Cyril GROSJEAN wrote:
According to the source code, it seems you're right. But according to the OpenLDAP 2.4 admin guide (http://www.openldap.org/doc/admin24/overlays.html#Password%20Policy%20Config...), it should be wrong, or at least, it doesn't look consistent to me since it mentions the following (when pwdMustChange is set to FALSE):
The password does not need to be changed at the first bind or when the administrator has reset the password (pwdMustChange: FALSE)
So, from what I understand, if pwdMustChange is set to TRUE, the password needs to be changed at the first bind, or when the administrator has reset it.
Also, the slapo-ppolicy man page tends to mean the same thing:
*pwdMustChange*
This attribute specifies whether users must change their passwords when they first bind to the directory after a password is set or reset by the administrator, or not. If *pwdMustChange* has a value of "TRUE", users must change their passwords when they first bind to the directory after a password is set or reset by the administrator.
The only way it knows that an administrator has set anything is if the admin sets the pwdReset attribute.
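The practical consequence of that reply, as an added illustration that is not part of the thread: a policy with pwdMustChange: TRUE only forces a change at next bind if the administrator's reset also sets pwdReset: TRUE on the entry. It assumes the ppolicy overlay is already configured on the database (e.g. with ppolicy_default pointing at the policy DN), and that the modify runs as a DN with write access to userPassword and to the operational attribute pwdReset, such as the rootdn; all DNs and values are hypothetical.

```ldif
# Added example, not from the thread. Assumes slapo-ppolicy is loaded and
# ppolicy_default names the policy below; run as the rootdn (or a DN with
# write access to userPassword and pwdReset).

# 1. Password policy that is supposed to force a change after a reset.
dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
pwdMustChange: TRUE

# 2. Administrative reset of a user's password. Replacing userPassword by
#    itself leaves the entry unflagged; the explicit pwdReset: TRUE is what
#    the overlay checks on the user's next bind.
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: TEMP-PASSWORD-PLACEHOLDER
-
replace: pwdReset
pwdReset: TRUE
-
```

Apply it with `ldapmodify -x -D "<rootdn>" -W -f reset.ldif`; the user's next bind then succeeds but every operation other than changing userPassword is refused until the new password is set, and a bind with the ppolicy control (`ldapwhoami -e ppolicy`) reports that the password must be changed. The pwdReset flag is operational, so it only shows in searches that request `+` or name it explicitly.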