Christian Bösch wrote:
I want to force a password change for a user. Therefore I set pwdReset: TRUE,
but to change the password, bind attempts are still allowed.
I think that's the reason why a user with pwdReset=TRUE can still log in to
an Apache web resource which is protected with LDAP authentication.
Is there a way to prohibit that?
I want to allow the user only the password change.
Strictly speaking: in case of pwdReset=TRUE the LDAP client has to 1. request
and process the ppolicy controls and 2. lead the user to the password change
dialogue. Most LDAP clients are not capable of doing so.
So if you simply want to avoid that such a user can log in to such a service,
you could either
1. configure a client-side search filter (&(uid=<user-id>)(!(pwdReset=TRUE))) or
2. define a server-side ACL which disallows even auth access to userPassword
for those LDAP clients.
Ciao, Michael.
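As an added illustration (not from either poster), the two options spelled out for an OpenLDAP server with the ppolicy overlay loaded: the olcAccess rule implements option 2 for one client host, and the comment shows where option 1's filter goes in Apache mod_authnz_ldap. The database DN, the client address 192.0.2.10 and the base DN are placeholders.

```ldif
# Option 2: for entries flagged pwdReset=TRUE, deny "auth" access to
# userPassword when the bind comes from the Apache host, so the simple
# bind from there fails. "break" lets every other client fall through
# to the existing userPassword rule; entries without pwdReset=TRUE
# never match this rule at all. Inserted at index {0}, i.e. in front
# of the existing userPassword rule.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword filter=(pwdReset=TRUE)
 by peername.ip=192.0.2.10 none
 by * break

# Option 1 lives on the client instead. mod_authnz_ldap ANDs the filter
# from the URL with (uid=<user-id>) itself:
#   AuthLDAPURL "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid?sub?(!(pwdReset=TRUE))"
# pwdReset is an operational attribute, so the identity Apache searches
# with (AuthLDAPBindDN) needs read access to it or the filter never matches.
```

Option 2 is enforced by the server and cannot be bypassed by a client that ignores the ppolicy controls; option 1 depends on each client being configured correctly.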