
Re: ppolicy overlay and pwdreset attribute question



2011/6/24 Howard Chu <hyc@symas.com>:
> Cyril GROSJEAN wrote:
>>
>> According to the source code, it seems you're right. But according to the
>> OpenLDAP 2.4 admin guide
>>
>> (http://www.openldap.org/doc/admin24/overlays.html#Password%20Policy%20Configuration),
>> it should be wrong, or at least, it doesn't look consistent to me since it
>> mentions the following (when
>> pwdMustChange is set to FALSE):
>>
>> The password does not need to be changed at the first bind or when the
>> administrator has reset the password (pwdMustChange: FALSE)
>>
>> So, from what I understand, if pwdMustChange is set to TRUE, the password
>> needs to be changed at the first bind, or when the
>> administrator has reset it.
>>
>> Also, the slapo-ppolicy man page tends to mean the same thing:
>>
>> *pwdMustChange*
>>
>>        This attribute specifies whether users must change their passwords when
>>        they first bind to the directory after a password is set or reset by
>>        the administrator, or not. If *pwdMustChange* has a value of "TRUE",
>>        users must change their passwords when they first bind to the
>>        directory after a password is set or reset by the administrator.
>>
>>
> The only way it knows that an administrator has set anything is if the admin
> sets the pwdReset attribute.
>

That's the way I understand it too. For example in LemonLDAP::NG, we
force the pwdReset attribute when the password is reset by mail with
a random value, so the user must change it when back on the
authentication portal.

But I think I saw on the list that this kind of operation (setting the
reset attribute) will soon require the relax control, so we should
then update our code, is it true?

Clément.
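As an added illustration of the operation discussed above (not code from the thread or from LemonLDAP::NG): a shell helper that writes the LDIF an administrator would apply to set a temporary password and flag the entry with pwdReset, so that a policy with pwdMustChange: TRUE forces a change at the next bind. The server URL, admin DN and user DN are placeholders, and the Relax Rules control is passed with ldapmodify's -e relax in case the server requires it for this operational attribute.

```shell
#!/bin/sh
# Assumptions (placeholders, not from the thread): server URL, admin DN and
# the target user's DN below.
LDAP_URL="ldap://ldap.example.com"
ADMIN_DN="cn=admin,dc=example,dc=com"

# Emit an LDIF modify record that replaces userPassword and sets the
# operational attribute pwdReset to TRUE, marking an administrative reset.
build_pwd_reset_ldif() {
    dn="$1"
    new_password="$2"
    cat <<EOF
dn: $dn
changetype: modify
replace: userPassword
userPassword: $new_password
-
replace: pwdReset
pwdReset: TRUE
-
EOF
}

# Generate a throwaway password for the reset mail (Linux /dev/urandom).
gen_random_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16
}

# Apply the reset as the administrator. "-e relax" sends the Relax Rules
# control so the modification of pwdReset is accepted on releases that
# require it for operational attributes.
apply_pwd_reset() {
    dn="$1"
    new_password="$2"
    build_pwd_reset_ldif "$dn" "$new_password" |
        ldapmodify -x -H "$LDAP_URL" -D "$ADMIN_DN" -W -e relax
}

# Verify the flag. pwdReset is operational, so it is not returned unless
# requested by name (or with "+").
check_pwd_reset() {
    ldapsearch -x -LLL -H "$LDAP_URL" -D "$ADMIN_DN" -W \
        -b "$1" -s base pwdReset
}
```

Call apply_pwd_reset "uid=jdoe,ou=people,dc=example,dc=com" "$(gen_random_password)" and then check_pwd_reset with the same DN; the user can bind with the mailed password but is expected to change it before doing anything else.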