Solved

OpenLDAP set password to expire

Posted on 2014-04-24
7
780 Views
Last Modified: 2016-05-21
I am setting up LDAP for my webservers.  I would like to be able to set a users password to expire when I change it so that when the user log in for the first time they are required to change their password.  Basically like you can do in active directory.  How can I do this?  Also, can I do this using the phpLDAPadmin or do i need to do it with the CLI?
0
Comment
Question by:kurtcostello
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
7 Comments
 
LVL 62

Expert Comment

by:gheist
ID: 40021885
Since Active Directory is a LDAP server too why dont you use it? Please define "like in active directory"....
I doubt there will be something like apache MMC.EXE and OpenLDAP Sites And Users addon...
0
 
LVL 29

Accepted Solution

by:
serialband earned 250 total points
ID: 40023509
From http://www.openldap.org/lists/openldap-software/200609/msg00021.html
This is what the ppolicy pwdMaxAge policy setting is for.

From http://www.openldap.org/lists/openldap-software/200904/msg00077.html



    pwdAccountLockedTime

    This attribute contains the time that the user's account was locked. If the account has been locked, the password may no longer be used to authenticate the user to the directory. If pwdAccountLockedTime is set to 000001010000Z, the user's account has been permanently locked and may only be unlocked by an administrator. Note that account locking only takes effect when the pwdLockout password policy attribute is set to "TRUE".
0
 
LVL 40

Expert Comment

by:jlevie
ID: 40023599
I don't remember there being a "must change on next login" flag in the LDAP schema. You could of course add one the the schema. Or you could simply set the change date to be in the past (as if the password lifetime had expired. But in either case it will be up to the application to check the flag for for an expired password. LDAP (like AD) is simply a data store and has nothing directly to do with authentication, password life, lockout, or expiration.
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 250 total points
ID: 40024227
it is here : http://www.openldap.org/doc/admin24/overlays.html
12.10

Just that it does not claim to be "like active directory" by any means.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo‚Ķ
This article discusses how to implement server side field validation and display customized error messages to the client.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question