I use
OpenLDAP 2.4.24 with the following default password policy,
because I want my
users to change their password at first connection,
or after a password reset by an administrator:
dn: cn=default,ou=policies,dc=company
cn: default
description: Strategie de gestion des mots de passe par defaut
objectClass: top
objectClass: person
objectClass: pwdPolicy
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 0
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 0
pwdInHistory: 0
pwdMaxAge: 0
pwdMaxFailure: 0
pwdMinAge: 0
pwdMinLength: 8
pwdMustChange: TRUE
pwdSafeModify: FALSE
sn: policy
When creating a user account (either as administrator or any user with
sufficient rights),
the pwdReset attribute is not set automatically, and thus, the newly
created user can bind
and search without being forced to change his password.
I have to manually set the pwdReset attribute to TRUE in the user entry
at creation time or
after creation to force a password change. Is this normal behaviour ? I would have expected
to see the pwdReset attribute automatically set (by the ppolicy
overlay).
Otherwise, setting pwdMustChange to TRUE in the password policy
definition looks unuseful.
On the contrary, when the user changes his password, the pwdReset
attribute is automatically removed,
which tends to mean the password policy overlay is called and does
something in this case ..