directory-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Emmanuel Lécharny <>
Subject Re: pwdMustChange not working
Date Mon, 09 Mar 2015 21:11:10 GMT
Le 08/03/15 05:33, brock samson a écrit :
> Carlo,
> you are correct. pwdSafeModify value was TRUE. so after resetting it back to FALSE and
restarting, everything is working as you described in your last post, thank you!
> however, the question remains to everyone else about pwdSafeModify attribute's value
being TRUE and an admin changing some user's password via apache studio. as i stated in previous
post, such action results in an error where apache studio asks for user's original password.
my question is how to disclose this original password in apache studio?

I strongly suspect that the implemented logic is that it's seen as a
Modify, thus it expect to have the old value - to delete it - and the
new one ) to replace it.

The thing is that a user may have more than one password, and on a
modify operation, changing only one of the passwords will require to
know whci of the passwords have to be removed (the old one).

Now, considering the passwordPolicy implementation, this makes no sense
: we should only have one single password for a user for the PP to be
able to manage correctly the password, thus requiring the old password
is nonsensical.

This is something that need to be fixed.

There is also one other thing that I don't like in the way the PP is
handled : one should never have to enter the pwdPolicySubEntry attribute
in an entry. But this is another problem that requires a full redesign
off the PP implementation. Something we must discuss, it's not a simple

View raw message