Re: ppolicy overlay and pwdreset attribute question
2011/6/24 Howard Chu <firstname.lastname@example.org>:
> Cyril GROSJEAN wrote:
>> According to the source code, it seems you're right. But according to the
>> OpenLDAP 2.4 admin guide
>> it should be wrong, or at least, it doesn't look consistent to me since it
>> mentions the following (when
>> pwdMustChange is set to FALSE):
>> The password does not need to be changed at the first bind or when the
>> administrator has reset the password (pwdMustChange: FALSE)
>> So, from what I understand, if pwdMustChange is set to TRUE, the password
>> needs to be changed at the first bind, or when the
>> administrator has reset it.
>> Also, the slapo-ppolicy man page tends to mean the same thing:
>> This attribute specifies whether users must change their passwords
>> they first bind to the directory after a password is set or reset
>> the administrator, or not. If *pwdMustChange* has a value
>> users must change their passwords when they first bind to the
>> after a password is set or reset by the administrator.
> The only way it knows that an administrator has set anything is if the admin
> sets the pwdReset attribute.
That's the way I understand it too. For example in LemonLDAP::NG, we
force the pwdReset attribute when the password is reset by mail with
a random value, so the user must change it when back on the
But I think I saw on the list that this kind of operation (setting
reset attribute) will soon require the relax control, so we should
then update our code, is it true?
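
The administrative reset discussed in this thread, written out as an added LDIF example (not part of the original message and not LemonLDAP::NG's code). All DNs and the password value are constructed placeholders; the two records are meant to be fed to ldapmodify by an identity allowed to write them.

```ldif
# Constructed sample; DNs and the password value are placeholders.

# 1. Policy entry with pwdMustChange enabled. pwdPolicy is an auxiliary
#    class, so a structural class (here organizationalRole) carries it.
dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: organizationalRole
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMustChange: TRUE

# 2. Administrative reset. Replacing userPassword alone does not tell the
#    overlay that an administrator was involved (the point made in the
#    thread), so pwdReset is set explicitly in the same modify operation.
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: TEMPORARY-PLACEHOLDER
-
replace: pwdReset
pwdReset: TRUE
-

# Effect with both pwdMustChange: TRUE in the policy and pwdReset: TRUE on
# the entry: the user's next bind succeeds, the password policy response
# control reports changeAfterReset, and the session is limited to changing
# the password until that change is made.
```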