LDAP pwdlastset unable to change without error showing


Problem description

I have a problem which I am in need of some help with.

I use LDAP with PHP to authenticate users; I also check to see if the user's password is marked as expired. This all works fine if the user's password has not expired or if the admins have ticked the box to force a password reset. However, I get a problem when the password expires through the group policies.

To make it so that I can still authenticate the user when their password is marked as expired, I need to change the pwdlastset value to -1 and then back to what it was in the first place. But this just throws an exception whenever the password has expired instead of changing the pwdlastset value.

Exception:

0x50 (Other (e.g., implementation specific) error; 00000057: SysErr: DSID-031A1202, problem 22 (Invalid argument), data 0 ): updating: CN=Steve,OU=Developer Groups,DC=external,DC=domain,DC=local in

Can anyone confirm for me whether I'm right in thinking that I cannot change this value once the password has expired through policies or not?

If I am unable to change this value, is there not a workaround?

Thanks

Recommended answer

Only the system can modify the pwdLastSet attribute to any value other than 0 or -1. If you assign 0, the password is immediately expired. Then when the user changes their password the current date/time is assigned by the system to the pwdLastSet attribute.

The value -1 corresponds to the largest integer allowed in a 64-bit attribute, 2^63-1. This value does the reverse of 0. It makes the password not expired. When the user next logs on, the pwdLastSet attribute will be set by the system to the value corresponding to the current date/time.
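
The rule in the answer, as an added PHP example (not code from the question or the answer): a decoder for values read from pwdLastSet and a guard that refuses to submit anything except 0 or -1, since per the answer a client write of any other value, such as restoring an earlier timestamp, is not accepted. The function names and sample values are constructed for illustration; the example assumes 64-bit PHP and the standard FILETIME encoding of this attribute (100-nanosecond intervals since 1601-01-01 UTC).

```php
<?php
declare(strict_types=1);

// Seconds between 1601-01-01 (FILETIME epoch) and 1970-01-01 (Unix epoch), UTC.
const FILETIME_EPOCH_OFFSET = 11644473600;

// Interpret a pwdLastSet value as read from the directory (a decimal string).
function describePwdLastSet(string $raw): string
{
    if (!preg_match('/^\d+$/', $raw)) {
        throw new InvalidArgumentException("unexpected pwdLastSet value: $raw");
    }
    if ((int) $raw === 0) {
        return 'expired, user must change password';
    }
    // FILETIME counts 100-nanosecond intervals, so divide by 10^7 for seconds.
    $unix = intdiv((int) $raw, 10000000) - FILETIME_EPOCH_OFFSET;
    return 'password last set ' . gmdate('Y-m-d\TH:i:s\Z', $unix);
}

// Build the modification for ldap_mod_replace(), refusing values the
// directory reserves for itself (anything other than 0 or -1).
function pwdLastSetModification(int $value): array
{
    if ($value !== 0 && $value !== -1) {
        throw new InvalidArgumentException(
            'only 0 or -1 may be written; timestamps are assigned by the system'
        );
    }
    return ['pwdLastSet' => [(string) $value]];
}

// Constructed sample values, shaped like what an LDAP read returns.
foreach (['0', '133484544000000000'] as $raw) {
    echo $raw, ' => ', describePwdLastSet($raw), PHP_EOL;
}

// Constructed write attempts: the third mimics restoring an old timestamp.
foreach ([0, -1, 133484544000000000] as $candidate) {
    try {
        $entry = pwdLastSetModification($candidate);
        // With a bound connection: ldap_mod_replace($conn, $dn, $entry);
        echo 'would send ', json_encode($entry), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "refused $candidate: ", $e->getMessage(), PHP_EOL;
    }
}
```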
