Hello All,
I have a perl script that allows for the creation of new accounts in OpenLDAP. I am attempting to find a way to force the newly created user to change his or her password upon first login. I tried setting the attribute pwdMustChange to TRUE but that attribute must not be definable upon user creation. So, how can this be accomplished so that a new user is forced to change passwords after they first log on?
Thank you.
On 12/23/12 17:33 -0600, Kyle Harris wrote:
> Hello All,
> I have a perl script that allows for the creation of new accounts in OpenLDAP. I am attempting to find a way to force the newly created user to change his or her password upon first login. I tried setting the attribute pwdMustChange to TRUE but that attribute must not be definable upon user creation. So, how can this be accomplished so that a new user is forced to change passwords after they first log on?
By 'log in' I assume you're asking about shell access to your system, which makes use of an ldap pam module to authenticate users. If so, the function of prompting users to change their password will be handled by that piece of software, and you should consult the documentation distributed with it.
If that's not the case, please clarify your authentication scenario.
On Sun, 23 Dec 2012 17:33:38 -0600, Kyle Harris kyle@theharrishome.com wrote:
> Hello All,
> I have a perl script that allows for the creation of new accounts in OpenLDAP. I am attempting to find a way to force the newly created user to change his or her password upon first login. I tried setting the attribute pwdMustChange to TRUE but that attribute must not be definable upon user creation. So, how can this be accomplished so that a new user is forced to change passwords after they first log on?
In your Perl script you may include Net::LDAP::Extension::SetPassword in order to create a random password, and second you should define and create a password policy entry that contains all relevant attribute types. See man slapo-ppolicy(5).
-Dieter
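Dieter's suggestion worked through in Perl, as an added example that is not part of the thread and not the poster's script: it creates the pwdPolicy entry that pwdMustChange actually belongs to, adds a user bound to that policy, and lets slapd generate the initial password through Net::LDAP::Extension::SetPassword. The server URI, DNs, object classes and the LDAP_ADMIN_PW variable are assumptions, and it presumes slapo-ppolicy and its schema are loaded on the server.

```perl
# Added example, not the poster's script: create a pwdPolicy entry with
# pwdMustChange TRUE, add a user that references it, and give that user a
# server-generated initial password via the Password Modify extended op.
# Since an administrator (not the user) set the password and the policy has
# pwdMustChange TRUE, slapo-ppolicy stamps pwdReset TRUE on the entry, so the
# user must change it on first bind. Assumes slapo-ppolicy and its schema
# are loaded; the URI, DNs and LDAP_ADMIN_PW are placeholders/assumed.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_ALREADY_EXISTS);
use Net::LDAP::Extension::SetPassword;   # adds $ldap->set_password

my $uri       = 'ldaps://ldap.example.com';                    # assumed
my $admin_dn  = 'cn=admin,dc=example,dc=com';                  # assumed
my $admin_pw  = $ENV{LDAP_ADMIN_PW} // die "set LDAP_ADMIN_PW\n";
my $policy_dn = 'cn=default,ou=policies,dc=example,dc=com';    # assumed
my $user_dn   = 'uid=jdoe,ou=people,dc=example,dc=com';        # assumed

my $ldap = Net::LDAP->new($uri) or die "connect: $@";
my $r = $ldap->bind($admin_dn, password => $admin_pw);
$r->code and die 'bind: ' . $r->error;

# 1. The policy entry: pwdMustChange lives here, not on the user entry,
#    which is why setting it at user creation did not work.
$r = $ldap->add($policy_dn, attrs => [
    objectClass        => [qw(applicationProcess pwdPolicy)],
    cn                 => 'default',
    pwdAttribute       => 'userPassword',
    pwdMustChange      => 'TRUE',
    pwdAllowUserChange => 'TRUE',   # the user has to be able to set the new one
]);
$r->code and $r->code != LDAP_ALREADY_EXISTS() and die 'add policy: ' . $r->error;

# 2. The user entry, created without userPassword and bound to the policy.
#    (Alternatively configure ppolicy_default in slapd.conf and omit this.)
$r = $ldap->add($user_dn, attrs => [
    objectClass       => [qw(inetOrgPerson)],
    uid               => 'jdoe',
    cn                => 'Jane Doe',
    sn                => 'Doe',
    pwdPolicySubentry => $policy_dn,
]);
$r->code and die 'add user: ' . $r->error;

# 3. No newpasswd given, so slapd generates a random one and returns it.
my $mesg = $ldap->set_password(user => $user_dn);
$mesg->code and die 'set_password: ' . $mesg->error;
printf "initial password for %s: %s\n", $user_dn, $mesg->gen_password;
# Hand it over out of band; the ACL must still let the user write userPassword.
```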
On Sun, 2012-12-23 at 17:33 -0600, Kyle Harris wrote:
> I have a perl script that allows for the creation of new accounts in OpenLDAP. I am attempting to find a way to force the newly created user to change his or her password upon first login. I tried setting the attribute pwdMustChange to TRUE but that attribute must not be definable upon user creation. So, how can this be accomplished so that a new user is forced to change passwords after they first log on?
If your applications that are doing the authentication are using PAM, setting the shadowLastChange attribute to 0 should do the trick.
You should probably grant the user the right permissions to update the userPassword and shadowLastChange attributes.
Arthur de Jong wrote:
> You should probably grant the user the right permissions to update the userPassword and shadowLastChange attributes.
Yes, the user should have write-only access to userPassword.
But if the user has write access to 'shadowLastChange' he could circumvent the shadowAccount-based password policy. So this is bad advice.
Ciao, Michael.
Hi.
Are you thinking about alternative ways?
In our corporate environment, new user accounts don't have a userPassword attribute at all. Instead, people get an "activation code", a unique ID for our custom interface, to "activate" (create userPassword for) the account.
This way, only the user knows his password.
WBR
On 12/24/2012 03:33 AM, Kyle Harris wrote:
> Hello All,
> I have a perl script that allows for the creation of new accounts in OpenLDAP. I am attempting to find a way to force the newly created user to change his or her password upon first login. I tried setting the attribute pwdMustChange to TRUE but that attribute must not be definable upon user creation. So, how can this be accomplished so that a new user is forced to change passwords after they first log on?
> Thank you.
openldap-technical@openldap.org