CentOS OpenLDAP pwdReset Attribute

Th1am1dMonozoicK4runa Th1am1dMonozoicK4runa at protonmail.com
Mon Oct 25 19:41:22 CEST 2021

Current Setup:
CentOS Steam 8
FreeRADIUS 3.0.20
OpenLDAP 2.5.5

FreeRADIUS ignores pwdReset attribute, because it only needs the initial OpenLDAP bind to be successful.

If there are any users on the list with the above config, how do you get around the issue of password resets, specifically having the pwdReset attribute set? Our users primarily use RADIUS for network device authentication, but then we also have a few web apps that only work with LDAP. So, we pointed FreeRADIUS at OpenLDAP, and use LDAP's password policy to adhere to company security policies. Seems like this would be a common config, and everything generally works great. The only main issue is when it comes time to reset a user's password. We have the pwdMustChange option set to TRUE, and when an admin resets a user's password (from out lockout or forgotten) the pwdReset attribute shows up as expected and is set to TRUE. Since FreeRADIUS only cares about a simple BIND to OpenLDAP, the end user can continue to use the given (temp) password, because the initial BIND works as expected. FreeRADIUS doesn't care about the pwdReset attribute, so just lets the user login to the network device.

In the documentation, right above the "Auth-Type LDAP" section, I noticed the lines "We do NOT recommend using this". So I'm curious what is the recommended best practice for situations that require both LDAP and RADIUS authentication for their various apps and devices?

Thank you for your time,

More information about the Freeradius-Users mailing list