LDAPv3 Server Requirements to Enable Expired Password Handling in the Application Portal

Document created by RSA Information Design and Development on Jul 14, 2016. Last modified by RSA Information Design and Development on Oct 20, 2017.
Version 21

In a deployment that includes the SSO Agent, when the Cloud Authentication Service authenticates users against an LDAPv3 directory server, the identity router relies on detailed bind error messages from the directory server to determine if a user's password is expired. If a user attempts to sign in using an expired password, the application portal can prompt the user to set a new password.

Detailed bind error messages are enabled by default on some LDAPv3 directory servers, but others may require configuration, or may not support the feature at all. If detailed bind error messages are disabled or unavailable, the application portal handles expired passwords the same as all other invalid passwords.
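The dependency described above, as an added example that is not RSA's code: a relying component sees only the bind result code and the server's diagnosticMessage, so it can tell an expired password from a wrong one only when the directory returns detail. The expired-password wording and the sample ldapwhoami output are constructed for illustration; the stderr layout assumed is that of the OpenLDAP client tools, and a real deployment would take the patterns from what its own directory actually returns.

```python
import re
from dataclasses import dataclass

INVALID_CREDENTIALS = 49  # RFC 4511 resultCode invalidCredentials(49)


@dataclass(frozen=True)
class BindResult:
    result_code: int
    diagnostic_message: str = ""  # empty when the server withholds detail


# Constructed wording (assumption): real servers phrase the reason differently,
# so a deployment extends this tuple from the messages its own directory emits.
EXPIRED_PATTERNS = (
    re.compile(r"password (has )?expired", re.IGNORECASE),
    re.compile(r"password expiration", re.IGNORECASE),
)


def classify_bind(result: BindResult) -> str:
    """Return 'success', 'expired_password', 'invalid_password' or 'other_error'."""
    if result.result_code == 0:
        return "success"
    if result.result_code != INVALID_CREDENTIALS:
        return "other_error"
    if any(p.search(result.diagnostic_message) for p in EXPIRED_PATTERNS):
        return "expired_password"
    # No usable detail: an expired password is indistinguishable from a wrong
    # one, which is the fallback behaviour the page describes.
    return "invalid_password"


# OpenLDAP client tools (ldapwhoami, ldapsearch) report a failed bind on stderr as
#   ldap_bind: Invalid credentials (49)
#           additional info: <server diagnosticMessage>
# and print the second line only when the server supplied a message.
_RC = re.compile(r"^ldap_bind: .*\((\d+)\)\s*$", re.MULTILINE)
_INFO = re.compile(r"^\s*additional info: (.*)$", re.MULTILINE)


def parse_ldapwhoami_stderr(text: str) -> BindResult:
    """Empty stderr means the bind succeeded (the tool then writes the DN to stdout)."""
    rc = _RC.search(text)
    info = _INFO.search(text)
    return BindResult(int(rc.group(1)) if rc else 0,
                      info.group(1).strip() if info else "")


if __name__ == "__main__":
    # Constructed sample outputs for the same user, whose password has expired.
    detailed = "ldap_bind: Invalid credentials (49)\n\tadditional info: The password has expired\n"
    silent = "ldap_bind: Invalid credentials (49)\n"
    print(classify_bind(parse_ldapwhoami_stderr(detailed)))  # expired_password
    print(classify_bind(parse_ldapwhoami_stderr(silent)))    # invalid_password
```

To check a directory before enabling the feature in the portal, run ldapwhoami with a simple bind as a test account whose password has expired and look for the "additional info" line; its absence means the server is behaving like the OpenLDAP row in the table.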

The following table describes support for detailed bind error messages on common LDAPv3 directory servers.

LDAPv3 Server            Detailed Bind Error Message Support
Oracle Directory Server  Supported by default. No configuration required.
Apache Directory Server  Supported by default. No configuration required.
OpenDJ                   Configuration required. LDAP administrator must set return-bind-error-messages to true.
OpenLDAP                 Not supported. Detailed bind error messages cannot be enabled on this LDAP server.

Note: If the application portal does not recognize expired passwords after you enable detailed bind error messages on your LDAPv3 directory server, contact RSA Customer Support.
