Hi Prajith,

Please find the details,

1) let us know the client application are you using.
        Apache Directory Studio, Version: 2.0.0.v20150606-M9
 2) Paste here your slapd.conf  file.
        #
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/nis.schema
include     /etc/openldap/schema/misc.schema
#include     /usr/share/doc/openssh-ldap-6.4p1/openssh-lpk-openldap.schema

# Added for policy
include     /etc/openldap/schema/ppolicy.schema
# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral   ldap://root.openldap.org

pidfile     /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/lib64/openldap

# Modules available in openldap-servers-overlays RPM package
# Module syncprov.la is now statically linked with slapd and there
# is no need to load it here
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload denyop.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload lastmod.la
# moduleload pcache.la

moduleload ppolicy.la
moduleload syncprov.la
moduleload accesslog.la
moduleload auditlog.la

#logging level
loglevel -1
logfile /var/log/slapd.log
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload smbk5pwd.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la

# modules available in openldap-servers-sql RPM package:
# moduleload back_sql.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.  Your client software
# may balk at self-signed certificates, however.

#TLSCipherSuite SECURE256:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC
TLSProtocolMin 3.2
TLSCipherSuite HIGH:MEDIUM:+TLSv1.2:!RC4
TLSCertificateFile /etc/openldap/cacerts/ldapsrv.crt
TLSCertificateKeyFile /etc/openldap/cacerts/ldap.key
TLSCACertificateFile /etc/openldap/cacerts/ca.crt

# Sample security restrictions
#   Require integrity protection (prevent hijacking)
#   Require 112-bit (3DES or better) encryption for updates
#   Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#   Root DSE: allow anyone to read it
#   Subschema (sub)entry DSE: allow anyone to read it
#   Other DSEs:
#       Allow self write access
#       Allow authenticated users read access
#       Allow anonymous users to authenticate
#   Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#   by self write
#   by users read
#   by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

disallow bind_anon

access to attrs=userPassword
       by self write
       by dn.base="cn=mirrormode,dc=rnd,dc=com" read
       by dn.base="cn=binduser,dc=rnd,dc=com" read
       by * auth


access to *
       by dn.base="cn=mirrormode,dc=rnd,dc=com" read
       by dn.base="cn=binduser,dc=rnd,dc=com" read
       by * break

access to *
       by dn="cn=Manager,dc=rnd,dc=com"
       by users read
       by self write
       by * auth

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database    bdb

# DIT will act as a provider
overlay syncprov

suffix      "dc=rnd,dc=com"
rootdn      "cn=Manager,dc=rnd,dc=com"
rootpw      {SSHA}KOXKk4vkP1X3nF2GY09MQXiaAdxkLyk7

# PPolicy Configuration
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=rnd,dc=com"
ppolicy_use_lockout

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory   /var/lib/ldap
# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

Thanks & Regards
Raj




From:        PRAJITH <prajithpalakkuda@gmail.com>
To:        Rajagopal Rc <rajagopal.rc@tcs.com>
Cc:        openldap-technical@openldap.org
Date:        11/22/2015 09:55 AM
Subject:        Re: Problem with "force user to password reset at first login
Sent by:        "openldap-technical" <openldap-technical-bounces@openldap.org>




Hi Rajagopal,

 Can you confirm the below points?

 1) let us know the client application are you using.
 2) Paste here your slapd.conf  file.

On 20 November 2015 at 13:16, Rajagopal Rc <rajagopal.rc@tcs.com> wrote:
Hi,
I am trying to force users to change their password at first login or after
password reset by administrator.

Tried following:
1)Password policy 'pwdMustChange TRUE' doesn't seems to be working as non of the
users get prompt to change their password at first login.

2) used the 'pwdReset TRUE' attribute in users attributes, and it won't prompt
to change the password and didn't allow to login
i observe below messages in log

"slapd[12684]: connection restricted to password changing only
slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are
restricted to bind/unbind/abandon/StartTLS/modify password"
slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0
text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password"

Please help me configure the option to force all users to change their password
at first login or after pwd reset  by administrator.


Thanks & Regards
Raj

Tata Consultancy Services
Mailto:
rajagopal.rc@tcs.com
Website:
http://www.tcs.com
____________________________________________
Experience certainty.        IT Services
                       Business Solutions
                       Consulting
____________________________________________

=====-----=====-----=====
Notice: The information contained in this e-mail
message and/or attachments to it may contain
confidential or privileged information. If you are
not the intended recipient, any dissemination, use,
review, distribution, printing or copying of the
information contained in this e-mail message
and/or attachments to it are strictly prohibited. If
you have received this communication in error,
please notify us by reply e-mail or telephone and
immediately and permanently delete the message
and any attachments. Thank you