With PwdReset=TRUE, Users Can Log Into Convergence Without Password Change (Doc ID 2344621.1)

Last updated on JUNE 22, 2023

Applies to:

Symptoms

A password policy is active on LDAP, so when the Admin changes the password for a user, in LDAP it automatically sets the "pwdReset=TRUE" attribute on the account. But, what is happening is that the user is able to log into Convergence and does not get a popup to change their password, once they are logged in with their new password.  Under normal circumstances, when pwdReset=TRUE is set, the user would log into Convergence with the newly assigned password and then after logging in, would get a popup to change the password to whatever he/she wants to set it to.

In this situation, users should not be able to access Webmail; Webmail should deny the access with an error message that says that the Admin reset the password and the user has to re-set the password to access to the mailbox. But instead, the user is able to authenticate with the Admin-assigned password and is not prompted to change it.

With another IMAP client, the user is not given access -- the user is forces to change the password, so it seems like something within Convergence is not enforcing this policy.

The issue can be reproduced at will with the following steps (Note:  this issue was only reproducible at the customer site; Support was not able to duplicate the issue at-will):

1.  Implement password policy
2.  Assigned  this policy to a user
3.  Log into Convergence as this user
4.  Admin changes the user password
5.  Ensure pwdReset=TRUE on the user ldif by doing an ldapsearch and obtaining the user's ldif
6.  Log into Convergence as the same user using the new password
7.  User is able to log into Convergence without getting a popup to change the password

Changes

Cause

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.