2011/6/24 Howard Chu <[email protected]>:
> Cyril GROSJEAN wrote:
>>
>> According to the source code, it seems you're right. But according to the
>> OpenLDAP 2.4 admin guide
>> (http://www.openldap.org/doc/admin24/overlays.html#Password%20Policy%20Configuration),
>> it should be wrong, or at least, it doesn't look consistent to me since it
>> mentions the following (when pwdMustChange is set to FALSE):
>>
>> The password does not need to be changed at the first bind or when the
>> administrator has reset the password (pwdMustChange: FALSE)
>>
>> So, from what I understand, if pwdMustChange is set to TRUE, the password
>> needs to be changed at the first bind, or when the administrator has reset it.
>>
>> Also, the slapo-ppolicy man page tends to mean the same thing:
>>
>> *pwdMustChange*
>>
>> This attribute specifies whether users must change their passwords when
>> they first bind to the directory after a password is set or reset by
>> the administrator, or not. If *pwdMustChange* has a value of "TRUE",
>> users must change their passwords when they first bind to the directory
>> after a password is set or reset by the administrator.
>>
>
> The only way it knows that an administrator has set anything is if the admin
> sets the pwdReset attribute.
>
That's the way I understand it too. For example in LemonLDAP::NG, we force the pwdReset attribute when the password is reset by mail with a random value, so the user must change it when back on the authentication portal. But I think I saw on the list that this kind of operation (setting the reset attribute) will soon require the relax control, so we should then update our code, is it true?

Clément.
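As an added example, not code from this thread or from LemonLDAP::NG: a small shell helper that performs the administrative reset Howard describes, writing pwdReset alongside the new userPassword and sending the Relax Rules control that Clément mentions. It assumes a slapd running slapo-ppolicy, an admin DN allowed to write userPassword, and an OpenLDAP ldapmodify that accepts `-e relax`.

```shell
#!/bin/sh
# Added example (not from the thread): reset a user's password as the
# administrator and set pwdReset so slapo-ppolicy forces a change at the
# user's next bind. pwdReset is an operational attribute, so the modify
# carries the Relax Rules control (-e relax); without it the write is
# rejected on releases that enforce NO-USER-MODIFICATION for it.

# Build the LDIF for one user. $1 = user DN, $2 = new (temporary) password.
# Both attributes are changed in a single modify so there is no window in
# which the new password is usable without the forced-change flag.
reset_ldif() {
    printf 'dn: %s\nchangetype: modify\n' "$1"
    printf 'replace: userPassword\nuserPassword: %s\n-\n' "$2"
    printf 'replace: pwdReset\npwdReset: TRUE\n-\n'
}

# Throwaway random value for the temporary password, as a mail-based reset
# would use; the user has to replace it at the next bind anyway.
temp_password() {
    head -c 18 /dev/urandom | base64 | tr -d '\n'
}

# Apply the reset. $1 = user DN, $2 = temporary password.
# LDAP_URI and ADMIN_DN are assumed environment variables (placeholders).
apply_reset() {
    reset_ldif "$1" "$2" | ldapmodify -x -e relax \
        -H "${LDAP_URI:-ldap://localhost}" \
        -D "${ADMIN_DN:-cn=admin,dc=example,dc=com}" -W
}

# Usage: apply_reset "uid=jdoe,dc=example,dc=com" "$(temp_password)"
```

After this, the user's bind succeeds but slapo-ppolicy restricts the session to a password change until pwdReset is cleared, which the overlay does itself once the user sets a new password.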
