
I have implemented OpenLDAP on CentOS 6, and I want to enforce a password change at first login. Which pwdPolicy objectClass and attributes can accomplish this task?

    # MyOrgPPolicy, Policies, eostest.com
    dn: cn=MyOrgPPolicy,ou=Policies,dc=eostest,dc=com
    cn: MyOrgPPolicy
    pwdInHistory: 4
    pwdMinLength: 9
    pwdFailureCountInterval: 0
    objectClass: pwdPolicy
    objectClass: device
    objectClass: top
    objectClass: pwdPolicyChecker
    pwdMustChange: TRUE
    pwdMaxFailure: 3
    pwdCheckQuality: 1
    pwdAllowUserChange: TRUE
    pwdAttribute: userPassword
    pwdLockout: TRUE
    pwdSafeModify: FALSE
    pwdExpireWarning: 1
    pwdGraceAuthNLimit: 5
    pwdLockoutDuration: 60
    pwdMaxAge: 2592000
    pwdMinAge: 300
    pwdCheckModule: pwcheck.la



When you are using Apache Directory Studio you can see an attribute called passwordMustChange:

When on, this attribute requires users to change their passwords when they first login to the directory or after the password is reset by the Directory Manager. The user is required to change their password even if user-defined passwords are disabled. If this attribute is set to off, passwords assigned by the Directory Manager should not follow any obvious convention and should be difficult to discover. This attribute is off by default.

Which I found here.

SystemCookie
  • Is passwordChange also set on? – SystemCookie Mar 03 '16 at 09:34
  • I have used phpldapadmin and the value pwdMustChange: TRUE is set. But new users are not asked to change the password at first login or when I change the password from phpldapadmin. If I remove pwdMustChange and add passwordMustChange to my policy, I get the error ldap_modify: Undefined attribute type (17) additional info: passwordMustChange: attribute type undefined. I have also set pwdLockout: TRUE, pwdReset: TRUE & pwdMaxFailure: 3; if a user attempts a wrong password 3 times, the account gets locked. After I reset the password, the user is able to use the new password without the system prompting for a change. – Vishesh Sayal Mar 03 '16 at 09:42
  • pwdAllowUserChange: TRUE is also set – Vishesh Sayal Mar 03 '16 at 09:44
  • Then I don't know. You should add this information to your question for others! – SystemCookie Mar 03 '16 at 09:44
  • I have edited my question and added my policy info – Vishesh Sayal Mar 03 '16 at 09:52
  • If you add a new user, and this user logs in for the first time, he isn't forced to change his password? Is this right? And you tested it every time with a newly created user? – SystemCookie Mar 03 '16 at 10:02
  • Yes, I create a new user to test every time; the new user is logged in without any prompt from the system. I suspect the PAM config on the client side. Any suggestions? – Vishesh Sayal Mar 03 '16 at 10:11
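The passwordMustChange attribute quoted in the answer belongs to 389/Sun Directory Server, which is why slapd rejects it as an undefined attribute type; on OpenLDAP the equivalent behaviour comes from the slapo-ppolicy overlay and its pwdMustChange attribute. The overlay does not prompt anyone by itself: it only sets pwdReset: TRUE on the user entry when someone other than the user modifies userPassword under a policy with pwdMustChange: TRUE, and on the next bind it restricts that connection to password changes and reports changeAfterReset in the ppolicy response control. The policy must also actually apply to the entry (via pwdPolicySubentry or the overlay default), and the LDAP client (here PAM/nslcd) must understand the response control to turn the restriction into a prompt. The script below is an added example, not OpenLDAP code: it re-implements those server-side decisions over LDIF text so they can be checked offline. The policy is the one from the question; the user entry, its uid and password hash are constructed for the example.

```python
"""Offline model of the slapo-ppolicy decisions behind pwdMustChange (added example, not OpenLDAP code)."""
import base64
from collections import defaultdict

# Policy entry from the question (attributes relevant to the first-login check).
POLICY_LDIF = """\
dn: cn=MyOrgPPolicy,ou=Policies,dc=eostest,dc=com
cn: MyOrgPPolicy
objectClass: pwdPolicy
objectClass: device
objectClass: top
pwdAttribute: userPassword
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdMaxFailure: 3
pwdLockout: TRUE
"""

# Constructed user entry: hypothetical uid and a placeholder hash, not from the question.
USER_LDIF = """\
dn: uid=jdoe,ou=People,dc=eostest,dc=com
objectClass: inetOrgPerson
uid: jdoe
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=
pwdPolicySubentry: cn=MyOrgPPolicy,ou=Policies,dc=eostest,dc=com
"""


def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]}.
    Attribute names are lowercased (LDAP attribute types are case-insensitive);
    folded continuation lines and '::' base64 values are handled, comments skipped."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:      # folded continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = defaultdict(list)
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode()
        entry[attr.strip().lower()].append(value.strip())
    return dict(entry)


def flag(entry, attr):
    """Boolean ppolicy attribute; an absent attribute counts as FALSE, as in the overlay."""
    return entry.get(attr.lower(), ["FALSE"])[0].upper() == "TRUE"


def effective_policy_dn(user, overlay_default=None):
    """The overlay uses the entry's pwdPolicySubentry if present, else its configured
    default policy (ppolicy_default / olcPPolicyDefault). None means no policy applies,
    so pwdMustChange can never take effect for this entry."""
    return user.get("pwdpolicysubentry", [overlay_default])[0]


def apply_password_modify(user, policy, modifier_dn):
    """Model of the overlay's modify hook for a userPassword change: pwdReset: TRUE is set
    when the modifier is not the entry itself and the policy has pwdMustChange: TRUE;
    a self-change clears pwdReset. Returns the entry as it would look afterwards.
    (Lowercasing is a simplification of proper DN normalization.)"""
    after = {k: list(v) for k, v in user.items()}
    after.pop("pwdreset", None)
    is_self = modifier_dn.lower() == user["dn"][0].lower()
    if not is_self and flag(policy, "pwdMustChange"):
        after["pwdreset"] = ["TRUE"]
    return after


def bind_outcome(user, policy):
    """Model of the overlay's bind response after a correct password: with pwdReset: TRUE the
    bind still succeeds, but the ppolicy response control carries changeAfterReset and every
    operation other than a password change is refused until the user sets a new password.
    user_can_fix is FALSE when pwdAllowUserChange forbids the user from doing so."""
    restricted = flag(user, "pwdReset")
    return {
        "restricted": restricted,
        "ppolicy_error": "changeAfterReset" if restricted else None,
        "user_can_fix": flag(policy, "pwdAllowUserChange"),
    }


if __name__ == "__main__":
    policy, user = parse_ldif(POLICY_LDIF), parse_ldif(USER_LDIF)
    print("policy applied:", effective_policy_dn(user))
    print("fresh entry, first bind:", bind_outcome(user, policy))
    reset = apply_password_modify(user, policy, "cn=Manager,dc=eostest,dc=com")
    print("after admin reset, bind:", bind_outcome(reset, policy))
    changed = apply_password_modify(reset, policy, user["dn"][0])
    print("after user changed it, bind:", bind_outcome(changed, policy))
```

Running it shows the two conditions worth checking on a real server with ldapsearch: the user entry must resolve to a policy (effective_policy_dn is not None), and after an administrator resets the password the entry must carry pwdReset: TRUE. If both hold and the login still is not prompted, the gap is on the client side, which has to request the ppolicy control on bind and act on changeAfterReset.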