Thanks for that good pointer, Dieter.
Although it will force the user to change his password, I'm not sure this will do the trick in our case. We have a custom passwd script that keeps both LDAP and NIS in sync. With the above, I believe the NIS password won't be updated.

So is there a way to actually update the pwdChangedTime? (Even out of pure curiosity)

Thanks


On Aug 17, 2016 11:38, "Dieter Klünter" <dieter@dkluenter.de> wrote:
On Wed, 17 Aug 2016 10:46:58 +0200,
"PenguinWhispererThe ." <th3penguinwhisperer@gmail.com> wrote:

> Hi all,
>
> I've noticed that after a password reset pwdChangedTime gets updated.
>
> This is fine. We do have a policy in place that doesn't let you
> modify your password again within a few days.
>
> I'd like to reset/change this pwdChangedTime so the user can reset his
> password himself after logging in with the supplied password. However
> deleting/modifying pwdChangedTime doesn't work.
>
> How should I resolve this?
> I'm pretty sure this is not an ACL issue as my user matches the first
> entry and is allowed to write all.
>
> I've seen some docs from IBM about removing pwdChangedTime being
> possible, but that might not apply to OpenLDAP.
>
man slapo-ppolicy(5), read carefully the comments on pwdReset.

-Dieter

--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E