LDAP issue with Password Expiration
I know this topic has been covered a lot on and off, but I was not able to find an answer to this issue. We are using Active Directory (Win 2003) and we were calculating password expirations using a combination of pwdLastSet and maxPwdAge, as well as userAccessControl. We have been trying to switch our code to use the new computed values of ms-DS-User-Password-Expired and msDS-User-Account-Control-Computed. However, I am not getting consistent results with either of these. ms-DS-User-Password-Expired is always null and msDS-User-Account-Control-Computed usually returns 0, but on some users it is returning 8388608 (pwd expired) even though the password for that user is not expired in AD. I read on a .NET site that since these values were computed, you had to call a RefreshCache method on the user object after it was retrieved, but I have not been able to find a Java equivalent. What is the recommended method for figuring out the status of a user's password/account?
Thanks in advance.
Ci-Ci Thomson
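The pwdLastSet/maxPwdAge calculation described in the question, written out as an added Java example (not the poster's code). It assumes the attribute values arrive as the decimal strings JNDI returns, uses the documented UF_DONT_EXPIRE_PASSWD (0x10000) and UF_PASSWORD_EXPIRED (0x800000, the 8388608 seen above) flags, and works on constructed sample values rather than a live directory:

```java
import java.time.Instant;
import java.util.Optional;

// Added example, not the poster's code: password status from the attributes named in the question.
public final class AdPasswordStatus {
    // 100-ns ticks between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01).
    private static final long FILETIME_UNIX_OFFSET = 116444736000000000L;
    // userAccountControl flag: password never expires (documented UF_DONT_EXPIRE_PASSWD).
    static final int UF_DONT_EXPIRE_PASSWD = 0x10000;
    // msDS-User-Account-Control-Computed flag: password expired (0x800000 = 8388608 in the question).
    static final int UF_PASSWORD_EXPIRED = 0x800000;

    // Converts a FILETIME tick count (what JNDI hands back as a decimal string) to an Instant.
    static Instant fileTimeToInstant(long ticks) {
        long unixTicks = ticks - FILETIME_UNIX_OFFSET;
        return Instant.ofEpochSecond(Math.floorDiv(unixTicks, 10_000_000L),
                                     Math.floorMod(unixTicks, 10_000_000L) * 100);
    }

    // Expiry instant derived from pwdLastSet, the domain's maxPwdAge and userAccountControl.
    // Empty means the password does not expire; Instant.EPOCH means "must change at next logon".
    static Optional<Instant> passwordExpiry(String pwdLastSet, String maxPwdAge, int userAccountControl) {
        if ((userAccountControl & UF_DONT_EXPIRE_PASSWD) != 0) return Optional.empty();
        long maxAge = Long.parseLong(maxPwdAge);          // stored as a negative 100-ns interval
        if (maxAge == 0 || maxAge == Long.MIN_VALUE) return Optional.empty(); // no domain policy
        long lastSet = Long.parseLong(pwdLastSet);
        if (lastSet == 0) return Optional.of(Instant.EPOCH); // admin forced a change at next logon
        return Optional.of(fileTimeToInstant(lastSet - maxAge)); // subtracting a negative adds the age
    }

    static boolean isExpired(Optional<Instant> expiry, Instant now) {
        return expiry.map(e -> !e.isAfter(now)).orElse(false);
    }

    // Reads the same answer from the computed attribute, when the server supplies it.
    static boolean isExpiredPerComputed(int uacComputed) {
        return (uacComputed & UF_PASSWORD_EXPIRED) != 0;
    }

    public static void main(String[] args) {
        // Constructed sample: pwdLastSet = 2007-01-01T00:00Z, maxPwdAge = 42 days, UF_NORMAL_ACCOUNT.
        Optional<Instant> expiry = passwordExpiry("128120832000000000", "-36288000000000", 0x200);
        System.out.println("Expires: " + expiry.orElse(null));
        System.out.println("Expired on 2007-03-01? "
                + isExpired(expiry, Instant.parse("2007-03-01T00:00:00Z")));
        System.out.println("Computed flag says expired? " + isExpiredPerComputed(8388608));
    }
}
```

Comparing the two results for the same user, against the same domain controller, separates a genuine expiry from a flag that disagrees with the stored attributes.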
# 1
Yes, it is very confusing.
Have a look at the Active Directory schema definitions on http://msdn2.microsoft.com/en-us/library/ms675090.aspx
You'll notice that for example attributes such as ms-DS-UserAccountAutoLocked, msDS-UserPasswordExpired, msDS-UserAccountDisabled, msDS-UserDontExpirePassword are only applicable to Active Directory Application Mode (ADAM), whereas msDS-User-Account-Control-Computed is supported on both Active Directory and Active Directory Application Mode.
One could only hope that with the Longhorn Server release we get some consistency and have the same computed attributes available for both AD & ADAM (or more correctly for Longhorn, Active Directory Domain Services and Active Directory Lightweight Services !) **** marketing people ! (That's really clever, if you type in some profanity such as http://www.askoxford.com/results/?view=dict&field-12668446=****&branch=13842570&textsearchtype=exact&sortorder=score%2Cname the forum replaces it with asterisks !)
Would also be an opportunity to ensure that the LDAP Display Names for the attributes are consistent, for example contrast msDS-User-Account-Control-Computed and msDS-UserDontExpirePassword. Would never have happened in my day !
# 3
To the best of my knowledge, there is no caching of the computed value on a domain controller.
The only reason why I can think you may be getting inconsistent results could be that you may be connecting to multiple domain controllers and that perhaps the accountLockout time values have yet to replicate.
BTW, if you would like to e-mail me with further details about your company and your use of the specific ADAM attributes (such as msDS-UserPasswordExpired), that will add greater weight to the arguments for approving a Design Change Request (DCR) for future releases of AD. Can't guarantee anything for Longhorn Server though.
My non-work e-mail address is adler_steven@hotmail.com (Note to others on this forum, I will not reply to any unsolicited emails, and for obvious reasons, I will not be providing my work email address as this is not meant to be an official support mechanism for Active Directory related questions)