[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ppolicy overlay and pwdreset attribute question

To: Howard Chu <hyc@symas.com>
Subject: Re: ppolicy overlay and pwdreset attribute question
From: Clément OUDOT <clem.oudot@gmail.com>
Date: Fri, 24 Jun 2011 11:31:48 +0200
Cc: Cyril GROSJEAN <cgrosjean@janua.fr>, openldap-technical@openldap.org
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=lB0TTGcIr9YajXkVTAZO5sM2WL3+wgc+OX3eyjXpNmU=; b=G6mDtWUQpVrykqW5BMxxdMQhlpfkR7YJ9wJDh0jqd5Fjgdb6LwWjMELRe9waOIgnOO YQ2eip7NKvfPmDVPwIVE/olkWPXl6+HkRecQt49r3wBa6WsJnaSVvI/ajqvTs2LF6NYa ChPQjLyQyffqcxEWDuW+rbxBYUg099EyOwXMg=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=sE4ClvWXjFBM9q1lw8y0oZw3sQlRiqHFNZ/WmXYog+XFjjyptIBtZyFShnCl9o82U8 TaVMCFaLoS8qhJIoQx7Pl6vic6I794uON2+C5pj+/hUQ6+IpOHMvlq/4HeTLZRMAYlAv y8/JNz0LQjeo41pFtXN/q3fi8vOCDXtcCOWWg=
In-reply-to: <4E0455FA.5070304@symas.com>
References: <BANLkTintspgND5KZoHyJjDhmBHn-1Y+1hQ@mail.gmail.com> <BANLkTikHpGo084wPEYb_G05_=s5AChUm0CekUft+Noe0P=8UZA@mail.gmail.com> <BANLkTikapONVqqPP93SQUMwjZstxQFULSg@mail.gmail.com> <4E0455FA.5070304@symas.com>

2011/6/24 Howard Chu <hyc@symas.com>:
> Cyril GROSJEAN wrote:
>>
>> According to the source code, it seems you're right. But according to the
>> OpenLDAP 2.4 admin guide
>>
>> (http://www.openldap.org/doc/admin24/overlays.html#Password%20Policy%20Configuration),
>> it should be wrong, or at least, it doesn't look consistent to me since it
>> mentions the following (when
>> pwdMustChange is set to FALSE):
>>
>> The password does not need to be changed at the first bind or when the
>> administrator has reset the password (pwdMustChange: FALSE)
>>
>> So, from what I understand, if pwdMustChange is set to TRUE, the password
>> needs to be changed at the first bind, or when the
>> administrator has reset it.
>>
>> Also, the slapo-ppolicy man pages tends to mean the same thing:
>>
>> *pwdMustChange*
>>
>>        This attribute specifies whether users must change their passwords
>> when
>>        they first bind to the directory after a password is set  or  reset
>>  by
>>        the  administrator,  or not.   If*pwdMustChange*  has a value
>> of"TRUE",
>>        users must change their passwords when they first bind to the
>> directory
>>        after  a  password  is  set  or reset  by  the administrator.
>>
>>
> The only way it knows that an administrator has set anything is if the admin
> sets the pwdReset attribute.
>

That's the way I understand it too. For example in LemonLDAP::NG, we
force the pwdReset attribute when the password is reset by mail with
an random value, so the user must change it when back on the
authentication portal.

 But I think I saw on the list that this kind of operation (setting
reset attribute) will soon require the relax control, so we should
then update our code, is it true?

Clément.

References:
- ppolicy overlay and pwdreset attribute question
  - From: Cyril GROSJEAN <cgrosjean@janua.fr>
- Re: ppolicy overlay and pwdreset attribute question
  - From: Clément OUDOT <clem.oudot@gmail.com>
- Re: ppolicy overlay and pwdreset attribute question
  - From: Cyril GROSJEAN <cgrosjean@janua.fr>
- Re: ppolicy overlay and pwdreset attribute question
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: ppolicy overlay and pwdreset attribute question
Next by Date: Re: ppolicy overlay and pwdreset attribute question
Index(es):
- Chronological
- Thread