On Fri, Oct 27, 2023 at 12:21:22PM -0000, [email protected] wrote:
> This topic comes up in search without a proper answer. The solution appears
> to be:
>
> 1. Set pwdMustChange: TRUE in the policies object (dn:
>    cn=default,ou=Policies,dc=my,dc=com)
> 2. When creating <user>, set pwdReset: TRUE after creation of <user>
>    using update (ldapmodify); this will lock out the <user> from logins
>    of that account (but not password changes).

I would add that setting the password by a "password administrator" (in
OpenLDAP since 2.5 that's an identity with "manage" access on the
userPassword attribute) will set pwdReset: TRUE automatically as per the
Behera ppolicy draft.

> 3. Edit or create a login script to check if pwdReset is true (or some
>    other method) and force <user> to change user password through ldap
>
> Step 3 may or may not be easy to set up in your environment, for
> instance a special guest login for password changes could work.
>
> Important is to note that you cannot log in to the created <user> using
> su <user> when pwdMustChange: TRUE is set and pwdReset: TRUE is set for
> <user>, but the user is still allowed to change the password from
> another user using ldap to set <user> password.

Regards,

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation
http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
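Steps 1 and 2 of the quoted procedure written out as LDIF, added here as an illustration rather than taken from the thread; the policy DN is the one quoted above, while the user DN, the inetOrgPerson attributes and the initial password are constructed placeholders.

```ldif
# Step 1 (policy entry): require a password change after an administrative
# reset. The policy DN is the one named in the thread.
dn: cn=default,ou=Policies,dc=my,dc=com
changetype: modify
replace: pwdMustChange
pwdMustChange: TRUE

# Step 2a (account): create <user>. DN, names and the initial password are
# constructed placeholders, not values from the thread.
dn: uid=jdoe,ou=People,dc=my,dc=com
changetype: add
objectClass: inetOrgPerson
cn: Jane Doe
sn: Doe
uid: jdoe
userPassword: CHANGEME-initial-placeholder

# Step 2b (account): flag the initial password as reset. Together with
# pwdMustChange: TRUE in the policy, this locks <user> out of logins while
# still permitting a password change, which is what a step 3 login script
# can key on. pwdReset is an operational attribute, so an ldapsearch that
# checks it must request it by name (or with "+").
dn: uid=jdoe,ou=People,dc=my,dc=com
changetype: modify
replace: pwdReset
pwdReset: TRUE
```

Feed the records to ldapmodify as an identity with write access to the entries; on OpenLDAP 2.5 and later, step 2b is applied automatically when the password is set by a password administrator, as noted in the reply above.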