Hi Prajith,

Please find the details,

1) let us know the client application are you using. Apache Directory Studio, Version: 2.0.0.v20150606-M9 2) Paste here your slapd.conf file. # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/misc.schema #include /usr/share/doc/openssh-ldap-6.4p1/openssh-lpk-openldap.schema

# Added for policy include /etc/openldap/schema/ppolicy.schema # Allow LDAPv2 client connections. This is NOT the default. allow bind_v2

# Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args

# Load dynamic backend modules: # modulepath /usr/lib64/openldap

# Modules available in openldap-servers-overlays RPM package # Module syncprov.la is now statically linked with slapd and there # is no need to load it here # moduleload accesslog.la # moduleload auditlog.la # moduleload denyop.la # moduleload dyngroup.la # moduleload dynlist.la # moduleload lastmod.la # moduleload pcache.la

moduleload ppolicy.la moduleload syncprov.la moduleload accesslog.la moduleload auditlog.la

#logging level loglevel -1 logfile /var/log/slapd.log # moduleload refint.la # moduleload retcode.la # moduleload rwm.la # moduleload smbk5pwd.la # moduleload translucent.la # moduleload unique.la # moduleload valsort.la

# modules available in openldap-servers-sql RPM package: # moduleload back_sql.la

# The next three lines allow use of TLS for encrypting connections using a # dummy test certificate which you can generate by changing to # /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on # slapd.pem so that the ldap user or group can read it. Your client software # may balk at self-signed certificates, however.

#TLSCipherSuite SECURE256:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC TLSProtocolMin 3.2 TLSCipherSuite HIGH:MEDIUM:+TLSv1.2:!RC4 TLSCertificateFile /etc/openldap/cacerts/ldapsrv.crt TLSCertificateKeyFile /etc/openldap/cacerts/ldap.key TLSCACertificateFile /etc/openldap/cacerts/ca.crt

# Sample security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base="" by * read # access to dn.base="cn=Subschema" by * read # access to * # by self write # by users read # by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING!

disallow bind_anon

access to attrs=userPassword by self write by dn.base="cn=mirrormode,dc=rnd,dc=com" read by dn.base="cn=binduser,dc=rnd,dc=com" read by * auth

access to * by dn.base="cn=mirrormode,dc=rnd,dc=com" read by dn.base="cn=binduser,dc=rnd,dc=com" read by * break

access to * by dn="cn=Manager,dc=rnd,dc=com" by users read by self write by * auth

####################################################################### # ldbm and/or bdb database definitions #######################################################################

database bdb

# DIT will act as a provider overlay syncprov

suffix "dc=rnd,dc=com" rootdn "cn=Manager,dc=rnd,dc=com" rootpw {SSHA}KOXKk4vkP1X3nF2GY09MQXiaAdxkLyk7

# PPolicy Configuration overlay ppolicy ppolicy_default "cn=default,ou=policies,dc=rnd,dc=com" ppolicy_use_lockout

# The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /var/lib/ldap # Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub

Thanks & Regards Raj

From: PRAJITH prajithpalakkuda@gmail.com To: Rajagopal Rc rajagopal.rc@tcs.com Cc: openldap-technical@openldap.org Date: 11/22/2015 09:55 AM Subject: Re: Problem with "force user to password reset at first login Sent by: "openldap-technical" openldap-technical-bounces@openldap.org

Hi Rajagopal,

Can you confirm the below points?

1) let us know the client application are you using. 2) Paste here your slapd.conf file.

On 20 November 2015 at 13:16, Rajagopal Rc rajagopal.rc@tcs.com wrote: Hi, I am trying to force users to change their password at first login or after password reset by administrator.

Tried following: 1)Password policy 'pwdMustChange TRUE' doesn't seems to be working as non of the users get prompt to change their password at first login.

2) used the 'pwdReset TRUE' attribute in users attributes, and it won't prompt to change the password and didn't allow to login i observe below messages in log

"slapd[12684]: connection restricted to password changing only slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password" slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password"

Please help me configure the option to force all users to change their password at first login or after pwd reset by administrator.

Thanks & Regards Raj Tata Consultancy Services Mailto: rajagopal.rc@tcs.com Website: http://www.tcs.com ____________________________________________ Experience certainty. IT Services Business Solutions Consulting ____________________________________________ =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

Hi Michael,

Please suggest the process to achieve this

Thanks & Regards Raj

From: Michael Ströder michael@stroeder.com To: Rajagopal Rc rajagopal.rc@tcs.com, openldap-technical@openldap.org Date: 11/21/2015 10:09 PM Subject: Re: Problem with "force user to password reset at first login

Rajagopal Rc wrote:

I am trying to force users to change their password at first login or after password reset by administrator.

I always recommend to define a better password reset process where the admin never has complete knowledge of a temporary reset password. Then you simply don't need 'pwdReset'.

Tried following: 1)Password policy 'pwdMustChange TRUE' doesn't seems to be working as

non

of the users get prompt to change their password at first login.

2. used the 'pwdReset TRUE' attribute in users attributes, and it won't

prompt to change the password and didn't allow to login

The LDAP client has to use the request ppolicy control and act upon the status returned in the ppolicy response control. Only very few LDAP clients do that correctly.

This all won't work in practice. See my recommendation above.

Ciao, Michael.

=====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

Thanks Michael for your quick response,

I am sorry I am clear on this as i have setup this LDAP for the first time, can you please elaborate more on it and route me toward right configuration.

Thanks & Regards Raj

From: Michael Ströder michael@stroeder.com To: Rajagopal Rc rajagopal.rc@tcs.com Cc: openldap-technical@openldap.org Date: 11/25/2015 03:45 PM Subject: Re: Problem with "force user to password reset at first login Sent by: "openldap-technical" openldap-technical-bounces@openldap.org

Rajagopal Rc wrote:

Please suggest the process to achieve this

The solution is to set a *separate* temporary password attribute and, depending on your security requirements and system environment, hand over the user different parts of it through different channels.

Ciao, Michael.

From: Michael Ströder michael@stroeder.com To: Rajagopal Rc rajagopal.rc@tcs.com, openldap-technical@openldap.org Date: 11/21/2015 10:09 PM Subject: Re: Problem with "force user to password reset at first login

Rajagopal Rc wrote:

...

I am trying to force users to change their password at first login or after password reset by administrator.

I always recommend to define a better password reset process where the admin never has complete knowledge of a temporary reset password. Then you simply don't need 'pwdReset'. [..]

=====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you