2011/6/24 Howard Chu <hyc(a)symas.com>:
Cyril GROSJEAN wrote:
>
> According to the source code, it seems you're right. But according to the
> OpenLDAP 2.4 admin guide
> (http://www.openldap.org/doc/admin24/overlays.html#Password%20Policy%20Con...),
> it should be wrong, or at least, it doesn't look consistent to me since it
> mentions the following (when pwdMustChange is set to FALSE):
>
> The password does not need to be changed at the first bind or when the
> administrator has reset the password (pwdMustChange: FALSE)
>
> So, from what I understand, if pwdMustChange is set to TRUE, the password
> needs to be changed at the first bind, or when the
> administrator has reset it.
>
> Also, the slapo-ppolicy man page tends to mean the same thing:
>
> *pwdMustChange*
>
> This attribute specifies whether users must change their passwords when
> they first bind to the directory after a password is set or reset by
> the administrator, or not. If *pwdMustChange* has a value of "TRUE",
> users must change their passwords when they first bind to the directory
> after a password is set or reset by the administrator.
>
>
The only way it knows that an administrator has set anything is if the admin
sets the pwdReset attribute.
That's the way I understand it too. For example in LemonLDAP::NG, we
force the pwdReset attribute when the password is reset by mail with
a random value, so the user must change it when back on the
authentication portal.
But I think I saw on the list that this kind of operation (setting the
reset attribute) will soon require the relax control, so we should
then update our code, is it true?
Clément.
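The point Howard makes above (the overlay only learns that an administrator reset a password if pwdReset is set) and the LemonLDAP::NG practice Clément describes (set pwdReset alongside the random password) can be illustrated with a small model. This is an added example, not code from OpenLDAP, slapo-ppolicy or LemonLDAP::NG; it assumes the behaviour the thread quotes from the man page (bind after an admin reset succeeds but only a password change is allowed while pwdMustChange is TRUE and pwdReset is TRUE, and a self-service change clears pwdReset). The entry and policy classes, the DN and the generated LDIF are constructed for illustration; whether writing pwdReset needs the relax control is the open question in the thread and is not modelled.

```python
"""Model of the slapo-ppolicy pwdMustChange / pwdReset interplay (added example,
not OpenLDAP or LemonLDAP::NG code). Assumes the semantics quoted in the thread."""
import secrets
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Policy:
    # pwdMustChange from the pwdPolicy entry that applies to the user
    pwdMustChange: bool = True


@dataclass
class Entry:
    dn: str
    userPassword: str
    # pwdReset is an operational attribute on the user entry; modelled in memory here
    pwdReset: bool = False


@dataclass
class Session:
    dn: str
    # Stands in for the ppolicy response control error "changeAfterReset":
    # the bind succeeded, but only a password change is permitted.
    change_after_reset: bool


class PasswordChangeRequired(Exception):
    """Raised when a restricted session attempts anything but a password change."""


def must_change_on_bind(policy: Policy, entry: Entry) -> bool:
    # The server cannot infer an administrative reset from userPassword alone;
    # it forces a change only when the policy says so AND pwdReset is TRUE.
    return policy.pwdMustChange and entry.pwdReset


def reset_ldif(dn: str, temp_password: str) -> str:
    """LDIF a reset portal would send: replace userPassword and set pwdReset
    in the same modify, so the next bind is restricted to a password change."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: userPassword\n"
        f"userPassword: {temp_password}\n"
        "-\n"
        "replace: pwdReset\n"
        "pwdReset: TRUE\n"
        "-\n"
    )


def admin_reset(entry: Entry, set_pwd_reset: bool) -> str:
    """Mail-based reset: replace the password with a random value. Only when the
    application also sets pwdReset does the directory force a change."""
    temp = secrets.token_urlsafe(12)
    entry.userPassword = temp
    if set_pwd_reset:
        entry.pwdReset = True
    return temp


def bind(policy: Policy, entry: Entry, password: str) -> Optional[Session]:
    # Plaintext comparison is a placeholder for the real password verification.
    if password != entry.userPassword:
        return None
    return Session(entry.dn, change_after_reset=must_change_on_bind(policy, entry))


def search(session: Session) -> List[str]:
    # Any operation other than a password change is refused after a reset
    if session.change_after_reset:
        raise PasswordChangeRequired(session.dn)
    return [session.dn]


def change_password(session: Session, entry: Entry, old: str, new: str) -> None:
    """Self-service change: allowed even in a restricted session; clears pwdReset."""
    if session.dn != entry.dn or old != entry.userPassword:
        raise ValueError("old password does not match")
    entry.userPassword = new
    entry.pwdReset = False


if __name__ == "__main__":
    policy = Policy(pwdMustChange=True)
    alice = Entry("uid=alice,ou=people,dc=example,dc=com", "old-secret")
    temp = admin_reset(alice, set_pwd_reset=True)
    session = bind(policy, alice, temp)
    print("restricted after reset:", session.change_after_reset)
    change_password(session, alice, temp, "new-secret")
    print("restricted after self-change:", bind(policy, alice, "new-secret").change_after_reset)
    print(reset_ldif(alice.dn, "<constructed-temp-password>"))
```

The two `admin_reset` variants show the difference Howard describes: replacing userPassword without touching pwdReset yields an unrestricted bind, while the LemonLDAP::NG-style reset that also sets pwdReset yields a bind that only permits the password change.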