URL.
User's password is expired and grace logins remain:
If grace logins are allowed, the LDAP BIND result code returned is
"success" and iChain is notified that the password is expired. The user
then receives a 302 redirect to the password management servlet URL.
Traffic flow between iChain and LDAP when grace logins remain for a user
and the user's password has expired:
- The user's password expires.
- The user logs into iChain.
- A Bind Request using the full DN of the user is sent to the LDAP server.
- The LDAP Bind Result code returned is "success", but the result specifies the error message "NDS error: password expired (-223)".
- A 302 redirect is sent to the user's browser with the location of the password management servlet URL specified in the iChain configuration.
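
The decision described above, written out as an added example (this is not iChain's or Novell's code). It maps an LDAP bind result to the outcome the conditions list. The servlet URL, the user DNs and the sample bind results are constructed placeholders; the numeric result codes 0 and 49 are the RFC 4511 values for "success" and "invalidCredentials".

```python
import re

LDAP_SUCCESS = 0               # RFC 4511 resultCode: success
LDAP_INVALID_CREDENTIALS = 49  # RFC 4511 resultCode: invalidCredentials
NDS_PASSWORD_EXPIRED = -223    # error number quoted in the article

# Placeholder; the real value is whatever is set in the iChain configuration.
SERVLET_URL = "https://pwd.example.invalid/servlet"

_NDS_ERROR = re.compile(r"NDS error: .*\((-\d+)\)")


def nds_error_number(diagnostic_message):
    """Return the NDS error number in a bind diagnostic message, or None."""
    match = _NDS_ERROR.search(diagnostic_message or "")
    return int(match.group(1)) if match else None


def decide(result_code, diagnostic_message=""):
    """Map one LDAP bind result to the outcome the article describes."""
    if result_code == LDAP_SUCCESS:
        if nds_error_number(diagnostic_message) == NDS_PASSWORD_EXPIRED:
            # Expired password, grace logins remain: browser gets a 302.
            return {"login": True, "status": 302, "location": SERVLET_URL}
        # Valid password, including one that is merely close to expiring.
        return {"login": True, "status": None, "location": None}
    # invalidCredentials covers expired-with-no-grace-logins; by result code
    # alone it looks the same as a wrong password, and no redirect is sent.
    return {"login": False, "status": None, "location": None}


# Constructed sample bind results: (user DN, resultCode, diagnostic message).
SAMPLE_BINDS = [
    ("cn=alice,o=example", LDAP_SUCCESS, ""),
    ("cn=bob,o=example", LDAP_SUCCESS, "NDS error: password expired (-223)"),
    ("cn=carol,o=example", LDAP_INVALID_CREDENTIALS, ""),
]


def redirected_users(binds):
    """DNs whose bind would trigger the redirect to the password servlet."""
    return [dn for dn, code, msg in binds if decide(code, msg)["status"] == 302]


if __name__ == "__main__":
    for dn, code, msg in SAMPLE_BINDS:
        print(dn, decide(code, msg))
```

Only the second sample user is redirected; the third is refused at bind time and never sees the servlet, so a password reset for that case has to be handled outside the redirect.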