Logs also indicate the following error:
2016-12-20T20:41:00Z, FATAL, servlet.AbstractPwmServlet, 5026 ERROR_BAD_SESSION_PASSWORD (unable to authenticate with password read from directory, check proxy rights, ldap logs; error: 5066 ERROR_ACCOUNT_EXPIRED (unable to create connection: unable to bind to ldaps://chansen2.lab.novell.com:636 as cn=gilgamesh,ou=users,o=data reason: [LDAP: error code 53 - NDS error: log account expired (-220)]))
- Make sure that Unlock User During Activation is set to Enabled.
- Make sure that when you click "View Matches" under the Activation Permission, valid users come up.
A useful condition to filter on is loginDisabled=TRUE. Use the following as an example filter: (&(objectclass=person)(loginDisabled=TRUE))
- *Most important setting* Create a new Action under Activation Actions (Before Password Change) to have SSPR change the loginDisabled=TRUE to FALSE on the user attempting activation. Use the following steps to do that:
  - Click Add Action.
  - Give your Action a name.
  - Change "webservice" to "ldap".
  - Click the Options button.
  - Set Attribute Name to loginDisabled.
  - Set Attribute Value to FALSE.
  - Leave Operation Type as Replace.
  - Save these changes.
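As an added example (not from the article and not SSPR code), a small offline check in Python: it parses the activation filter the way an LDAP server would (a doubled pair of parentheses makes a filter invalid), runs it over a constructed sample directory the way "View Matches" does, and emits the LDIF equivalent of the loginDisabled Replace action so the change can be tried by hand with ldapmodify before relying on the SSPR action. The parser supports only the &, | and ! operators with plain attr=value items, and equality is assumed to be case-insensitive.

```python
# Added example (not article/SSPR code). Assumes attr -> [values] entries, case-
# insensitive equality (eDirectory's behaviour for objectClass/loginDisabled), and
# only the &, |, ! operators with plain attr=value items.
ACTIVATION_FILTER = "(&(objectclass=person)(loginDisabled=TRUE))"

def _parse(s, i):  # parse one "(...)" component at s[i] -> (node, next index)
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    if s[i + 1:i + 2] in ("&", "|", "!"):
        op, kids, i = s[i + 1], [], i + 2
        while s[i:i + 1] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if s[i:i + 1] != ")":
            raise ValueError(f"unterminated '{op}' at offset {i}")
        return (op, kids), i + 1
    end = s.find(")", i)
    attr, eq, value = s[i + 1:end].partition("=")
    if end < 0 or not (attr and eq) or "(" in attr:  # rejects ((attr=value))
        raise ValueError(f"malformed item at offset {i}: {s[i:end + 1]!r}")
    return ("=", attr.lower(), value.lower()), end + 1

def parse_filter(s):
    node, i = _parse(s.strip(), 0)
    if i != len(s.strip()):
        raise ValueError("trailing characters after the filter")
    return node

def is_valid_filter(s):
    try:
        return parse_filter(s) is not None
    except ValueError:
        return False

def matches(node, attrs):  # evaluate a parsed filter against one entry's attrs
    if node[0] == "=":
        _, attr, value = node
        return any(v.lower() == value for k, vs in attrs.items()
                   if k.lower() == attr for v in vs)
    op, kids = node
    hits = [matches(k, attrs) for k in kids]
    return all(hits) if op == "&" else any(hits) if op == "|" else not any(hits)

def unlock_ldif(dn):  # LDIF equivalent of the action: Replace loginDisabled with FALSE
    return f"dn: {dn}\nchangetype: modify\nreplace: loginDisabled\nloginDisabled: FALSE\n-\n"

SAMPLE_DIRECTORY = [  # constructed sample; the first DN is the one in the log line above
    ("cn=gilgamesh,ou=users,o=data", {"objectClass": ["inetOrgPerson", "person"], "loginDisabled": ["TRUE"]}),
    ("cn=enkidu,ou=users,o=data", {"objectClass": ["person"], "loginDisabled": ["FALSE"]}),
    ("cn=sspr-proxy,ou=services,o=data", {"objectClass": ["applicationProcess"], "loginDisabled": ["TRUE"]}),
]
```

Feed the DNs that match into unlock_ldif and pipe the result to ldapmodify to reproduce the action outside SSPR; the service object with loginDisabled=TRUE stays out of the result because the objectclass clause excludes it.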