2011/6/21 Cyril GROSJEAN <[email protected]>:
>
> I use OpenLDAP 2.4.24 with the following default password policy,
> because I want my users to change their password at first connection,
> or after a password reset by an administrator:
>
> dn: cn=default,ou=policies,dc=company
> cn: default
> description: Strategie de gestion des mots de passe par defaut
> objectClass: top
> objectClass: person
> objectClass: pwdPolicy
> pwdAllowUserChange: TRUE
> pwdAttribute: userPassword
> pwdCheckQuality: 2
> pwdExpireWarning: 0
> pwdFailureCountInterval: 0
> pwdGraceAuthNLimit: 0
> pwdInHistory: 0
> pwdMaxAge: 0
> pwdMaxFailure: 0
> pwdMinAge: 0
> pwdMinLength: 8
> pwdMustChange: TRUE
> pwdSafeModify: FALSE
> sn: policy
>
> When creating a user account (either as administrator or any user with
> sufficient rights), the pwdReset attribute is not set automatically, and
> thus the newly created user can bind and search without being forced to
> change his password.
>
> I have to manually set the pwdReset attribute to TRUE in the user entry at
> creation time or after creation to force a password change. Is this normal
> behaviour? I would have expected to see the pwdReset attribute
> automatically set (by the ppolicy overlay). Otherwise, setting
> pwdMustChange to TRUE in the password policy definition looks useless.
>
> On the contrary, when the user changes his password, the pwdReset
> attribute is automatically removed, which tends to mean the password
> policy overlay is called and does something in this case..
>
I think this is the normal behavior. The configuration parameter pwdMustChange means that pwdReset can be used in a user entry. Else pwdReset will have no effect.

Clément.
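The semantics Clément describes (pwdReset on an entry only has an effect when the governing policy has pwdMustChange TRUE, and the overlay never sets pwdReset on its own at creation time) can be checked offline against LDIF exports. The following is an added example written for this thread, not code from OpenLDAP or from either poster: it reads a policy entry and user entries from constructed LDIF text, reports which users will be restricted to a password change after their next bind, and emits the ldapmodify change record an administrator would apply to flag an account. The DNs under `ou=people,dc=company` and the minimal LDIF reader (single-line attributes only, no base64 or folded lines) are assumptions.

```python
"""Audit which user entries are pending a forced password change under an
OpenLDAP ppolicy, given LDIF text for the policy and the user entries.
Added example with constructed sample data; it does not talk to a directory."""

# Constructed copy of the policy entry quoted in the thread.
POLICY_LDIF = """dn: cn=default,ou=policies,dc=company
cn: default
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMinLength: 8
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
"""

# Constructed user entries: alice was just created and, as the original
# poster observed, has no pwdReset; bob was flagged by an administrator.
USERS_LDIF = """dn: uid=alice,ou=people,dc=company
objectClass: inetOrgPerson
uid: alice

dn: uid=bob,ou=people,dc=company
objectClass: inetOrgPerson
uid: bob
pwdReset: TRUE
"""


def parse_ldif(text):
    """Parse simple LDIF (one 'attr: value' per line, blank line between
    entries) into a list of dicts mapping attribute name -> list of values."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith('#'):
            continue
        attr, _, value = line.partition(':')
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def _flag(entry, attr):
    """Boolean attribute lookup; absent attributes count as FALSE."""
    return entry.get(attr, ['FALSE'])[0].upper() == 'TRUE'


def must_change_on_bind(policy, user):
    """True when ppolicy will limit this user to a password change after bind:
    the policy must carry pwdMustChange TRUE *and* the entry pwdReset TRUE.
    pwdReset alone does nothing, which is the point of Clément's reply."""
    return _flag(policy, 'pwdMustChange') and _flag(user, 'pwdReset')


def reset_modify_ldif(dn):
    """LDIF change record an administrator can pipe to ldapmodify to force a
    password change on the entry (the manual step from the original post)."""
    return f"dn: {dn}\nchangetype: modify\nreplace: pwdReset\npwdReset: TRUE\n"


def audit(policy_ldif, users_ldif):
    """Map each user DN to whether a forced password change is pending."""
    policy = parse_ldif(policy_ldif)[0]
    return {u['dn'][0]: must_change_on_bind(policy, u)
            for u in parse_ldif(users_ldif)}


if __name__ == '__main__':
    for dn, pending in audit(POLICY_LDIF, USERS_LDIF).items():
        print(f"{dn}: {'must change password' if pending else 'no reset pending'}")
        if not pending:
            # Show the change record needed to put the account into reset state.
            print(reset_modify_ldif(dn))
```

The second assertion in the test below flips pwdMustChange to FALSE in the policy and shows that bob's pwdReset then has no effect, which is the behaviour Clément describes.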
