Hallvard B Furuseth wrote:
Duh, I seem to be tired - I forgot you didn't want that privileged user; I focused on the "password works only once" part.
Well. _Something_ needs permission to create a temporary password. Presumably without removing the old one; otherwise anyone can sabotage anyone's password. Which probably kills the ppolicy idea, since that gets confused by multiple passwords. Maybe you could have a separate database or two with passwords, merged to the main one with the translucent overlay... Then the Drupal DN would at least play with its own database and not mess with the main database.
This password reset ticket database could be another part of the DIT. A regex-based ACL could implement password write access for the original user entry (e.g. based on the same naming scheme). Also, don't forget to clean up unused password reset tickets.
Ciao, Michael.
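For reference, here is what the "ticket branch in the DIT plus regex ACL" idea from the previous message can look like in slapd.conf. This is an added example written for this thread, not configuration posted by Michael or Hallvard, and all names in it are assumptions: the suffix dc=example,dc=com, user entries under ou=people, ticket entries under ou=reset-tickets named with the same uid as the user they belong to, and cn=reset-svc,ou=services as the bind DN of the web application (the "Drupal DN" in the thread). Ticket entries are assumed to use objectClasses account plus simpleSecurityObject, so they carry uid and userPassword.

```conf
# Added example (not from the thread): slapd.conf ACLs for a password-reset
# ticket branch in the same DIT. Assumed names: dc=example,dc=com as suffix,
# ou=people for user entries, ou=reset-tickets for ticket entries, and
# cn=reset-svc,ou=services as the web application's bind DN. The ticket
# for uid=alice,ou=people is uid=alice,ou=reset-tickets (same naming scheme).

# 1. The reset service may create and delete ticket entries: 'children' on
#    the container, 'entry' (plus the naming/structural attrs) on the ticket.
access to dn.exact="ou=reset-tickets,dc=example,dc=com" attrs=children
    by dn.exact="cn=reset-svc,ou=services,dc=example,dc=com" write
    by * none

access to dn.regex="^uid=[^,]+,ou=reset-tickets,dc=example,dc=com$" attrs=entry,objectClass,uid
    by dn.exact="cn=reset-svc,ou=services,dc=example,dc=com" write
    by * none

# 2. The reset service writes the temporary password into the ticket.
#    'auth' lets a client bind as the ticket DN with that password without
#    being able to read the stored hash. (write implies read in OpenLDAP,
#    so the service itself can read what it wrote.)
access to dn.regex="^uid=[^,]+,ou=reset-tickets,dc=example,dc=com$" attrs=userPassword
    by dn.exact="cn=reset-svc,ou=services,dc=example,dc=com" write
    by anonymous auth
    by * none

# 3. A session bound as uid=$1,ou=reset-tickets may set userPassword on
#    uid=$1,ou=people and nothing else. $1 is the uid captured by the regex
#    in the 'to' clause and substituted via dn.exact,expand. The reset
#    service matches no 'by' clause here and falls through to 'none', so it
#    never holds direct write access to the real passwords.
access to dn.regex="^uid=([^,]+),ou=people,dc=example,dc=com$" attrs=userPassword
    by dn.exact,expand="uid=$1,ou=reset-tickets,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

# 4. Remaining attributes of user entries: whatever the existing policy is.
access to dn.subtree="ou=people,dc=example,dc=com"
    by self write
    by users read
    by * none
```

The flow is: the application adds uid=alice,ou=reset-tickets with a random temporary password and mails it out; the user binds as that ticket DN and changes userPassword on uid=alice,ou=people (ldappasswd -D the ticket DN -S with the user DN as target works, since slapd only checks write access on the target's userPassword); the application then deletes the ticket. Two caveats a practitioner should keep in mind. First, the ACL makes the ticket narrow, not single-use: it stays valid until the entry is deleted, so the application must remove it after a successful change, and a scheduled job should delete leftovers, for example an ldapsearch under ou=reset-tickets filtered on the slapd-maintained createTimestamp (generalizedTime ordering, so a "<=" cutoff works) followed by ldapdelete, which rule 1 permits for the service DN. Second, whoever may add entries under ou=reset-tickets can still reset any user's password indirectly, so the service account remains sensitive; what the split buys is that a compromise of it cannot read or overwrite passwords in ou=people directly, and the ticket branch can live in its own database (with rules 1 and 2 under that database's section) as Hallvard suggested.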