2011/6/24 Howard Chu <hyc(a)symas.com>:
> Cyril GROSJEAN wrote:
>> According to the source code, it seems you're right. But according to the
>> OpenLDAP 2.4 admin guide
>> it should be wrong, or at least, it doesn't look consistent to me since it
>> mentions the following (when
>> pwdMustChange is set to FALSE):
>> The password does not need to be changed at the first bind or when the
>> administrator has reset the password (pwdMustChange: FALSE)
>> So, from what I understand, if pwdMustChange is set to TRUE, the password
>> needs to be changed at the first bind, or when the
>> administrator has reset it.
>> Also, the slapo-ppolicy man pages tend to mean the same thing:
>> This attribute specifies whether users must change their passwords
>> they first bind to the directory after a password is set or reset
>> the administrator, or not. If *pwdMustChange* has a value
>> users must change their passwords when they first bind to the
>> after a password is set or reset by the administrator.
> The only way it knows that an administrator has set anything is if the admin
> sets the pwdReset attribute.
That's the way I understand it too. For example in LemonLDAP::NG, we
force the pwdReset attribute when the password is reset by mail with
a random value, so the user must change it when back on the
But I think I saw on the list that this kind of operation (setting
reset attribute) will soon require the relax control, so we should
then update our code, is it true?
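
The two settings discussed in this thread, shown together as an added illustration (not posted by any participant, and not LemonLDAP::NG's or OpenLDAP's own configuration). The DNs and the temporary password are constructed placeholders; the policy entry follows the layout used in the OpenLDAP 2.4 admin guide.

```ldif
# Constructed example: DNs and password value are placeholders.

# 1. Policy entry: pwdMustChange only declares that a reset password
#    has to be changed. On its own it does not mark any account.
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
pwdMustChange: TRUE
pwdAllowUserChange: TRUE

# 2. Administrative reset of one account: the new password and the
#    pwdReset flag are written in the same modify operation. pwdReset
#    on the user entry is what tells the overlay that an administrator
#    reset the password, as stated in the reply quoted above.
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: CONSTRUCTED-temporary-value
-
replace: pwdReset
pwdReset: TRUE
```

With pwdMustChange: TRUE in the policy but no pwdReset on the entry, an administrator-set password is not flagged for change, which is the behaviour the original question ran into. Whether writing pwdReset needs the relax control, as asked in the last message, depends on the server version and is not settled in this thread.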