• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1699
  • Last Modified:

OpenLDAP set password to expire

I am setting up LDAP for my webservers.  I would like to be able to set a users password to expire when I change it so that when the user log in for the first time they are required to change their password.  Basically like you can do in active directory.  How can I do this?  Also, can I do this using the phpLDAPadmin or do i need to do it with the CLI?
0
kurtcostello
Asked:
kurtcostello
  • 2
2 Solutions
 
gheistCommented:
Since Active Directory is a LDAP server too why dont you use it? Please define "like in active directory"....
I doubt there will be something like apache MMC.EXE and OpenLDAP Sites And Users addon...
0
 
serialbandCommented:
From http://www.openldap.org/lists/openldap-software/200609/msg00021.html
This is what the ppolicy pwdMaxAge policy setting is for.

From http://www.openldap.org/lists/openldap-software/200904/msg00077.html



    pwdAccountLockedTime

    This attribute contains the time that the user's account was locked. If the account has been locked, the password may no longer be used to authenticate the user to the directory. If pwdAccountLockedTime is set to 000001010000Z, the user's account has been permanently locked and may only be unlocked by an administrator. Note that account locking only takes effect when the pwdLockout password policy attribute is set to "TRUE".
0
 
jlevieCommented:
I don't remember there being a "must change on next login" flag in the LDAP schema. You could of course add one the the schema. Or you could simply set the change date to be in the past (as if the password lifetime had expired. But in either case it will be up to the application to check the flag for for an expired password. LDAP (like AD) is simply a data store and has nothing directly to do with authentication, password life, lockout, or expiration.
0
 
gheistCommented:
it is here : http://www.openldap.org/doc/admin24/overlays.html
12.10

Just that it does not claim to be "like active directory" by any means.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now