Christian Bösch wrote:
I want to force a password change for a user. Therefore I set pwdreset: true, but to change the password, bind attempts are still allowed. I think that's the reason why a user with pwdreset=true can still log in to an Apache web resource which is protected with LDAP authentication. Is there a way to prohibit that? I want to allow the user only the password change.
Strictly speaking: In case of pwdreset=TRUE the LDAP client has to 1. request and process the ppolicy controls and 2. lead the user to the password change dialogue. Most LDAP clients are not capable of doing so.
So if you simply want to avoid that such a user can log in to such a service, you could either 1. configure a client-side search filter (&(uid=<user-id>)(!(pwdreset=TRUE))) or 2. define a server-side ACL which disallows even authc access to userPassword for those LDAP clients.
Ciao, Michael.
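A worked version of Michael's second option, added here as an illustration and not taken from the thread or from the OpenLDAP documentation. It assumes a cn=config setup with the user database at olcDatabase={1}mdb, the Apache host reaching slapd from 192.0.2.10, and users under ou=people,dc=example,dc=com; all of these are made-up values. The point is the ACL ordering: the first "to" clause that matches an entry wins, so the rule for entries carrying pwdReset=TRUE has to sit in front of the general userPassword rule.

```ldif
# Added example (not from the thread). Assumed values: Apache at 192.0.2.10,
# database olcDatabase={1}mdb. "replace" rewrites the whole ACL set, so merge
# any further rules you already have into the numbered list below.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Entries flagged for a mandatory password change: the Apache host gets no
# access at all to userPassword, so a simple bind from there fails with
# invalidCredentials. Everyone else may still bind (auth), and the user may
# still replace (=xw) their own password, which is all pwdReset lets them do.
olcAccess: {0}to filter=(pwdReset=TRUE) attrs=userPassword
  by peername.ip=192.0.2.10 none
  by self =xw
  by anonymous auth
  by * none
# Unflagged entries keep the usual password rule.
olcAccess: {1}to attrs=userPassword
  by self =xw
  by anonymous auth
  by * none
# Everything else readable; this also lets a client evaluate a search filter
# on pwdReset (an operational attribute) for Michael's first option.
olcAccess: {2}to *
  by * read
```

Load it with ldapmodify against cn=config (for example ldapmodify -Y EXTERNAL -H ldapi:/// -f the-file.ldif) and check the effect with a simple bind as a flagged user from the Apache host and from elsewhere: the former should be rejected, the latter accepted but then limited to changing userPassword. Two caveats: peername.ip identifies the connecting socket, so a proxy or load balancer in front of slapd makes every client look alike; and the filter is matched against the entry by the server, so it works regardless of whether the binding client can read pwdReset. For Michael's first option, with mod_authnz_ldap the filter goes into the URL and is ANDed with the uid match, e.g. (assumed host and base) AuthLDAPURL "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid?sub?(!(pwdReset=TRUE))"; that only helps as long as the Apache bind DN is allowed to search on pwdReset.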