
Accept logons from users where password change is required

This document is written for PhenixID Server.

This is only valid for User accounts that reside in Active Directory.

This article describes how to accept user logins for accounts that have one of the following flags set:

  • 532 – password expired
  • 773 – user must reset password

The reader should have some basic knowledge about PhenixID Server.

Overview

If users have the above flags set on their account, PhenixID Server will receive an LDAP error code in return from the Active Directory server.

The configuration below will accept Active Directory users that must change their password.

Instruction

The solution requires changes to the file phenix-store.json, so please make sure that you have a recent copy/backup of this file.

The following parameter should be set on the LDAPBindValve: 
"allowed_error_codes":"532,773".

Log in to the configuration UI, go to Scenarios, Radius, <your scenario>. On the tab "Execution flow" edit the LDAPBindValve on your Pipe. Press "+ Add", enter allowed_error_codes as parameter and the desired code (for instance 532) as value. When done press "Save".

Example (press JSON in the right corner):

{
	"connection_ref": "f56b30ab-5042-4ca0-b9f0-bc7e36a12fde",
	"password_param_name": "User-Password",
	"allowed_error_codes": "532,773"
}

Changes will not require a restart.
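To make the effect of allowed_error_codes concrete, here is an added illustration (not PhenixID's own code) of the decision the valve has to make: a failed bind is only treated as a logon when Active Directory's diagnostic message carries one of the listed sub-codes. The message format and the AD sub-codes are Active Directory's; the function names and the sample messages are constructed for this example. Note that AD reports 532 and 773 only after the supplied password has verified, whereas a wrong password yields 52e, which is why only these two codes belong in the allow-list.

```python
import re
from typing import Optional

# Pattern for the "data NNN" token that Active Directory appends to the
# diagnostic message of a failed bind (LDAP resultCode 49, invalidCredentials).
# The token is hexadecimal text, so codes are compared as strings, exactly as
# they are written in the allowed_error_codes setting ("532,773").
AD_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")

# Well-known Active Directory bind sub-codes, for logging and review. Only
# 532 and 773 mean "password was correct but must be changed".
AD_BIND_DATA = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

def parse_allowed_error_codes(value: str) -> set:
    """Split the comma-separated allowed_error_codes value into a set of codes."""
    return {c.strip().lower() for c in value.split(",") if c.strip()}

def extract_ad_data_code(diagnostic: str) -> Optional[str]:
    """Return the hexadecimal data code from an AD diagnostic message, or None."""
    match = AD_DATA_RE.search(diagnostic)
    return match.group(1).lower() if match else None

def describe_bind_failure(diagnostic: str) -> str:
    """Human-readable reason for a failed bind, for the server log."""
    code = extract_ad_data_code(diagnostic)
    return AD_BIND_DATA.get(code, "unknown bind failure") if code else "no AD data code"

def bind_accepted(result_code: int, diagnostic: str, allowed_error_codes: str) -> bool:
    """Accept a clean bind (resultCode 0), or a resultCode 49 failure whose AD
    sub-code is in the allow-list. Every other failure is rejected."""
    if result_code == 0:
        return True
    if result_code != 49:
        return False
    code = extract_ad_data_code(diagnostic)
    return code is not None and code in parse_allowed_error_codes(allowed_error_codes)

# Constructed sample diagnostic strings in the format AD returns for resultCode 49.
SAMPLE_EXPIRED = "80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 532, v3839"
SAMPLE_WRONG_PW = "80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839"
```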