Re: problem with the ppolicy overlay
- To: Cyril Grosjean <firstname.lastname@example.org>
- Subject: Re: problem with the ppolicy overlay
- From: Clément OUDOT <email@example.com>
- Date: Tue, 5 Jul 2011 18:15:42 +0200
- Cc: firstname.lastname@example.org
- In-reply-to: <4E1330E2.email@example.com>
- References: <4E1330E2.firstname.lastname@example.org>
2011/7/5 Cyril Grosjean <email@example.com>:
> I use slapd 2.4.24 and I'd like users to be forced to change their password
> after a reset by an administrator.
> So, I've configured OpenLDAP with the ppolicy overlay, I've also configured
> a default password policy (with pwdmustchange: TRUE) but then, when bound as
> the rootdn and changing a user's password, the pwdReset attribute is not set
> to TRUE.
> I can see the pwdchangedtime attribute has changed, as well as modifiersname
> and modifytimestamp, but that's all.
> And the user can bind with the new password. Also, the "-e ppolicy"
> ldapsearch extension doesn't report anything special.
> What could be wrong?
* You must set pwdReset to TRUE yourself; this is never done automatically.
* When the user changes their password, pwdReset is automatically reverted
to FALSE if it was TRUE.
* rootdn bypasses most password policy constraints; you need to use
a standard account to edit userPassword if you want to use password
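
An administrative reset along the lines of the reply above, written as an LDIF change record. This is an added example, not part of the original message; the entry DN, the administrator DN in the comments and the temporary password are constructed placeholders, and it assumes the policy applied to the entry has pwdMustChange set to TRUE, as in the question.

```ldif
# reset.ldif (added example; all DNs and the password are constructed placeholders)
#
# Apply while bound as a standard administrative account rather than the rootdn:
#   ldapmodify -x -D "uid=helpdesk,ou=admins,dc=example,dc=com" -W -f reset.ldif
#
# Both changes go in one modify operation, so the entry never holds the
# temporary password without the reset flag next to it.
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: Temp-Placeholder-Passw0rd
-
# pwdReset is not set by the overlay on an administrative change; set it here.
replace: pwdReset
pwdReset: TRUE
-

# Check afterwards by binding as the user with the password policy control:
#   ldapwhoami -x -D "uid=jdoe,ou=people,dc=example,dc=com" -W -e ppolicy
# pwdReset goes back to FALSE once the user changes the password.
```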