We installed the ppolicy overlay on our LDAP server. Password policies work correctly for locking out a user after X incorrect password attempts, but we can't force a user to change his password.
When we set the pwdReset=TRUE attribute for a user, the user can log in as usual from an Ubuntu client machine.
The LDAP server and client were set up according to the Ubuntu howto: https://help.ubuntu.com/12.10/serverguide/openldap-server.html
The client machine uses pam_ldap.
The configuration file /etc/ldap.conf has the "pam_lookup_policy yes" line.
But the pwdReset attribute is ignored.
According to what I read on the internet, pam_ldap should honor ppolicy and require the user to change his password when pwdReset is set. But it doesn't work for us.
How can I make the Ubuntu client honor the pwdReset attribute?
Maybe I can turn on debug logging for pam_ldap? But I can't find how to do it.
Best Answer
You must make sure that pwdMustChange is set to TRUE on the user's effective password policy. See the slapo-ppolicy manpage for more information.
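As an added illustration of the answer (not from the original post; the DNs, the policy name and the user are assumptions), a minimal LDIF that creates a policy with pwdMustChange enabled next to the lockout settings the question already has working, then attaches that policy to a user and flags the account for a mandatory change:

```ldif
# Constructed example. Requires the ppolicy overlay and schema to be loaded
# already, as in the question. DNs and values are assumptions.
dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: applicationProcess
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
# Lockout after 5 failed binds, released after 15 minutes (already working
# for the asker; shown here so the policy entry is complete).
pwdLockout: TRUE
pwdMaxFailure: 5
pwdLockoutDuration: 900
# The setting the answer refers to: without it the overlay never enforces
# a change when pwdReset is TRUE, so clients see an ordinary successful bind.
pwdMustChange: TRUE

# Make this the user's effective policy (alternatively set olcPPolicyDefault
# on the overlay so it applies to everyone) and mark the account as reset.
dn: uid=alice,ou=people,dc=example,dc=com
changetype: modify
replace: pwdPolicySubentry
pwdPolicySubentry: cn=default,ou=policies,dc=example,dc=com
-
replace: pwdReset
pwdReset: TRUE
```

Apply it as the directory admin with `ldapmodify -x -D cn=admin,dc=example,dc=com -W -H ldapi:/// -f policy.ldif`, then confirm with `ldapsearch -x -D cn=admin,dc=example,dc=com -W -b uid=alice,ou=people,dc=example,dc=com '+'` that pwdPolicySubentry and pwdReset are present (they are operational attributes, so `+` is needed to show them).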