According to the source code, it seems you're right. But
according to the
OpenLDAP 2.4 admin guide
it should be wrong, or at least, it doesn't look consistent to me since it
mentions the following (when
pwdMustChange is set to FALSE):
The password does not need to be changed at the first bind or when the
administrator has reset the password (pwdMustChange: FALSE)
So, from what I understand, if pwdMustChange is set to TRUE, the password
needs to be changed at the first bind, or when the
administrator has reset it.
Also, the slapo-ppolicy man pages tends to mean the same thing:
This attribute specifies whether users must change their passwords when
they first bind to the directory after a password is set or reset by
the administrator, or not. If*pwdMustChange* has a value
users must change their passwords when they first bind to the directory
after a password is set or reset by the administrator.
The only way it knows that an administrator has set anything is if the admin
sets the pwdReset attribute.
-- Howard Chu
CTO, Symas Corp.