Environment
Self Service Password Reset 3.0
SSPR configured to use eDirectory LDAP on the back end.
Situation
Each time the user logs into Self Service Password Reset (SSPR), the user is told their password is expired and prompted to change their password. This occurs whether the password is expired or not.
Logging into eDirectory with the Novell Client does not produce a password change prompt, and viewing the object in eDirectory shows that the password is not expired.
Resolution
The customer had created a custom attribute mapping for loginGraceRemaining, mapping it to graceloginremaining. This mapping is configured on the LDAP Group object that the LDAP Server object for your LDAP server is assigned to in eDirectory.
Removing the custom mapping corrected the issue.
Cause
SSPR compares the values of the attributes loginGraceRemaining and loginGraceLimit to see whether they are the same. If the values are not equal, it assumes the user is consuming grace logins and must change their password.
If you change the attribute name returned via LDAP with a custom attribute mapping, the comparison fails or becomes invalid, because the expected attribute is no longer present in the LDAP response.
This is the default syntax returned when no attribute mapping is present:
loginGraceRemaining: x
loginGraceLimit: x
Here is what the LDAP server was returning:
graceloginremaining: x
loginGraceLimit: x
"graceloginremaining" is not the default name for "loginGraceRemaining".
Thus comparing the expected attributes loginGraceRemaining (no value, since that name is no longer returned) and loginGraceLimit (10) results in them being unequal, so SSPR flags the password as expired.
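The following Python example is added here to illustrate the comparison described above; it is not SSPR's own code. It models the grace-login check over an LDAP entry returned with the default attribute names and over one returned with the custom mapping, showing why the mapped entry is flagged as expired. The function names, the sample entries and the value 10 are constructed for illustration, and the "hardened" variant that distinguishes a missing attribute from a genuine grace-login condition is this example's own suggestion, not a documented SSPR setting.

```python
# Added example (not SSPR's code): models the loginGraceRemaining vs
# loginGraceLimit comparison from the Cause section.
# Attribute names loginGraceRemaining, loginGraceLimit and the custom-mapped
# graceloginremaining come from the article; entry contents are constructed.

from typing import Dict, Optional, Tuple

# LDAP attribute names are case-insensitive, so normalise keys before lookup.
def _lookup(entry: Dict[str, str], name: str) -> Optional[str]:
    lowered = {k.lower(): v for k, v in entry.items()}
    return lowered.get(name.lower())


def grace_logins_in_use(entry: Dict[str, str]) -> bool:
    """Naive check as described in the article.

    Compares the two attribute values; any inequality, including a missing
    attribute (None), is treated as 'grace logins in use', i.e. expired.
    """
    remaining = _lookup(entry, "loginGraceRemaining")
    limit = _lookup(entry, "loginGraceLimit")
    return remaining != limit


def check_grace_logins(entry: Dict[str, str]) -> Tuple[str, str]:
    """Hardened variant (this example's suggestion, not an SSPR feature).

    Returns (status, detail) where status is one of:
      'ok'      - both attributes present and equal
      'grace'   - both present, remaining is lower than the limit
      'unknown' - an expected attribute is absent, so no conclusion is possible
    Reporting 'unknown' instead of 'expired' makes a broken attribute mapping
    visible in logs rather than surfacing as a false password-change prompt.
    """
    remaining = _lookup(entry, "loginGraceRemaining")
    limit = _lookup(entry, "loginGraceLimit")
    missing = [n for n, v in (("loginGraceRemaining", remaining),
                              ("loginGraceLimit", limit)) if v is None]
    if missing:
        return "unknown", f"attribute(s) not returned by LDAP: {', '.join(missing)}"
    if int(remaining) == int(limit):
        return "ok", f"remaining={remaining} limit={limit}"
    return "grace", f"remaining={remaining} limit={limit}"


def unexpected_attributes(entry: Dict[str, str]) -> list:
    """List attribute names in the entry that SSPR does not expect.

    Useful when diagnosing a custom mapping: the mapped name shows up here
    while the expected name is missing.
    """
    expected = {"logingraceremaining", "logingracelimit"}
    return sorted(k for k in entry if k.lower() not in expected)


# Constructed sample entries mirroring the two LDAP responses in the article.
DEFAULT_ENTRY = {"loginGraceRemaining": "10", "loginGraceLimit": "10"}
MAPPED_ENTRY = {"graceloginremaining": "10", "loginGraceLimit": "10"}

if __name__ == "__main__":
    for label, entry in (("default", DEFAULT_ENTRY), ("mapped", MAPPED_ENTRY)):
        print(label, "naive expired:", grace_logins_in_use(entry),
              "| hardened:", check_grace_logins(entry),
              "| unexpected:", unexpected_attributes(entry))
```

With the default names both checks agree that the password is not expired; with the custom mapping the naive comparison sees no value for loginGraceRemaining and reports expired, while the hardened variant reports that the attribute was not returned at all, which points straight at the mapping on the LDAP Group object.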