According to the source code, it seems you're right. But according to the
OpenLDAP 2.4 admin guide
(
http://www.openldap.org/doc/admin24/overlays.html#Password%20Policy%20Configuration
),
it should be wrong, or at least, it doesn't look consistent to me since it
mentions the following (when
pwdMustChange is set to FALSE):
The password does not need to be changed at the first bind or when the
administrator has reset the password (pwdMustChange: FALSE)
So, from what I understand, if pwdMustChange is set to TRUE, the password
needs to be changed at the first bind, or when the
administrator has reset it.
Also, the slapo-ppolicy man pages tends to mean the same thing:
*pwdMustChange*
This attribute specifies whether users must change their passwords when
they first bind to the directory after a password is set or reset by
the administrator, or not. If *pwdMustChange* has a value of "TRUE",
users must change their passwords when they first bind to the directory
after a password is set or reset by the administrator.
