Active Directory (LDAP) force password change at next login



by sruckh


I have set up pam_ldap for authentication against Active Directory on a
Win2k3 R2 server.

When I select "User must change password at next login" within Active
Directory and then try logging on from a Linux Console the following text
is displayed.

login as: aduser
aduser@...'s password:
Warning: password has expired.
Last login: Thu Aug 17 15:55:48 2006 from host01.example.com
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user aduser.
Enter login(LDAP) password:
LDAP Password incorrect: try again

Although I am entering the current password for the user correctly, I am
given the error: LDAP Password incorrect: try again.

In the /var/log/messages is this message:

pam_ldap: error trying to bind as user "<full DN of user listed above>"
(Invalid credentials)

The credentials are correct.  I have tried many times.

I can run `ldapsearch', setting the -D parameter to the DN listed in the
error above, and query the LDAP server.  I am assuming that I can "bind"
as that user because the LDAP query is successful.

If the Active Directory restriction, "User must change password at next
login", is removed, the user can log in with no problems.  Also, with the
restriction removed, the user can issue the passwd command to change
the password, and this works successfully.

How can I force users to reset passwords at first logon?

Thank You.
Scott
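Added example (not part of Scott's post): when Active Directory rejects a simple bind it reports LDAP result 49 ("Invalid credentials") to the client, which is all pam_ldap logs, but the server's diagnostic message carries a hex sub-code after the word "data" that says why the bind failed. The code below decodes that sub-code, so a "wrong password" (52e) can be told apart from "user must change password at next logon" (773), and also checks the pwdLastSet attribute that the AD checkbox sets to 0. The sub-code table is Microsoft's documented AcceptSecurityContext sub-codes; the diagnostic strings and attribute dictionary are constructed sample input, not data captured from the poster's server.

```python
import re
from typing import Dict, List, Tuple

# Sub-codes Active Directory appends to an LDAP bind failure (result 49,
# "Invalid credentials") as "data NNN" in the diagnostic message.  Only the
# sub-code tells you which of these cases you actually hit.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password at next logon",
    "775": "account locked out",
}

# AD writes the sub-code as "... AcceptSecurityContext error, data 773, v1db1".
_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]+)\b")


def classify_bind_failure(diagnostic_message: str) -> Tuple[str, str]:
    """Return (subcode, reason) for an AD bind failure diagnostic string.

    Returns ("?", ...) when no "data NNN" token is present, which is what a
    client sees if it only logs the top-level "Invalid credentials" result.
    """
    match = _DATA_RE.search(diagnostic_message or "")
    if not match:
        return "?", "no AD sub-code in diagnostic message"
    code = match.group(1).lower()
    return code, AD_BIND_SUBCODES.get(code, f"unrecognised sub-code {code}")


def must_change_password(diagnostic_message: str) -> bool:
    """True when the bind failed because the password must be reset (773)."""
    return classify_bind_failure(diagnostic_message)[0] == "773"


def pwd_last_set_forces_change(attrs: Dict[str, List[str]]) -> bool:
    """Check the pwdLastSet attribute as returned by an LDAP search.

    Ticking "User must change password at next logon" in AD stores
    pwdLastSet = 0; any other value is a FILETIME of the last change.
    `attrs` is a dict of attribute name -> list of string values, the shape
    most LDAP client libraries return (assumed here, not taken from the post).
    """
    values = attrs.get("pwdLastSet", [])
    return len(values) == 1 and values[0].strip() == "0"


# Constructed sample diagnostic messages in the format AD uses.
SAMPLES = {
    "must-change": "80090308: LdapErr: DSID-0C0903A9, comment: "
                   "AcceptSecurityContext error, data 773, v1db1",
    "bad-password": "80090308: LdapErr: DSID-0C0903A9, comment: "
                    "AcceptSecurityContext error, data 52e, v1db1",
    "no-detail": "Invalid credentials",
}

# Constructed sample entry, as a search for pwdLastSet on a flagged user would show.
SAMPLE_FLAGGED_USER = {"pwdLastSet": ["0"]}
SAMPLE_NORMAL_USER = {"pwdLastSet": ["131234567890123456"]}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:12s} -> {classify_bind_failure(msg)}")
    print("flagged user must change:", pwd_last_set_forces_change(SAMPLE_FLAGGED_USER))
    print("normal user must change: ", pwd_last_set_forces_change(SAMPLE_NORMAL_USER))
```

To get the diagnostic string from a real server, run the bind with `ldapsearch -d 1` (or your client library's equivalent of LDAP_OPT_DIAGNOSTIC_MESSAGE) and feed the "comment: AcceptSecurityContext error, data ..." line to classify_bind_failure. A 773 there means the bind is being refused precisely because the reset flag is set, not because the password is wrong.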
