To whoever might help,
We need to implement a solution for browser clients authenticating over an iPlanet LDAP server that will have to manage password expiration. iPlanet's password expiration is not an option because browsers don't understand the error returned when iPlanet tells the client that the password is going to expire or has expired. So, without notice, the user keeps logging on until the password expires, and then he will not be able to log in anymore until the admin changes his password. Obviously this is not a good solution, and when you consider that the company has over 35 hundred users, changing the password for all the users is not an option.
We are considering the following options:
Option 1: Make Domino the authenticating server and also the manager of password expiration, so that when the password is changed on Domino the changes are replicated to iPlanet. But we haven't been able to replicate both servers.
Option 2: Ldapsearch the expiration date and make the user change the password if he has to. If the password has already expired then we are going to be able to change it.
Option 3: Bring the expiration attributes to the names and, when the user tries to authenticate, search the names for the fields and take the necessary actions. Finally, ldapmodify iPlanet's password.
Option 4: The last option is to construct a proprietary application to manage password expiration. With this option we are facing the fact that we will need to manage the order in which the logging actions will occur.
Any suggestions or comments will be appreciated!
Thanks,
Andres
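
The check described in Option 2, as an added example that is not part of the original post: it reads the expiry from `ldapsearch` LDIF output and decides whether the login front end should let the user in, warn, or force a password change. It assumes the directory exposes the expiry in the operational attribute `passwordExpirationTime` (the name used by Netscape/iPlanet-family servers, requested explicitly in the search); the 14-day warning window, function names and sample entry are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumption: the expiry is stored in passwordExpirationTime as LDAP GeneralizedTime (UTC).
EXPIRY_ATTR = "passwordexpirationtime"

# Constructed sample of ldapsearch LDIF output for one entry (not real data).
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
uid: jdoe
passwordExpirationTime: 20240310120000Z
"""


def expiry_from_ldif(ldif):
    """Return the entry's expiry as an aware UTC datetime, or None if absent."""
    for line in ldif.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != EXPIRY_ATTR:
            continue
        stamp = value.strip()
        if not stamp.endswith("Z"):
            # Fail closed: never guess a timezone for a security decision.
            raise ValueError("expiry is not a UTC GeneralizedTime: %r" % stamp)
        core = stamp[:-1].split(".")[0]  # drop optional fractional seconds
        parsed = datetime.strptime(core, "%Y%m%d%H%M%S")
        return parsed.replace(tzinfo=timezone.utc)
    return None


def password_state(expiry, now, warn_days=14):
    """Classify an account as 'no-expiry', 'ok', 'warn' or 'expired'."""
    if expiry is None:
        return "no-expiry"
    if now >= expiry:
        return "expired"  # route to the forced password-change page
    if expiry - now <= timedelta(days=warn_days):
        return "warn"     # allow the login, but prompt for a change
    return "ok"


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(password_state(expiry_from_ldif(SAMPLE_LDIF), now))
```

For the "expired" case, the change page still has to verify the user's current password before issuing the `ldapmodify`, otherwise an expired account becomes a way to reset a password without knowing it.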