Checking the tamuStatus attribute is relatively easy and straightforward. Most programming environments include libraries, procedures or processes for accessing LDAP directories. The notes listed here will need to be adapted to your particular development environment.
Note that tamuStatus is a multi-value attribute in the directory. That is, it will contain a number of flags that may be used by other applications or systems. Furthermore, there is no explicit order in which the flags are returned to a query. An application must issue the appropriate commands to return all the flags for the attribute and then must interrogate each flag to determine if passwordExpired is indeed present in the entry.
By looking at the sample directory entry, we can see the entry for this individual has two flags set in the tamuStatus attribute.
Since multiple flags may be set in the attribute, applications should specifically test for the presence of the passwordExpired flag to avoid problems in processing. That is, just because the tamuStatus attribute is not blank does not necessarily mean the password has expired.
It is left up to the application to decide what action should be taken when the passwordExpired flag is present. The desired action is to deny access and redirect the customer to the password reset page.