Solved

OpenLDAP set password to expire

Posted on 2014-04-24
7
1,020 Views
Last Modified: 2016-05-21
I am setting up LDAP for my webservers.  I would like to be able to set a users password to expire when I change it so that when the user log in for the first time they are required to change their password.  Basically like you can do in active directory.  How can I do this?  Also, can I do this using the phpLDAPadmin or do i need to do it with the CLI?
0
Comment
Question by:kurtcostello
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
7 Comments
 
LVL 62

Expert Comment

by:gheist
ID: 40021885
Since Active Directory is a LDAP server too why dont you use it? Please define "like in active directory"....
I doubt there will be something like apache MMC.EXE and OpenLDAP Sites And Users addon...
0
 
LVL 30

Accepted Solution

by:
serialband earned 250 total points
ID: 40023509
From http://www.openldap.org/lists/openldap-software/200609/msg00021.html
This is what the ppolicy pwdMaxAge policy setting is for.

From http://www.openldap.org/lists/openldap-software/200904/msg00077.html



    pwdAccountLockedTime

    This attribute contains the time that the user's account was locked. If the account has been locked, the password may no longer be used to authenticate the user to the directory. If pwdAccountLockedTime is set to 000001010000Z, the user's account has been permanently locked and may only be unlocked by an administrator. Note that account locking only takes effect when the pwdLockout password policy attribute is set to "TRUE".
0
 
LVL 40

Expert Comment

by:jlevie
ID: 40023599
I don't remember there being a "must change on next login" flag in the LDAP schema. You could of course add one the the schema. Or you could simply set the change date to be in the past (as if the password lifetime had expired. But in either case it will be up to the application to check the flag for for an expired password. LDAP (like AD) is simply a data store and has nothing directly to do with authentication, password life, lockout, or expiration.
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 250 total points
ID: 40024227
it is here : http://www.openldap.org/doc/admin24/overlays.html
12.10

Just that it does not claim to be "like active directory" by any means.
0

Featured Post

Want Experts Exchange at your fingertips?

With Experts Exchange’s latest app release, you can now experience our most recent features, updates, and the same community interface while on-the-go. Download our latest app release at the Android or Apple stores today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
3 proven steps to speed up Magento powered sites. The article focus is on optimizing time to first byte (TTFB), full page caching and configuring server for optimal performance.
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question