1:11 a.m.
I use OpenLDAP 2.4.24 with the following default password policy,
because I want my users to change their password at first connection,
or after a password reset by an administrator:
dn: cn=default,ou=policies,dc=company
cn: default
description: Strategie de gestion des mots de passe par defaut
objectClass: top
objectClass: person
objectClass: pwdPolicy
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 0
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 0
pwdInHistory: 0
pwdMaxAge: 0
pwdMaxFailure: 0
pwdMinAge: 0
pwdMinLength: 8
pwdMustChange: TRUE
pwdSafeModify: FALSE
sn: policy
When creating a user account (either as administrator or any user with
sufficient rights),
the pwdReset attribute is not set automatically, and thus, the newly created
user can bind
and search without being forced to change his password.
I have to manually set the pwdReset attribute to TRUE in the user entry at
creation time or
after creation to force a password change. Is this normal behaviour ? I
would have expected
to see the pwdReset attribute automatically set (by the ppolicy overlay).
Otherwise, setting pwdMustChange to TRUE in the password policy definition
looks unuseful.
On the contrary, when the user changes his password, the pwdReset attribute
is automatically removed,
which tends to mean the password policy overlay is called and does something
in this case ..
1:30 p.m.
2011/6/21 Cyril GROSJEAN <cgrosjean(a)janua.fr>:
I use OpenLDAP 2.4.24 with the following default password policy,
because I want my users to change their password at first connection,
or after a password reset by an administrator:
dn: cn=default,ou=policies,dc=company
cn: default
description: Strategie de gestion des mots de passe par defaut
objectClass: top
objectClass: person
objectClass: pwdPolicy
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 0
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 0
pwdInHistory: 0
pwdMaxAge: 0
pwdMaxFailure: 0
pwdMinAge: 0
pwdMinLength: 8
pwdMustChange: TRUE
pwdSafeModify: FALSE
sn: policy
When creating a user account (either as administrator or any user with
sufficient rights),
the pwdReset attribute is not set automatically, and thus, the newly created
user can bind
and search without being forced to change his password.
I have to manually set the pwdReset attribute to TRUE in the user entry at
creation time or
after creation to force a password change. Is this normal behaviour ? I
would have expected
to see the pwdReset attribute automatically set (by the ppolicy overlay).
Otherwise, setting pwdMustChange to TRUE in the password policy definition
looks unuseful.
On the contrary, when the user changes his password, the pwdReset attribute
is automatically removed,
which tends to mean the password policy overlay is called and does something
in this case ..
I think this is the normal behavior. The configuration parameter
pwdMustChange means that pwdReset can be used in a user entry. Else
pwdReset will have no effect.
Clément.
1:55 a.m.
According to the source code, it seems you're right. But according to the
OpenLDAP 2.4 admin guide
(
http://www.openldap.org/doc/admin24/overlays.html#Password%20Policy%20Con...
),
it should be wrong, or at least, it doesn't look consistent to me since it
mentions the following (when
pwdMustChange is set to FALSE):
The password does not need to be changed at the first bind or when the
administrator has reset the password (pwdMustChange: FALSE)
So, from what I understand, if pwdMustChange is set to TRUE, the password
needs to be changed at the first bind, or when the
administrator has reset it.
Also, the slapo-ppolicy man pages tends to mean the same thing:
*pwdMustChange*
This attribute specifies whether users must change their passwords when
they first bind to the directory after a password is set or reset by
the administrator, or not. If *pwdMustChange* has a value of "TRUE",
users must change their passwords when they first bind to the directory
after a password is set or reset by the administrator.
2:16 a.m.
Cyril GROSJEAN wrote:
According to the source code, it seems you're right. But
according to the
OpenLDAP 2.4 admin guide
(http://www.openldap.org/doc/admin24/overlays.html#Password%20Policy%20Con...),
it should be wrong, or at least, it doesn't look consistent to me since it
mentions the following (when
pwdMustChange is set to FALSE):
The password does not need to be changed at the first bind or when the
administrator has reset the password (pwdMustChange: FALSE)
So, from what I understand, if pwdMustChange is set to TRUE, the password
needs to be changed at the first bind, or when the
administrator has reset it.
Also, the slapo-ppolicy man pages tends to mean the same thing:
*pwdMustChange*
This attribute specifies whether users must change their passwords when
they first bind to the directory after a password is set or reset by
the administrator, or not. If*pwdMustChange* has a value
of"TRUE",
users must change their passwords when they first bind to the directory
after a password is set or reset by the administrator.
The only way it knows that an administrator has set anything is if the admin
sets the pwdReset attribute.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
2:31 a.m.
2011/6/24 Howard Chu <hyc(a)symas.com>:
Cyril GROSJEAN wrote:
>
> According to the source code, it seems you're right. But according to the
> OpenLDAP 2.4 admin guide
>
>
(http://www.openldap.org/doc/admin24/overlays.html#Password%20Policy%20Con...),
> it should be wrong, or at least, it doesn't look consistent to me since it
> mentions the following (when
> pwdMustChange is set to FALSE):
>
> The password does not need to be changed at the first bind or when the
> administrator has reset the password (pwdMustChange: FALSE)
>
> So, from what I understand, if pwdMustChange is set to TRUE, the password
> needs to be changed at the first bind, or when the
> administrator has reset it.
>
> Also, the slapo-ppolicy man pages tends to mean the same thing:
>
> *pwdMustChange*
>
> This attribute specifies whether users must change their passwords
> when
> they first bind to the directory after a password is set or reset
> by
> the administrator, or not. If*pwdMustChange* has a value
> of"TRUE",
> users must change their passwords when they first bind to the
> directory
> after a password is set or reset by the administrator.
>
>
The only way it knows that an administrator has set anything is if the admin
sets the pwdReset attribute.
That's the way I understand it too. For example in LemonLDAP::NG, we
force the pwdReset attribute when the password is reset by mail with
an random value, so the user must change it when back on the
authentication portal.
But I think I saw on the list that this kind of operation (setting
reset attribute) will soon require the relax control, so we should
then update our code, is it true?
Clément.
2:38 a.m.
OK, it's now clear but I think the documentation could be modified this way,
since when creating a new user, one can set the password at the same time,
among other attributes.
This attribute specifies whether users must change their passwords when
they first bind to the directory after a password is set or reset by
the administrator, or not. If*pwdMustChange* has a value of"TRUE",
users must change their passwords when they first bind to the directory
after a password is set or reset by the administrator.
Note: when a user is created, the pwdReset attribute has to be explicitly
set to TRUE to force a password change at the first bind.
4356
days inactive
4359
days old
openldap-technical@openldap.org
5 comments
3 participants
participants (3)
-
Clément OUDOT -
Cyril GROSJEAN -
Howard Chu