I use OpenLDAP 2.4.24 with the following default password policy, because I want my users to change their password at first connection, or after a password reset by an administrator:
dn: cn=default,ou=policies,dc=company
cn: default
description: Default password management policy
objectClass: top
objectClass: person
objectClass: pwdPolicy
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 0
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 0
pwdInHistory: 0
pwdMaxAge: 0
pwdMaxFailure: 0
pwdMinAge: 0
pwdMinLength: 8
pwdMustChange: TRUE
pwdSafeModify: FALSE
sn: policy
When creating a user account (either as an administrator or as any user with sufficient rights), the pwdReset attribute is not set automatically, and thus the newly created user can bind and search without being forced to change his password.
I have to manually set the pwdReset attribute to TRUE in the user entry, at creation time or after creation, to force a password change. Is this normal behaviour? I would have expected to see the pwdReset attribute automatically set (by the ppolicy overlay). Otherwise, setting pwdMustChange to TRUE in the password policy definition looks useless.
Conversely, when the user changes his password, the pwdReset attribute is automatically removed, which tends to mean the password policy overlay is called and does something in this case.
2011/6/21 Cyril GROSJEAN cgrosjean@janua.fr:
I think this is the normal behavior. The configuration parameter pwdMustChange means that pwdReset can be used in a user entry. Otherwise pwdReset will have no effect.
Clément.
According to the source code, it seems you're right. But according to the OpenLDAP 2.4 admin guide (http://www.openldap.org/doc/admin24/overlays.html#Password%20Policy%20Config...), it should be wrong, or at least it doesn't look consistent to me, since it mentions the following (when pwdMustChange is set to FALSE):
The password does not need to be changed at the first bind or when the administrator has reset the password (pwdMustChange: FALSE)
So, from what I understand, if pwdMustChange is set to TRUE, the password needs to be changed at the first bind, or when the administrator has reset it.
Also, the slapo-ppolicy man page tends to say the same thing:
*pwdMustChange*
This attribute specifies whether users must change their passwords when they first bind to the directory after a password is set or reset by the administrator, or not. If *pwdMustChange* has a value of "TRUE", users must change their passwords when they first bind to the directory after a password is set or reset by the administrator.
Cyril GROSJEAN wrote:
The only way it knows that an administrator has set anything is if the admin sets the pwdReset attribute.
2011/6/24 Howard Chu hyc@symas.com:
That's the way I understand it too. For example, in LemonLDAP::NG we force the pwdReset attribute when the password is reset by mail with a random value, so the user must change it when back on the authentication portal.
But I think I saw on the list that this kind of operation (setting the reset attribute) will soon require the relax control, so we should then update our code. Is that true?
Clément.
OK, it's now clear, but I think the documentation could be modified this way, since when creating a new user one can set the password at the same time, among other attributes:
This attribute specifies whether users must change their passwords when they first bind to the directory after a password is set or reset by the administrator, or not. If *pwdMustChange* has a value of "TRUE", users must change their passwords when they first bind to the directory after a password is set or reset by the administrator.
Note: when a user is created, the pwdReset attribute has to be explicitly set to TRUE to force a password change at the first bind.
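As an added example (not from this thread and not OpenLDAP code), the script below turns the conclusion of the discussion into an audit: it reads an LDIF export of user entries, lists the accounts that carry a userPassword but no pwdReset: TRUE (and so will never be forced to change their password, even under pwdMustChange: TRUE), and emits the ldapmodify input that sets pwdReset on them; it also builds the ldapadd input for a new account created with pwdReset: TRUE from the start, which is what Cyril's proposed doc note asks for. The sample export, the ou=people branch, the uids and the password hashes are constructed for the example; only dc=company and the cn=default policy come from the thread. The `-e relax` flag mentioned in the usage note assumes, as Clément anticipates, that writing the operational pwdReset attribute needs the Relax Rules control.

```python
"""Audit an LDIF export for accounts that will NOT be forced to change their
password at first bind under a pwdMustChange: TRUE ppolicy, and build the fix.
Added example for the thread, not OpenLDAP code; sample data is constructed."""
import base64
import sys


def parse_ldif(text):
    """Minimal LDIF reader: returns [(dn, {attr_lowercase: [values]})].
    Unfolds continuation lines (leading space), decodes 'attr:: base64'
    values, skips comments and the version line."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # RFC 2849 line folding
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded + [""]:             # trailing "" flushes the last entry
        if line == "":
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):             # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(name.lower(), []).append(value)
    return entries


def accounts_missing_reset(entries, created_after=None):
    """DNs with a userPassword but no pwdReset: TRUE.
    Caveat from the thread: ppolicy removes pwdReset once the user has changed
    the password, so an unfiltered run would re-force every established user.
    created_after (generalized time, e.g. "20110621000000Z") limits the audit
    to recently created entries; entries without createTimestamp are then
    skipped rather than flagged."""
    hits = []
    for dn, attrs in entries:
        if "userpassword" not in attrs:
            continue
        if created_after is not None:
            ts = attrs.get("createtimestamp", [""])[0]
            if ts < created_after:           # lexical order == time order for ...Z stamps
                continue
        if any(v.upper() == "TRUE" for v in attrs.get("pwdreset", [])):
            continue
        hits.append(dn)
    return hits


def reset_ldif(dns):
    """ldapmodify input that sets pwdReset: TRUE on each DN."""
    return "\n".join(
        f"dn: {dn}\nchangetype: modify\nreplace: pwdReset\npwdReset: TRUE\n-\n"
        for dn in dns
    )


def new_user_ldif(uid, password_hash, base="ou=people,dc=company"):
    """ldapadd input for a new account with pwdReset set at creation time
    (ou=people is an assumed container, not from the thread)."""
    return (f"dn: uid={uid},{base}\nobjectClass: inetOrgPerson\n"
            f"uid: {uid}\nsn: {uid}\ncn: {uid}\n"
            f"userPassword: {password_hash}\npwdReset: TRUE\n")


# Constructed sample of what
#   ldapsearch -LLL -b ou=people,dc=company '(userPassword=*)' userPassword pwdReset createTimestamp
# might return (pwdReset and createTimestamp are operational: ask for them by
# name). bob's password line is base64 to exercise the '::' path; no real hashes.
SAMPLE_EXPORT = """\
dn: uid=alice,ou=people,dc=company
objectClass: inetOrgPerson
uid: alice
userPassword: {SSHA}constructed-not-a-real-hash
createTimestamp: 20110622091500Z
pwdReset: TRUE

dn: uid=bob,ou=people,dc=company
objectClass: inetOrgPerson
uid: bob
description: helpdesk-created account,
  password never reset by the user
userPassword:: e1NTSEF9Ym9i
createTimestamp: 20110622093000Z

dn: uid=carol,ou=people,dc=company
objectClass: inetOrgPerson
uid: carol
userPassword: {SSHA}constructed-not-a-real-hash
createTimestamp: 20100101120000Z
pwdChangedTime: 20110301120000Z

dn: cn=default,ou=policies,dc=company
objectClass: pwdPolicy
pwdMustChange: TRUE
"""

if __name__ == "__main__":
    # ldapsearch ... | python audit_pwdreset.py [created_after] | ldapmodify -e relax -D cn=admin,dc=company -W
    since = sys.argv[1] if len(sys.argv) > 1 else None
    sys.stdout.write(reset_ldif(accounts_missing_reset(parse_ldif(sys.stdin.read()), since)))
```

On the sample, alice is fine (pwdReset already TRUE), bob is flagged, and carol is flagged only when no created_after cut-off is given: she changed her password in March 2011, which is exactly the case the thread says removes pwdReset, so forcing her again would be a false positive. Run the audit with a timestamp that matches the batch of accounts you created, and pipe the output through ldapmodify with the relax control if your server rejects the write without it.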
openldap-technical@openldap.org