On Jul 18, 2008, at 10:22 PM, Scott Classen wrote:

Hi All,

this is my default ppolicy:

dn: cn=default,ou=Policies,dc=example,dc=com objectClass: pwdPolicy objectClass: top objectClass: device pwdAttribute: userPassword pwdMaxFailure: 3 pwdFailureCountInterval: 0 pwdAllowUserChange: TRUE cn: default pwdSafeModify: FALSE pwdExpireWarning: 0 pwdInHistory: 1 pwdMinLength: 7 pwdGraceAuthNLimit: 1 pwdLockout: TRUE pwdLockoutDuration: 300 pwdMaxAge: 63072000 pwdCheckQuality: 2 pwdMustChange: TRUE pwdMinAge: 0

Here is an example of a user with their pwdReset attribute set to TRUE. I've only included the relevant lines:

dn: uid=newguy,ou=People,dc=example,dc=com pwdChangedTime: 20080718234642Z pwdReset: TRUE pwdPolicySubentry: cn=default,ou=Policies,dc=example,dc=com

Shouldn't this user be requested to change their password the next time the log in?

Well they're not. logins a successful and there is no prompting for a new password.

Can someone please help me trouble shoot this?

Thanks, Scott

Well I fixed the problem. I just needed to add the following line to my client /etc/ldap.conf files

pam_lookup_policy yes Yeah! now users are prompted to change their passwords.