OpenLDAP Password Expiration with pwdReset=TRUE?

Posted by jsight on Server Fault
Published on 2009-11-25T20:28:31Z


I have configured the ppolicy overlay for OpenLDAP to enable password policies. These things work:

  • Password lockouts on too many failed attempts
  • Password change required once pwdReset=TRUE is added to the user entry
  • Password Expirations

If the account is locked out due to intrusion attempts (too many bad passwords) or time (expiration time hit), the account must be reset by an administrator.

However, when the administrator sets pwdReset=TRUE in the profile, this seems to also override the expiration policy. So, the password that the administrator sent out (which should be a temporary password) ends up being valid permanently.

Is there a way in OpenLDAP to have a password that must be changed, but also MUST expire?
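While the overlay behaves as described above, a compensating control is to audit the directory for entries that still carry pwdReset=TRUE long after the temporary password was issued. The script below is an added example, not part of the original post or of OpenLDAP: it parses the GeneralizedTime values ppolicy writes to pwdChangedTime and flags reset accounts older than an assumed pwdMaxAge of 30 days, working on constructed in-memory entries in place of an LDAP search.

```python
"""Audit ppolicy entries for temporary (pwdReset=TRUE) passwords that have
outlived pwdMaxAge. Added example; entries are constructed dicts standing in
for the attributes an ldapsearch for pwdReset/pwdChangedTime would return."""
from datetime import datetime, timedelta, timezone

# Assumption: the policy's pwdMaxAge in seconds (30 days here).
PWD_MAX_AGE = 30 * 24 * 3600


def parse_generalized_time(value: str) -> datetime:
    """Parse the LDAP GeneralizedTime form ppolicy writes (YYYYMMDDHHMMSSZ).

    Fractional seconds are accepted and dropped; only the UTC 'Z' form that
    ppolicy emits is supported, anything else is rejected."""
    if not value.endswith("Z"):
        raise ValueError(f"expected UTC GeneralizedTime, got {value!r}")
    body = value[:-1].split(".")[0]
    return datetime.strptime(body, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def stale_reset_accounts(entries, now, max_age=PWD_MAX_AGE):
    """Return DNs with pwdReset=TRUE whose pwdChangedTime is older than max_age.

    These are the admin-issued temporary passwords the post describes: the
    overlay still accepts them, so they must be found and re-locked by hand."""
    stale = []
    for entry in entries:
        if entry.get("pwdReset", "FALSE").upper() != "TRUE":
            continue  # normal password, expiration handled by ppolicy itself
        changed = parse_generalized_time(entry["pwdChangedTime"])
        if now - changed > timedelta(seconds=max_age):
            stale.append(entry["dn"])
    return stale


# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com",
     "pwdReset": "TRUE", "pwdChangedTime": "20091001120000Z"},   # 55 days old
    {"dn": "uid=bob,ou=people,dc=example,dc=com",
     "pwdReset": "TRUE", "pwdChangedTime": "20091120120000Z"},   # 5 days old
    {"dn": "uid=carol,ou=people,dc=example,dc=com",
     "pwdChangedTime": "20090101120000Z"},                       # no reset flag
]

if __name__ == "__main__":
    now = parse_generalized_time("20091125202831Z")
    for dn in stale_reset_accounts(SAMPLE_ENTRIES, now):
        print("temporary password older than pwdMaxAge:", dn)
```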
