Question
I have a problem which I am in need of some help with.
I use LDAP with PHP to authenticate users, and I also check to see if the user's password is marked as expired. This all works fine if the user's password has not expired or if the admins have ticked the box to force a password reset. However, I get a problem when the password expires through the group policies.
To make it so that I can still authenticate the user when their password is marked as expired, I need to change the pwdlastset value to -1 and then back to what it was in the first place. But this just throws an exception whenever the password has expired instead of changing the pwdlastset value.
Exception:
0x50 (Other (e.g., implementation specific) error; 00000057: SysErr: DSID-031A1202, problem 22 (Invalid argument), data 0 ): updating: CN=Steve,OU=Developer Groups,DC=external,DC=domain,DC=local in
Can anyone confirm for me whether I'm right in thinking that I cannot change this value once the password has expired through policies or not?
If I am unable to change this value, is there not a work around?
Thanks
Answer 1:
Only the system can modify the pwdLastSet attribute to any value other than 0 or -1. If you assign 0, the password is immediately expired. Then when the user changes their password the current date/time is assigned by the system to the pwdLastSet attribute.
The value -1 corresponds to the largest integer allowed in a 64-bit attribute, 2^63-1. This value does the reverse of 0. It makes the password not expired. When the user next logs on, the pwdLastSet attribute will be set by the system to the value corresponding to the current date/time.
Answer 2:
If you ask for a generalized setting value in your app for the value of Password expiration policy, then you could add that to pwdLastSet, and compare to the current time to test if it is expired.
Which is how the system does it. Prior to Win 2008 servers, there was only the domain wide password policy, so that works fine in that model. With fine grained password policies there can potentially be more password policies. As I recall, you make a group that is of a particular type whose members get the specific policy so it could be looked up.
Of course, both approaches are Active Directory specific, and won't work on any other LDAP server as they use different methods for denoting expired passwords.
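The check answer 2 describes, as an added example rather than code from the question or either answer, written in Python instead of the asker's PHP: it takes pwdLastSet and the domain's maxPwdAge as the raw 64-bit values LDAP returns (assumed here to be Windows FILETIME tick counts, with maxPwdAge stored as a negative interval) and handles the 0 and -1 special cases from answer 1. The userAccountControl flag check is an assumption added for completeness, not something the answers mention.

```python
from datetime import datetime, timedelta, timezone

# Active Directory stores pwdLastSet and maxPwdAge as 64-bit counts of
# 100-nanosecond intervals (Windows FILETIME); the epoch is 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
PWD_NEVER_EXPIRED = 2**63 - 1        # what AD stores after a write of -1 (answer 1)
NO_MAX_AGE = (0, -2**63)             # maxPwdAge values meaning "passwords never expire"
DONT_EXPIRE_PASSWD = 0x10000         # userAccountControl flag (assumed, not from the answers)


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a FILETIME tick count to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; dt must be timezone-aware."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def password_state(pwd_last_set: int, max_pwd_age: int, now: int, user_account_control: int = 0):
    """Classify a password as 'must_change', 'never', 'valid' or 'expired'.

    All three tick arguments are the integers LDAP returns (cast with int()).
    Because maxPwdAge is negative, expiry = pwdLastSet - maxPwdAge, i.e.
    "add the policy age to pwdLastSet" as answer 2 puts it.
    Returns (state, expires_at); expires_at is None when no date applies.
    """
    if pwd_last_set == 0:
        return "must_change", None            # admin forced a reset at next logon
    if pwd_last_set == PWD_NEVER_EXPIRED:
        return "never", None                  # -1 was written to pwdLastSet
    if max_pwd_age in NO_MAX_AGE or user_account_control & DONT_EXPIRE_PASSWD:
        return "never", None
    expires_ticks = pwd_last_set - max_pwd_age
    state = "expired" if now >= expires_ticks else "valid"
    return state, filetime_to_datetime(expires_ticks)


if __name__ == "__main__":
    # Constructed sample: password set 2013-09-01 UTC under a 42-day policy
    last_set = datetime_to_filetime(datetime(2013, 9, 1, tzinfo=timezone.utc))
    max_age = -42 * 86400 * TICKS_PER_SECOND
    now = datetime_to_filetime(datetime.now(timezone.utc))
    print(password_state(last_set, max_age, now))
```

In the asker's PHP flow the same comparison would replace the attempt to write -1, so nothing is modified on the directory object during authentication.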
Source: https://stackoverflow.com/questions/18615958/ldap-pwdlastset-unable-to-change-without-error-showing