Access Manager users with expired user redirected to expired password URL but <USERID> is passed instead of username

  • 3455564
  • 10-Sep-2007
  • 05-Jun-2013


Novell Access Management 3 Linux Novell Identity Server
Novell Access Management 3 Linux Access Gateway
Novell Access Management 3 Netware Access Gateway
Novell Access Management 3 Access Administration


When logging into the Identity Server, users with expired passwords and with grace
logins remaining count set at 0 are getting redirected to the expired password
management URL where the POST data sent includes "dn=", where
was not resolved to the user's actual DN. This "" string then shows up
on the pages of the password management service.

When the user has some remaining
grace logins, the data POSTed to the password management servlet is correct.


1) Configure an Authentication contract with a "Password expiration servlet:"
URL which includes the variables RETURN_URL and USERID in the query string. For
example (tested with the IDM 3.5 servlets):


2) Configure an accelerator and protected resource, enable the above Auth
contract on the protected resource

3) In the user store specified for the Auth contract above, configure a
user with an expired password and grace login count > 0.

4) Browse to the protected resource, login as the user created above who has
grace remaining count > 0

-user is redirected to the password service and POST data includes the DN of
user as expected

5) Decrement the user's grace remaining count to 0

6) Relaunch browser to the protected resource again, login to IDP as user that
now has grace remaining=0

-user is redirected to the password service and POST data now includes string
"dn=" instead of user DN or blank value.


Fixed in 3.1 Support Pack 3 or greater.