openLDAP pwdReset pwdMustChange

Lipscomb, Gary glipscomb at
Wed Aug 24 04:34:10 UTC 2022

Thanks Dan,

We already have that set and password expiration works. We get a warning displayed from 10 days prior to password expiration.
It’s just that adding the additional pwdReset and pwdMustChange doesn’t do anything using SSO but works with the ldapsearch CLI.



Gary Lipscomb
Technical Officer, Systems
IT Infrastructure & Security | Division of Information Technology

From: users <users-bounces at> On Behalf Of Daniel Fisher via users
Sent: Wednesday, 24 August 2022 11:52
To: Shib Users <users at>
Cc: Daniel Fisher <dfisher at>
Subject: Re: openLDAP pwdReset pwdMustChange

On Tue, Aug 23, 2022 at 1:31 AM Lipscomb, Gary via users <users at> wrote:
Has anyone done this?

It appears you're attempting to use<> for your password policy implementation.

  * idp.authn.LDAP.usePasswordPolicy = true

This is the property you want set to true to enable this feature.

  * idp.authn.LDAP.usePasswordExpiration = true

This property enables a different type of password policy implementation (<>).
Set it to false.

Assuming you've configured the ppolicy overlay correctly in OpenLDAP....
Your IDP should signal a warning type of AuthnEventIds.ACCOUNT_WARNING when a password warning is returned from an LDAP authentication. And an error type of AuthnEventIds.ACCOUNT_ERROR when a password error is returned.

--Daniel Fisher

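The OpenLDAP side of what Dan describes, as an added example that is not from this thread and not from the Shibboleth or OpenLDAP projects: the ppolicy overlay pointed at a default policy entry with pwdMustChange set, and an administrative password reset that makes the overlay flag the user entry with pwdReset. The IdP-side settings that go with it are the two from Dan's reply, idp.authn.LDAP.usePasswordPolicy = true and idp.authn.LDAP.usePasswordExpiration = false. The database DN olcDatabase={1}mdb, the suffix dc=example,dc=com, the policy DN cn=default,ou=policies,dc=example,dc=com, the user uid=jdoe and the temporary password are all assumptions; the example also assumes the ppolicy module (and on OpenLDAP 2.4 its schema) is already loaded in cn=config.

```ldif
# Added example, not code from the thread. Assumes OpenLDAP with the ppolicy
# module already loaded and olcDatabase={1}mdb serving dc=example,dc=com.
# Apply the cn=config record with
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f ppolicy.ldif
# and the dc=example,dc=com records as the directory administrator.

# 1. Overlay on the data database, pointing at a default policy entry.
#    olcPPolicyHashCleartext makes the server hash a password that arrives
#    in clear text, so an admin reset done with ldapmodify is not stored
#    verbatim.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
olcPPolicyHashCleartext: TRUE

# 2. Container and default policy. pwdMaxAge (90 days) and pwdExpireWarning
#    (10 days) give the expiry-with-warning behaviour the thread already has
#    working; pwdMustChange: TRUE is the setting that makes an administrative
#    reset force a password change at the user's next bind.
dn: ou=policies,dc=example,dc=com
changetype: add
objectClass: organizationalUnit
ou: policies

dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
pwdMaxAge: 7776000
pwdExpireWarning: 864000
pwdGraceAuthNLimit: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
pwdLockout: TRUE
pwdMaxFailure: 5
pwdLockoutDuration: 900
pwdFailureCountInterval: 900
pwdCheckQuality: 1
pwdMinLength: 12
pwdInHistory: 5

# 3. Administrative reset of a user's password (uid=jdoe and the value are
#    placeholders). Because the identity performing this modify is not the
#    user and pwdMustChange is TRUE, the overlay records the operational
#    attribute pwdReset: TRUE on the entry. The user's next bind then
#    succeeds, but the ppolicy response control carries the changeAfterReset
#    error, which is on the error side of the warning/error split Dan
#    describes for the IdP.
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: Temp-Reset-Change-Me
```

To confirm the directory side independently of the IdP: `ldapsearch -x -D cn=admin,dc=example,dc=com -W -b dc=example,dc=com '(uid=jdoe)' pwdReset pwdChangedTime` should show pwdReset: TRUE (it is operational, so it must be named explicitly or requested with `+`), and `ldapwhoami -x -e ppolicy -D uid=jdoe,ou=people,dc=example,dc=com -W` should bind successfully but print the client's change-after-reset policy message. Note that the CLI only sees that state because `-e ppolicy` asks the server for the password policy control on the bind; the IdP's equivalent of that flag is idp.authn.LDAP.usePasswordPolicy, so a directory that reports the state to ldapwhoami but not to SSO points at that property (or at usePasswordExpiration still being true) rather than at the overlay.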
