Why isn’t pwdReset automatically set when pwdMustChange is true

openldap password-policy

Every other directory server, i.e. Oracle's, will automatically set pwdReset to TRUE if pwdMustChange is defined in the policy:

When a user's password is changed by another user, such as a password administrator, pwdReset is set to TRUE.

On the other hand, OpenLDAP doesn't, despite the documentation:

5.2.13 pwdMustChange

This attribute specifies with a value of "TRUE" that users must
change their passwords when they first bind to the directory after a
password is set or reset by a password administrator. If this
attribute is not present, or if the value is "FALSE", users are not
required to change their password upon binding after the password
administrator sets or resets the password. This attribute is not set
due to any actions specified by this document, it is typically set by
a password administrator after resetting a user's password.

As I understand it, this should be enforced i.e. by the ppolicy overlay. I understand the how, what I don't understand is the why. Is there a specific reason OpenLDAP is like this?

Best Answer

OpenLDAP doesn't because of the documentation. The OpenLDAP documentation you quoted explicitly states that it isn't automatic and must be set by an administrator:

This attribute is not set due to any actions specified by this document, it is typically set by a password administrator after resetting a user's password.
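Since OpenLDAP leaves pwdReset to the administrator, the reset has to carry the flag itself. The LDIF below is an added example for ldapmodify, not from the question or the answer: it creates a policy with pwdMustChange, attaches it to a user, and then resets that user's password while setting pwdReset TRUE in the same operation. The DNs, policy name and temporary password are assumed placeholders.

```ldif
# Added example; DNs, policy name and password are constructed placeholders.
# 1. A ppolicy subentry that requires a change after an administrative reset.
#    pwdPolicy is AUXILIARY, so the structural class device carries the cn.
dn: cn=reset-policy,ou=policies,dc=example,dc=com
changetype: add
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: reset-policy
pwdAttribute: userPassword
pwdMustChange: TRUE
pwdMinLength: 12

# 2. Attach the policy to the user (alternatively make it the overlay's
#    default policy in the ppolicy configuration).
dn: uid=alice,ou=people,dc=example,dc=com
changetype: modify
replace: pwdPolicySubentry
pwdPolicySubentry: cn=reset-policy,ou=policies,dc=example,dc=com

# 3. The administrative reset. pwdReset is written explicitly alongside the
#    new password, because the overlay will not set it on its own; with it
#    set, the user's next bind is limited to changing the password.
dn: uid=alice,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: Temp-Change-Me-2024
-
replace: pwdReset
pwdReset: TRUE
```

Apply it as an identity other than the user, e.g. `ldapmodify -x -D cn=admin,dc=example,dc=com -W -f reset.ldif`; once alice binds and changes her own password, the ppolicy overlay removes pwdReset from her entry.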