Every other directory server, i.e. Oracle's will automatically set pwdReset to TRUE if pwdMustChange is defined in the policy:

When a user's password is changed by another user, such as a password administrator, pwdReset is set to TRUE.

On the other hand, OpenLDAP doesn't, despite the documentation:

5.2.13 pwdMustChange

This attribute specifies with a value of "TRUE" that users must change their passwords when they first bind to the directory after a password is set or reset by a password administrator. If this attribute is not present, or if the value is "FALSE", users are not required to change their password upon binding after the password administrator sets or resets the password. This attribute is not set due to any actions specified by this document, it is typically set by a password administrator after resetting a user's password.

As I understand it, this should be enforced i.e. by the ppolicy overlay. I understand the how, what I don't understand is the why. Is there a specific reason OpenLDAP is like this?

user326892
  • The linked schema documents but does not include the `pwdReset` attribute. Have you modified your schema to include the attribute? – BillThor Dec 12 '15 at 16:24
  • @BillThor -- Have you ever used the ppolicy module? pwdReset is a virtual attribute defined by the module's internal schema. If you open the compiled module in an editor or look at the source code, you would see it. – Sokel Dec 12 '15 at 19:03

1 Answer

OpenLDAP doesn't because of the documentation. The OpenLDAP documentation you quoted explicitly states that it isn't automatic and must be set by an administrator:

This attribute is not set due to any actions specified by this document, it is typically set by a password administrator after resetting a user's password.

user207421
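To make the answer concrete, here is an added example (not from the original question, answer or the OpenLDAP project) of what "set by a password administrator" looks like in practice: the policy entry carries pwdMustChange, while pwdReset is set on the user entry itself in the same modify operation that replaces the password. The server URI, the admin DN and the dc=example,dc=com suffix are placeholders; the script assumes the bind identity is allowed to write the operational pwdReset attribute.

```shell
#!/bin/sh
# Constructed example: an administrator reset that explicitly flags pwdReset,
# because OpenLDAP's ppolicy overlay leaves that to the administrator.
LDAP_URI="${LDAP_URI:-ldap://localhost}"            # assumed server
ADMIN_DN="${ADMIN_DN:-cn=admin,dc=example,dc=com}"  # assumed admin / placeholder suffix

# LDIF for the policy entry: pwdMustChange lives here, not on the user.
policy_ldif() {
  policy_dn="$1"
  printf 'dn: %s\nobjectClass: device\nobjectClass: pwdPolicy\ncn: default\npwdAttribute: userPassword\npwdMustChange: TRUE\n' "$policy_dn"
}

# LDIF for the reset: replace the password AND set pwdReset: TRUE on the user entry.
reset_ldif() {
  user_dn="$1"; new_password="$2"
  printf 'dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n-\nreplace: pwdReset\npwdReset: TRUE\n-\n' "$user_dn" "$new_password"
}

# Pure check (no server needed): does a generated LDIF carry the reset flag?
ldif_flags_reset() {
  printf '%s\n' "$1" | grep -q '^pwdReset: TRUE$'
}

# Apply the reset as the password administrator (needs a live server).
apply_reset() {
  reset_ldif "$1" "$2" | ldapmodify -H "$LDAP_URI" -D "$ADMIN_DN" -W
}

# pwdReset is operational, so it is only returned when asked for by name (or with "+").
check_reset_flag() {
  ldapsearch -LLL -H "$LDAP_URI" -D "$ADMIN_DN" -W -s base -b "$1" pwdReset
}

# Usage: ./reset.sh 'uid=jdoe,ou=people,dc=example,dc=com' 'new-password'
if [ $# -eq 2 ]; then
  apply_reset "$1" "$2"
  check_reset_flag "$1"
fi
```

Two points worth checking on your own server: the final ldapsearch should show `pwdReset: TRUE` on the user entry (it will not appear in a default search, since the attribute is operational), and the user's next bind should then be restricted to changing the password. If your slapd refuses the write to pwdReset, that is a server-side access or policy restriction on operational attributes, not a sign that the overlay sets the flag for you.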