Re: ppolicy overlay and pwdreset attribute question

[Howard Chu <hyc@symas.com>]

Cyril GROSJEAN wrote:
> According to the source code, it seems you're right. But according to the
> OpenLDAP 2.4 admin guide
> (http://www.openldap.org/doc/admin24/overlays.html#Password%20Policy%20Configuration),
> it should be wrong, or at least, it doesn't look consistent to me since it
> mentions the following (when
> pwdMustChange is set to FALSE):
>
> The password does not need to be changed at the first bind or when the
> administrator has reset the password (pwdMustChange: FALSE)
>
> So, from what I understand, if pwdMustChange is set to TRUE, the password
> needs to be changed at the first bind, or when the
> administrator has reset it.
>
> Also, the slapo-ppolicy man pages tends to mean the same thing:
>
> *pwdMustChange*
>
>         This attribute specifies whether users must change their passwords when
>         they first bind to the directory after a password is set  or  reset  by
>         the  administrator,  or	not.   If*pwdMustChange*  has a value of"TRUE",
>         users must change their passwords when they first bind to the directory
>         after  a  password  is  set  or	reset  by  the administrator.
The only way it knows that an administrator has set anything is if the admin 
sets the pwdReset attribute.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/