LDAP pwdlastset unable to change without error showing


Problem description

I have a problem which I am in need of some help with.

I use LDAP with PHP to authenticate users, and I also check to see if the user's password is marked as expired. This all works fine if the user's password has not expired or if the admins have ticked the box to force a password reset. However, I get a problem when the password expires through the group policies.

To make it so that I can still authenticate the user when their password is marked as expired, I need to change the pwdlastset value to -1 and then back to what it was in the first place. But this just throws an exception whenever the password has expired instead of changing the pwdlastset value.

Exception:

0x50 (Other (e.g., implementation specific) error; 00000057: SysErr: DSID-031A1202, problem 22 (Invalid argument), data 0 ): updating: CN=Steve,OU=Developer Groups,DC=external,DC=domain,DC=local in

Can anyone confirm for me whether I'm right in thinking that I cannot change this value once the password has expired through policies or not?

If I am unable to change this value, is there not a workaround?

Thanks

Recommended answer

Only the system can modify the pwdLastSet attribute to any value other than 0 or -1. If you assign 0, the password is immediately expired. Then when the user changes their password the current date/time is assigned by the system to the pwdLastSet attribute.

The value -1 corresponds to the largest integer allowed in a 64-bit attribute, 2^63-1. This value does the reverse of 0. It makes the password not expired. When the user next logs on, the pwdLastSet attribute will be set by the system to the value corresponding to the current date/time.
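A read-only way to decide whether a password has expired without writing to pwdLastSet, as an added example that is not part of the original question or answer. It assumes 64-bit PHP and that pwdLastSet, userAccountControl and the domain object's maxPwdAge have already been read over LDAP as decimal strings; the function name passwordState and all sample values are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Seconds between the FILETIME epoch (1601-01-01 UTC) and the Unix epoch.
const FILETIME_UNIX_OFFSET = 11644473600;
// userAccountControl bit DONT_EXPIRE_PASSWORD.
const UF_DONT_EXPIRE_PASSWD = 0x10000;

/**
 * Classify a password from attribute values read over LDAP (hypothetical helper).
 * Returns ['state' => string, 'expires_at' => ?int as Unix time].
 */
function passwordState(string $pwdLastSet, string $maxPwdAge, string $uac, int $now): array
{
    // pwdLastSet = 0: the password is expired immediately, whatever the policy says.
    if ($pwdLastSet === '0') {
        return ['state' => 'must_change', 'expires_at' => null];
    }
    // The per-account flag overrides the domain password policy.
    if (((int)$uac & UF_DONT_EXPIRE_PASSWD) !== 0) {
        return ['state' => 'never_expires', 'expires_at' => null];
    }
    // maxPwdAge is a negative count of 100 ns intervals; 0 or the int64 minimum means no expiry.
    if ($maxPwdAge === '0' || $maxPwdAge === '-9223372036854775808') {
        return ['state' => 'never_expires', 'expires_at' => null];
    }
    // Convert the FILETIME timestamp and the policy interval to seconds.
    $setAt = intdiv((int)$pwdLastSet, 10000000) - FILETIME_UNIX_OFFSET;
    $maxAgeSeconds = intdiv(-(int)$maxPwdAge, 10000000);
    $expiresAt = $setAt + $maxAgeSeconds;
    return ['state' => $now >= $expiresAt ? 'expired' : 'valid', 'expires_at' => $expiresAt];
}

// Constructed sample values, not taken from a real directory.
$now = 1700000000;            // 2023-11-14 22:13:20 UTC
$policy = '-36288000000000';  // maxPwdAge of 42 days
$samples = [
    'set 10d ago'  => ['133436096000000000', $policy, '512'],   // valid
    'set 60d ago'  => ['133392896000000000', $policy, '512'],   // expired
    'forced reset' => ['0', $policy, '512'],                    // must_change
    'exempt'       => ['133392896000000000', $policy, '66048'], // never_expires
];
foreach ($samples as $name => [$set, $age, $uac]) {
    printf("%-13s %s\n", $name, passwordState($set, $age, $uac, $now)['state']);
}
```

Where fine-grained password policies are in use they can override the domain maxPwdAge for a user, so read the constructed msDS-UserPasswordExpiryTimeComputed attribute instead of computing the expiry from the domain policy.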
