Solved

OpenLDAP set password to expire

Posted on 2014-04-24
7
431 Views
Last Modified: 2016-05-21
I am setting up LDAP for my webservers.  I would like to be able to set a users password to expire when I change it so that when the user log in for the first time they are required to change their password.  Basically like you can do in active directory.  How can I do this?  Also, can I do this using the phpLDAPadmin or do i need to do it with the CLI?
0
Comment
Question by:kurtcostello
  • 2
7 Comments
 
LVL 61

Expert Comment

by:gheist
Comment Utility
Since Active Directory is a LDAP server too why dont you use it? Please define "like in active directory"....
I doubt there will be something like apache MMC.EXE and OpenLDAP Sites And Users addon...
0
 
LVL 27

Accepted Solution

by:
serialband earned 250 total points
Comment Utility
From http://www.openldap.org/lists/openldap-software/200609/msg00021.html
This is what the ppolicy pwdMaxAge policy setting is for.

From http://www.openldap.org/lists/openldap-software/200904/msg00077.html



    pwdAccountLockedTime

    This attribute contains the time that the user's account was locked. If the account has been locked, the password may no longer be used to authenticate the user to the directory. If pwdAccountLockedTime is set to 000001010000Z, the user's account has been permanently locked and may only be unlocked by an administrator. Note that account locking only takes effect when the pwdLockout password policy attribute is set to "TRUE".
0
 
LVL 40

Expert Comment

by:jlevie
Comment Utility
I don't remember there being a "must change on next login" flag in the LDAP schema. You could of course add one the the schema. Or you could simply set the change date to be in the past (as if the password lifetime had expired. But in either case it will be up to the application to check the flag for for an expired password. LDAP (like AD) is simply a data store and has nothing directly to do with authentication, password life, lockout, or expiration.
0
 
LVL 61

Assisted Solution

by:gheist
gheist earned 250 total points
Comment Utility
it is here : http://www.openldap.org/doc/admin24/overlays.html
12.10

Just that it does not claim to be "like active directory" by any means.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

One of the typical problems I have experienced is when you have to move a web server from one hosting site to another. You normally prepare all on the new host, transfer the site, change DNS and cross your fingers hoping all will be ok on new server…
These days socially coordinated efforts have turned into a critical requirement for enterprises.
The viewer will learn how to dynamically set the form action using jQuery.
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now