CentOS OpenLDAP pwdReset Attribute
Michael Ströder
michael at stroeder.com
Tue Oct 26 18:23:04 CEST 2021
On 10/26/21 17:35, Th1am1dMonozoicK4runa via Freeradius-Users wrote:
> For any future reader out there, as Alan suggested, this works
> perfectly fine. Hopefully it will help someone else:
>
> sudo vim /etc/raddb/dictionary
> ATTRIBUTE Password-Reset 3000 string
>
> sudo vim /etc/raddb/mods-available/ldap
> update {
>     control:Password-Reset += 'pwdReset'
> }
>
> sudo vim /etc/raddb/sites-available/default
> post-auth {
>     if (control:Password-Reset == "TRUE") {
>         update reply {
>             &Reply-Message := "Your password has been reset. You must change your password."
>         }
>         reject
>     }
> }
IMHO it's unlikely that this message will ever be presented to the end user.
So personally I'd just adjust the filter for searching users and add
(!(pwdReset=TRUE))
YMMV.
Ciao, Michael.
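
The filter change suggested in the reply above, written out as an added configuration example that is not part of the original thread. It assumes the stock uid-based user filter and `base_dn` reference in `/etc/raddb/mods-available/ldap`; adapt the uid clause to whatever filter is already in use.

```conf
# /etc/raddb/mods-available/ldap (excerpt, illustrative)
ldap {
    user {
        base_dn = "${..base_dn}"

        # Assumed existing filter: matches the account whether or not
        # pwdReset is set on the entry.
        # filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

        # Same filter with (!(pwdReset=TRUE)) ANDed in. An entry whose
        # pwdReset is TRUE no longer matches the user search, so the
        # module treats the user as not found instead of authorizing it.
        filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(!(pwdReset=TRUE)))"
    }
}
```

Entries that carry no pwdReset attribute still match, because the equality test is false for them and the negation makes the clause true. The server must know the pwdReset attribute type (the ppolicy schema) for the clause to evaluate; an unrecognised attribute makes the negated clause undefined and the search matches nobody.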