On Fri, Oct 27, 2023 at 12:21:22PM -0000, rolf.stenholm@direct2internet.com wrote:
> This topic comes up in search without a proper answer. The solution appears to be:
> 1. Set pwdMustChange: TRUE in the policies object (dn: cn=default,ou=Policies,dc=my,dc=com).
> 2. When creating <user>, set pwdReset: TRUE after creation of <user> using an update (ldapmodify); this will lock out <user> from logins to that account (but not from password changes).
I would add that setting the password by a "password administrator" (in OpenLDAP since 2.5 that's an identity with "manage" access on the userPassword attribute) will set pwdReset: TRUE automatically as per the Behera ppolicy draft.
> 3. Edit or create a login script to check if pwdReset is TRUE (or some other method) and force <user> to change the user password through LDAP. Step 3 may or may not be easy to set up in your environment; for instance, a special guest login for password changes could work.
> It is important to note that you cannot log in to the created <user> using su <user> when pwdMustChange: TRUE is set and pwdReset: TRUE is set for <user>, but the user is still allowed to change the password from another user using LDAP to set the <user> password.
Regards,
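The three steps above, as an added shell example that is not part of the thread or of OpenLDAP's own tooling. It assumes the policy DN from the post (cn=default,ou=Policies,dc=my,dc=com), a hypothetical user uid=alice,ou=People,dc=my,dc=com, and that the ppolicy overlay is loaded so that pwdReset is honoured; the ldapsearch output used for the step 3 check is constructed inline, not captured from a server.

```shell
#!/bin/sh
# Added example: generate the LDIF for steps 1 and 2 and implement the
# step 3 check a login script would run. DNs are assumptions from the post.

POLICY_DN='cn=default,ou=Policies,dc=my,dc=com'

# Step 1: LDIF that turns on pwdMustChange in the default password policy.
# Apply with:  policy_ldif | ldapmodify -x -D "<admin dn>" -W
policy_ldif() {
  cat <<EOF
dn: $POLICY_DN
changetype: modify
replace: pwdMustChange
pwdMustChange: TRUE
EOF
}

# Step 2: LDIF that flags a freshly created user's password as reset.
# pwdReset is an operational attribute; writing it needs manage access.
# Apply with:  user_reset_ldif "uid=alice,ou=People,dc=my,dc=com" | ldapmodify -x -D "<admin dn>" -W
user_reset_ldif() {
  cat <<EOF
dn: $1
changetype: modify
replace: pwdReset
pwdReset: TRUE
EOF
}

# Step 3: decide whether the login script must force a password change.
# Takes ldapsearch output for one entry and returns 0 when pwdReset is TRUE.
# Because pwdReset is operational, the real query must request it by name:
#   ldapsearch -LLL -x -D "<bind dn>" -W -b "$user_dn" -s base pwdReset
needs_password_change() {
  printf '%s\n' "$1" | grep -qi '^pwdReset: TRUE$'
}

# Constructed sample output (not real server output) for a user created
# per step 2 and for a user whose password has already been changed.
SAMPLE_RESET='dn: uid=alice,ou=People,dc=my,dc=com
pwdReset: TRUE'
SAMPLE_OK='dn: uid=bob,ou=People,dc=my,dc=com'

if needs_password_change "$SAMPLE_RESET"; then
  echo "alice: pwdReset is TRUE, password change required before login"
fi
if ! needs_password_change "$SAMPLE_OK"; then
  echo "bob: no reset flag, normal login"
fi
```

The check deliberately matches only an exact `pwdReset: TRUE` line: once the user changes the password the server removes the attribute, so a missing line means the account is no longer in the reset state.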