Re: How to force password change upon account creation

On Sun, 2012-12-23 at 17:33 -0600, Kyle Harris wrote:

I have a perl script that allows for the creation of new accounts in OpenLDAP. I am attempting to find a way to force the newly created user to change his or her password upon first login. I tried setting the attribute pwdMustChange to TRUE but that attribute must not be definable upon user creation. So, how can this be accomplished so that a new user is forced to change passwords after they first log on?

If your applications that are doing the authentication are using PAM, setting the shadowLastChange attribute to 0 should do the trick.

You should probably grant the user the right permissions to update the userPassword and shadowLastChange attributes.