Buchan Milne wrote:
On Friday, 3 September 2010 19:26:05 Michael Ströder wrote:
IMO that's bad practice. When doing a password reset you should set a random value in userPassword together with a password expiration attribute (slapo-ppolicy).
IMHO, the correct attribute to set would have been pwdReset, but unfortunately there is no way to force users to reset their passwords in applications that don't support ppolicy (as users won't get locked out if they just keep using the temporary password).
I think I sent feedback to Howard on the new ppolicy draft about this ...
The original poster wrote about a custom web-based password app anyway. So this would not be a problem in his case.
Additionally, the password expiration should be set to a reasonably short time frame, just in case someone intercepts the password reset message with the temporary password.
Ciao, Michael.
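
The reset discussed in this thread (a random value in userPassword together with pwdReset), sketched as an added example that is not code from either poster or from OpenLDAP: it generates a temporary password and builds the LDIF modify record an administrator could apply. The DN, the password length and the function names are assumptions made for illustration.

```python
import base64
import secrets
import string

# Assumed alphabet: letters and digits only, so the value is easy to type.
ALPHABET = string.ascii_letters + string.digits


def temp_password(length=20):
    """Random temporary password from the OS CSPRNG (about 119 bits at 20 chars)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def ldif_line(attr, value):
    """Format one LDIF attribute line, base64-encoding values that are not
    a SAFE-STRING under RFC 2849 (non-ASCII, NUL/CR/LF, leading space,
    colon or '<', trailing space)."""
    raw = value.encode("utf-8")
    safe = (
        raw
        and raw[0] not in b" :<"
        and not raw.endswith(b" ")
        and all(b < 128 and b not in (0, 10, 13) for b in raw)
    )
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"


def reset_ldif(dn, password):
    """LDIF modify record: replace userPassword and flag the entry with
    pwdReset so ppolicy-aware clients require a change at next bind."""
    return "\n".join([
        ldif_line("dn", dn),
        "changetype: modify",
        "replace: userPassword",
        ldif_line("userPassword", password),
        "-",
        "replace: pwdReset",
        "pwdReset: TRUE",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample DN, not taken from the thread.
    print(reset_ldif("uid=jdoe,ou=people,dc=example,dc=com", temp_password()))
```

As the thread notes, pwdReset only has an effect for clients that understand ppolicy, so the short expiration of the temporary password remains the control for everything else.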