[Date Prev][Date Next] [Chronological] [Thread] [Top]

ppolicy overlay and pwdreset attribute question

To: openldap-technical@openldap.org
Subject: ppolicy overlay and pwdreset attribute question
From: Cyril GROSJEAN <cgrosjean@janua.fr>
Date: Tue, 21 Jun 2011 10:11:11 +0200

I use OpenLDAP 2.4.24 with the following default password policy, because Iwant my users to change their password at first connection, or after a password reset by an administrator:
dn: cn=default,ou=policies,dc=company cn: default description: Strategie de gestion des mots de passe par defaut objectClass: top objectClass: person objectClass: pwdPolicy pwdAllowUserChange: TRUE pwdAttribute: userPassword pwdCheckQuality: 2 pwdExpireWarning: 0 pwdFailureCountInterval: 0 pwdGraceAuthNLimit: 0 pwdInHistory: 0 pwdMaxAge: 0 pwdMaxFailure: 0 pwdMinAge: 0 pwdMinLength: 8 pwdMustChange: TRUE pwdSafeModify: FALSE sn: policy When creating a user account (either as administrator or any user with sufficient rights), the pwdReset attribute is not set automatically, and thus, the newly created user can bind and search without being forced to change his password. I have to manually set the pwdReset attribute to TRUE in the user entry at creation time or after creation to force a password change. Is this normal behaviour ?I would have expected to see the pwdReset attribute automatically set (by the ppolicy overlay). Otherwise, setting pwdMustChange to TRUE in the password policy definition looks unuseful.On the contrary, when the user changes his password, the pwdReset attribute is automatically removed, which tends to mean the password policy overlay is called and does something in this case ..

Follow-Ups:
- Re: ppolicy overlay and pwdreset attribute question
  - From: Clément OUDOT <clem.oudot@gmail.com>

Prev by Date: Re: schema replication problems with test059-slave-config
Next by Date: Schema modification errors
Index(es):
- Chronological
- Thread