DxPwdMustChange is an implementation of the Password MUST Change condition.
Note: You can use this command only if the client is an LDAP client that uses the Draft-behera-ldap-password-policy PasswordPolicyRequest supported control.
When set password-force-change is set to true, any bind by a new user or by a user with a reset password is checked to see whether it includes the PasswordPolicyRequest control. This control is required so that the DSA can return the password-force-change control to the client.
DAP binds do not support the Draft-behera-ldap-password-policy controls, which means that a user cannot bind to a DSA if set password-force-change is set to true and the password has been reset or the user's entry has just been created.
CA Directory uses the operational attribute DxPwdMustChange to force password changes.
This command has the following format:
set password-force-change = true | false;