CentOS OpenLDAP pwdReset Attribute

Th1am1dMonozoicK4runa Th1am1dMonozoicK4runa at protonmail.com
Tue Oct 26 17:35:54 CEST 2021

On Tuesday, October 26th, 2021 at 8:56 AM, Alan DeKok <aland at deployingradius.com> wrote:

> You can always run an LDAP query manually via "unlang" to check the status of the pwdReset field.

For any future reader out there, as Alan suggested, this works perfectly fine. Hopefully it will help someone else:

sudo vim /etc/raddb/dictionary
ATTRIBUTE Password-Reset 3000 string

sudo vim /etc/raddb/mods-available/ldap
  control:Password-Reset  += 'pwdReset'

sudo vim /etc/raddb/sites-available/default
post-auth {
    if (control:Password-Reset == "TRUE") {
        update reply {
            &Reply-Message := "Your password has been reset. You must change your password."


More information about the Freeradius-Users mailing list