Accept logons from users where password change is required
This document is written for PhenixID Server.
This is only valid for User accounts that reside in Active Directory.
This article describes how to accept user logins for accounts that have one of the following Active Directory bind sub-codes returned:
- 532 – password expired
- 773 – user must reset password
The reader should have some basic knowledge about PhenixID Server.
Overview
If users have the above flags set on their account, PhenixID Server will receive an LDAP error code in return from the Active Directory server.
The configuration below will accept Active Directory users that must change password.
Instruction
The solution requires changes to the file phenix-store.json, so please make sure that you have a recent copy/backup of this file.
The following parameter should be set on the LDAPBindValve: "allowed_error_codes":"532,773".
Log in to the configuration UI, go to Scenarios, Radius, <your scenario>. On the tab "Execution flow", edit the LDAPBindValve on your Pipe. Press "+ Add", enter allowed_error_codes as parameter and the desired code(s) as value, for instance 532. When done, press "Save".
Example (press JSON in the right corner):
{
    "connection_ref": "f56b30ab-5042-4ca0-b9f0-bc7e36a12fde",
    "password_param_name": "User-Password",
    "allowed_error_codes": "532,773"
}
Changes will not require restart.
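The following Python snippet is an added illustration, not PhenixID's own code, of what an allow-list check like allowed_error_codes has to do: a failed Active Directory bind comes back as LDAP result 49 with a hex "data" sub-code in the diagnostic message, and only the configured sub-codes (532, 773) should be accepted while everything else (wrong password 52e, disabled 533, locked out 775, or no sub-code at all) stays rejected. The diagnostic messages are constructed samples, and the decision logic is an assumption about the valve's behaviour, not a description of its implementation.

```python
import re
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Sub-codes Active Directory attaches to a failed bind (LDAP result 49).
# 532 and 773 are the ones this article allows; the rest are listed so the
# check can name what it rejects rather than accepting all failures.
AD_BIND_SUBCODES = {
    "52e": "invalid credentials (wrong password)",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]+)\b")


@dataclass
class BindResult:
    result_code: int      # LDAP result code: 0 = success, 49 = invalidCredentials
    diagnostic: str = ""  # diagnostic message supplied by the server


def parse_allowed_error_codes(value: str) -> Set[str]:
    """Parse the valve parameter value, e.g. "532,773", into a set of sub-codes."""
    return {c.strip().lower() for c in value.split(",") if c.strip()}


def ad_subcode(diagnostic: str) -> Optional[str]:
    """Extract the hex 'data' sub-code from an AD diagnostic message, if present."""
    m = _DATA_RE.search(diagnostic)
    return m.group(1).lower() if m else None


def accept_bind(result: BindResult, allowed_error_codes: str) -> Tuple[bool, str]:
    """Decide whether a bind outcome counts as a successful logon (assumed logic)."""
    if result.result_code == 0:
        return True, "bind succeeded"
    if result.result_code != 49:
        return False, "LDAP result %d is not an authentication outcome" % result.result_code
    code = ad_subcode(result.diagnostic)
    if code is None:
        return False, "result 49 without an AD sub-code: treated as invalid credentials"
    reason = AD_BIND_SUBCODES.get(code, "unknown sub-code")
    if code in parse_allowed_error_codes(allowed_error_codes):
        return True, "accepted despite AD data %s (%s)" % (code, reason)
    return False, "rejected: AD data %s (%s)" % (code, reason)


# Constructed sample messages in the format AD uses (DSID and version are placeholders).
_MSG = "80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data %s, v2580"
SAMPLE_EXPIRED = BindResult(49, _MSG % "532")
SAMPLE_MUST_RESET = BindResult(49, _MSG % "773")
SAMPLE_WRONG_PW = BindResult(49, _MSG % "52e")
```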