Hi,

I'm installing an OpenLDAP directory server at a customer and we're also implementing password policies. We have set the pwdMustChange attribute to true in our policy.

During the tests I was a bit surprised that a user for whom I had set the password was not required to change his password but was allowed access with the new password.

Reading the documentation and the (expired) draft standard clearly suggests a different behavior. 

pwdMustChange (true or false)
This attribute specifies with a value of "TRUE" that users must change their passwords when they first bind to the directory after a password is set or reset by a password administrator.  If this attribute is not present, or if the value is "FALSE", users are not required to change their password upon binding after the password administrator sets or resets the password.  This attribute is not set due to any actions specified by this document, it is typically set by a password administrator after resetting a user's password.

Then I did some research on the web and found this thread: http://www.openldap.org/lists/openldap-technical/201106/msg00178.html. It seems an administrator needs to additionally set the pwdReset attribute to force the user to change the password.

The question is: Why does an administrator need to set this attribute? Why isn't this done by the directory server on its own? The directory server does change a few other password policy related attributes as can be seen from the audit log (see below). Thus it should be possible to do the same for the pwdReset attribute.

This behavior of OpenLDAP is different from what I'm used to from the Sun (now Oracle) Directory Server, where the pwdReset attribute is changed automatically.

Best regards
Felix 

# modify 1367849424 dc=telefonica,dc=com cn=Manager,dc=example,dc=com IP=192.168.186.141:52267 conn=1561
dn: uid=fbtwo,ou=people,dc=de,dc=telefonica,dc=com
changetype: modify
replace: userPassword
userPassword:: e1NTSEF9VzNpZmtPRkROQTk0MCtmR3pIanZOcTdxbk9QUDArNTM=
-
replace: pwdChangedTime
pwdChangedTime: 20130506141024Z
-
delete: pwdGraceUseTime
-
add: pwdHistory
pwdHistory: 20130506141024Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}AU4VVldD3ct
 JnHil4AZPHnIC4G1aobhg
-
replace: entryCSN
entryCSN: 20130506141024.395155Z#000000#001#000000
-
replace: modifiersName
modifiersName: cn=Manager,dc=example,dc=com
-
replace: modifyTimestamp
modifyTimestamp: 20130506141024Z
-
# end modify 1367849424

----
Felix Schmitt
Blumenweg 24                   phone: +49 8092 20796
D-85567 Grafing                mobile: +49 172 842 99 12
Germany                           mailto:Felix-Schmitt@t-online.de
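As an added example, not part of the original message and not OpenLDAP's own code: a small Python check over the output of the auditlog overlay (the format quoted above) that flags administrator password replacements which did not also set pwdReset: TRUE, the condition the linked thread describes as necessary for pwdMustChange to take effect. The sample log, DNs and IP addresses are constructed.

```python
# Added example (not from the thread): flag administrator password resets in slapd
# auditlog-overlay output that omit pwdReset: TRUE. The sample log is constructed.
SAMPLE_LOG = """\
# modify 1367849424 dc=example,dc=com cn=Manager,dc=example,dc=com IP=192.0.2.10:52267 conn=1561
dn: uid=alice,ou=people,dc=example,dc=com
replace: userPassword
userPassword:: e1NTSEF9Li4u
-
replace: pwdReset
pwdReset: TRUE
-
replace: modifiersName
modifiersName: cn=Manager,dc=example,dc=com
-
# end modify 1367849424
# modify 1367849500 dc=example,dc=com cn=Manager,dc=example,dc=com IP=192.0.2.10:52268 conn=1562
dn: uid=bob,ou=people,dc=example,dc=com
replace: userPassword
userPassword:: e1NTSEF9Li4u
-
replace: modifiersName
modifiersName: cn=Manager,dc=example,dc=com
-
# end modify 1367849500
"""

def parse_auditlog(text):
    """Return [(dn, {attr: [values]})] per '# modify' ... '# end modify' block."""
    records, dn, attrs = [], None, {}
    for line in text.splitlines():
        if line.startswith("# modify "):
            dn, attrs = None, {}
        elif line.startswith("# end modify"):
            records.append((dn, attrs))
        elif line.startswith("dn: "):
            dn = line[4:]
        elif ":" in line and not line.startswith("#"):
            attr, _, value = line.partition(":")   # 'attr:: b64' leaves a leading ':'
            if attr not in ("changetype", "add", "replace", "delete"):
                attrs.setdefault(attr, []).append(value.lstrip(": "))
    return records

def resets_without_pwdreset(records):
    """DNs whose userPassword another identity replaced without pwdReset: TRUE."""
    return [dn for dn, a in records
            if "userPassword" in a
            and a.get("modifiersName", [""])[0].lower() != dn.lower()
            and "TRUE" not in [v.upper() for v in a.get("pwdReset", [])]]
```

Self-service changes (modifiersName equal to the entry's own DN) are skipped, since pwdMustChange only concerns passwords set or reset by a password administrator.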