[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Defining a password attributetype

To: openldap-technical@openldap.org
Subject: Re: Defining a password attributetype
From: Buchan Milne <bgmilne@staff.telkomsa.net>
Date: Mon, 6 Sep 2010 08:49:20 +0100
Cc: Rob Tanner <rtanner@linfield.edu>, Michael Ströder <michael@stroeder.com>
In-reply-to: <4C813DBD.2050600@stroeder.com>
References: <C8A66B6B.60C69%rtanner@linfield.edu> <4C813DBD.2050600@stroeder.com>
User-agent: KMail/1.13.3 (Linux/2.6.33.7-desktop-0.4mnb; KDE/4.4.3; x86_64; ; )

On Friday, 3 September 2010 19:26:05 Michael Ströder wrote:

> IMO that's bad practice. When doing a password reset you should set a
> random value in userPassword together with password expiration attribute
> (slapo-ppolicy).

IMHO, the correct attribute to set would have been pwdReset, but unfortunately 
there is no way to enforce users to reset their passwords in applications that 
don't support ppolicy (as users won't get locked out if they just keep using 
the temporary password).

I think I sent feedback to Howard on the new ppolicy draft about this ...

Regards,
Buchan

Follow-Ups:
- Re: Defining a password attributetype
  - From: Michael Ströder <michael@stroeder.com>

References:
- Re: Defining a password attributetype
  - From: Rob Tanner <rtanner@linfield.edu>
- Re: Defining a password attributetype
  - From: Michael Ströder <michael@stroeder.com>

Prev by Date: Re: [Fwd: PAM not warning for password expiration]
Next by Date: Invitation to connect on LinkedIn
Index(es):
- Chronological
- Thread