Reset Passwords of LDAP-Users at the first login

ldif openldap password-reset

I have an LDAP installation running on a CentOS 7 system.

I want to create a large number of users. Those users will get a default password, so I want them to change the password at the first login (only the first).

Is there an option I could set in an LDIF file to enable this functionality? (Just on the first login, not every time they log in.)

Thanks in advance

Edit:
Also, sorry if I'm asking this bluntly, but what is an overlay insert in this case, and what is it needed for? I inserted the ppolicy schema via sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif
and created a passwordpolicy.ldif.

Edit2:

So I tried the solution mentioned here, but it seems something went wrong; it is just ignoring my command. I added the ppolicy schema:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif

Afterwards I activated the module by adding the following LDIF:

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: ppolicy.la

Then I created an overlay as found in some guides:

# Attach the ppolicy overlay to the data database and point it at the
# default policy entry. This is the cn=config (slapd.d) form, which is what
# slapd on CentOS 7 reads; "overlay ppolicy" / "ppolicy_default" are the
# slapd.conf equivalents. olcDatabase={2}hdb is the CentOS 7 default
# database DN; verify it with:
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcSuffix
dn: olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=Policies,dc=example,dc=com

Afterwards I added the actual policy:

# Creates a Policies OU (Organizational Unit)
dn: ou=Policies,dc=example,dc=com
objectClass: organizationalUnit
ou: Policies

# Creates a Policy object in the Policies OU. Entries in one LDIF file
# must be separated by a blank line, otherwise ldapadd treats the second
# "dn:" as an attribute of the first entry and rejects the file.
dn: cn=default,ou=Policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
# 2.5.4.35 is the OID of userPassword
pwdAttribute: 2.5.4.35
pwdMaxAge: 3888000
pwdExpireWarning: 604800
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
#pwdSafeModify: FALSE

Then I tried to add a user with the following attribute (user.ldif):

dn: uid=pwresettest,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: pwresettest
sn: andsoon
userPassword: passwort
loginShell: /bin/bash
uidNumber: 1005
gidNumber: 1005
homeDirectory: /home/pwresettest
# pwdReset is an operational attribute defined by the ppolicy schema
pwdReset: TRUE

But when I log in with this user, there is no prompt to reset the password.

Did I do something wrong?

Thanks in advance for your answers.

most sincerely

Twinhand

Best Answer

I assume your server is OpenLDAP.

If you deploy ppolicy, you get the option to force a password change at first logon through the combination of pwdMustChange in the policy plus pwdReset on the entry.

The upside is that you are going to deploy something you will need in the future anyway: password expiry, forced password quality checks and so on.

The downside is that the ppolicy setup requires a schema insert, an overlay insert and a policy setup (a special entry to store your configuration).

The other problem is that while ppolicy is a general solution, since it lives in the directory itself, you may run into trouble getting it to interoperate with your client tools.
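The three pieces the answer lists (schema, overlay, policy entry) plus the pwdMustChange/pwdReset pairing, put together as one runnable procedure for a cn=config (slapd.d) OpenLDAP 2.4 server such as the CentOS 7 install in the question. This is an added example, not code from the asker or the answerer. It assumes the default CentOS 7 database DN olcDatabase={2}hdb,cn=config, the suffix dc=example,dc=com, an admin identity cn=Manager,dc=example,dc=com with its password in ADMIN_PW, and the module path /usr/lib64/openldap; adjust these to your directory. The user is created without a password and the password is then set by the admin, so that the overlay itself records pwdReset: TRUE (the behaviour slapo-ppolicy documents for pwdMustChange) instead of the entry carrying a hand-written operational attribute.

```shell
#!/bin/bash
# Added example: ppolicy "change password at first login" on OpenLDAP 2.4
# with cn=config. All DNs, paths and passwords below are assumptions.
set -eu

LDAPI_URI="ldapi:///"
SUFFIX="dc=example,dc=com"
DB_DN="olcDatabase={2}hdb,cn=config"      # assumed CentOS 7 default database
ADMIN_DN="cn=Manager,${SUFFIX}"           # assumed rootdn of that database
ADMIN_PW="${ADMIN_PW:-secret}"            # assumed; pass via environment
INITIAL_PW="${INITIAL_PW:-ChangeMe-1234}" # default password handed to new users
MODULE_PATH="/usr/lib64/openldap"
USER_DN="uid=pwresettest,ou=People,${SUFFIX}"

# Write the LDIF files into directory $1; nothing is sent to slapd here.
write_ldifs() {
  local dir="$1"
  mkdir -p "$dir"
  # 1. Load the module (ppolicy.ldif schema must already be imported).
  cat >"$dir/10-module.ldif" <<EOF
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: ${MODULE_PATH}
olcModuleLoad: ppolicy.la
EOF
  # 2. Attach the overlay to the database and name the default policy.
  #    HashCleartext makes slapd hash passwords that arrive in the clear.
  cat >"$dir/20-overlay.ldif" <<EOF
dn: olcOverlay=ppolicy,${DB_DN}
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=Policies,${SUFFIX}
olcPPolicyHashCleartext: TRUE
EOF
  # 3. The policy: two entries separated by a blank line. pwdMustChange
  #    is what turns an admin-set password into a "reset" one.
  cat >"$dir/30-policy.ldif" <<EOF
dn: ou=Policies,${SUFFIX}
objectClass: organizationalUnit
ou: Policies

dn: cn=default,ou=Policies,${SUFFIX}
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMinLength: 8
pwdCheckQuality: 1
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
EOF
  # 4. The user, deliberately without userPassword (set by the admin below).
  cat >"$dir/40-user.ldif" <<EOF
dn: ${USER_DN}
objectClass: inetOrgPerson
objectClass: posixAccount
cn: pwresettest
sn: andsoon
uidNumber: 1005
gidNumber: 1005
homeDirectory: /home/pwresettest
loginShell: /bin/bash
EOF
}

# Load everything into a running slapd (run once, as root, on the server).
apply_ldifs() {
  local dir="$1"
  ldapadd -Y EXTERNAL -H "$LDAPI_URI" -f /etc/openldap/schema/ppolicy.ldif
  ldapadd -Y EXTERNAL -H "$LDAPI_URI" -f "$dir/10-module.ldif"
  ldapadd -Y EXTERNAL -H "$LDAPI_URI" -f "$dir/20-overlay.ldif"
  ldapadd -x -H "$LDAPI_URI" -D "$ADMIN_DN" -w "$ADMIN_PW" -f "$dir/30-policy.ldif"
  ldapadd -x -H "$LDAPI_URI" -D "$ADMIN_DN" -w "$ADMIN_PW" -f "$dir/40-user.ldif"
  # Password set by an identity other than the entry itself => pwdReset: TRUE.
  ldappasswd -x -H "$LDAPI_URI" -D "$ADMIN_DN" -w "$ADMIN_PW" -s "$INITIAL_PW" "$USER_DN"
}

# The bind only reports the reset to clients that send the ppolicy request
# control (-e ppolicy); expect "Password must be changed" in the bind result.
verify_reset() {
  ldapwhoami -x -H "$LDAPI_URI" -e ppolicy -D "$USER_DN" -w "$INITIAL_PW" || true
  # pwdReset is operational, so it has to be requested by name.
  ldapsearch -x -H "$LDAPI_URI" -LLL -D "$ADMIN_DN" -w "$ADMIN_PW" -b "$USER_DN" pwdReset
}

case "${1:-}" in
  apply)  tmp=$(mktemp -d); write_ldifs "$tmp"; apply_ldifs "$tmp" ;;
  verify) verify_reset ;;
  *)      ;;  # no argument: only define the functions (e.g. when sourced)
esac
```

After `verify`, the user clears the flag themselves with `ldappasswd -x -H ldapi:/// -D "$USER_DN" -w "$INITIAL_PW" -s 'NewPassw0rd'`: the Password Modify operation is one of the few allowed while pwdReset is set, and a self-change removes the attribute. Whether an interactive login prompts for the change is the client-side question the answer raises: the server only signals the reset through the ppolicy response control, so a PAM stack (sssd or pam_ldap) shows a prompt only if it sends and honours that control.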