Re: ppolicy overlay and pwdreset attribute question
- To: Cyril GROSJEAN <cgrosjean@janua.fr>
- Subject: Re: ppolicy overlay and pwdreset attribute question
- From: Clément OUDOT <clem.oudot@gmail.com>
- Date: Thu, 23 Jun 2011 22:30:33 +0200
- Cc: openldap-technical@openldap.org
- In-reply-to: <BANLkTintspgND5KZoHyJjDhmBHn-1Y+1hQ@mail.gmail.com>
- References: <BANLkTintspgND5KZoHyJjDhmBHn-1Y+1hQ@mail.gmail.com>
2011/6/21 Cyril GROSJEAN <cgrosjean@janua.fr>:
>
> I use OpenLDAP 2.4.24 with the following default password policy,
> because I want my users to change their password at first connection,
> or after a password reset by an administrator:
>
> dn: cn=default,ou=policies,dc=company
> cn: default
> description: Strategie de gestion des mots de passe par defaut
> objectClass: top
> objectClass: person
> objectClass: pwdPolicy
> pwdAllowUserChange: TRUE
> pwdAttribute: userPassword
> pwdCheckQuality: 2
> pwdExpireWarning: 0
> pwdFailureCountInterval: 0
> pwdGraceAuthNLimit: 0
> pwdInHistory: 0
> pwdMaxAge: 0
> pwdMaxFailure: 0
> pwdMinAge: 0
> pwdMinLength: 8
> pwdMustChange: TRUE
> pwdSafeModify: FALSE
> sn: policy
>
> When creating a user account (either as administrator or any user with
> sufficient rights), the pwdReset attribute is not set automatically, and
> thus, the newly created user can bind and search without being forced to
> change his password.
>
> I have to manually set the pwdReset attribute to TRUE in the user entry at
> creation time or after creation to force a password change. Is this normal
> behaviour? I would have expected to see the pwdReset attribute automatically
> set (by the ppolicy overlay). Otherwise, setting pwdMustChange to TRUE in the
> password policy definition looks useless.
>
> On the contrary, when the user changes his password, the pwdReset attribute
> is automatically removed, which tends to mean the password policy overlay is
> called and does something in this case...
>
I think this is the normal behavior. The configuration parameter
pwdMustChange means that pwdReset can be used in a user entry. Otherwise
pwdReset will have no effect.
Clément.
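The interaction described in this thread, modelled in Python as an added illustration (this is not OpenLDAP's ppolicy overlay code): pwdMustChange in the policy only enables pwdReset, an administrator still has to set pwdReset on the entry, and a self-service password change clears it. The policy entry mirrors the one quoted above; the user entry, the LDIF parser and the function names are constructed for this example.

```python
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed sample entries: the policy mirrors the one quoted in the thread;
# the user entry is invented for this example.
POLICY_LDIF = """dn: cn=default,ou=policies,dc=company
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMinLength: 8
pwdAllowUserChange: TRUE
pwdMustChange: TRUE
"""

USER_LDIF = """dn: uid=jdoe,ou=people,dc=company
objectClass: inetOrgPerson
uid: jdoe
userPassword: initial-secret
"""

def parse_ldif(text: str) -> Entry:
    """Minimal one-entry LDIF parser (no base64 values, no folded lines).
    Attribute names are lowercased: LDAP compares them case-insensitively."""
    entry: Entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def flag(entry: Entry, attr: str) -> bool:
    """Read a boolean LDAP attribute; an absent attribute counts as FALSE."""
    return entry.get(attr.lower(), ["FALSE"])[0].upper() == "TRUE"

def must_change_password(policy: Entry, user: Entry) -> bool:
    """After a successful bind, may the user only change userPassword?
    pwdReset is honoured only when the policy sets pwdMustChange, and
    pwdMustChange alone never sets pwdReset on the entry (the thread's point)."""
    return flag(policy, "pwdMustChange") and flag(user, "pwdReset")

def admin_reset(user: Entry, new_password: str) -> None:
    """Administrator sets a password and explicitly marks the entry with
    pwdReset: TRUE, the manual step the question found necessary."""
    user["userpassword"] = [new_password]
    user["pwdreset"] = ["TRUE"]

def user_change_password(policy: Entry, user: Entry, new_password: str) -> None:
    """Self-service change: enforce the policy, then drop pwdReset as the
    overlay does once the user has chosen a fresh password."""
    if not flag(policy, "pwdAllowUserChange"):
        raise PermissionError("pwdAllowUserChange is FALSE")
    if len(new_password) < int(policy.get("pwdminlength", ["0"])[0]):
        raise ValueError("password shorter than pwdMinLength")
    user["userpassword"] = [new_password]
    user.pop("pwdreset", None)
```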