OpenLDAP Password Expiration with pwdReset=TRUE?


Solution 1

I don't see why a temporary password should expire. If the user never logs in, then it shouldn't expire, because the user needs to select the new one so he/she knows it.

According to this, on the first access of a record by a user, the user will have to change it on first authentication: http://linux.die.net/man/5/slapo-ppolicy

Are you saying the user can ignore changing it when he first logs back in?

Solution 2

I realize this post is fairly old, but it hasn't been answered yet. I don't have any experience with OpenLDAP, but with OpenDJ there's a ds-cfg-max-password-reset-age property that sets the maximum length of time a user is given to change their password after it has been reset.

Hope this helps.

Solution 3

You can set pwdMustChange=true in the ppolicy and add pwdReset=true to the user.

The user will be able to bind successfully but will get a prompt: "Password must be changed".
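Rendered as LDIF, the setup Solution 3 describes (an added example, not part of the answer): a policy entry with pwdMustChange plus the lockout and expiration settings the question mentions, the overlay pointed at that entry, and an administrator's reset of one user. The DNs, the olcDatabase index, the durations and the temporary password are placeholders.

```ldif
# Added example, not from the answer. DNs, database index and values
# are placeholders; adjust them to the directory being configured.

# 1. Default password policy. pwdPolicy is AUXILIARY, so a structural
#    class (device) carries the entry. pwdMustChange makes a user entry
#    flagged pwdReset=TRUE bind successfully but only be allowed to
#    change its password. pwdMaxAge is the ordinary expiration (90 days
#    here); pwdLockoutDuration 0 keeps a locked account locked until an
#    administrator clears it, as the question describes.
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMustChange: TRUE
pwdMaxAge: 7776000
pwdLockout: TRUE
pwdMaxFailure: 5
pwdLockoutDuration: 0

# 2. Make that entry the overlay's default policy (cn=config style;
#    the {1}mdb index is assumed, check with a search of cn=config).
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcPPolicyDefault
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com

# 3. Administrator resets a user's password and flags it as temporary.
#    pwdReset is an operational attribute; request it explicitly
#    (ldapsearch ... '+') when verifying that it was set.
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: TEMPORARY-PLACEHOLDER
-
replace: pwdReset
pwdReset: TRUE
```

Apply each section with ldapmodify using an identity allowed to write the target entries; the first two need cn=config / rootdn privileges.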

Updated on September 17, 2022

Comments

  • jsight
    jsight over 1 year

    I have configured the ppolicy overlay for OpenLDAP to enable password policies. These things work:

    • Password lockouts on too many failed attempts
    • Password Change required once pwdReset=TRUE added to user entry
    • Password Expirations

    If the account is locked out due to intrusion attempts (too many bad passwords) or time (expiration time hit), the account must be reset by an administrator.

    However, when the administrator sets pwdReset=TRUE in the profile, this seems to also override the expiration policy. So, the password that the administrator sent out (which should be a temporary password) ends up being valid permanently.

    Is there a way in OpenLDAP to have a password that must be changed, but also MUST expire?

  • jsight
    jsight over 13 years
    No, I am saying that the temporary password should only be valid for 24-48 hours (i.e., it should expire if the user it was sent to doesn't log in shortly after receiving it). I don't see a way to enforce this with ppolicy, though.