Thursday, February 3, 2011

OpenLDAP Password Expiration with pwdReset=TRUE?

I have configured the ppolicy overlay for OpenLDAP to enable password policies. These things work:

  • Password lockouts on too many failed attempts
  • Password Change required once pwdReset=TRUE added to user entry
  • Password Expirations

If the account is locked out due to intrusion attempts (too many bad passwords) or time (expiration time hit), the account must be reset by an administrator.

However, when the administrator sets pwdReset=TRUE in the profile, this seems to also override the expiration policy. So, the password that the administrator sent out (which should be a temporary password) ends up being valid permanently.

Is there a way in OpenLDAP to have a password that must be changed, but also MUST expire?

  • I don't see why a temporary password should expire? If the user never logs in then it shouldn't expire because the user needs to select the new one so he/she knows it.

    According to this, on the first access of a record by a user, the user will have to change it on first authentication: http://linux.die.net/man/5/slapo-ppolicy

    Are you saying the user can ignore changing it when he first logs back in?

    jsight: No, I am saying that the temporary password should only be valid for 24-48 hours (i.e., it should expire if the user it was sent to doesn't log in shortly after receiving it). I don't see a way to enforce this with ppolicy, though.
    From PHGamer
  • It looks like you may need to add pwdMustChange:TRUE to force a change on next login. Pre-expiring the password, and disabling grace logins may also be required.

    Disabling grace logins will cause problems for users who let their password expire, so you might want to increase the password expiry warning time.

    From BillThor
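To make the suggestions above concrete, here is an added example (not from the question or the answers) of a ppolicy policy entry that forces a change after an administrative reset and leaves no grace binds once a password has expired, followed by the modify an administrator would send to issue a temporary password. The DNs, the suffix dc=example,dc=com, the user uid=jdoe, the `device` structural class used to hold the auxiliary pwdPolicy class, and all numeric values are assumptions for illustration; the temporary password is a placeholder.

```ldif
# Policy entry: referenced from user entries via pwdPolicySubentry,
# or used as the overlay's default policy (olcPPolicyDefault).
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
# Passwords live at most 90 days (value is in seconds).
pwdMaxAge: 7776000
# Start warning 14 days before expiry, so users are not surprised
# when grace logins are disabled below.
pwdExpireWarning: 1209600
# No grace binds: an expired password cannot be used to log in at all,
# so an administrator must reset it (the behaviour the question describes).
pwdGraceAuthNLimit: 0
# After an administrator resets the password, the user may only change
# the password until they have done so.
pwdMustChange: TRUE
# Lock out after 5 consecutive failures; 0 means locked until reset.
pwdLockout: TRUE
pwdMaxFailure: 5
pwdLockoutDuration: 0

# Administrative reset of one user: set a temporary password and flag
# the entry so the user is forced to change it on the next bind.
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: TEMP-PASSWORD-PLACEHOLDER
-
replace: pwdReset
pwdReset: TRUE
```

With this policy in place, pwdReset: TRUE restricts the user to a password change, but the expiry clock still starts from the reset, because the overlay records a fresh pwdChangedTime when userPassword is replaced. The "pre-expiring" BillThor mentions therefore amounts to backdating pwdChangedTime on the user entry so the temporary password expires within the window the questioner wants; pwdChangedTime is an operational attribute, so in my reading that needs the relax rules control (ldapmodify -e relax) and server-side permission to use it, and it should be tested against your own slapd before relying on it.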
