LDAPv3 Server Requirements to Enable Expired Password Handling in the Application Portal

In a deployment that includes the SSO Agent, when the Cloud Authentication Service authenticates users against an LDAPv3 directory server, the identity router relies on detailed bind error messages from the directory server to determine if a user's password is expired. If a user attempts to sign in using an expired password, the application portal can prompt the user to set a new password.

Detailed bind error messages are enabled by default on some LDAPv3 directory servers, but others may require configuration, or may not support the feature at all. If detailed bind error messages are disabled or unavailable, the application portal handles expired passwords the same as all other invalid passwords.
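The following Python is an added illustration of the decision described above; it is not RSA's code and not code from any directory server product. It classifies an LDAPv3 BindResponse by its result code and optional diagnostic message, the only signal the identity router has for telling an expired password apart from any other invalid credential. The diagnostic message strings, the regular-expression patterns and the simulated server are constructed assumptions: each directory product words its messages differently, so the pattern list has to be checked against the server actually in use.

```python
"""Added example: classify LDAPv3 simple-bind responses by result code and
diagnostic message. Not RSA's or any directory vendor's code; the message
strings and the simulated server below are constructed assumptions."""
import re
from dataclasses import dataclass
from enum import Enum

# resultCode values defined in RFC 4511 that a simple bind commonly returns.
SUCCESS = 0
INVALID_CREDENTIALS = 49


class BindOutcome(Enum):
    OK = "ok"
    EXPIRED = "password_expired"      # portal may offer a change-password flow
    INVALID = "invalid_credentials"   # generic failure, no further hint
    ERROR = "other_error"             # unavailable, unwilling to perform, ...


@dataclass(frozen=True)
class BindResult:
    """The parts of a BindResponse the classifier needs (RFC 4511 LDAPResult)."""
    result_code: int
    diagnostic_message: str = ""


# Assumed patterns: each directory product words its message differently,
# so this list has to be reviewed against the server actually in use.
EXPIRED_PATTERNS = (
    re.compile(r"password\s+(?:has\s+)?expired", re.IGNORECASE),
    re.compile(r"expired\s+password", re.IGNORECASE),
)


def classify_bind(result: BindResult) -> BindOutcome:
    """Map a bind response to what the portal can safely conclude from it."""
    if result.result_code == SUCCESS:
        return BindOutcome.OK
    if result.result_code != INVALID_CREDENTIALS:
        return BindOutcome.ERROR
    # invalidCredentials (49) covers wrong password, unknown user, locked
    # account and expired password alike; only the optional diagnostic
    # message lets the expired case be told apart.
    message = result.diagnostic_message.strip()
    if message and any(p.search(message) for p in EXPIRED_PATTERNS):
        return BindOutcome.EXPIRED
    return BindOutcome.INVALID


def simulated_bind(*, password_correct: bool, password_expired: bool,
                   detailed_messages: bool) -> BindResult:
    """Constructed stand-in for a directory server with detailed bind error
    messages switched on or off; the wording is illustrative only."""
    if not password_correct:
        msg = "Invalid credentials" if detailed_messages else ""
        return BindResult(INVALID_CREDENTIALS, msg)
    if password_expired:
        msg = "The password has expired" if detailed_messages else ""
        return BindResult(INVALID_CREDENTIALS, msg)
    return BindResult(SUCCESS)


def portal_action(outcome: BindOutcome) -> str:
    """What the application portal does with the classification."""
    return {
        BindOutcome.OK: "sign in",
        BindOutcome.EXPIRED: "prompt for a new password",
        BindOutcome.INVALID: "reject sign-in",
        BindOutcome.ERROR: "report directory error",
    }[outcome]


if __name__ == "__main__":
    for detailed in (True, False):
        print(f"detailed bind error messages: {'on' if detailed else 'off'}")
        for correct, expired in ((True, False), (True, True), (False, False)):
            res = simulated_bind(password_correct=correct,
                                 password_expired=expired,
                                 detailed_messages=detailed)
            outcome = classify_bind(res)
            print(f"  correct={correct!s:5} expired={expired!s:5} "
                  f"code={res.result_code:2} msg={res.diagnostic_message!r:28} "
                  f"-> {portal_action(outcome)}")
```

Running the script with detailed messages off shows the behaviour the passage describes: an expired password and a wrong password both come back as result code 49 with an empty diagnostic message, so the classifier can only report `INVALID` and the portal rejects the sign-in instead of offering a password change. Two practical points for the component that consumes the message: match it only to drive the classification and never echo the raw server text to the end user, and keep the patterns narrow so that an unrelated diagnostic message does not route a failed sign-in into the change-password flow.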

The following table describes support for detailed bind error messages on common LDAPv3 directory servers.

| LDAPv3 Server | Detailed Bind Error Message Support |
|---|---|
| Oracle Directory Server | Supported by default. No configuration required. |
| Apache Directory Server | Supported by default. No configuration required. |
| OpenDJ | Configuration required. LDAP administrator must set return-bind-error-messages to true. |
| OpenLDAP | Not supported. Detailed bind error messages cannot be enabled on this LDAP server. |

Note: If the application portal does not recognize expired passwords after you enable detailed bind error messages on your LDAPv3 directory server, contact RSA Customer Support.