Buchan Milne wrote:
> On Friday, 3 September 2010 19:26:05 Michael Ströder wrote:
>> IMO that's bad practice. When doing a password reset you should set a
>> random value in userPassword together with password expiration attribute
>> (slapo-ppolicy).
>
> IMHO, the correct attribute to set would have been pwdReset, but
> unfortunately there is no way to enforce users to reset their passwords
> in applications that don't support ppolicy (as users won't get locked out
> if they just keep using the temporary password).
>
> I think I sent feedback to Howard on the new ppolicy draft about this ...

The original poster wrote about a custom web-based password app anyway. So this would not be a problem in his case.

Additionally the password expiration should be set to a reasonably short time-frame, just in case someone intercepts the password reset message with the temporary password.

Ciao, Michael.
