Hi,
I'm installing an OpenLDAP directory server at a customer and we're also implementing password policies. We do have set the pwdMustChange attribute to true in our policy.
During the tests I was a bit surprised that a user for which I've set the password did not require to change his password but was allowed access with the new password.
Reading the documentation and the (expired) draft standard clearly suggests a different behavior.
pwdMustChange (true or false) This attribute specifies with a value of "TRUE" that users must change their passwords when they first bind to the directory after a password is set or reset by a password administrator. If this attribute is not present, or if the value is "FALSE", users are not required to change their password upon binding after the password administrator sets or resets the password. This attribute is not set due to any actions specified by this document, it is typically set by a password administrator after resetting a user's password.
Then I did some research on the web and found this thread http://www.openldap.org/lists/openldap-technical/201106/msg00178.html It seems an administrator needs to additionally set the pwdReset attribute to force the user to change the password.
The question is: Why does an administrator need to set this attribute? Why isn't this done by the directory server on its own? The directory server does change a few other password policy related attributes as can be seen from the audit log (see below). Thus it should be possible to do the same for the pwdReset attribute.
This behavior of OpenLDAP is different from what I'm used from the Sun (now Oracle) Directory Server where the pwdReset attribute is changed automatically.
Best regards Felix
# modify 1367849424 dc=telefonica,dc=com cn=Manager,dc=example,dc=com IP=192.168.186.141:52267 conn=1561 dn: uid=fbtwo,ou=people,dc=de,dc=telefonica,dc=com changetype: modify replace: userPassword userPassword:: e1NTSEF9VzNpZmtPRkROQTk0MCtmR3pIanZOcTdxbk9QUDArNTM= - replace: pwdChangedTime pwdChangedTime: 20130506141024Z - delete: pwdGraceUseTime - add: pwdHistory pwdHistory: 20130506141024Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}AU4VVldD3ct JnHil4AZPHnIC4G1aobhg - replace: entryCSN entryCSN: 20130506141024.395155Z#000000#001#000000 - replace: modifiersName modifiersName: cn=Manager,dc=example,dc=com - replace: modifyTimestamp modifyTimestamp: 20130506141024Z - # end modify 1367849424
---- Felix Schmitt Blumenweg 24 phone: +49 8092 20796 D-85567 Grafing mobile: +49 172 842 99 12 Germany mailto:Felix-Schmitt@t-online.de
openldap-technical@openldap.org