SSPR - Password expiring each time user logs in.

  • 7015902
  • 18-Nov-2014
  • 18-Nov-2014

Environment


Self Service Password Reset 3.0
SSPR configured to use eDirectory LDAP on the back end.

Situation

Each time a user logs into Self Service Password Reset (SSPR), the user is told that their password has expired and is prompted to change it. This happens whether or not the password is actually expired.

Logging into eDirectory with the Novell Client does not produce a password change prompt, and viewing the object in eDirectory shows that the password is not expired.

Resolution

The customer had created a custom attribute mapping for loginGraceRemaining, mapping it to graceloginremaining. Attribute mappings are configured in eDirectory on the LDAP Group object that the LDAP Server object for the server in question is assigned to.

Removing the custom mapping corrected the issue.

Cause

SSPR compares the values of the attributes loginGraceRemaining and loginGraceLimit. If the values are not equal, it assumes the user is consuming grace logins and must change their password.

If a custom attribute mapping changes the attribute name returned over LDAP, SSPR no longer receives a value under the name it expects, so the comparison fails or produces an invalid result.

With no custom attribute mapping in place, the LDAP server returns the attributes under their default names:
loginGraceRemaining: x
loginGraceLimit: x

In this case the LDAP server was returning:
graceloginremaining: x
loginGraceLimit: x

"graceloginremaining" is not the default name for "loginGraceRemaining", so SSPR never receives a value for the attribute it asks for.

SSPR therefore compares loginGraceRemaining (no value) against loginGraceLimit (10); the two are not equal, so it flags the password as expired.
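The following Python is an added illustration, not SSPR source code or anything from NetIQ. It models the comparison described above on two constructed LDAP search results (default attribute names versus the renamed attribute), shows why a missing loginGraceRemaining value trips the check, and includes a small diagnostic that reports which expected attribute names are absent from what the server actually returned. The entries, the DN and the value 10 are constructed for the example.

```python
"""Model of the grace-login check described in this TID (added example)."""
from typing import Dict, List, Optional

# Constructed LDAP search results in a minimal LDIF-like form.
# Names/values are illustrative; 10 matches the loginGraceLimit quoted above.
ENTRY_DEFAULT_NAMES = """\
dn: cn=jdoe,ou=users,o=example
loginGraceRemaining: 10
loginGraceLimit: 10
"""

ENTRY_CUSTOM_MAPPING = """\
dn: cn=jdoe,ou=users,o=example
graceloginremaining: 10
loginGraceLimit: 10
"""

ENTRY_REAL_GRACE_LOGIN = """\
dn: cn=jdoe,ou=users,o=example
loginGraceRemaining: 9
loginGraceLimit: 10
"""

# Attribute names SSPR asks for, per the article.
EXPECTED_ATTRIBUTES = ["loginGraceRemaining", "loginGraceLimit"]


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF-style entry into {attribute-name: [values]}.

    LDAP attribute names are case-insensitive, so keys are lower-cased.
    Note that the problem in the article is a *different* name, not a
    different case, so lower-casing does not hide it.
    """
    entry: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def first_value(entry: Dict[str, List[str]], name: str) -> Optional[str]:
    """Return the first value of an attribute, or None if it is absent."""
    values = entry.get(name.lower())
    return values[0] if values else None


def sspr_style_grace_check(entry: Dict[str, List[str]]) -> bool:
    """Return True when the entry looks like it is consuming grace logins.

    This is the comparison the article attributes to SSPR: unequal values of
    loginGraceRemaining and loginGraceLimit mean a password change is forced.
    An absent loginGraceRemaining (None) is never equal to "10", which is
    exactly the false positive the custom mapping causes.
    """
    remaining = first_value(entry, "loginGraceRemaining")
    limit = first_value(entry, "loginGraceLimit")
    return remaining != limit


def missing_expected_attributes(entry: Dict[str, List[str]]) -> List[str]:
    """Diagnostic: list expected attribute names the server did not return.

    Run this against a real search result (for example the output of an
    ldapsearch for the user) to spot a mapping that renamed an attribute.
    """
    return [name for name in EXPECTED_ATTRIBUTES if first_value(entry, name) is None]


if __name__ == "__main__":
    for label, raw in [("default names", ENTRY_DEFAULT_NAMES),
                       ("custom mapping", ENTRY_CUSTOM_MAPPING),
                       ("genuine grace login", ENTRY_REAL_GRACE_LOGIN)]:
        entry = parse_ldif_entry(raw)
        print(f"{label:20s} forced change: {sspr_style_grace_check(entry)!s:5s} "
              f"missing: {missing_expected_attributes(entry)}")
```

With the default names the check passes and with a genuine grace login it correctly forces a change; with the custom mapping the check forces a change even though the user still has all 10 grace logins, and the diagnostic reports loginGraceRemaining as missing, which is the condition to look for when verifying what the LDAP server returns.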