Why Does Configured Password Policy Allow BINDs when Subsequent Requests are Rejected with Error 53 (Doc ID 1996252.1)

Last updated on FEBRUARY 01, 2017

Applies to:

Oracle Directory Server Enterprise Edition - Version 5.2 and later
Information in this document applies to any platform.

Goal

A customer has created a custom password policy and applied it to a specific user entry to force a password reset. When the user authenticates, the bind succeeds (no error is returned), but subsequent operations on the same connection return the expected err=53. The customer asks why the authentication/bind does not fail with the same error 53. The custom password policy in use is shown below:

dn: cn=CustomPasswordPolicy,dc=example,dc=com
pwdMinAge: 0
pwdLockoutDuration: 3600
pwdFailureCountInterval: 600
pwdMaxAge: 259200
pwdMaxFailure: 3
pwdLockout: TRUE
pwdExpireWarning: 86400
objectClass: top
objectClass: pwdPolicy
objectClass: sunPwdPolicy
objectClass: LDAPsubentry
cn: CustomPasswordPolicy
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdMustChange: TRUE
pwdInHistory: 10
pwdMinLength: 8
pwdKeepLastAuthTime: TRUE
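
One way to spot the pattern described in the Goal in a server access log, as an added example that is not part of the Oracle document: it pairs each BIND with its RESULT and reports connections where a bind returned err=0 and a later operation on the same connection returned err=53. The log line layout and the sample entries are constructed assumptions.

```python
import re

# Constructed sample lines; the layout (conn=, op=, BIND dn=, RESULT err=) is an
# assumed access-log format, not output taken from the page.
SAMPLE_LOG = """\
[01/Feb/2017:10:00:01 +0000] conn=7 op=0 msgId=1 - BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128 version=3
[01/Feb/2017:10:00:01 +0000] conn=7 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0
[01/Feb/2017:10:00:02 +0000] conn=7 op=1 msgId=2 - SRCH base="dc=example,dc=com" scope=2 filter="(uid=alice)"
[01/Feb/2017:10:00:02 +0000] conn=7 op=1 msgId=2 - RESULT err=53 tag=101 nentries=0 etime=0
[01/Feb/2017:10:00:05 +0000] conn=8 op=0 msgId=1 - BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128 version=3
[01/Feb/2017:10:00:05 +0000] conn=8 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0
[01/Feb/2017:10:00:06 +0000] conn=8 op=1 msgId=2 - SRCH base="dc=example,dc=com" scope=2 filter="(uid=bob)"
[01/Feb/2017:10:00:06 +0000] conn=8 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[01/Feb/2017:10:00:09 +0000] conn=9 op=0 msgId=1 - BIND dn="uid=carol,ou=people,dc=example,dc=com" method=128 version=3
[01/Feb/2017:10:00:09 +0000] conn=9 op=0 msgId=1 - RESULT err=49 tag=97 nentries=0 etime=0
"""

LINE = re.compile(r'conn=(\d+) op=(\d+) .*? - (BIND|RESULT)\b(.*)')
BIND_DN = re.compile(r'dn="([^"]*)"')
ERR = re.compile(r'\berr=(\d+)')

def bind_ok_then_err53(log_text):
    """Return {conn: (bind_dn, [op numbers rejected with err=53])}."""
    pending = {}   # (conn, op) -> DN of a BIND still awaiting its RESULT
    bound = {}     # conn -> DN of the last successful BIND on that connection
    hits = {}      # conn -> (DN, ops refused with err=53 after a successful bind)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue   # SRCH, MOD, connection open/close lines carry no result code
        conn, op, kind, rest = int(m[1]), int(m[2]), m[3], m[4]
        if kind == "BIND":
            dn = BIND_DN.search(rest)
            pending[(conn, op)] = dn.group(1) if dn else ""
            continue
        err = ERR.search(rest)
        if not err:
            continue
        code = int(err.group(1))
        if (conn, op) in pending:             # this RESULT answers a BIND
            dn = pending.pop((conn, op))
            if code == 0:
                bound[conn] = dn
            else:
                bound.pop(conn, None)         # failed bind: nothing to correlate
        elif code == 53 and conn in bound:    # later operation refused after a good bind
            hits.setdefault(conn, (bound[conn], []))[1].append(op)
    return hits
```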

Solution
