When modifying a property of a user account in an MS Active Directory environment with the Password does not expire option set, LAM sends an LDAP modifyRequest with the userAccountControl attribute and AttributeValue 66048 (Enabled, Password Doesn’t Expire) even if the checkbox was not altered by the user. This causes problems for users who have permission to edit basic LDAP properties (such as telephone or address) but are not allowed to change password policies: they cannot modify such LDAP accounts at all.
Steps to Reproduce
Ensure a user account has the Password does not expire option set.
Edit the user account without changing the Password does not expire option.
Save the changes.
Observe that an LDAP modifyRequest is sent with the userAccountControl attribute and AttributeValue 66048.
This behavior can be confirmed by observing the request in a running Wireshark session.
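The behavior a delegated editor needs, as an added example (not LAM's code and not part of the original report): a change set is computed by comparing normalized values, so an unchanged userAccountControl of 66048 never enters the modifyRequest. The function names and sample entry are hypothetical; the flag constants are the documented Active Directory userAccountControl bits.

```python
# Added example, not LAM's implementation. Function names are hypothetical.
# Flag values are the documented Active Directory userAccountControl bits.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}

def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    value = int(value)
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def _normalize(values):
    """Directory values arrive as bytes/str, form values as int/str: compare as str."""
    if values is None:
        return []
    if not isinstance(values, (list, tuple, set)):
        values = [values]
    out = [v.decode("utf-8") if isinstance(v, bytes) else str(v) for v in values]
    return sorted(s for s in out if s)  # an emptied form field means "no value"

def build_modifications(original, edited):
    """Return {attribute: (operation, values)} only for attributes that changed."""
    mods = {}
    for attr in sorted(set(original) | set(edited)):
        old, new = _normalize(original.get(attr)), _normalize(edited.get(attr))
        if old == new:
            continue  # unchanged: keep it out of the modifyRequest
        if not new:
            mods[attr] = ("delete", [])
        elif not old:
            mods[attr] = ("add", new)
        else:
            mods[attr] = ("replace", new)
    return mods

# Constructed sample: the entry as read from the directory and as submitted
# by an edit form where only the telephone number was changed.
ORIGINAL = {"userAccountControl": [b"66048"], "telephoneNumber": ["+1 555 0100"]}
EDITED = {"userAccountControl": 66048, "telephoneNumber": ["+1 555 0199"]}

if __name__ == "__main__":
    print(decode_uac(66048))
    print(build_modifications(ORIGINAL, EDITED))
```

With the constructed sample, only telephoneNumber ends up in the change set, so an account restricted to basic properties is not asked to write userAccountControl.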
Affected Versions