Directory Programming .NET

Active Directory and ADAM programming support for .NET developers

ADAM and forcing password changes

Last post 02-23-2010, 2:38 PM by joe. 3 replies.
  •  02-22-2010, 6:20 PM 7856

    ADAM and forcing password changes

    I've struggled with the common problem of "temporary passwords" in ADAM, where an administrator resets a user's password but the user is required to change the password before using it to log in.  (This is the equivalent of the "User must change password at next logon" in Active Directory.)

    I can set the pwdLastSet attribute to zero, which prevents a bind but does allow a password change.  (The password change must be performed on a connection using a service account, since the user's own credentials can't be used.  To change the password, I send a modify request for the userPassword attribute that removes the old password and adds the new.) 

    However, I'd prefer to only redirect the user to change the password when he enters a valid password to begin with-- if he enters an invalid password, the response should just be the usual "invalid credentials" message.  The problem is that when pwdLastSet=0, the bind result is the same whether the password is correct or not.

    Today it occurred to me that I actually do have a way to validate the password without a bind.  When I change a user's password, I get a specific error code if the current password is incorrect-- either 0x56 or 0x52b.  This means that if the initial bind fails and pwdLastSet=0, I can attempt a password change that only removes the old password without setting a new password.  If I get one of the invalid password error codes, I know the password is no good.  Otherwise, I'll get an error due to the missing new password.

    Can anyone see any problems with this approach?

    Thanks,
    Matt

  •  02-22-2010, 11:43 PM 7857 in reply to 7856

    Re: ADAM and forcing password changes

    This is a very annoying feature in ADAM to attempt to do anything with. If you can successfully get a different detail-level server error from ADAM that lets you know the reason for the bind failure, then you can probably get away with this approach. The trick is being sure you can get the error code (and having a service account to do the bind with to make the change operation).

    What code are you actually using that gets you the detail level error code btw? I know in AD when you do secure bind authentication you don't actually get the detail level error codes so you can't do this effectively. ADAM may actually be more useful in this area (or it may be a function of simple bind authentication providing the additional details).

  •  02-23-2010, 11:48 AM 7861 in reply to 7857

    Re: ADAM and forcing password changes

    Hi Joe,

    I can't get the detailed error on a bind, but I realized that I can get the error on a password change.  If I get a bind failure, and if pwdLastSet=0, I can do a modify request to remove the attempted password.  On that modify request, I'll get an error that indicates either an invalid attempted password or an invalid new password (since I'm not setting a new password in the request).  That gives me enough information to know whether the attempted password was valid, and if so I can send the user to the password change page.

    Thanks,
    Matt
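
    The flow Matt lays out in posts 7856 and 7861, written up as an added example in C# on System.DirectoryServices.Protocols. This is not code from the thread or from ADAM; the host, port, service-account DN, the user DNs and the way the server error text is parsed (an eight-hex-digit prefix such as "0000052B: ...", as AD and ADAM report Win32 codes) are all assumptions.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text.RegularExpressions;

// Hypothetical helper for the "temporary password" flow described in the thread.
// Class and method names, host, port and DNs are placeholders, not ADAM APIs.
public static class AdamTempPasswordFlow
{
    const string Host = "adam.example.test";                       // placeholder
    const int SslPort = 636;                                       // placeholder
    const string ServiceDn = "CN=svc-auth,CN=Roles,CN=App,DC=example"; // placeholder
    const string ServicePassword = "service-account-password";     // placeholder

    public enum ProbeResult { Correct, Wrong, Indeterminate }
    public enum LoginOutcome { Ok, InvalidCredentials, MustChangePassword }

    // Plain simple bind as the user. With pwdLastSet=0 this fails whether or not
    // the password is right, and the bind error carries no detail code.
    public static bool TryUserBind(string userDn, string password)
    {
        using (var conn = OpenSsl())
        {
            conn.Credential = new NetworkCredential(userDn, password);
            try { conn.Bind(); return true; }
            catch (LdapException) { return false; }
        }
    }

    // Force a change at next logon: set pwdLastSet to 0 (Matt's first step).
    public static void RequirePasswordChange(string userDn)
    {
        using (var svc = OpenAsService())
        {
            var mod = new DirectoryAttributeModification { Name = "pwdLastSet", Operation = DirectoryAttributeOperation.Replace };
            mod.Add("0");
            svc.SendRequest(new ModifyRequest(userDn, mod));
        }
    }

    // Read pwdLastSet so the probe is only attempted for forced-change accounts.
    public static bool IsChangeRequired(LdapConnection svc, string userDn)
    {
        var resp = (SearchResponse)svc.SendRequest(new SearchRequest(userDn, "(objectClass=*)", SearchScope.Base, "pwdLastSet"));
        var attr = resp.Entries[0].Attributes["pwdLastSet"];
        return attr != null && attr.Count > 0 && Convert.ToString(attr[0]) == "0";
    }

    // Matt's probe: a modify that only deletes the attempted userPassword value.
    // The thread reports 0x56 / 0x52B when that value is wrong, and a different
    // error (no new value supplied) when it is right.
    public static ProbeResult ProbeCurrentPassword(LdapConnection svc, string userDn, string attempted)
    {
        var del = new DirectoryAttributeModification { Name = "userPassword", Operation = DirectoryAttributeOperation.Delete };
        del.Add(attempted);
        try
        {
            svc.SendRequest(new ModifyRequest(userDn, del));
            // The thread expects this never to succeed. If it ever did, the password
            // would now be gone, so do not report the attempt as validated.
            return ProbeResult.Indeterminate;
        }
        catch (DirectoryOperationException ex)
        {
            return ClassifyServerError(ex.Response == null ? null : ex.Response.ErrorMessage);
        }
    }

    // Pure classifier, separate so it can be tested against captured messages.
    // Assumes the "0000052B: ..." prefix format on the server error text.
    public static ProbeResult ClassifyServerError(string serverMessage)
    {
        if (string.IsNullOrEmpty(serverMessage)) return ProbeResult.Indeterminate;
        var m = Regex.Match(serverMessage, @"^\s*([0-9A-Fa-f]{8}):");
        if (!m.Success) return ProbeResult.Indeterminate;
        int code = Convert.ToInt32(m.Groups[1].Value, 16);
        // 0x56 = ERROR_INVALID_PASSWORD, 0x52B = Win32 1323 (current password incorrect)
        if (code == 0x56 || code == 0x52B) return ProbeResult.Wrong;
        return ProbeResult.Correct; // any other error is taken as "old value accepted"
    }

    // Whole login decision: bind, then fall back to the service-account probe.
    public static LoginOutcome Authenticate(string userDn, string password)
    {
        if (TryUserBind(userDn, password)) return LoginOutcome.Ok;
        using (var svc = OpenAsService())
        {
            if (!IsChangeRequired(svc, userDn)) return LoginOutcome.InvalidCredentials;
            return ProbeCurrentPassword(svc, userDn, password) == ProbeResult.Correct
                ? LoginOutcome.MustChangePassword : LoginOutcome.InvalidCredentials;
        }
    }

    // The real change, as the thread describes it: delete old + add new in one modify.
    public static void ChangePassword(string userDn, string oldPw, string newPw)
    {
        using (var svc = OpenAsService())
        {
            var del = new DirectoryAttributeModification { Name = "userPassword", Operation = DirectoryAttributeOperation.Delete };
            del.Add(oldPw);
            var add = new DirectoryAttributeModification { Name = "userPassword", Operation = DirectoryAttributeOperation.Add };
            add.Add(newPw);
            svc.SendRequest(new ModifyRequest(userDn, del, add));
        }
    }

    static LdapConnection OpenSsl()
    {
        var c = new LdapConnection(new LdapDirectoryIdentifier(Host, SslPort)) { AuthType = AuthType.Basic };
        c.SessionOptions.SecureSocketLayer = true; // password operations assume an encrypted channel
        return c;
    }

    static LdapConnection OpenAsService()
    {
        var c = OpenSsl();
        c.Credential = new NetworkCredential(ServiceDn, ServicePassword);
        c.Bind();
        return c;
    }
}
```

    Two points to keep in mind with this shape. ClassifyServerError treats every error other than the two wrong-password codes as "correct", so an unrelated failure (the service account lacking rights, for instance) would also route the user to the change page; that is tolerable only because ChangePassword still requires the correct old value before anything is altered, so log the raw server message rather than discarding it. And if the delete-only probe ever returns success instead of an error, the password has been removed, which is why the code reports Indeterminate there rather than Correct.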

  •  02-23-2010, 2:38 PM 7863 in reply to 7861

    Re: ADAM and forcing password changes

    I see what you are doing. It makes sense now. Basically, if you are willing to make a "back channel" search request with a service account, you get additional options and can make this work. Ideally AD and ADAM would not require that for LDAP auth but unfortunately they are pretty limited in what they can do with this auth mechanism currently. Maybe MS will do something to help address this someday?