Somebody on this list will know the definitive answer(s) to this
question. I have been knocking holes in the wall with my head all day
and cannot get an answer that makes sense.
In Active Directory you can set a password as expired and when the user
logs in they get to type their old password to prove they are who they
say they are and then new passwords to get the change to happen.
I want to achieve this via the LDAP interface but cannot find any
references that say if it is possible. I suspect that what really
happens under the cover is that the 'LDAP' code checks that the hash of
the presented old password matches the value in the AD and then uses a
privileged account rather than the user to do the actual change (I am
thinking of the IISADMPWD application here!). What I had hoped I could
find would be an option that would allow a bind to succeed using the
user's credentials (old password/username) that could only change the
password. But I have not.
Am I right in that this is done by knowing that the HASH matches or is
there a hidden control to the AD LDAP interface I am missing?
--
Howard Wilkinson
Coherent Technology Limited
23 Northampton Square,
United Kingdom, EC1V 0HL
Phone: +44(20)76907075
Mobile: +44(7980)639379
Email: howard@...
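An added example, not part of Howard's message or of any product he names, showing the two LDAP-level pieces that matter for the question above: how AD takes a user's own password change (a single modify on `unicodePwd` that deletes the old value and adds the new one, authorised by the user's own bind with no privileged account involved, as opposed to an administrative reset, which is a `replace` by an account holding the reset right), and how the sub-code AD puts in the bind diagnostic message tells "password expired" (data 532) or "must change at next logon" (data 773) apart from a plain wrong password (data 52e). No LDAP client library is modelled; the modify operations are returned as plain tuples, the function names are my own, and the diagnostic strings are constructed in the shape AD returns.

```python
"""Active Directory password change over LDAP: value encoding and bind
diagnostics. Added example, not the poster's code; no directory is
contacted, so it runs offline."""
import re

# Sub-codes AD appends after "data" in an error-49 bind diagnostic (hex).
AD_BIND_SUBCODES = {
    0x525: "user not found",
    0x52E: "invalid credentials",
    0x530: "logon not permitted at this time",
    0x531: "logon not permitted at this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "user must change password at next logon",
    0x775: "account locked out",
}

_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]+)")


def encode_unicode_pwd(password: str) -> bytes:
    """AD accepts unicodePwd values only as the password wrapped in double
    quotes and encoded as UTF-16LE without a byte-order mark."""
    return f'"{password}"'.encode("utf-16-le")


def build_self_service_change(old_password: str, new_password: str) -> list:
    """Modify operations for a user changing their own password: DELETE the
    old value and ADD the new one on unicodePwd in one modify request.
    The DC checks the old value itself, so the client binds as the user;
    the connection must be encrypted (LDAPS or an encrypted SASL bind),
    otherwise AD refuses any unicodePwd modification."""
    return [
        ("delete", "unicodePwd", [encode_unicode_pwd(old_password)]),
        ("add", "unicodePwd", [encode_unicode_pwd(new_password)]),
    ]


def build_admin_reset(new_password: str) -> list:
    """Modify operation for an administrative reset: a single REPLACE with
    no old value. Requires the Reset Password right on the target object,
    which is what makes it a privileged-account operation."""
    return [("replace", "unicodePwd", [encode_unicode_pwd(new_password)])]


def classify_bind_failure(diagnostic: str) -> str:
    """Map an error-49 diagnostic message to the meaning of its AD sub-code."""
    m = _DATA_RE.search(diagnostic)
    if not m:
        return "no AD sub-code present"
    code = int(m.group(1), 16)
    return AD_BIND_SUBCODES.get(code, f"unknown sub-code 0x{code:x}")


def bind_failure_is_password_change_case(diagnostic: str) -> bool:
    """True when the bind was refused because a new password is required
    (expired or must-change), i.e. the old credentials were otherwise right."""
    m = _DATA_RE.search(diagnostic)
    return bool(m) and int(m.group(1), 16) in (0x532, 0x773)


if __name__ == "__main__":
    # Constructed diagnostics in the format AD returns; DSID is a placeholder.
    for diag in (
        "80090308: LdapErr: DSID-XXXXXXXX, comment: AcceptSecurityContext error, data 52e, v1db1",
        "80090308: LdapErr: DSID-XXXXXXXX, comment: AcceptSecurityContext error, data 532, v1db1",
        "80090308: LdapErr: DSID-XXXXXXXX, comment: AcceptSecurityContext error, data 773, v1db1",
    ):
        print(classify_bind_failure(diag), "|", bind_failure_is_password_change_case(diag))
    for op, attr, vals in build_self_service_change("OldPass1", "NewPass2"):
        print(op, attr, vals[0])
```

The practical point for the question: the delete/add form is what lets the user, not an admin, do the change, but it still sits behind a successful bind, and an expired password is exactly the case where the simple bind is refused (data 532), so logging the sub-code is what lets a self-service front end tell "needs a new password" from "wrong password" before deciding how to proceed.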