Re: ppolicy overlay and pwdreset attribute question
2011/6/21 Cyril GROSJEAN <cgrosjean@janua.fr>:
>
> I use OpenLDAP 2.4.24 with the following default password policy,
> because I want my users to change their password at first connection,
> or after a password reset by an administrator:
>
> dn: cn=default,ou=policies,dc=company
> cn: default
> description: Strategie de gestion des mots de passe par defaut
> objectClass: top
> objectClass: person
> objectClass: pwdPolicy
> pwdAllowUserChange: TRUE
> pwdAttribute: userPassword
> pwdCheckQuality: 2
> pwdExpireWarning: 0
> pwdFailureCountInterval: 0
> pwdGraceAuthNLimit: 0
> pwdInHistory: 0
> pwdMaxAge: 0
> pwdMaxFailure: 0
> pwdMinAge: 0
> pwdMinLength: 8
> pwdMustChange: TRUE
> pwdSafeModify: FALSE
> sn: policy
>
> When creating a user account (either as administrator or any user with
> sufficient rights), the pwdReset attribute is not set automatically, and
> thus, the newly created user can bind and search without being forced to
> change his password.
>
> I have to manually set the pwdReset attribute to TRUE in the user entry at
> creation time or after creation to force a password change. Is this normal
> behaviour? I would have expected to see the pwdReset attribute
> automatically set (by the ppolicy overlay). Otherwise, setting
> pwdMustChange to TRUE in the password policy definition looks unuseful.
>
> On the contrary, when the user changes his password, the pwdReset attribute
> is automatically removed, which tends to mean the password policy overlay
> is called and does something in this case.
>

I think this is the normal behavior. The configuration parameter
pwdMustChange means that pwdReset can be used in a user entry. Else
pwdReset will have no effect.

Clément.
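Since the thread concludes that pwdReset has to be set by hand on new accounts, an administrator will want two things: the ldapmodify LDIF that sets the flag, and a way to audit which accounts are still missing it. The script below is an added example, not code from either poster. It parses the LDIF that `ldapsearch -LLL` prints (unfolding continuation lines and decoding base64 `::` values), lists the users whose pwdReset is absent or not TRUE, and builds the modify LDIF for one of them. The sample search output is constructed; the user DNs and the `dc=company` base are taken from the quoted message. Note that pwdReset is an operational attribute, so it must be requested by name (or with `+`) in the search, otherwise every entry will look unflagged.

```python
"""Audit ppolicy pwdReset flags in ldapsearch LDIF output and build the
ldapmodify LDIF that sets the flag on an account.
Added example for this thread; not the posters' code."""
import base64
from typing import Dict, List

# Constructed sample of what
#   ldapsearch -LLL -b ou=people,dc=company '(objectClass=person)' pwdReset
# might print. Entries without the flag simply omit the line; one value is
# base64 ('::') and one DN is folded across two lines, as LDIF allows.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=company
pwdReset: TRUE

dn: uid=bob,ou=people,dc=company

dn: uid=carol,ou=people,dc=company
pwdReset:: VFJVRQ==

dn: uid=dave,ou=people,dc=comp
 any
pwdReset: FALSE
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: joins continuation lines (leading space),
    decodes base64 '::' values and returns one attribute dict per entry."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of previous line
        else:
            unfolded.append(raw)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded:
        if not line.strip():                 # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):             # LDIF comment
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):             # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def accounts_without_reset(entries: List[Dict[str, List[str]]]) -> List[str]:
    """DNs whose pwdReset is missing or not TRUE: these users can bind and
    search without being forced to change their password."""
    return [
        e["dn"][0]
        for e in entries
        if e.get("pwdReset", [""])[0].upper() != "TRUE"
    ]


def pwdreset_ldif(dn: str) -> str:
    """LDIF for ldapmodify that flags one account so the ppolicy overlay
    forces a password change at the next bind."""
    return f"dn: {dn}\nchangetype: modify\nreplace: pwdReset\npwdReset: TRUE\n"


if __name__ == "__main__":
    users = parse_ldif(SAMPLE_LDIF)
    for dn in accounts_without_reset(users):
        print(f"# {dn} is not flagged; feed this to ldapmodify:")
        print(pwdreset_ldif(dn))
```

Run it against real output by replacing `SAMPLE_LDIF` with the text of the ldapsearch command shown in the comment; the generated LDIF is applied with `ldapmodify -x -D <admin DN> -W -f <file>` using an identity allowed to write the operational attribute.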