The draft description of ppolicy (draft-behera-ldap-password-policy-09.txt) from July 17, 2005 says, among other things: "If the value of pwdMustChange is TRUE and the modification is performed by a password administrator, then the pwdReset attribute is set to TRUE."
My impression, using OpenLDAP up to v2.4.10, is that it is rather implemented as "...and the pwdReset attribute is set to TRUE, the user has to change his password" (i.e. setting pwdReset signals the very fact that I am a password administrator)? On the other hand, the reset of the pwdReset attribute when the user actually chooses a new password is, as expected, performed automatically by the OpenLDAP software.
The Behera draft expired more than two years ago; in a more recent IETF draft by Zeilenga from March 2008 there is a suggestion to replace pwdReset by passwdChangeRequired. That draft has also expired by now. Did it make its way into any OpenLDAP code?
Best Regards
Akke Bengtsson
IT-Forum, IT-Arkitektur och systemutveckling
Karolinska Universitetssjukhuset
141 86 STOCKHOLM
openldap-technical@openldap.org
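For readers who want to reproduce the behaviour the message asks about, the following LDIF is an added example and is not part of the original message or of the OpenLDAP project's own documentation. It wires the ppolicy overlay to a default policy entry with pwdMustChange set to TRUE and then performs the administrative password reset that, per the draft text quoted above, should set pwdReset on the user's entry. The suffix dc=example,dc=com, the database olcDatabase={1}hdb, the policy DN cn=default,ou=policies,dc=example,dc=com and the user uid=alice are all assumptions for illustration; the example also assumes slapd 2.4 with cn=config and the ppolicy module already loaded (add an olcModuleLoad: ppolicy entry first if your build uses dynamic modules), and that the overlay treats any modification of userPassword by a DN other than the entry's own as an administrative reset.

```ldif
# Added example (not from the original post). Assumed names:
# suffix dc=example,dc=com, database olcDatabase={1}hdb,
# policy cn=default,ou=policies,dc=example,dc=com, user uid=alice.

# 1. Attach the ppolicy overlay to the database and name the default
#    policy that applies to entries without their own pwdPolicySubentry.
dn: olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
olcPPolicyHashCleartext: TRUE

# 2. The policy entry. pwdPolicy is auxiliary, so a structural class
#    (person here) is needed. pwdMustChange: TRUE is the switch the
#    quoted draft text refers to; pwdAllowUserChange must be TRUE or
#    the user cannot clear the reset state by choosing a new password.
dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdMaxAge: 7776000

# 3. Administrative reset: apply this bound as an identity other than
#    alice herself (e.g. the rootdn or an account with write access to
#    userPassword). With pwdMustChange TRUE, the overlay should add the
#    operational attribute pwdReset: TRUE to alice's entry.
dn: uid=alice,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: TemporaryPassw0rd!
```

To observe the result, search alice's entry as the administrator and request pwdReset explicitly (it is an operational attribute, so it is not returned unless named or "+" is requested): ldapsearch -LLL -b uid=alice,ou=people,dc=example,dc=com pwdReset. Then bind as alice with the temporary password and attempt an ordinary search; while pwdReset is TRUE the overlay refuses operations other than a password change. Once alice replaces her own userPassword (a modify with the old and new values, or the password modify extended operation), the overlay removes pwdReset from her entry, which matches the automatic clearing described in the message above.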