Every other directory server, e.g. Oracle's, will automatically set pwdReset to TRUE if pwdMustChange is defined in the policy:

"When a user's password is changed by another user, such as a password administrator, pwdReset is set to TRUE."
On the other hand, OpenLDAP doesn't, despite the documentation:
5.2.13 pwdMustChange
This attribute specifies with a value of "TRUE" that users must change their passwords when they first bind to the directory after a password is set or reset by a password administrator. If this attribute is not present, or if the value is "FALSE", users are not required to change their password upon binding after the password administrator sets or resets the password. This attribute is not set due to any actions specified by this document, it is typically set by a password administrator after resetting a user's password.
As I understand it, this should be enforced, i.e. by the ppolicy overlay. I understand the how; what I don't understand is the why. Is there a specific reason OpenLDAP is like this?
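As an added example (not from the question above and not the OpenLDAP project's own material), this is the LDIF a password administrator can use on OpenLDAP to get the behaviour the question expects without relying on the overlay to flag the reset: a pwdPolicy entry with pwdMustChange: TRUE, followed by an administrative password reset that explicitly replaces the operational attribute pwdReset with TRUE in the same modify. The suffix dc=example,dc=com, the ou=policies / ou=people containers, the user uid=jdoe, the policy name cn=default and the rootdn cn=Manager are assumptions; it also assumes the ppolicy overlay is already loaded with olcPPolicyDefault pointing at the policy entry (or a pwdPolicySubentry on the user), and that the binding identity has write access to pwdReset (the rootdn does).

```ldif
# Added example (assumed DNs, not from the original post).
# Apply the whole file with:
#   ldapmodify -x -D cn=Manager,dc=example,dc=com -W -f reset.ldif

# 1. Password policy entry the overlay applies to users.
#    pwdMustChange alone is only a statement of intent in OpenLDAP's ppolicy;
#    the per-user pwdReset flag is what actually restricts the next bind.
dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: applicationProcess
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMustChange: TRUE
pwdAllowUserChange: TRUE

# 2. Administrative reset of a user's password. Besides replacing
#    userPassword, the same modify sets pwdReset: TRUE explicitly, so the
#    user's next session is limited to changing the password regardless of
#    whether the overlay would have set the flag on its own.
#    (Constructed temporary password; rotate it out of band.)
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: TemporaryPassw0rd!
-
replace: pwdReset
pwdReset: TRUE

# 3. Verify the flag landed. pwdReset is operational, so it must be
#    requested by name:
#   ldapsearch -x -D cn=Manager,dc=example,dc=com -W \
#     -b uid=jdoe,ou=people,dc=example,dc=com -s base pwdReset
```

With pwdReset: TRUE on the entry, slapd's ppolicy overlay lets the user bind with the temporary password but refuses other operations until the password is changed (the error text is along the lines of operations being restricted to bind, unbind, abandon, StartTLS and password modify), and a client that sends the password policy request control receives the changeAfterReset error code in the response. Once the user changes the password themselves, the overlay removes pwdReset; an administrator who needs to clear it by hand can do so with a `delete: pwdReset` modify.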