[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: How to force password change upon account creation

To: Arthur de Jong <arthur@arthurdejong.org>
Subject: Re: How to force password change upon account creation
From: Michael StrÃder <michael@stroeder.com>
Date: Mon, 24 Dec 2012 13:21:46 +0100
Cc: openldap-technical@openldap.org
In-reply-to: <1356346667.5324.2.camel@sorbet.thuis.net>
References: <CAO5ZC7FdGmzYD-Uaodx2CZZh5K-4yo9=b7GYxDDBj=S9s8RvUQ@mail.gmail.com> <1356346667.5324.2.camel@sorbet.thuis.net>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0 SeaMonkey/2.14.1

Arthur de Jong wrote:
> You should probably grant the user the right permissions to update the
> userPassword and shadowLastChange attributes.

Yes, the user should have write-only access to userPassword.

But if the user has write access to 'shadowLastChange' he could circumvent the
shadowAccount-based password policy. So this is bad advice.

Ciao, Michael.

References:
- How to force password change upon account creation
  - From: Kyle Harris <kyle@theharrishome.com>
- Re: How to force password change upon account creation
  - From: Arthur de Jong <arthur@arthurdejong.org>

Prev by Date: Migration from openldap 2.4.20 to 2.4.33
Next by Date: Re: How to force password change upon account creation
Index(es):
- Chronological
- Thread